The logical expression used to recognize what data to collect. For example,\n $variable.Vehicle.OutsideAirTemperature >= 105.0.
The logical expression used to recognize what data to collect. For example,\n $variable.`Vehicle.OutsideAirTemperature` >= 105.0.
The maximum number of items to return, between 1 and 100, inclusive.
", "smithy.api#httpQuery": "maxResults" } + }, + "signalNodeType": { + "target": "com.amazonaws.iotfleetwise#SignalNodeType", + "traits": { + "smithy.api#documentation": "The type of node in the signal catalog.
", + "smithy.api#httpQuery": "signalNodeType" + } } } }, @@ -7275,6 +7282,47 @@ } } }, + "com.amazonaws.iotfleetwise#SignalNodeType": { + "type": "enum", + "members": { + "SENSOR": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "SENSOR" + } + }, + "ACTUATOR": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ACTUATOR" + } + }, + "ATTRIBUTE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ATTRIBUTE" + } + }, + "BRANCH": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "BRANCH" + } + }, + "CUSTOM_STRUCT": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "CUSTOM_STRUCT" + } + }, + "CUSTOM_PROPERTY": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "CUSTOM_PROPERTY" + } + } + } + }, "com.amazonaws.iotfleetwise#SpoolingMode": { "type": "enum", "members": { @@ -8839,6 +8887,12 @@ "smithy.api#documentation": "The time the vehicle was last updated in seconds since epoch (January 1, 1970 at midnight UTC time).
", "smithy.api#required": {} } + }, + "attributes": { + "target": "com.amazonaws.iotfleetwise#attributesMap", + "traits": { + "smithy.api#documentation": "Static information about a vehicle in a key-value pair. For example:
\n\n \"engineType\" : \"1.3 L R2\"\n
The total number of buckets whose default encryption settings are configured to encrypt new objects with an Amazon Web Services managed KMS key or a customer managed KMS key. By default, these buckets encrypt new objects automatically using SSE-KMS encryption.
", + "smithy.api#documentation": "The total number of buckets whose default encryption settings are configured to encrypt new objects with an KMS key, either an Amazon Web Services managed key or a customer managed key. By default, these buckets encrypt new objects automatically using DSSE-KMS or SSE-KMS encryption.
", "smithy.api#jsonName": "kmsManaged" } }, @@ -1241,7 +1241,7 @@ "type": { "target": "com.amazonaws.macie2#Type", "traits": { - "smithy.api#documentation": "The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are:
AES256 - New objects are encrypted with an Amazon S3 managed key. They use SSE-S3 encryption.
aws:kms - New objects are encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key. They use SSE-KMS encryption.
NONE - The bucket's default encryption settings don't specify server-side encryption behavior for new objects.
The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are:
AES256 - New objects use SSE-S3 encryption. They're encrypted with an Amazon S3 managed key.
aws:kms - New objects use SSE-KMS encryption. They're encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key.
aws:kms:dsse - New objects use DSSE-KMS encryption. They're encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key.
NONE - The bucket's default encryption settings don't specify server-side encryption behavior for new objects.
Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:
ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.
INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.
INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
MEMBER_ROLE_TOO_PERMISSIVE - The affected member account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID. Macie can't assume the role to retrieve the sensitive data.
MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.
OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.
OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, or deleted. Or the object was changed after Macie created the finding.
RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.
UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.
UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.
This value is null if sensitive data can be retrieved for the finding.
", + "smithy.api#documentation": "Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:
ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.
INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available in the current Amazon Web Services Region, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.
INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
MEMBER_ROLE_TOO_PERMISSIVE - The trust or permissions policy for the IAM role in the affected member account doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID for your organization. Macie can't assume the role to retrieve the sensitive data.
MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.
OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.
OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, deleted, or changed after Macie created the finding. Or the object is encrypted with an KMS key that's currently disabled.
RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.
UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.
UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.
This value is null if sensitive data can be retrieved for the finding.
", "smithy.api#jsonName": "reasons" } } @@ -10106,21 +10112,21 @@ "customerManaged": { "target": "com.amazonaws.macie2#__long", "traits": { - "smithy.api#documentation": "The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).
", + "smithy.api#documentation": "The total number of objects that are encrypted with customer-provided keys. The objects use server-side encryption with customer-provided keys (SSE-C).
", "smithy.api#jsonName": "customerManaged" } }, "kmsManaged": { "target": "com.amazonaws.macie2#__long", "traits": { - "smithy.api#documentation": "The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).
", + "smithy.api#documentation": "The total number of objects that are encrypted with KMS keys, either Amazon Web Services managed keys or customer managed keys. The objects use dual-layer server-side encryption or server-side encryption with KMS keys (DSSE-KMS or SSE-KMS).
", "smithy.api#jsonName": "kmsManaged" } }, "s3Managed": { "target": "com.amazonaws.macie2#__long", "traits": { - "smithy.api#documentation": "The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).
", + "smithy.api#documentation": "The total number of objects that are encrypted with Amazon S3 managed keys. The objects use server-side encryption with Amazon S3 managed keys (SSE-S3).
", "smithy.api#jsonName": "s3Managed" } }, @@ -10769,7 +10775,7 @@ "externalId": { "target": "com.amazonaws.macie2#__string", "traits": { - "smithy.api#documentation": "The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). The trust policy must include an sts:ExternalId condition that requires this ID.
This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume a role. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.
", + "smithy.api#documentation": "The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). This value is null if the value for retrievalMode is CALLER_CREDENTIALS.
This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume an IAM role. For a Macie administrator to retrieve sensitive data from an affected S3 object for a member account, the trust policy for the role in the member account must include an sts:ExternalId condition that requires this ID.
", "smithy.api#jsonName": "externalId" } }, @@ -10777,7 +10783,7 @@ "target": "com.amazonaws.macie2#RetrievalMode", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The access method that's used when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.
", + "smithy.api#documentation": "The access method that's used to retrieve sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.
", "smithy.api#jsonName": "retrievalMode", "smithy.api#required": {} } @@ -10828,7 +10834,7 @@ "target": "com.amazonaws.macie2#RevealStatus", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The status of the configuration for the Amazon Macie account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account.
", + "smithy.api#documentation": "The status of the configuration for the Amazon Macie account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account.
If you disable the configuration, you also permanently delete current settings that specify how to access affected S3 objects. If your current access method is ASSUME_ROLE, Macie also deletes the external ID and role name currently specified for the configuration. These settings can't be recovered after they're deleted.
The type of error that occurred and prevented Amazon Macie from retrieving occurrences of sensitive data reported by the finding. Possible values are:
ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.
INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.
INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
MEMBER_ROLE_TOO_PERMISSIVE - The affected member account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID. Macie can't assume the role to retrieve the sensitive data.
MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.
OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.
OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, or deleted. Or the object was changed after Macie created the finding.
RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.
UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.
UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.
The type of error that occurred and prevented Amazon Macie from retrieving occurrences of sensitive data reported by the finding. Possible values are:
ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.
INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available in the current Amazon Web Services Region, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.
INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
MEMBER_ROLE_TOO_PERMISSIVE - The trust or permissions policy for the IAM role in the affected member account doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID for your organization. Macie can't assume the role to retrieve the sensitive data.
MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.
OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.
OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, deleted, or changed after Macie created the finding. Or the object is encrypted with an KMS key that's currently disabled.
RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.
UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.
UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.
Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume when retrieving the sensitive data, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see Retrieving sensitive data samples with findings in the Amazon Macie User Guide.
" + "smithy.api#documentation": "Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see Configuration options and requirements for retrieving sensitive data samples in the Amazon Macie User Guide.
