diff --git a/.changes/1.27.38.json b/.changes/1.27.38.json
new file mode 100644
index 0000000000..b5896157d0
--- /dev/null
+++ b/.changes/1.27.38.json
@@ -0,0 +1,47 @@
+[
+ {
+ "category": "``appsync``",
+ "description": "Adds support for a new API to evaluate mapping templates with mock data, allowing you to remotely unit test your AppSync resolvers and functions.",
+ "type": "api-change"
+ },
+ {
+ "category": "``detective``",
+ "description": "Added the ability to get data source package information for the behavior graph. Graph administrators can now start (or stop) optional datasources on the behavior graph.",
+ "type": "api-change"
+ },
+ {
+ "category": "``guardduty``",
+ "description": "Amazon GuardDuty introduces a new Malware Protection feature that triggers malware scan on selected EC2 instance resources, after the service detects a potentially malicious activity.",
+ "type": "api-change"
+ },
+ {
+ "category": "``lookoutvision``",
+ "description": "This release introduces support for the automatic scaling of inference units used by Amazon Lookout for Vision models.",
+ "type": "api-change"
+ },
+ {
+ "category": "``macie2``",
+ "description": "This release adds support for retrieving (revealing) sample occurrences of sensitive data that Amazon Macie detects and reports in findings.",
+ "type": "api-change"
+ },
+ {
+ "category": "``rds``",
+ "description": "Adds support for using RDS Proxies with RDS for MariaDB databases.",
+ "type": "api-change"
+ },
+ {
+ "category": "``rekognition``",
+ "description": "This release introduces support for the automatic scaling of inference units used by Amazon Rekognition Custom Labels models.",
+ "type": "api-change"
+ },
+ {
+ "category": "``securityhub``",
+ "description": "Documentation updates for AWS Security Hub",
+ "type": "api-change"
+ },
+ {
+ "category": "``transfer``",
+ "description": "AWS Transfer Family now supports Applicability Statement 2 (AS2), a network protocol used for the secure and reliable transfer of critical Business-to-Business (B2B) data over the public internet using HTTP/HTTPS as the transport mechanism.",
+ "type": "api-change"
+ }
+] \ No newline at end of file diff --git a/CHANGELOG.rst b/CHANGELOG.rst index bbecb0a02a..1e938b3398 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,20 @@ CHANGELOG ========= +1.27.38 +======= + +* api-change:``appsync``: Adds support for a new API to evaluate mapping templates with mock data, allowing you to remotely unit test your AppSync resolvers and functions. +* api-change:``detective``: Added the ability to get data source package information for the behavior graph. Graph administrators can now start (or stop) optional datasources on the behavior graph. +* api-change:``guardduty``: Amazon GuardDuty introduces a new Malware Protection feature that triggers malware scan on selected EC2 instance resources, after the service detects a potentially malicious activity. +* api-change:``lookoutvision``: This release introduces support for the automatic scaling of inference units used by Amazon Lookout for Vision models. +* api-change:``macie2``: This release adds support for retrieving (revealing) sample occurrences of sensitive data that Amazon Macie detects and reports in findings. +* api-change:``rds``: Adds support for using RDS Proxies with RDS for MariaDB databases. +* api-change:``rekognition``: This release introduces support for the automatic scaling of inference units used by Amazon Rekognition Custom Labels models. +* api-change:``securityhub``: Documentation updates for AWS Security Hub +* api-change:``transfer``: AWS Transfer Family now supports Applicability Statement 2 (AS2), a network protocol used for the secure and reliable transfer of critical Business-to-Business (B2B) data over the public internet using HTTP/HTTPS as the transport mechanism. + + 1.27.37 ======= diff --git a/botocore/__init__.py b/botocore/__init__.py index 6c0873f0b3..5d93481441 100644 --- a/botocore/__init__.py +++ b/botocore/__init__.py @@ -16,7 +16,7 @@ import os import re -__version__ = '1.27.37' +__version__ = '1.27.38' class NullHandler(logging.Handler): 
diff --git a/botocore/data/appsync/2017-07-25/service-2.json b/botocore/data/appsync/2017-07-25/service-2.json index d0bfdf74df..7970de3647 100644 --- a/botocore/data/appsync/2017-07-25/service-2.json +++ b/botocore/data/appsync/2017-07-25/service-2.json @@ -316,6 +316,21 @@ ], "documentation":"

Removes an ApiAssociation object from a custom domain.

" }, + "EvaluateMappingTemplate":{ + "name":"EvaluateMappingTemplate", + "http":{ + "method":"POST", + "requestUri":"/v1/dataplane-evaluatetemplate" + }, + "input":{"shape":"EvaluateMappingTemplateRequest"}, + "output":{"shape":"EvaluateMappingTemplateResponse"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"InternalFailureException"}, + {"shape":"BadRequestException"} + ], + "documentation":"

Evaluates a given template and returns the response. The mapping template can be a request or response template.

Request templates take the incoming request after a GraphQL operation is parsed and convert it into a request configuration for the selected data source operation. Response templates interpret responses from the data source and map it to the shape of the GraphQL field output type.

Mapping templates are written in the Apache Velocity Template Language (VTL).

" + }, "FlushApiCache":{ "name":"FlushApiCache", "http":{ @@ -1101,6 +1116,7 @@ "BooleanValue":{"type":"boolean"}, "CachingConfig":{ "type":"structure", + "required":["ttl"], "members":{ "ttl":{ "shape":"Long", @@ -1140,7 +1156,7 @@ }, "appIdClientRegex":{ "shape":"String", - "documentation":"

A regular expression for validating the incoming Amazon Cognito user pool app client ID.

" + "documentation":"

A regular expression for validating the incoming Amazon Cognito user pool app client ID. If this value isn't set, no filtering is applied.

" } }, "documentation":"

Describes an Amazon Cognito user pool configuration.

" @@ -1170,6 +1186,12 @@ "NONE" ] }, + "Context":{ + "type":"string", + "max":28000, + "min":2, + "pattern":"^[\\s\\S]*$" + }, "CreateApiCacheRequest":{ "type":"structure", "required":[ @@ -1939,7 +1961,53 @@ }, "documentation":"

Describes an OpenSearch data source configuration.

As of September 2021, Amazon Elasticsearch service is Amazon OpenSearch Service. This configuration is deprecated. For new data sources, use OpenSearchServiceDataSourceConfig to specify an OpenSearch data source.

" }, + "ErrorDetail":{ + "type":"structure", + "members":{ + "message":{ + "shape":"ErrorMessage", + "documentation":"

The error payload.

" + } + }, + "documentation":"

Contains the list of errors generated when attempting to evaluate a mapping template.

" + }, "ErrorMessage":{"type":"string"}, + "EvaluateMappingTemplateRequest":{ + "type":"structure", + "required":[ + "template", + "context" + ], + "members":{ + "template":{ + "shape":"Template", + "documentation":"

The mapping template; this can be a request or response template. A template is required for this action.

" + }, + "context":{ + "shape":"Context", + "documentation":"

The map that holds all of the contextual information for your resolver invocation. A context is required for this action.

" + } + } + }, + "EvaluateMappingTemplateResponse":{ + "type":"structure", + "members":{ + "evaluationResult":{ + "shape":"EvaluationResult", + "documentation":"

The mapping template; this can be a request or response template.

" + }, + "error":{ + "shape":"ErrorDetail", + "documentation":"

The ErrorDetail object.

" + } + } + }, + "EvaluationResult":{ + "type":"string", + "max":65536, + "min":0, + "pattern":"^[\\s\\S]*$" + }, "FieldLogLevel":{ "type":"string", "enum":[ @@ -3122,6 +3190,12 @@ "max":256, "pattern":"^[\\s\\w+-=\\.:/@]*$" }, + "Template":{ + "type":"string", + "max":65536, + "min":2, + "pattern":"^[\\s\\S]*$" + }, "Type":{ "type":"structure", "members":{ @@ -3612,7 +3686,7 @@ }, "appIdClientRegex":{ "shape":"String", - "documentation":"

A regular expression for validating the incoming Amazon Cognito user pool app client ID.

" + "documentation":"

A regular expression for validating the incoming Amazon Cognito user pool app client ID. If this value isn't set, no filtering is applied.

" } }, "documentation":"

Describes an Amazon Cognito user pool configuration.

" diff --git a/botocore/data/detective/2018-10-26/service-2.json b/botocore/data/detective/2018-10-26/service-2.json index 74c0896f0d..25a4fdb912 100644 --- a/botocore/data/detective/2018-10-26/service-2.json +++ b/botocore/data/detective/2018-10-26/service-2.json @@ -27,6 +27,36 @@ ], "documentation":"

Accepts an invitation for the member account to contribute data to a behavior graph. This operation can only be called by an invited member account.

The request provides the ARN of behavior graph.

The member account status in the graph must be INVITED.

" }, + "BatchGetGraphMemberDatasources":{ + "name":"BatchGetGraphMemberDatasources", + "http":{ + "method":"POST", + "requestUri":"/graph/datasources/get" + }, + "input":{"shape":"BatchGetGraphMemberDatasourcesRequest"}, + "output":{"shape":"BatchGetGraphMemberDatasourcesResponse"}, + "errors":[ + {"shape":"InternalServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ValidationException"} + ], + "documentation":"

Gets data source package information for the behavior graph.

" + }, + "BatchGetMembershipDatasources":{ + "name":"BatchGetMembershipDatasources", + "http":{ + "method":"POST", + "requestUri":"/membership/datasources/get" + }, + "input":{"shape":"BatchGetMembershipDatasourcesRequest"}, + "output":{"shape":"BatchGetMembershipDatasourcesResponse"}, + "errors":[ + {"shape":"InternalServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ValidationException"} + ], + "documentation":"

Gets information on the data source package history for an account.

" + }, "CreateGraph":{ "name":"CreateGraph", "http":{ @@ -114,7 +144,7 @@ {"shape":"ValidationException"}, {"shape":"TooManyRequestsException"} ], - "documentation":"

Removes the Detective administrator account for the organization in the current Region. Deletes the behavior graph for that account.

Can only be called by the organization management account. Before you can select a different Detective administrator account, you must remove the Detective administrator account in all Regions.

" + "documentation":"

Removes the Detective administrator account in the current Region. Deletes the organization behavior graph.

Can only be called by the organization management account.

Removing the Detective administrator account does not affect the delegated administrator account for Detective in Organizations.

To remove the delegated administrator account in Organizations, use the Organizations API. Removing the delegated administrator account also removes the Detective administrator account in all Regions, except for Regions where the Detective administrator account is the organization management account.

" }, "DisassociateMembership":{ "name":"DisassociateMembership", @@ -143,7 +173,7 @@ {"shape":"ValidationException"}, {"shape":"TooManyRequestsException"} ], - "documentation":"

Designates the Detective administrator account for the organization in the current Region.

If the account does not have Detective enabled, then enables Detective for that account and creates a new behavior graph.

Can only be called by the organization management account.

The Detective administrator account for an organization must be the same in all Regions. If you already designated a Detective administrator account in another Region, then you must designate the same account.

" + "documentation":"

Designates the Detective administrator account for the organization in the current Region.

If the account does not have Detective enabled, then enables Detective for that account and creates a new behavior graph.

Can only be called by the organization management account.

If the organization has a delegated administrator account in Organizations, then the Detective administrator account must be either the delegated administrator account or the organization management account.

If the organization does not have a delegated administrator account in Organizations, then you can choose any account in the organization. If you choose an account other than the organization management account, Detective calls Organizations to make that account the delegated administrator account for Detective. The organization management account cannot be the delegated administrator account.

" }, "GetMembers":{ "name":"GetMembers", @@ -160,6 +190,21 @@ ], "documentation":"

Returns the membership details for specified member accounts for a behavior graph.

" }, + "ListDatasourcePackages":{ + "name":"ListDatasourcePackages", + "http":{ + "method":"POST", + "requestUri":"/graph/datasources/list" + }, + "input":{"shape":"ListDatasourcePackagesRequest"}, + "output":{"shape":"ListDatasourcePackagesResponse"}, + "errors":[ + {"shape":"InternalServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ValidationException"} + ], + "documentation":"

Lists data source packages in the behavior graph.

" + }, "ListGraphs":{ "name":"ListGraphs", "http":{ @@ -297,6 +342,21 @@ ], "documentation":"

Removes tags from a behavior graph.

" }, + "UpdateDatasourcePackages":{ + "name":"UpdateDatasourcePackages", + "http":{ + "method":"POST", + "requestUri":"/graph/datasources/update" + }, + "input":{"shape":"UpdateDatasourcePackagesRequest"}, + "errors":[ + {"shape":"InternalServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ServiceQuotaExceededException"}, + {"shape":"ValidationException"} + ], + "documentation":"

Starts a data source packages for the behavior graph.

" + }, "UpdateOrganizationConfiguration":{ "name":"UpdateOrganizationConfiguration", "http":{ @@ -347,6 +407,12 @@ "min":12, "pattern":"^[0-9]+$" }, + "AccountIdExtendedList":{ + "type":"list", + "member":{"shape":"AccountId"}, + "max":200, + "min":1 + }, "AccountIdList":{ "type":"list", "member":{"shape":"AccountId"}, @@ -381,6 +447,59 @@ "type":"list", "member":{"shape":"Administrator"} }, + "BatchGetGraphMemberDatasourcesRequest":{ + "type":"structure", + "required":[ + "GraphArn", + "AccountIds" + ], + "members":{ + "GraphArn":{ + "shape":"GraphArn", + "documentation":"

The ARN of the behavior graph.

" + }, + "AccountIds":{ + "shape":"AccountIdExtendedList", + "documentation":"

The list of Amazon Web Services accounts to get data source package information on.

" + } + } + }, + "BatchGetGraphMemberDatasourcesResponse":{ + "type":"structure", + "members":{ + "MemberDatasources":{ + "shape":"MembershipDatasourcesList", + "documentation":"

Details on the status of data source packages for members of the behavior graph.

" + }, + "UnprocessedAccounts":{ + "shape":"UnprocessedAccountList", + "documentation":"

Accounts that data source package information could not be retrieved for.

" + } + } + }, + "BatchGetMembershipDatasourcesRequest":{ + "type":"structure", + "required":["GraphArns"], + "members":{ + "GraphArns":{ + "shape":"GraphArnList", + "documentation":"

The ARN of the behavior graph.

" + } + } + }, + "BatchGetMembershipDatasourcesResponse":{ + "type":"structure", + "members":{ + "MembershipDatasources":{ + "shape":"MembershipDatasourcesList", + "documentation":"

Details on the data source package history for an member of the behavior graph.

" + }, + "UnprocessedGraphs":{ + "shape":"UnprocessedGraphList", + "documentation":"

Graphs that data source package information could not be retrieved for.

" + } + } + }, "Boolean":{"type":"boolean"}, "ByteValue":{"type":"long"}, "ConflictException":{ @@ -448,6 +567,70 @@ } } }, + "DatasourcePackage":{ + "type":"string", + "enum":[ + "DETECTIVE_CORE", + "EKS_AUDIT" + ] + }, + "DatasourcePackageIngestDetail":{ + "type":"structure", + "members":{ + "DatasourcePackageIngestState":{ + "shape":"DatasourcePackageIngestState", + "documentation":"

Details on which data source packages are ingested for a member account.

" + }, + "LastIngestStateChange":{ + "shape":"LastIngestStateChangeDates", + "documentation":"

The date a data source package was enabled for this account

" + } + }, + "documentation":"

Details about the data source packages ingested by your behavior graph.

" + }, + "DatasourcePackageIngestDetails":{ + "type":"map", + "key":{"shape":"DatasourcePackage"}, + "value":{"shape":"DatasourcePackageIngestDetail"} + }, + "DatasourcePackageIngestHistory":{ + "type":"map", + "key":{"shape":"DatasourcePackage"}, + "value":{"shape":"LastIngestStateChangeDates"} + }, + "DatasourcePackageIngestState":{ + "type":"string", + "enum":[ + "STARTED", + "STOPPED", + "DISABLED" + ] + }, + "DatasourcePackageIngestStates":{ + "type":"map", + "key":{"shape":"DatasourcePackage"}, + "value":{"shape":"DatasourcePackageIngestState"} + }, + "DatasourcePackageList":{ + "type":"list", + "member":{"shape":"DatasourcePackage"}, + "max":25, + "min":1 + }, + "DatasourcePackageUsageInfo":{ + "type":"structure", + "members":{ + "VolumeUsageInBytes":{ + "shape":"ByteValue", + "documentation":"

Total volume of data in bytes per day ingested for a given data source package.

" + }, + "VolumeUsageUpdateTime":{ + "shape":"Timestamp", + "documentation":"

The data and time when the member account data volume was last updated. The value is an ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

" + } + }, + "documentation":"

Information on the usage of a data source package in the behavior graph.

" + }, "DeleteGraphRequest":{ "type":"structure", "required":["GraphArn"], @@ -538,6 +721,15 @@ } } }, + "ErrorCode":{ + "type":"string", + "enum":[ + "INVALID_GRAPH_ARN", + "INVALID_REQUEST_BODY", + "INTERNAL_ERROR" + ] + }, + "ErrorCodeReason":{"type":"string"}, "ErrorMessage":{"type":"string"}, "GetMembersRequest":{ "type":"structure", @@ -587,6 +779,12 @@ "type":"string", "pattern":"^arn:aws[-\\w]{0,10}?:detective:[-\\w]{2,20}?:\\d{12}?:graph:[abcdef\\d]{32}?$" }, + "GraphArnList":{ + "type":"list", + "member":{"shape":"GraphArn"}, + "max":50, + "min":1 + }, "GraphList":{ "type":"list", "member":{"shape":"Graph"} @@ -607,6 +805,42 @@ "ORGANIZATION" ] }, + "LastIngestStateChangeDates":{ + "type":"map", + "key":{"shape":"DatasourcePackageIngestState"}, + "value":{"shape":"TimestampForCollection"} + }, + "ListDatasourcePackagesRequest":{ + "type":"structure", + "required":["GraphArn"], + "members":{ + "GraphArn":{ + "shape":"GraphArn", + "documentation":"

The ARN of the behavior graph.

" + }, + "NextToken":{ + "shape":"PaginationToken", + "documentation":"

For requests to get the next page of results, the pagination token that was returned with the previous set of results. The initial request does not include a pagination token.

" + }, + "MaxResults":{ + "shape":"MemberResultsLimit", + "documentation":"

The maximum number of results to return.

" + } + } + }, + "ListDatasourcePackagesResponse":{ + "type":"structure", + "members":{ + "DatasourcePackages":{ + "shape":"DatasourcePackageIngestDetails", + "documentation":"

Details on the data source packages active in the behavior graph.

" + }, + "NextToken":{ + "shape":"PaginationToken", + "documentation":"

For requests to get the next page of results, the pagination token that was returned with the previous set of results. The initial request does not include a pagination token.

" + } + } + }, "ListGraphsRequest":{ "type":"structure", "members":{ @@ -708,7 +942,7 @@ "members":{ "Administrators":{ "shape":"AdministratorList", - "documentation":"

The list of delegated administrator accounts.

" + "documentation":"

The list of Detective administrator accounts.

" }, "NextToken":{ "shape":"PaginationToken", @@ -780,27 +1014,39 @@ }, "VolumeUsageInBytes":{ "shape":"ByteValue", - "documentation":"

The data volume in bytes per day for the member account.

" + "documentation":"

The data volume in bytes per day for the member account.

", + "deprecated":true, + "deprecatedMessage":"This property is deprecated. Use VolumeUsageByDatasourcePackage instead." }, "VolumeUsageUpdatedTime":{ "shape":"Timestamp", - "documentation":"

The data and time when the member account data volume was last updated. The value is an ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

" + "documentation":"

The data and time when the member account data volume was last updated. The value is an ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

", + "deprecated":true, + "deprecatedMessage":"This property is deprecated. Use VolumeUsageByDatasourcePackage instead." }, "PercentOfGraphUtilization":{ "shape":"Percentage", "documentation":"

The member account data volume as a percentage of the maximum allowed data volume. 0 indicates 0 percent, and 100 indicates 100 percent.

Note that this is not the percentage of the behavior graph data volume.

For example, the data volume for the behavior graph is 80 GB per day. The maximum data volume is 160 GB per day. If the data volume for the member account is 40 GB per day, then PercentOfGraphUtilization is 25. It represents 25% of the maximum allowed data volume.

", "deprecated":true, - "deprecatedMessage":"This property is deprecated. Use VolumeUsageInBytes instead." + "deprecatedMessage":"This property is deprecated. Use VolumeUsageByDatasourcePackage instead." }, "PercentOfGraphUtilizationUpdatedTime":{ "shape":"Timestamp", "documentation":"

The date and time when the graph utilization percentage was last updated. The value is an ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

", "deprecated":true, - "deprecatedMessage":"This property is deprecated. Use VolumeUsageUpdatedTime instead." + "deprecatedMessage":"This property is deprecated. Use VolumeUsageByDatasourcePackage instead." }, "InvitationType":{ "shape":"InvitationType", "documentation":"

The type of behavior graph membership.

For an organization account in the organization behavior graph, the type is ORGANIZATION.

For an account that was invited to a behavior graph, the type is INVITATION.

" + }, + "VolumeUsageByDatasourcePackage":{ + "shape":"VolumeUsageByDatasourcePackage", + "documentation":"

Details on the volume of usage for each data source package in a behavior graph.

" + }, + "DatasourcePackageIngestStates":{ + "shape":"DatasourcePackageIngestStates", + "documentation":"

The state of a data source package for the behavior graph.

" } }, "documentation":"

Details about a member account in a behavior graph.

" @@ -832,6 +1078,28 @@ "ACCEPTED_BUT_DISABLED" ] }, + "MembershipDatasources":{ + "type":"structure", + "members":{ + "AccountId":{ + "shape":"AccountId", + "documentation":"

The account identifier of the Amazon Web Services account.

" + }, + "GraphArn":{ + "shape":"GraphArn", + "documentation":"

The ARN of the organization behavior graph.

" + }, + "DatasourcePackageIngestHistory":{ + "shape":"DatasourcePackageIngestHistory", + "documentation":"

Details on when a data source package was added to a behavior graph.

" + } + }, + "documentation":"

Details on data source packages for members of the behavior graph.

" + }, + "MembershipDatasourcesList":{ + "type":"list", + "member":{"shape":"MembershipDatasources"} + }, "PaginationToken":{ "type":"string", "max":1024, @@ -848,6 +1116,17 @@ } } }, + "Resource":{ + "type":"string", + "max":64, + "min":1 + }, + "ResourceList":{ + "type":"list", + "member":{"shape":"Resource"}, + "max":50, + "min":1 + }, "ResourceNotFoundException":{ "type":"structure", "members":{ @@ -860,7 +1139,11 @@ "ServiceQuotaExceededException":{ "type":"structure", "members":{ - "Message":{"shape":"ErrorMessage"} + "Message":{"shape":"ErrorMessage"}, + "Resources":{ + "shape":"ResourceList", + "documentation":"

The type of resource that has exceeded the service quota.

" + } }, "documentation":"

This request cannot be completed for one of the following reasons.

", "error":{"httpStatusCode":402}, @@ -934,6 +1217,16 @@ "type":"timestamp", "timestampFormat":"iso8601" }, + "TimestampForCollection":{ + "type":"structure", + "members":{ + "Timestamp":{ + "shape":"Timestamp", + "documentation":"

The data and time when data collection began for a source package. The value is an ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.

" + } + }, + "documentation":"

Details on when data collection began for a source package.

" + }, "TooManyRequestsException":{ "type":"structure", "members":{ @@ -961,6 +1254,24 @@ "type":"list", "member":{"shape":"UnprocessedAccount"} }, + "UnprocessedGraph":{ + "type":"structure", + "members":{ + "GraphArn":{ + "shape":"GraphArn", + "documentation":"

The ARN of the organization behavior graph.

" + }, + "Reason":{ + "shape":"UnprocessedReason", + "documentation":"

The reason data source package information could not be processed for a behavior graph.

" + } + }, + "documentation":"

Behavior graphs that could not be processed in the request.

" + }, + "UnprocessedGraphList":{ + "type":"list", + "member":{"shape":"UnprocessedGraph"} + }, "UnprocessedReason":{"type":"string"}, "UntagResourceRequest":{ "type":"structure", @@ -988,6 +1299,23 @@ "members":{ } }, + "UpdateDatasourcePackagesRequest":{ + "type":"structure", + "required":[ + "GraphArn", + "DatasourcePackages" + ], + "members":{ + "GraphArn":{ + "shape":"GraphArn", + "documentation":"

The ARN of the behavior graph.

" + }, + "DatasourcePackages":{ + "shape":"DatasourcePackageList", + "documentation":"

The data source package start for the behavior graph.

" + } + } + }, "UpdateOrganizationConfigurationRequest":{ "type":"structure", "required":["GraphArn"], @@ -1005,12 +1333,25 @@ "ValidationException":{ "type":"structure", "members":{ - "Message":{"shape":"ErrorMessage"} + "Message":{"shape":"ErrorMessage"}, + "ErrorCode":{ + "shape":"ErrorCode", + "documentation":"

The error code associated with the validation failure.

" + }, + "ErrorCodeReason":{ + "shape":"ErrorCodeReason", + "documentation":"

An explanation of why validation failed.

" + } }, "documentation":"

The request parameters are invalid.

", "error":{"httpStatusCode":400}, "exception":true + }, + "VolumeUsageByDatasourcePackage":{ + "type":"map", + "key":{"shape":"DatasourcePackage"}, + "value":{"shape":"DatasourcePackageUsageInfo"} } }, - "documentation":"

Detective uses machine learning and purpose-built visualizations to help you to analyze and investigate security issues across your Amazon Web Services (Amazon Web Services) workloads. Detective automatically extracts time-based events such as login attempts, API calls, and network traffic from CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow logs. It also extracts findings detected by Amazon GuardDuty.

The Detective API primarily supports the creation and management of behavior graphs. A behavior graph contains the extracted data from a set of member accounts, and is created and managed by an administrator account.

To add a member account to the behavior graph, the administrator account sends an invitation to the account. When the account accepts the invitation, it becomes a member account in the behavior graph.

Detective is also integrated with Organizations. The organization management account designates the Detective administrator account for the organization. That account becomes the administrator account for the organization behavior graph. The Detective administrator account can enable any organization account as a member account in the organization behavior graph. The organization accounts do not receive invitations. The Detective administrator account can also invite other accounts to the organization behavior graph.

Every behavior graph is specific to a Region. You can only use the API to manage behavior graphs that belong to the Region that is associated with the currently selected endpoint.

The administrator account for a behavior graph can use the Detective API to do the following:

The organization management account can use the Detective API to select the delegated administrator for Detective.

The Detective administrator account for an organization can use the Detective API to do the following:

An invited member account can use the Detective API to do the following:

All API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.

We replaced the term \"master account\" with the term \"administrator account.\" An administrator account is used to centrally manage multiple accounts. In the case of Detective, the administrator account manages the accounts in their behavior graph.

" + "documentation":"

Detective uses machine learning and purpose-built visualizations to help you to analyze and investigate security issues across your Amazon Web Services (Amazon Web Services) workloads. Detective automatically extracts time-based events such as login attempts, API calls, and network traffic from CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow logs. It also extracts findings detected by Amazon GuardDuty.

The Detective API primarily supports the creation and management of behavior graphs. A behavior graph contains the extracted data from a set of member accounts, and is created and managed by an administrator account.

To add a member account to the behavior graph, the administrator account sends an invitation to the account. When the account accepts the invitation, it becomes a member account in the behavior graph.

Detective is also integrated with Organizations. The organization management account designates the Detective administrator account for the organization. That account becomes the administrator account for the organization behavior graph. The Detective administrator account is also the delegated administrator account for Detective in Organizations.

The Detective administrator account can enable any organization account as a member account in the organization behavior graph. The organization accounts do not receive invitations. The Detective administrator account can also invite other accounts to the organization behavior graph.

Every behavior graph is specific to a Region. You can only use the API to manage behavior graphs that belong to the Region that is associated with the currently selected endpoint.

The administrator account for a behavior graph can use the Detective API to do the following:

The organization management account can use the Detective API to select the delegated administrator for Detective.

The Detective administrator account for an organization can use the Detective API to do the following:

An invited member account can use the Detective API to do the following:

All API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.

We replaced the term \"master account\" with the term \"administrator account.\" An administrator account is used to centrally manage multiple accounts. In the case of Detective, the administrator account manages the accounts in their behavior graph.

" } diff --git a/botocore/data/guardduty/2017-11-28/paginators-1.json b/botocore/data/guardduty/2017-11-28/paginators-1.json index d2d3d8514b..1fbdda3ba8 100644 --- a/botocore/data/guardduty/2017-11-28/paginators-1.json +++ b/botocore/data/guardduty/2017-11-28/paginators-1.json @@ -47,6 +47,12 @@ "output_token": "NextToken", "limit_key": "MaxResults", "result_key": "AdminAccounts" + }, + "DescribeMalwareScans": { + "input_token": "NextToken", + "output_token": "NextToken", + "limit_key": "MaxResults", + "result_key": "Scans" } } } diff --git a/botocore/data/guardduty/2017-11-28/service-2.json b/botocore/data/guardduty/2017-11-28/service-2.json index 02f1c5820a..dc5485f02a 100644 --- a/botocore/data/guardduty/2017-11-28/service-2.json +++ b/botocore/data/guardduty/2017-11-28/service-2.json @@ -284,6 +284,21 @@ ], "documentation":"

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

" }, + "DescribeMalwareScans":{ + "name":"DescribeMalwareScans", + "http":{ + "method":"POST", + "requestUri":"/detector/{detectorId}/malware-scans", + "responseCode":200 + }, + "input":{"shape":"DescribeMalwareScansRequest"}, + "output":{"shape":"DescribeMalwareScansResponse"}, + "errors":[ + {"shape":"BadRequestException"}, + {"shape":"InternalServerErrorException"} + ], + "documentation":"

Returns a list of malware scans.

" + }, "DescribeOrganizationConfiguration":{ "name":"DescribeOrganizationConfiguration", "http":{ @@ -496,6 +511,21 @@ ], "documentation":"

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

" }, + "GetMalwareScanSettings":{ + "name":"GetMalwareScanSettings", + "http":{ + "method":"GET", + "requestUri":"/detector/{detectorId}/malware-scan-settings", + "responseCode":200 + }, + "input":{"shape":"GetMalwareScanSettingsRequest"}, + "output":{"shape":"GetMalwareScanSettingsResponse"}, + "errors":[ + {"shape":"BadRequestException"}, + {"shape":"InternalServerErrorException"} + ], + "documentation":"

Returns the details of the malware scan settings.

" + }, "GetMasterAccount":{ "name":"GetMasterAccount", "http":{ @@ -888,6 +918,21 @@ ], "documentation":"

Updates the IPSet specified by the IPSet ID.

" }, + "UpdateMalwareScanSettings":{ + "name":"UpdateMalwareScanSettings", + "http":{ + "method":"POST", + "requestUri":"/detector/{detectorId}/malware-scan-settings", + "responseCode":200 + }, + "input":{"shape":"UpdateMalwareScanSettingsRequest"}, + "output":{"shape":"UpdateMalwareScanSettingsResponse"}, + "errors":[ + {"shape":"BadRequestException"}, + {"shape":"InternalServerErrorException"} + ], + "documentation":"

Updates the malware scan settings.

" + }, "UpdateMemberDetectors":{ "name":"UpdateMemberDetectors", "http":{ @@ -1874,6 +1919,17 @@ "key":{"shape":"String"}, "value":{"shape":"Condition"} }, + "CriterionKey":{ + "type":"string", + "enum":[ + "EC2_INSTANCE_ARN", + "SCAN_ID", + "ACCOUNT_ID", + "GUARDDUTY_FINDING_ID", + "SCAN_START_TIME", + "SCAN_STATUS" + ] + }, "DNSLogsConfigurationResult":{ "type":"structure", "required":["Status"], @@ -1893,7 +1949,8 @@ "CLOUD_TRAIL", "DNS_LOGS", "S3_LOGS", - "KUBERNETES_AUDIT_LOGS" + "KUBERNETES_AUDIT_LOGS", + "EC2_MALWARE_SCAN" ] }, "DataSourceConfigurations":{ @@ -1908,6 +1965,11 @@ "shape":"KubernetesConfiguration", "documentation":"

Describes whether any Kubernetes logs are enabled as data sources.

", "locationName":"kubernetes" + }, + "MalwareProtection":{ + "shape":"MalwareProtectionConfiguration", + "documentation":"

Describes whether Malware Protection is enabled as a data source.

", + "locationName":"malwareProtection" } }, "documentation":"

Contains information about which data sources are enabled.

" @@ -1945,6 +2007,11 @@ "shape":"KubernetesConfigurationResult", "documentation":"

An object that contains information on the status of all Kubernetes data sources.

", "locationName":"kubernetes" + }, + "MalwareProtection":{ + "shape":"MalwareProtectionConfigurationResult", + "documentation":"

Describes the configuration of Malware Protection data sources.

", + "locationName":"malwareProtection" } }, "documentation":"

Contains information on the status of data sources for the detector.

" @@ -2000,6 +2067,11 @@ "shape":"KubernetesDataSourceFreeTrial", "documentation":"

Describes whether any Kubernetes logs are enabled as data sources.

", "locationName":"kubernetes" + }, + "MalwareProtection":{ + "shape":"MalwareProtectionDataSourceFreeTrial", + "documentation":"

Describes whether Malware Protection is enabled as a data source.

", + "locationName":"malwareProtection" } }, "documentation":"

Contains information about which data sources are enabled for the GuardDuty member account.

" @@ -2216,6 +2288,54 @@ "members":{ } }, + "DescribeMalwareScansRequest":{ + "type":"structure", + "required":["DetectorId"], + "members":{ + "DetectorId":{ + "shape":"DetectorId", + "documentation":"

The unique ID of the detector that the request is associated with.

", + "location":"uri", + "locationName":"detectorId" + }, + "NextToken":{ + "shape":"String", + "documentation":"

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

", + "locationName":"nextToken" + }, + "MaxResults":{ + "shape":"IntegerValueWithMax", + "documentation":"

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

", + "locationName":"maxResults" + }, + "FilterCriteria":{ + "shape":"FilterCriteria", + "documentation":"

Represents the criteria to be used in the filter for describing scan entries.

", + "locationName":"filterCriteria" + }, + "SortCriteria":{ + "shape":"SortCriteria", + "documentation":"

Represents the criteria used for sorting scan entries.

", + "locationName":"sortCriteria" + } + } + }, + "DescribeMalwareScansResponse":{ + "type":"structure", + "required":["Scans"], + "members":{ + "Scans":{ + "shape":"Scans", + "documentation":"

Contains information about malware scans.

", + "locationName":"scans" + }, + "NextToken":{ + "shape":"String", + "documentation":"

The pagination parameter to be used on the next list operation to retrieve more items.

", + "locationName":"nextToken" + } + } + }, "DescribeOrganizationConfigurationRequest":{ "type":"structure", "required":["DetectorId"], @@ -2500,6 +2620,178 @@ "documentation":"

Contains information about the domain.

" }, "Double":{"type":"double"}, + "EbsSnapshotPreservation":{ + "type":"string", + "enum":[ + "NO_RETENTION", + "RETENTION_WITH_FINDING" + ] + }, + "EbsVolumeDetails":{ + "type":"structure", + "members":{ + "ScannedVolumeDetails":{ + "shape":"VolumeDetails", + "documentation":"

List of EBS volumes that were scanned.

", + "locationName":"scannedVolumeDetails" + }, + "SkippedVolumeDetails":{ + "shape":"VolumeDetails", + "documentation":"

List of EBS volumes that were skipped from the malware scan.

", + "locationName":"skippedVolumeDetails" + } + }, + "documentation":"

Contains list of scanned and skipped EBS volumes with details.

" + }, + "EbsVolumeScanDetails":{ + "type":"structure", + "members":{ + "ScanId":{ + "shape":"String", + "documentation":"

Unique Id of the malware scan that generated the finding.

", + "locationName":"scanId" + }, + "ScanStartedAt":{ + "shape":"Timestamp", + "documentation":"

Returns the start date and time of the malware scan.

", + "locationName":"scanStartedAt" + }, + "ScanCompletedAt":{ + "shape":"Timestamp", + "documentation":"

Returns the completion date and time of the malware scan.

", + "locationName":"scanCompletedAt" + }, + "TriggerFindingId":{ + "shape":"String", + "documentation":"

GuardDuty finding ID that triggered a malware scan.

", + "locationName":"triggerFindingId" + }, + "Sources":{ + "shape":"Sources", + "documentation":"

Contains list of threat intelligence sources used to detect threats.

", + "locationName":"sources" + }, + "ScanDetections":{ + "shape":"ScanDetections", + "documentation":"

Contains a complete view providing malware scan result details.

", + "locationName":"scanDetections" + } + }, + "documentation":"

Contains details from the malware scan that created a finding.

" + }, + "EbsVolumesResult":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"DataSourceStatus", + "documentation":"

Describes whether scanning EBS volumes is enabled as a data source.

", + "locationName":"status" + } + }, + "documentation":"

Describes the configuration of scanning EBS volumes as a data source.

" + }, + "EcsClusterDetails":{ + "type":"structure", + "members":{ + "Name":{ + "shape":"String", + "documentation":"

The name of the ECS Cluster.

", + "locationName":"name" + }, + "Arn":{ + "shape":"String", + "documentation":"

The Amazon Resource Name (ARN) that identifies the cluster.

", + "locationName":"arn" + }, + "Status":{ + "shape":"String", + "documentation":"

The status of the ECS cluster.

", + "locationName":"status" + }, + "ActiveServicesCount":{ + "shape":"Integer", + "documentation":"

The number of services that are running on the cluster in an ACTIVE state.

", + "locationName":"activeServicesCount" + }, + "RegisteredContainerInstancesCount":{ + "shape":"Integer", + "documentation":"

The number of container instances registered into the cluster.

", + "locationName":"registeredContainerInstancesCount" + }, + "RunningTasksCount":{ + "shape":"Integer", + "documentation":"

The number of tasks in the cluster that are in the RUNNING state.

", + "locationName":"runningTasksCount" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

The tags of the ECS Cluster.

", + "locationName":"tags" + }, + "TaskDetails":{ + "shape":"EcsTaskDetails", + "documentation":"

Contains information about the details of the ECS Task.

", + "locationName":"taskDetails" + } + }, + "documentation":"

Contains information about the details of the ECS Cluster.

" + }, + "EcsTaskDetails":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"String", + "documentation":"

The Amazon Resource Name (ARN) of the task.

", + "locationName":"arn" + }, + "DefinitionArn":{ + "shape":"String", + "documentation":"

The ARN of the task definition that creates the task.

", + "locationName":"definitionArn" + }, + "Version":{ + "shape":"String", + "documentation":"

The version counter for the task.

", + "locationName":"version" + }, + "TaskCreatedAt":{ + "shape":"Timestamp", + "documentation":"

The Unix timestamp for the time when the task was created.

", + "locationName":"createdAt" + }, + "StartedAt":{ + "shape":"Timestamp", + "documentation":"

The Unix timestamp for the time when the task started.

", + "locationName":"startedAt" + }, + "StartedBy":{ + "shape":"String", + "documentation":"

Contains the tag specified when a task is started.

", + "locationName":"startedBy" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

The tags of the ECS Task.

", + "locationName":"tags" + }, + "Volumes":{ + "shape":"Volumes", + "documentation":"

The list of data volume definitions for the task.

", + "locationName":"volumes" + }, + "Containers":{ + "shape":"Containers", + "documentation":"

The containers that's associated with the task.

", + "locationName":"containers" + }, + "Group":{ + "shape":"String", + "documentation":"

The name of the task group that's associated with the task.

", + "locationName":"group" + } + }, + "documentation":"

Contains information about the task in an ECS cluster.

" + }, "EksClusterDetails":{ "type":"structure", "members":{ @@ -2583,6 +2875,10 @@ "NOT_USEFUL" ] }, + "FilePaths":{ + "type":"list", + "member":{"shape":"ScanFilePath"} + }, "FilterAction":{ "type":"string", "enum":[ @@ -2592,6 +2888,60 @@ "max":300, "min":1 }, + "FilterCondition":{ + "type":"structure", + "members":{ + "EqualsValue":{ + "shape":"NonEmptyString", + "documentation":"

Represents an equal condition to be applied to a single field when querying for scan entries.

", + "locationName":"equalsValue" + }, + "GreaterThan":{ + "shape":"LongValue", + "documentation":"

Represents a greater than condition to be applied to a single field when querying for scan entries.

", + "locationName":"greaterThan" + }, + "LessThan":{ + "shape":"LongValue", + "documentation":"

Represents a less than condition to be applied to a single field when querying for scan entries.

", + "locationName":"lessThan" + } + }, + "documentation":"

Contains information about the condition.

" + }, + "FilterCriteria":{ + "type":"structure", + "members":{ + "FilterCriterion":{ + "shape":"FilterCriterionList", + "documentation":"

Represents a condition that when matched will be added to the response of the operation.

", + "locationName":"filterCriterion" + } + }, + "documentation":"

Represents the criteria to be used in the filter for describing scan entries.

" + }, + "FilterCriterion":{ + "type":"structure", + "members":{ + "CriterionKey":{ + "shape":"CriterionKey", + "documentation":"

An enum value representing possible scan properties to match with given scan entries.

", + "locationName":"criterionKey" + }, + "FilterCondition":{ + "shape":"FilterCondition", + "documentation":"

Contains information about the condition.

", + "locationName":"filterCondition" + } + }, + "documentation":"

Represents a condition that when matched will be added to the response of the operation.

" + }, + "FilterCriterionList":{ + "type":"list", + "member":{"shape":"FilterCriterion"}, + "max":1, + "min":0 + }, "FilterDescription":{ "type":"string", "max":512, @@ -3084,6 +3434,33 @@ } } }, + "GetMalwareScanSettingsRequest":{ + "type":"structure", + "required":["DetectorId"], + "members":{ + "DetectorId":{ + "shape":"DetectorId", + "documentation":"
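Review bot: `FilterCriterionList` is capped at `"max":1`, but the `FilterCriterion` member of `FilterCriteria` is documented only as a condition that "when matched will be added to the response", so nothing tells a caller that the model does not admit a second criterion. The member documentation could end with `At most one criterion can be specified.` `FilterCondition` also does not say which of `EqualsValue`, `GreaterThan` and `LessThan` applies to which `CriterionKey`. The two long-valued members are presumably meant for `SCAN_START_TIME`; if so, that and the unit of the value should be stated.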

The unique ID of the detector that the scan setting is associated with.

", + "location":"uri", + "locationName":"detectorId" + } + } + }, + "GetMalwareScanSettingsResponse":{ + "type":"structure", + "members":{ + "ScanResourceCriteria":{ + "shape":"ScanResourceCriteria", + "documentation":"

Represents the criteria to be used in the filter for scanning resources.

", + "locationName":"scanResourceCriteria" + }, + "EbsSnapshotPreservation":{ + "shape":"EbsSnapshotPreservation", + "documentation":"

An enum value representing possible snapshot preservations.

", + "locationName":"ebsSnapshotPreservation" + } + } + }, "GetMasterAccountRequest":{ "type":"structure", "required":["DetectorId"], @@ -3342,6 +3719,27 @@ "type":"string", "pattern":"^arn:[A-Za-z_.-]{1,20}:guardduty:[A-Za-z0-9_/.-]{0,63}:\\d+:detector/[A-Za-z0-9_/.-]{32,264}$" }, + "HighestSeverityThreatDetails":{ + "type":"structure", + "members":{ + "Severity":{ + "shape":"String", + "documentation":"

Severity level of the highest severity threat detected.

", + "locationName":"severity" + }, + "ThreatName":{ + "shape":"String", + "documentation":"

Threat name of the highest severity threat detected as part of the malware scan.

", + "locationName":"threatName" + }, + "Count":{ + "shape":"Integer", + "documentation":"

Total number of infected files with the highest severity threat detected.

", + "locationName":"count" + } + }, + "documentation":"

Contains details of the highest severity threat detected during scan and number of infected files.

" + }, "HostPath":{ "type":"structure", "members":{ @@ -3369,6 +3767,10 @@ }, "documentation":"

Contains information about the EC2 instance profile.

" }, + "InstanceArn":{ + "type":"string", + "pattern":"^arn:(aws|aws-cn|aws-us-gov):[a-z]+:[a-z]+(-[0-9]+|-[a-z]+)+:([0-9]{12}):[a-z\\-]+\\/[a-zA-Z0-9]*$" + }, "InstanceDetails":{ "type":"structure", "members":{ @@ -3441,6 +3843,11 @@ "documentation":"
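Review bot: The `InstanceArn` pattern ends in `[a-zA-Z0-9]*`, which admits no hyphen after the slash, so an EC2 instance ARN whose resource part has the usual `instance/i-…` form would not match it, and the `*` also accepts an empty resource ID. If the shape is meant to describe instance ARNs, the tail could be `[a-zA-Z0-9-]+$`. The partition alternation `(aws|aws-cn|aws-us-gov)` is a fixed list too, which is worth confirming against the partitions the service runs in. Nothing in this hunk shows where the pattern is enforced, and within this diff the shape is referenced only from the response-side `ResourceDetails`, so the effect may be limited to documentation and to validators generated from the model.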

Contains information about the details of an instance.

" }, "Integer":{"type":"integer"}, + "IntegerValueWithMax":{ + "type":"integer", + "max":50, + "min":1 + }, "InternalServerErrorException":{ "type":"structure", "members":{ @@ -4151,6 +4558,49 @@ "min":1 }, "Long":{"type":"long"}, + "LongValue":{"type":"long"}, + "MalwareProtectionConfiguration":{ + "type":"structure", + "members":{ + "ScanEc2InstanceWithFindings":{ + "shape":"ScanEc2InstanceWithFindings", + "documentation":"

Describes the configuration of Malware Protection for EC2 instances with findings.

", + "locationName":"scanEc2InstanceWithFindings" + } + }, + "documentation":"

Describes whether Malware Protection will be enabled as a data source.

" + }, + "MalwareProtectionConfigurationResult":{ + "type":"structure", + "members":{ + "ScanEc2InstanceWithFindings":{ + "shape":"ScanEc2InstanceWithFindingsResult", + "documentation":"

Describes the configuration of Malware Protection for EC2 instances with findings.

", + "locationName":"scanEc