" } }, "com.amazonaws.macie2#UpdateRevealConfiguration": { @@ -13727,7 +13739,7 @@ "retrievalConfiguration": { "target": "com.amazonaws.macie2#UpdateRetrievalConfiguration", "traits": { - "smithy.api#documentation": "The access method and settings to use to retrieve the sensitive data.
", + "smithy.api#documentation": "The access method and settings to use when retrieving the sensitive data.
", "smithy.api#jsonName": "retrievalConfiguration" } } @@ -13749,7 +13761,7 @@ "retrievalConfiguration": { "target": "com.amazonaws.macie2#RetrievalConfiguration", "traits": { - "smithy.api#documentation": "The access method and settings to use to retrieve the sensitive data.
", + "smithy.api#documentation": "The access method and settings to use when retrieving the sensitive data.
", "smithy.api#jsonName": "retrievalConfiguration" } } diff --git a/codegen/sdk-codegen/aws-models/payment-cryptography.json b/codegen/sdk-codegen/aws-models/payment-cryptography.json index c3ecb7e9f6d..4e9412269fa 100644 --- a/codegen/sdk-codegen/aws-models/payment-cryptography.json +++ b/codegen/sdk-codegen/aws-models/payment-cryptography.json @@ -524,7 +524,35 @@ ], "traits": { "aws.api#controlPlane": {}, - "smithy.api#documentation": "Exports a key from Amazon Web Services Payment Cryptography.
\nAmazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ExportKey you can export symmetric keys using either symmetric and asymmetric key exchange mechanisms. Using this operation, you can share your Amazon Web Services Payment Cryptography generated keys with other service partners to perform cryptographic operations outside of Amazon Web Services Payment Cryptography
For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm . Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK). After which you can export working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.
\nThe TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block.
\nYou can also use ExportKey functionality to generate and export an IPEK (Initial Pin Encryption Key) from Amazon Web Services Payment Cryptography using either TR-31 or TR-34 export key exchange. IPEK is generated from BDK (Base Derivation Key) and ExportDukptInitialKey attribute KSN (KeySerialNumber). The generated IPEK does not persist within Amazon Web Services Payment Cryptography and has to be re-generated each time during export.
\n To export KEK or IPEK using TR-34\n
\nUsing this operation, you can export initial key using TR-34 asymmetric key exchange. You can only export KEK generated within Amazon Web Services Payment Cryptography. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During key export process, KDH is Amazon Web Services Payment Cryptography which initiates key export and KRD is the user receiving the key.
\nTo initiate TR-34 key export, the KRD must obtain an export token by calling GetParametersForExport. This operation also generates a key pair for the purpose of key export, signs the key and returns back the signing public key certificate (also known as KDH signing certificate) and root certificate chain. The KDH uses the private key to sign the the export payload and the signing public key certificate is provided to KRD to verify the signature. The KRD can import the root certificate into its Hardware Security Module (HSM), as required. The export token and the associated KDH signing certificate expires after 7 days.
\nNext the KRD generates a key pair for the the purpose of encrypting the KDH key and provides the public key cerificate (also known as KRD wrapping certificate) back to KDH. The KRD will also import the root cerificate chain into Amazon Web Services Payment Cryptography by calling ImportKey for RootCertificatePublicKey. The KDH, Amazon Web Services Payment Cryptography, will use the KRD wrapping cerificate to encrypt (wrap) the key under export and signs it with signing private key to generate a TR-34 WrappedKeyBlock. For more information on TR-34 key export, see section Exporting symmetric keys in the Amazon Web Services Payment Cryptography User Guide.
Set the following parameters:
\n\n ExportAttributes: Specify export attributes in case of IPEK export. This parameter is optional for KEK export.
\n ExportKeyIdentifier: The KeyARN of the KEK or BDK (in case of IPEK) under export.
\n KeyMaterial: Use Tr34KeyBlock parameters.
\n CertificateAuthorityPublicKeyIdentifier: The KeyARN of the certificate chain that signed the KRD wrapping key certificate.
\n ExportToken: Obtained from KDH by calling GetParametersForImport.
\n WrappingKeyCertificate: The public key certificate in PEM format (base64 encoded) of the KRD wrapping key Amazon Web Services Payment Cryptography uses for encryption of the TR-34 export payload. This certificate must be signed by the root certificate (CertificateAuthorityPublicKeyIdentifier) imported into Amazon Web Services Payment Cryptography.
When this operation is successful, Amazon Web Services Payment Cryptography returns the KEK or IPEK as a TR-34 WrappedKeyBlock.
\n\n To export WK (Working Key) or IPEK using TR-31\n
\nUsing this operation, you can export working keys or IPEK using TR-31 symmetric key exchange. In TR-31, you must use an initial key such as KEK to encrypt or wrap the key under export. To establish a KEK, you can use CreateKey or ImportKey.
\nSet the following parameters:
\n\n ExportAttributes: Specify export attributes in case of IPEK export. This parameter is optional for KEK export.
\n ExportKeyIdentifier: The KeyARN of the KEK or BDK (in case of IPEK) under export.
\n KeyMaterial: Use Tr31KeyBlock parameters.
When this operation is successful, Amazon Web Services Payment Cryptography returns the WK or IPEK as a TR-31 WrappedKeyBlock.
\n\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.
\n\n Related operations:\n
\n\n ImportKey\n
\nExports a key from Amazon Web Services Payment Cryptography.
\nAmazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ExportKey you can export symmetric keys using either symmetric and asymmetric key exchange mechanisms. Using this operation, you can share your Amazon Web Services Payment Cryptography generated keys with other service partners to perform cryptographic operations outside of Amazon Web Services Payment Cryptography
For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange mechanism. Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK). After which you can export working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.
\nThe TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block. With RSA wrap and unwrap, you can exchange both 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram format and you will need to specify the key attributes during import.
\nYou can also use ExportKey functionality to generate and export an IPEK (Initial Pin Encryption Key) from Amazon Web Services Payment Cryptography using either TR-31 or TR-34 export key exchange. IPEK is generated from BDK (Base Derivation Key) and ExportDukptInitialKey attribute KSN (KeySerialNumber). The generated IPEK does not persist within Amazon Web Services Payment Cryptography and has to be re-generated each time during export.
\n To export initial keys (KEK) or IPEK using TR-34\n
\nUsing this operation, you can export initial key using TR-34 asymmetric key exchange. You can only export KEK generated within Amazon Web Services Payment Cryptography. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During key export process, KDH is Amazon Web Services Payment Cryptography which initiates key export and KRD is the user receiving the key.
\nTo initiate TR-34 key export, the KRD must obtain an export token by calling GetParametersForExport. This operation also generates a key pair for the purpose of key export, signs the key and returns back the signing public key certificate (also known as KDH signing certificate) and root certificate chain. The KDH uses the private key to sign the the export payload and the signing public key certificate is provided to KRD to verify the signature. The KRD can import the root certificate into its Hardware Security Module (HSM), as required. The export token and the associated KDH signing certificate expires after 7 days.
\nNext the KRD generates a key pair for the the purpose of encrypting the KDH key and provides the public key cerificate (also known as KRD wrapping certificate) back to KDH. The KRD will also import the root cerificate chain into Amazon Web Services Payment Cryptography by calling ImportKey for RootCertificatePublicKey. The KDH, Amazon Web Services Payment Cryptography, will use the KRD wrapping cerificate to encrypt (wrap) the key under export and signs it with signing private key to generate a TR-34 WrappedKeyBlock. For more information on TR-34 key export, see section Exporting symmetric keys in the Amazon Web Services Payment Cryptography User Guide.
Set the following parameters:
\n\n ExportAttributes: Specify export attributes in case of IPEK export. This parameter is optional for KEK export.
\n ExportKeyIdentifier: The KeyARN of the KEK or BDK (in case of IPEK) under export.
\n KeyMaterial: Use Tr34KeyBlock parameters.
\n CertificateAuthorityPublicKeyIdentifier: The KeyARN of the certificate chain that signed the KRD wrapping key certificate.
\n ExportToken: Obtained from KDH by calling GetParametersForImport.
\n WrappingKeyCertificate: The public key certificate in PEM format (base64 encoded) of the KRD wrapping key Amazon Web Services Payment Cryptography uses for encryption of the TR-34 export payload. This certificate must be signed by the root certificate (CertificateAuthorityPublicKeyIdentifier) imported into Amazon Web Services Payment Cryptography.
When this operation is successful, Amazon Web Services Payment Cryptography returns the KEK or IPEK as a TR-34 WrappedKeyBlock.
\n\n To export initial keys (KEK) or IPEK using RSA Wrap and Unwrap\n
\nUsing this operation, you can export initial key using asymmetric RSA wrap and unwrap key exchange method. To initiate export, generate an asymmetric key pair on the receiving HSM and obtain the public key certificate in PEM format (base64 encoded) for the purpose of wrapping and the root certifiate chain. Import the root certificate into Amazon Web Services Payment Cryptography by calling ImportKey for RootCertificatePublicKey.
Next call ExportKey and set the following parameters:
\n CertificateAuthorityPublicKeyIdentifier: The KeyARN of the certificate chain that signed wrapping key certificate.
\n KeyMaterial: Set to KeyCryptogram.
\n WrappingKeyCertificate: The public key certificate in PEM format (base64 encoded) obtained by the receiving HSM and signed by the root certificate (CertificateAuthorityPublicKeyIdentifier) imported into Amazon Web Services Payment Cryptography. The receiving HSM uses its private key component to unwrap the WrappedKeyCryptogram.
When this operation is successful, Amazon Web Services Payment Cryptography returns the WrappedKeyCryptogram.
\n\n To export working keys or IPEK using TR-31\n
\nUsing this operation, you can export working keys or IPEK using TR-31 symmetric key exchange. In TR-31, you must use an initial key such as KEK to encrypt or wrap the key under export. To establish a KEK, you can use CreateKey or ImportKey.
\nSet the following parameters:
\n\n ExportAttributes: Specify export attributes in case of IPEK export. This parameter is optional for KEK export.
\n ExportKeyIdentifier: The KeyARN of the KEK or BDK (in case of IPEK) under export.
\n KeyMaterial: Use Tr31KeyBlock parameters.
When this operation is successful, Amazon Web Services Payment Cryptography returns the working key or IPEK as a TR-31 WrappedKeyBlock.
\n\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.
\n\n Related operations:\n
\n\n ImportKey\n
\nThe KeyARN of the certificate chain that signs the wrapping key certificate during RSA wrap and unwrap key export.
The wrapping key certificate in PEM format (base64 encoded). Amazon Web Services Payment Cryptography uses this certificate to wrap the key under export.
", + "smithy.api#required": {} + } + }, + "WrappingSpec": { + "target": "com.amazonaws.paymentcryptography#WrappingKeySpec", + "traits": { + "smithy.api#documentation": "The wrapping spec for the key under export.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Parameter information for key material export using asymmetric RSA wrap and unwrap key exchange method.
" } }, "com.amazonaws.paymentcryptography#ExportKeyInput": { @@ -569,10 +597,16 @@ "traits": { "smithy.api#documentation": "Parameter information for key material export using the asymmetric TR-34 key exchange method.
" } + }, + "KeyCryptogram": { + "target": "com.amazonaws.paymentcryptography#ExportKeyCryptogram", + "traits": { + "smithy.api#documentation": "Parameter information for key material export using asymmetric RSA wrap and unwrap key exchange method
" + } } }, "traits": { - "smithy.api#documentation": "Parameter information for key material export from Amazon Web Services Payment Cryptography using TR-31 or TR-34 key exchange method.
" + "smithy.api#documentation": "Parameter information for key material export from Amazon Web Services Payment Cryptography using TR-31 or TR-34 or RSA wrap and unwrap key exchange method.
" } }, "com.amazonaws.paymentcryptography#ExportKeyOutput": { @@ -581,7 +615,7 @@ "WrappedKey": { "target": "com.amazonaws.paymentcryptography#WrappedKey", "traits": { - "smithy.api#documentation": "The key material under export as a TR-34 WrappedKeyBlock or a TR-31 WrappedKeyBlock.
" + "smithy.api#documentation": "The key material under export as a TR-34 WrappedKeyBlock or a TR-31 WrappedKeyBlock. or a RSA WrappedKeyCryptogram.
" } } }, @@ -928,7 +962,7 @@ ], "traits": { "aws.api#controlPlane": {}, - "smithy.api#documentation": "Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock.
\nThe wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling ImportKey. The import token expires in 7 days. You can use the same import token to import multiple keys into your service account.
\n\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.
\n\n Related operations:\n
\n\n ImportKey\n
\nGets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram import into Amazon Web Services Payment Cryptography.
\nThe wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling ImportKey. The import token expires in 7 days. You can use the same import token to import multiple keys into your service account.
\n\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.
\n\n Related operations:\n
\n\n ImportKey\n
\nThe method to use for key material import. Import token is only required for TR-34 WrappedKeyBlock (TR34_KEY_BLOCK).
Import token is not required for TR-31, root public key cerificate or trusted public key certificate.
", + "smithy.api#documentation": "The method to use for key material import. Import token is only required for TR-34 WrappedKeyBlock (TR34_KEY_BLOCK) and RSA WrappedKeyCryptogram (KEY_CRYPTOGRAM).
Import token is not required for TR-31, root public key cerificate or trusted public key certificate.
", "smithy.api#required": {} } }, "WrappingKeyAlgorithm": { "target": "com.amazonaws.paymentcryptography#KeyAlgorithm", "traits": { - "smithy.api#documentation": "The wrapping key algorithm to generate a wrapping key certificate. This certificate wraps the key under import.
\nAt this time, RSA_2048, RSA_3072, RSA_4096 are the only allowed algorithms for TR-34 WrappedKeyBlock import.
The wrapping key algorithm to generate a wrapping key certificate. This certificate wraps the key under import.
\nAt this time, RSA_2048 is the allowed algorithm for TR-34 WrappedKeyBlock import. Additionally, RSA_2048, RSA_3072, RSA_4096 are the allowed algorithms for RSA WrappedKeyCryptogram import.
The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock.
", + "smithy.api#documentation": "The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock or RSA WrappedKeyCryptogram.
", "smithy.api#required": {} } }, @@ -1123,7 +1157,48 @@ ], "traits": { "aws.api#controlPlane": {}, - "smithy.api#documentation": "Imports symmetric keys and public key certificates in PEM format (base64 encoded) into Amazon Web Services Payment Cryptography.
\nAmazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ImportKey you can import symmetric keys using either symmetric and asymmetric key exchange mechanisms.
For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm . Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK) or Zone Master Key (ZMK). After which you can import working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.
\nThe TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block.
\nYou can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate.
\n\n To import a public root key certificate\n
\nYou can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate.
\n\n To import a public root key certificate\n
\nUsing this operation, you can import the public component (in PEM cerificate format) of your private root key. You can use the imported public root key certificate for digital signatures, for example signing wrapping key or signing key in TR-34, within your Amazon Web Services Payment Cryptography account.
\nSet the following parameters:
\n\n KeyMaterial: RootCertificatePublicKey\n
\n KeyClass: PUBLIC_KEY\n
\n KeyModesOfUse: Verify\n
\n KeyUsage: TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE\n
\n PublicKeyCertificate: The public key certificate in PEM format (base64 encoded) of the private root key under import.
\n To import a trusted public key certificate\n
\nThe root public key certificate must be in place and operational before you import a trusted public key certificate. Set the following parameters:
\n\n KeyMaterial: TrustedCertificatePublicKey\n
\n CertificateAuthorityPublicKeyIdentifier: KeyArn of the RootCertificatePublicKey.
\n KeyModesOfUse and KeyUsage: Corresponding to the cryptographic operations such as wrap, sign, or encrypt that you will allow the trusted public key certificate to perform.
\n PublicKeyCertificate: The trusted public key certificate in PEM format (base64 encoded) under import.
\n To import KEK or ZMK using TR-34\n
\nUsing this operation, you can import initial key using TR-34 asymmetric key exchange. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During the key import process, KDH is the user who initiates the key import and KRD is Amazon Web Services Payment Cryptography who receives the key.
\nTo initiate TR-34 key import, the KDH must obtain an import token by calling GetParametersForImport. This operation generates an encryption keypair for the purpose of key import, signs the key and returns back the wrapping key certificate (also known as KRD wrapping certificate) and the root certificate chain. The KDH must trust and install the KRD wrapping certificate on its HSM and use it to encrypt (wrap) the KDH key during TR-34 WrappedKeyBlock generation. The import token and associated KRD wrapping certificate expires after 7 days.
\nNext the KDH generates a key pair for the purpose of signing the encrypted KDH key and provides the public certificate of the signing key to Amazon Web Services Payment Cryptography. The KDH will also need to import the root certificate chain of the KDH signing certificate by calling ImportKey for RootCertificatePublicKey. For more information on TR-34 key import, see section Importing symmetric keys in the Amazon Web Services Payment Cryptography User Guide.
Set the following parameters:
\n\n KeyMaterial: Use Tr34KeyBlock parameters.
\n CertificateAuthorityPublicKeyIdentifier: The KeyARN of the certificate chain that signed the KDH signing key certificate.
\n ImportToken: Obtained from KRD by calling GetParametersForImport.
\n WrappedKeyBlock: The TR-34 wrapped key material from KDH. It contains the KDH key under import, wrapped with KRD wrapping certificate and signed by KDH signing private key. This TR-34 key block is typically generated by the KDH Hardware Security Module (HSM) outside of Amazon Web Services Payment Cryptography.
\n SigningKeyCertificate: The public key certificate in PEM format (base64 encoded) of the KDH signing key generated under the root certificate (CertificateAuthorityPublicKeyIdentifier) imported in Amazon Web Services Payment Cryptography.
\n To import WK (Working Key) using TR-31\n
\nAmazon Web Services Payment Cryptography uses TR-31 symmetric key exchange norm to import working keys. A KEK must be established within Amazon Web Services Payment Cryptography by using TR-34 key import or by using CreateKey. To initiate a TR-31 key import, set the following parameters:
\n\n KeyMaterial: Use Tr31KeyBlock parameters.
\n WrappedKeyBlock: The TR-31 wrapped key material. It contains the key under import, encrypted using KEK. The TR-31 key block is typically generated by a HSM outside of Amazon Web Services Payment Cryptography.
\n WrappingKeyIdentifier: The KeyArn of the KEK that Amazon Web Services Payment Cryptography uses to decrypt or unwrap the key under import.
\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.
\n\n Related operations:\n
\n\n ExportKey\n
\nImports symmetric keys and public key certificates in PEM format (base64 encoded) into Amazon Web Services Payment Cryptography.
\nAmazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ImportKey you can import symmetric keys using either symmetric and asymmetric key exchange mechanisms.
For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange mechanisms. Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK) or Zone Master Key (ZMK). After which you can import working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.
\nThe TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block. With RSA wrap and unwrap, you can exchange both 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram format and you will need to specify the key attributes during import.
\nYou can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate.
\n\n To import a public root key certificate\n
\nYou can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate.
\n\n To import a public root key certificate\n
\nUsing this operation, you can import the public component (in PEM cerificate format) of your private root key. You can use the imported public root key certificate for digital signatures, for example signing wrapping key or signing key in TR-34, within your Amazon Web Services Payment Cryptography account.
\nSet the following parameters:
\n\n KeyMaterial: RootCertificatePublicKey\n
\n KeyClass: PUBLIC_KEY\n
\n KeyModesOfUse: Verify\n
\n KeyUsage: TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE\n
\n PublicKeyCertificate: The public key certificate in PEM format (base64 encoded) of the private root key under import.
\n To import a trusted public key certificate\n
\nThe root public key certificate must be in place and operational before you import a trusted public key certificate. Set the following parameters:
\n\n KeyMaterial: TrustedCertificatePublicKey\n
\n CertificateAuthorityPublicKeyIdentifier: KeyArn of the RootCertificatePublicKey.
\n KeyModesOfUse and KeyUsage: Corresponding to the cryptographic operations such as wrap, sign, or encrypt that you will allow the trusted public key certificate to perform.
\n PublicKeyCertificate: The trusted public key certificate in PEM format (base64 encoded) under import.
\n To import initial keys (KEK or ZMK or similar) using TR-34\n
\nUsing this operation, you can import initial key using TR-34 asymmetric key exchange. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During the key import process, KDH is the user who initiates the key import and KRD is Amazon Web Services Payment Cryptography who receives the key.
\nTo initiate TR-34 key import, the KDH must obtain an import token by calling GetParametersForImport. This operation generates an encryption keypair for the purpose of key import, signs the key and returns back the wrapping key certificate (also known as KRD wrapping certificate) and the root certificate chain. The KDH must trust and install the KRD wrapping certificate on its HSM and use it to encrypt (wrap) the KDH key during TR-34 WrappedKeyBlock generation. The import token and associated KRD wrapping certificate expires after 7 days.
\nNext the KDH generates a key pair for the purpose of signing the encrypted KDH key and provides the public certificate of the signing key to Amazon Web Services Payment Cryptography. The KDH will also need to import the root certificate chain of the KDH signing certificate by calling ImportKey for RootCertificatePublicKey. For more information on TR-34 key import, see section Importing symmetric keys in the Amazon Web Services Payment Cryptography User Guide.
Set the following parameters:
\n\n KeyMaterial: Use Tr34KeyBlock parameters.
\n CertificateAuthorityPublicKeyIdentifier: The KeyARN of the certificate chain that signed the KDH signing key certificate.
\n ImportToken: Obtained from KRD by calling GetParametersForImport.
\n WrappedKeyBlock: The TR-34 wrapped key material from KDH. It contains the KDH key under import, wrapped with KRD wrapping certificate and signed by KDH signing private key. This TR-34 key block is typically generated by the KDH Hardware Security Module (HSM) outside of Amazon Web Services Payment Cryptography.
\n SigningKeyCertificate: The public key certificate in PEM format (base64 encoded) of the KDH signing key generated under the root certificate (CertificateAuthorityPublicKeyIdentifier) imported in Amazon Web Services Payment Cryptography.
\n To import initial keys (KEK or ZMK or similar) using RSA Wrap and Unwrap\n
\nUsing this operation, you can import initial key using asymmetric RSA wrap and unwrap key exchange method. To initiate import, call GetParametersForImport with KeyMaterial set to KEY_CRYPTOGRAM to generate an import token. This operation also generates an encryption keypair for the purpose of key import, signs the key and returns back the wrapping key certificate in PEM format (base64 encoded) and its root certificate chain. The import token and associated KRD wrapping certificate expires after 7 days.
You must trust and install the wrapping certificate and its certificate chain on the sending HSM and use it to wrap the key under export for WrappedKeyCryptogram generation. Next call ImportKey with KeyMaterial set to KEY_CRYPTOGRAM and provide the ImportToken and KeyAttributes for the key under import.
\n To import working keys using TR-31\n
\nAmazon Web Services Payment Cryptography uses TR-31 symmetric key exchange norm to import working keys. A KEK must be established within Amazon Web Services Payment Cryptography by using TR-34 key import or by using CreateKey. To initiate a TR-31 key import, set the following parameters:
\n\n KeyMaterial: Use Tr31KeyBlock parameters.
\n WrappedKeyBlock: The TR-31 wrapped key material. It contains the key under import, encrypted using KEK. The TR-31 key block is typically generated by a HSM outside of Amazon Web Services Payment Cryptography.
\n WrappingKeyIdentifier: The KeyArn of the KEK that Amazon Web Services Payment Cryptography uses to decrypt or unwrap the key under import.
\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.
\n\n Related operations:\n
\n\n ExportKey\n
\nSpecifies whether the key is exportable from the service.
", + "smithy.api#required": {} + } + }, + "WrappedKeyCryptogram": { + "target": "com.amazonaws.paymentcryptography#WrappedKeyCryptogram", + "traits": { + "smithy.api#documentation": "The RSA wrapped key cryptogram under import.
", + "smithy.api#required": {} + } + }, + "ImportToken": { + "target": "com.amazonaws.paymentcryptography#ImportTokenId", + "traits": { + "smithy.api#documentation": "The import token that initiates key import using the asymmetric RSA wrap and unwrap key exchange method into AWS Payment Cryptography. It expires after 7 days. You can use the same import token to import multiple keys to the same service account.
", + "smithy.api#required": {} + } + }, + "WrappingSpec": { + "target": "com.amazonaws.paymentcryptography#WrappingKeySpec", + "traits": { + "smithy.api#documentation": "The wrapping spec for the wrapped key cryptogram.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Parameter information for key material import using asymmetric RSA wrap and unwrap key exchange method.
" } }, "com.amazonaws.paymentcryptography#ImportKeyInput": { @@ -1185,10 +1260,16 @@ "traits": { "smithy.api#documentation": "Parameter information for key material import using the asymmetric TR-34 key exchange method.
" } + }, + "KeyCryptogram": { + "target": "com.amazonaws.paymentcryptography#ImportKeyCryptogram", + "traits": { + "smithy.api#documentation": "Parameter information for key material import using asymmetric RSA wrap and unwrap key exchange method.
" + } } }, "traits": { - "smithy.api#documentation": "Parameter information for key material import into Amazon Web Services Payment Cryptography using TR-31 or TR-34 key exchange method.
" + "smithy.api#documentation": "Parameter information for key material import into Amazon Web Services Payment Cryptography using TR-31 or TR-34 or RSA wrap and unwrap key exchange method.
" } }, "com.amazonaws.paymentcryptography#ImportKeyOutput": { @@ -1608,6 +1689,10 @@ { "value": "TRUSTED_PUBLIC_KEY_CERTIFICATE", "name": "TRUSTED_PUBLIC_KEY_CERTIFICATE" + }, + { + "value": "KEY_CRYPTOGRAM", + "name": "KEY_CRYPTOGRAM" } ] } @@ -1881,6 +1966,10 @@ "value": "TR31_M3_ISO_9797_3_MAC_KEY", "name": "TR31_M3_ISO_9797_3_MAC_KEY" }, + { + "value": "TR31_M1_ISO_9797_1_MAC_KEY", + "name": "TR31_M1_ISO_9797_1_MAC_KEY" + }, { "value": "TR31_M6_ISO_9797_5_CMAC_KEY", "name": "TR31_M6_ISO_9797_5_CMAC_KEY" @@ -3610,6 +3699,16 @@ "smithy.api#documentation": "Parameter information for generating a WrappedKeyBlock for key exchange.
" } }, + "com.amazonaws.paymentcryptography#WrappedKeyCryptogram": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 16, + "max": 4096 + }, + "smithy.api#pattern": "^[0-9A-F]+$" + } + }, "com.amazonaws.paymentcryptography#WrappedKeyMaterialFormat": { "type": "string", "traits": { @@ -3628,6 +3727,21 @@ } ] } + }, + "com.amazonaws.paymentcryptography#WrappingKeySpec": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "RSA_OAEP_SHA_256", + "name": "RSA_OAEP_SHA_256" + }, + { + "value": "RSA_OAEP_SHA_512", + "name": "RSA_OAEP_SHA_512" + } + ] + } } } } \ No newline at end of file diff --git a/codegen/sdk-codegen/aws-models/personalize-runtime.json b/codegen/sdk-codegen/aws-models/personalize-runtime.json index 889b4919e6f..e3e39c56d69 100644 --- a/codegen/sdk-codegen/aws-models/personalize-runtime.json +++ b/codegen/sdk-codegen/aws-models/personalize-runtime.json @@ -980,7 +980,7 @@ "metadataColumns": { "target": "com.amazonaws.personalizeruntime#MetadataColumns", "traits": { - "smithy.api#documentation": "If you enabled metadata in recommendations when you created or updated the campaign, specify metadata columns from your Items dataset to include\n in the personalized ranking.\n The map key is ITEMS and the value is a list of column names from your Items dataset.\n The maximum number of columns you can provide is 10.
\n For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign.\n
" + "smithy.api#documentation": "If you enabled metadata in recommendations when you created or updated the campaign, specify metadata columns from your Items dataset to include\n in the personalized ranking.\n The map key is ITEMS and the value is a list of column names from your Items dataset.\n The maximum number of columns you can provide is 10.
\n For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign.\n
" } } }, @@ -1095,7 +1095,7 @@ "metadataColumns": { "target": "com.amazonaws.personalizeruntime#MetadataColumns", "traits": { - "smithy.api#documentation": "If you enabled metadata in recommendations when you created or updated the campaign or recommender, specify the metadata columns from your Items dataset to include in item recommendations. \n The map key is ITEMS and the value is a list of column names from your Items dataset.\n The maximum number of columns you can provide is 10.
\n For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign.\n For information about enabling metadata for a recommender, see Enabling metadata in recommendations for a recommender.\n
" + "smithy.api#documentation": "If you enabled metadata in recommendations when you created or updated the campaign or recommender, specify the metadata columns from your Items dataset to include in item recommendations. \n The map key is ITEMS and the value is a list of column names from your Items dataset.\n The maximum number of columns you can provide is 10.
\n For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign.\n For information about enabling metadata for a recommender, see Enabling metadata in recommendations for a recommender.\n
" } } }, diff --git a/codegen/sdk-codegen/aws-models/personalize.json b/codegen/sdk-codegen/aws-models/personalize.json index bbcd1a9841d..fb7d5c65146 100644 --- a/codegen/sdk-codegen/aws-models/personalize.json +++ b/codegen/sdk-codegen/aws-models/personalize.json @@ -1649,7 +1649,7 @@ "enableMetadataWithRecommendations": { "target": "com.amazonaws.personalize#Boolean", "traits": { - "smithy.api#documentation": "Whether metadata with recommendations is enabled for the campaign. \n If enabled, you can specify the columns from your Items dataset in your request for recommendations. Amazon Personalize returns this data for each item in the recommendation response.
\n\n If you enable metadata in recommendations, you will incur additional costs. For more information, see Amazon Personalize pricing.\n
" + "smithy.api#documentation": "Whether metadata with recommendations is enabled for the campaign. \n If enabled, you can specify the columns from your Items dataset in your request for recommendations. Amazon Personalize returns this data for each item in the recommendation response.\n For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign.
\n\n If you enable metadata in recommendations, you will incur additional costs. For more information, see Amazon Personalize pricing.\n
" } } }, @@ -2153,7 +2153,7 @@ } ], "traits": { - "smithy.api#documentation": "Creates a campaign that deploys a solution version. When a client calls the\n GetRecommendations\n and\n GetPersonalizedRanking\n APIs, a campaign is specified in the request.
\n\n Minimum Provisioned TPS and Auto-Scaling\n
\n A high minProvisionedTPS will increase your bill. We recommend starting with 1 for minProvisionedTPS (the default). Track\n your usage using Amazon CloudWatch metrics, and increase the minProvisionedTPS\n as necessary.
A transaction is a single GetRecommendations or\n GetPersonalizedRanking call. Transactions per second (TPS) is the throughput\n and unit of billing for Amazon Personalize. The minimum provisioned TPS\n (minProvisionedTPS) specifies the baseline throughput provisioned by\n Amazon Personalize, and thus, the minimum billing charge. \n
\n If your TPS increases beyond\n minProvisionedTPS, Amazon Personalize auto-scales the provisioned capacity up and down,\n but never below minProvisionedTPS.\n There's a short time delay while the capacity is increased that might cause loss of\n transactions.
The actual TPS used is calculated as the average requests/second within a 5-minute window.\n You pay for maximum of either the minimum provisioned TPS or the actual TPS.\n We recommend starting with a low minProvisionedTPS, track\n your usage using Amazon CloudWatch metrics, and then increase the minProvisionedTPS\n as necessary.
\n Status\n
\nA campaign can be in one of the following states:
\nCREATE PENDING > CREATE IN_PROGRESS > ACTIVE -or- CREATE FAILED
\nDELETE PENDING > DELETE IN_PROGRESS
\nTo get the campaign status, call DescribeCampaign.
\nWait until the status of the campaign\n is ACTIVE before asking the campaign for recommendations.
\n Related APIs\n
\n\n ListCampaigns\n
\n\n DescribeCampaign\n
\n\n UpdateCampaign\n
\n\n DeleteCampaign\n
\nCreates a campaign that deploys a solution version. When a client calls the\n GetRecommendations\n and\n GetPersonalizedRanking\n APIs, a campaign is specified in the request.
\n\n Minimum Provisioned TPS and Auto-Scaling\n
\n A high minProvisionedTPS will increase your cost. We recommend starting with 1 for minProvisionedTPS (the default). Track\n your usage using Amazon CloudWatch metrics, and increase the minProvisionedTPS\n as necessary.
\n When you create an Amazon Personalize campaign, you can specify the minimum provisioned transactions per second\n (minProvisionedTPS) for the campaign. This is the baseline transaction throughput for the campaign provisioned by\n Amazon Personalize. It sets the minimum billing charge for the campaign while it is active. A transaction is a single GetRecommendations or\n GetPersonalizedRanking request. The default minProvisionedTPS is 1.
If your TPS increases beyond the minProvisionedTPS, Amazon Personalize auto-scales the provisioned capacity up\n and down, but never below minProvisionedTPS. \n There's a short time delay while the capacity is increased\n that might cause loss of transactions. When your traffic reduces, capacity returns to the minProvisionedTPS.\n
You are charged for the\n the minimum provisioned TPS or, if your requests exceed the minProvisionedTPS, the actual TPS. \n The actual TPS is the total number of recommendation requests you make.\n We recommend starting with a low minProvisionedTPS, track\n your usage using Amazon CloudWatch metrics, and then increase the minProvisionedTPS as necessary.
For more information about campaign costs, see Amazon Personalize pricing.
\n\n Status\n
\nA campaign can be in one of the following states:
\nCREATE PENDING > CREATE IN_PROGRESS > ACTIVE -or- CREATE FAILED
\nDELETE PENDING > DELETE IN_PROGRESS
\nTo get the campaign status, call DescribeCampaign.
\nWait until the status of the campaign\n is ACTIVE before asking the campaign for recommendations.
\n Related APIs\n
\n\n ListCampaigns\n
\n\n DescribeCampaign\n
\n\n UpdateCampaign\n
\n\n DeleteCampaign\n
\nWe don't recommend enabling automated machine learning. Instead, match your use case to the available Amazon Personalize \n recipes. For more information, see Determining your use case.\n
\nWhether to perform automated machine learning (AutoML). The default is false.\n For this case, you must specify recipeArn.
When set to true, Amazon Personalize analyzes your training data and selects\n the optimal USER_PERSONALIZATION recipe and hyperparameters. In this case, you must omit\n recipeArn. Amazon Personalize determines the optimal recipe by running tests with\n different values for the hyperparameters.\n AutoML lengthens the training process as compared to selecting a specific recipe.
We don't recommend enabling automated machine learning. Instead, match your use case to the available Amazon Personalize \n recipes. For more information, see Choosing a recipe.
\nWhether to perform automated machine learning (AutoML). The default is false.\n For this case, you must specify recipeArn.
When set to true, Amazon Personalize analyzes your training data and selects\n the optimal USER_PERSONALIZATION recipe and hyperparameters. In this case, you must omit\n recipeArn. Amazon Personalize determines the optimal recipe by running tests with\n different values for the hyperparameters.\n AutoML lengthens the training process as compared to selecting a specific recipe.
The ARN of the recipe to use for model training. This is required when\n performAutoML is false.
The Amazon Resource Name (ARN) of the recipe to use for model training. This is required when\n performAutoML is false. For information about different Amazon Personalize recipes and their ARNs, \n see Choosing a recipe.\n \n
Whether metadata with recommendations is enabled for the recommender. \n If enabled, you can specify the columns from your Items dataset in your request for recommendations. Amazon Personalize returns this data for each item in the recommendation response.
\n\n If you enable metadata in recommendations, you will incur additional costs. For more information, see Amazon Personalize pricing.\n
" + "smithy.api#documentation": "Whether metadata with recommendations is enabled for the recommender. \n If enabled, you can specify the columns from your Items dataset in your request for recommendations. Amazon Personalize returns this data for each item in the recommendation response. \n For information about enabling metadata for a recommender, see Enabling metadata in recommendations for a recommender.
\n\n If you enable metadata in recommendations, you will incur additional costs. For more information, see Amazon Personalize pricing.\n
" } } }, diff --git a/codegen/sdk-codegen/aws-models/rekognition.json b/codegen/sdk-codegen/aws-models/rekognition.json index 2b61d6d097c..de18bed9573 100644 --- a/codegen/sdk-codegen/aws-models/rekognition.json +++ b/codegen/sdk-codegen/aws-models/rekognition.json @@ -217,7 +217,7 @@ "AssociatedFaces": { "target": "com.amazonaws.rekognition#AssociatedFacesList", "traits": { - "smithy.api#documentation": "An array of AssociatedFace objects containing FaceIDs that are successfully associated\n with the UserID is returned. Returned if the AssociateFaces action is successful.
" + "smithy.api#documentation": "An array of AssociatedFace objects containing FaceIDs that have been successfully associated\n with the UserID. Returned if the AssociateFaces action is successful.
" } }, "UnsuccessfulFaceAssociations": { @@ -1179,6 +1179,38 @@ } } }, + "com.amazonaws.rekognition#ContentType": { + "type": "structure", + "members": { + "Confidence": { + "target": "com.amazonaws.rekognition#Percent", + "traits": { + "smithy.api#documentation": "The confidence level of the label given
" + } + }, + "Name": { + "target": "com.amazonaws.rekognition#String", + "traits": { + "smithy.api#documentation": "The name of the label
" + } + } + }, + "traits": { + "smithy.api#documentation": "Contains information regarding the confidence and name of a detected content type.
" + } + }, + "com.amazonaws.rekognition#ContentTypes": { + "type": "list", + "member": { + "target": "com.amazonaws.rekognition#ContentType" + }, + "traits": { + "smithy.api#length": { + "min": 0, + "max": 50 + } + } + }, "com.amazonaws.rekognition#CopyProjectVersion": { "type": "operation", "input": { @@ -3671,7 +3703,7 @@ } ], "traits": { - "smithy.api#documentation": "This operation applies only to Amazon Rekognition Custom Labels.
\nDetects custom labels in a supplied image by using an Amazon Rekognition Custom Labels model.
\nYou specify which version of a model version to use by using the ProjectVersionArn input\n parameter.
You pass the input image as base64-encoded image bytes or as a reference to an image in\n an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, passing\n image bytes is not supported. The image must be either a PNG or JPEG formatted file.
\n For each object that the model version detects on an image, the API returns a \n (CustomLabel) object in an array (CustomLabels).\n Each CustomLabel object provides the label name (Name), the level\n of confidence that the image contains the object (Confidence), and \n object location information, if it exists, for the label on the image (Geometry).
To filter labels that are returned, specify a value for MinConfidence.\n DetectCustomLabelsLabels only returns labels with a confidence that's higher than\n the specified value.\n\n The value of MinConfidence maps to the assumed threshold values\n created during training. For more information, see Assumed threshold\n in the Amazon Rekognition Custom Labels Developer Guide. \n Amazon Rekognition Custom Labels metrics expresses an assumed threshold as a floating point value between 0-1. The range of\n MinConfidence normalizes the threshold value to a percentage value (0-100). Confidence\n responses from DetectCustomLabels are also returned as a percentage. \n You can use MinConfidence to change the precision and recall or your model. \n For more information, see \n Analyzing an image in the Amazon Rekognition Custom Labels Developer Guide.
If you don't specify a value for MinConfidence, DetectCustomLabels\n returns labels based on the assumed threshold of each label.
This is a stateless API operation. That is, the operation does not persist any\n data.
\nThis operation requires permissions to perform the\n rekognition:DetectCustomLabels action.
For more information, see \n Analyzing an image in the Amazon Rekognition Custom Labels Developer Guide.
", + "smithy.api#documentation": "This operation applies only to Amazon Rekognition Custom Labels.
\nDetects custom labels in a supplied image by using an Amazon Rekognition Custom Labels model.
\nYou specify which version of a model version to use by using the ProjectVersionArn input\n parameter.
You pass the input image as base64-encoded image bytes or as a reference to an image in\n an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, passing\n image bytes is not supported. The image must be either a PNG or JPEG formatted file.
\n For each object that the model version detects on an image, the API returns a\n (CustomLabel) object in an array (CustomLabels). Each\n CustomLabel object provides the label name (Name), the level\n of confidence that the image contains the object (Confidence), and object\n location information, if it exists, for the label on the image (Geometry).\n Note that for the DetectCustomLabelsLabels operation, Polygons\n are not returned in the Geometry section of the response.
To filter labels that are returned, specify a value for MinConfidence.\n DetectCustomLabelsLabels only returns labels with a confidence that's higher than\n the specified value.\n\n The value of MinConfidence maps to the assumed threshold values\n created during training. For more information, see Assumed threshold\n in the Amazon Rekognition Custom Labels Developer Guide. \n Amazon Rekognition Custom Labels metrics expresses an assumed threshold as a floating point value between 0-1. The range of\n MinConfidence normalizes the threshold value to a percentage value (0-100). Confidence\n responses from DetectCustomLabels are also returned as a percentage. \n You can use MinConfidence to change the precision and recall or your model. \n For more information, see \n Analyzing an image in the Amazon Rekognition Custom Labels Developer Guide.
If you don't specify a value for MinConfidence, DetectCustomLabels\n returns labels based on the assumed threshold of each label.
This is a stateless API operation. That is, the operation does not persist any\n data.
\nThis operation requires permissions to perform the\n rekognition:DetectCustomLabels action.
For more information, see \n Analyzing an image in the Amazon Rekognition Custom Labels Developer Guide.
", "smithy.api#examples": [ { "title": "To detect custom labels in an image with an Amazon Rekognition Custom Labels model", @@ -4308,6 +4340,12 @@ "traits": { "smithy.api#documentation": "Identifier of the custom adapter that was used during inference. If\n during inference the adapter was EXPIRED, then the parameter will not be returned,\n indicating that a base moderation detection project version was used.
" } + }, + "ContentTypes": { + "target": "com.amazonaws.rekognition#ContentTypes", + "traits": { + "smithy.api#documentation": "A list of predicted results for the type of content an image contains. For example, \n the image content might be from animation, sports, or a video game.
" + } } }, "traits": { @@ -9641,6 +9679,20 @@ "smithy.api#documentation": "Summary that provides statistics on input manifest and errors identified in the input manifest.
" } }, + "com.amazonaws.rekognition#MediaAnalysisModelVersions": { + "type": "structure", + "members": { + "Moderation": { + "target": "com.amazonaws.rekognition#String", + "traits": { + "smithy.api#documentation": "The Moderation base model version.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Object containing information about the model versions of selected features in a given job.
" + } + }, "com.amazonaws.rekognition#MediaAnalysisOperationsConfig": { "type": "structure", "members": { @@ -9681,6 +9733,12 @@ "members": { "S3Object": { "target": "com.amazonaws.rekognition#S3Object" + }, + "ModelVersions": { + "target": "com.amazonaws.rekognition#MediaAnalysisModelVersions", + "traits": { + "smithy.api#documentation": "Information about the model versions for the features selected in a given job.
" + } } }, "traits": { @@ -9726,6 +9784,12 @@ "traits": { "smithy.api#documentation": "The name for the parent label. Labels at the top level of the hierarchy have the parent\n label \"\".
The level of the moderation label with regard to its taxonomy, from 1 to 3.
" + } } }, "traits": { @@ -11247,7 +11311,7 @@ "name": "rekognition" }, "aws.protocols#awsJson1_1": {}, - "smithy.api#documentation": "This is the API Reference for Amazon Rekognition Image, Amazon Rekognition Custom Labels,\n Amazon Rekognition Stored\n Video, Amazon Rekognition Streaming Video. It provides descriptions of actions, data types, common\n parameters, and common errors.
\n\n Amazon Rekognition Image\n
\n\n AssociateFaces\n
\n\n CompareFaces\n
\n\n CreateCollection\n
\n\n CreateUser\n
\n\n DeleteCollection\n
\n\n DeleteFaces\n
\n\n DeleteUser\n
\n\n DescribeCollection\n
\n\n DetectFaces\n
\n\n DetectLabels\n
\n\n DetectText\n
\n\n DisassociateFaces\n
\n\n GetCelebrityInfo\n
\n\n IndexFaces\n
\n\n ListCollections\n
\n\n ListFaces\n
\n\n ListUsers\n
\n\n RecognizeCelebrities\n
\n\n SearchFaces\n
\n\n SearchFacesByImage\n
\n\n SearchUsers\n
\n\n SearchUsersByImage\n
\n\n Amazon Rekognition Custom Labels\n
\n\n CopyProjectVersion\n
\n\n CreateDataset\n
\n\n CreateProject\n
\n\n CreateProjectVersion\n
\n\n DeleteDataset\n
\n\n DeleteProject\n
\n\n DeleteProjectPolicy\n
\n\n DeleteProjectVersion\n
\n\n DescribeDataset\n
\n\n DescribeProjects\n
\n\n DetectCustomLabels\n
\n\n ListDatasetEntries\n
\n\n ListDatasetLabels\n
\n\n ListProjectPolicies\n
\n\n PutProjectPolicy\n
\n\n StartProjectVersion\n
\n\n StopProjectVersion\n
\n\n UpdateDatasetEntries\n
\n\n Amazon Rekognition Video Stored Video\n
\n\n GetContentModeration\n
\n\n GetFaceDetection\n
\n\n GetFaceSearch\n
\n\n GetLabelDetection\n
\n\n GetPersonTracking\n
\n\n GetSegmentDetection\n
\n\n GetTextDetection\n
\n\n StartFaceDetection\n
\n\n StartFaceSearch\n
\n\n StartLabelDetection\n
\n\n StartPersonTracking\n
\n\n StartTextDetection\n
\n\n Amazon Rekognition Video Streaming Video\n
\n\n ListStreamProcessors\n
\n\n StartStreamProcessor\n
\n\n StopStreamProcessor\n
\nThis is the API Reference for Amazon Rekognition Image, Amazon Rekognition Custom Labels,\n Amazon Rekognition Stored\n Video, Amazon Rekognition Streaming Video. It provides descriptions of actions, data types, common\n parameters, and common errors.
\n\n Amazon Rekognition Image\n
\n\n AssociateFaces\n
\n\n CompareFaces\n
\n\n CreateCollection\n
\n\n CreateUser\n
\n\n DeleteCollection\n
\n\n DeleteFaces\n
\n\n DeleteUser\n
\n\n DescribeCollection\n
\n\n DetectFaces\n
\n\n DetectLabels\n
\n\n DetectText\n
\n\n DisassociateFaces\n
\n\n GetCelebrityInfo\n
\n\n GetMediaAnalysisJob\n
\n\n IndexFaces\n
\n\n ListCollections\n
\n\n ListMediaAnalysisJob\n
\n\n ListFaces\n
\n\n ListUsers\n
\n\n RecognizeCelebrities\n
\n\n SearchFaces\n
\n\n SearchFacesByImage\n
\n\n SearchUsers\n
\n\n SearchUsersByImage\n
\n\n Amazon Rekognition Custom Labels\n
\n\n CopyProjectVersion\n
\n\n CreateDataset\n
\n\n CreateProject\n
\n\n CreateProjectVersion\n
\n\n DeleteDataset\n
\n\n DeleteProject\n
\n\n DeleteProjectPolicy\n
\n\n DeleteProjectVersion\n
\n\n DescribeDataset\n
\n\n DescribeProjects\n
\n\n DetectCustomLabels\n
\n\n ListDatasetEntries\n
\n\n ListDatasetLabels\n
\n\n ListProjectPolicies\n
\n\n PutProjectPolicy\n
\n\n StartProjectVersion\n
\n\n StopProjectVersion\n
\n\n UpdateDatasetEntries\n
\n\n Amazon Rekognition Video Stored Video\n
\n\n GetContentModeration\n
\n\n GetFaceDetection\n
\n\n GetFaceSearch\n
\n\n GetLabelDetection\n
\n\n GetPersonTracking\n
\n\n GetSegmentDetection\n
\n\n GetTextDetection\n
\n\n StartFaceDetection\n
\n\n StartFaceSearch\n
\n\n StartLabelDetection\n
\n\n StartPersonTracking\n
\n\n StartTextDetection\n
\n\n Amazon Rekognition Video Streaming Video\n
\n\n ListStreamProcessors\n
\n\n StartStreamProcessor\n
\n\n StopStreamProcessor\n
\nThe layer's compatible runtimes. Maximum number of five items.
\nValid values: nodejs10.x | nodejs12.x | java8 |\n java11 | python2.7 | python3.6 |\n python3.7 | python3.8 | dotnetcore1.0 |\n dotnetcore2.1 | go1.x | ruby2.5 |\n provided\n
The layer's compatible function runtimes.
\nThe following list includes deprecated runtimes. For more information, see Runtime deprecation policy in the Lambda Developer Guide.
\nArray Members: Maximum number of 5 items.
\nValid Values: nodejs | nodejs4.3 | nodejs6.10 | nodejs8.10 | nodejs10.x | nodejs12.x | nodejs14.x | nodejs16.x | java8 | java8.al2 | java11 | python2.7 | python3.6 | python3.7 | python3.8 | python3.9 | dotnetcore1.0 | dotnetcore2.0 | dotnetcore2.1 | dotnetcore3.1 | dotnet6 | nodejs4.3-edge | go1.x | ruby2.5 | ruby2.7 | provided | provided.al2 | nodejs18.x | python3.10 | java17 | ruby3.2 | python3.11 | nodejs20.x | provided.al2023 | python3.12 | java21\n
Security Hub provides you with a comprehensive view of the security state of\n your Amazon Web Services environment and resources. It also provides you with the readiness\n status of your environment based on controls from supported security standards. Security Hub collects security data from Amazon Web Services accounts, services, and\n integrated third-party products and helps you analyze security trends in your environment\n to identify the highest priority security issues. For more information about Security Hub, see the \n Security Hub User \nGuide\n .
\nWhen you use operations in the Security Hub API, the requests are executed only in\n the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change\n that results from the operation is applied only to that Region. To make the same change in\n other Regions, run the same command for each Region in which you want to apply the change.
\nFor example, if your Region is set to us-west-2, when you use CreateMembers to add a member account to Security Hub, the association of\n the member account with the administrator account is created only in the us-west-2\n Region. Security Hub must be enabled for the member account in the same Region that the invitation\n was sent from.
The following throttling limits apply to using Security Hub API operations.
\n\n BatchEnableStandards - RateLimit of 1 request per\n second. BurstLimit of 1 request per second.
\n GetFindings - RateLimit of 3 requests per second.\n BurstLimit of 6 requests per second.
\n BatchImportFindings - RateLimit of 10 requests per second.\n BurstLimit of 30 requests per second.
\n BatchUpdateFindings - RateLimit of 10 requests per second.\n BurstLimit of 30 requests per second.
\n UpdateStandardsControl - RateLimit of 1 request per\n second. BurstLimit of 5 requests per second.
All other operations - RateLimit of 10 requests per second.\n BurstLimit of 30 requests per second.
Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps \n you assess your Amazon Web Services environment against security industry standards and best practices.
\nSecurity Hub collects security data across Amazon Web Services accounts, Amazon Web Services, and \n supported third-party products and helps you analyze your security trends and identify the highest priority security \n issues.
\nTo help you manage the security state of your organization, Security Hub supports multiple security standards. \n These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, \n and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data \n Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes \n several security controls, each of which represents a security best practice. Security Hub runs checks against \n security controls and generates control findings to help you assess your compliance against security best practices.
\nIn addition to generating control findings, Security Hub also receives findings from other Amazon Web Services, \n such as Amazon GuardDuty and Amazon Inspector, and \n supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You \n can also send Security Hub findings to other Amazon Web Services and supported third-party products.
\nSecurity Hub offers automation features that help you triage and remediate security issues. For example, \n you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with \n Amazon EventBridge to trigger automatic responses to specific findings.
\nThis guide, the Security Hub API Reference, provides\n information about the Security Hub API. This includes supported resources, HTTP methods, parameters,\n and schemas. If you're new to Security Hub, you might find it helpful to also review the \n Security Hub User Guide\n . The\n user guide explains key concepts and provides procedures\n that demonstrate how to use Security Hub features. It also provides information about topics such as\n integrating Security Hub with other Amazon Web Services.
\nIn addition to interacting with Security Hub by making calls to the Security Hub API, you can\n use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools \n and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell,\n Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to\n Security Hub and other Amazon Web Services . They also handle tasks such as signing requests, \n managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services tools\n and SDKs, see Tools to Build on Amazon Web Services.
\nWith the exception of operations that are related to central configuration, Security Hub API requests are executed only in\n the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change\n that results from the operation is applied only to that Region. To make the same change in\n other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, \nAPI requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of \ncentral configuration operations, see the Central configuration \nterms and concepts section of the Security Hub User Guide.
\nThe following throttling limits apply to Security Hub API operations.
\n\n BatchEnableStandards - RateLimit of 1 request per\n second. BurstLimit of 1 request per second.
\n GetFindings - RateLimit of 3 requests per second.\n BurstLimit of 6 requests per second.
\n BatchImportFindings - RateLimit of 10 requests per second.\n BurstLimit of 30 requests per second.
\n BatchUpdateFindings - RateLimit of 10 requests per second.\n BurstLimit of 30 requests per second.
\n UpdateStandardsControl - RateLimit of 1 request per\n second. BurstLimit of 5 requests per second.
All other operations - RateLimit of 10 requests per second.\n BurstLimit of 30 requests per second.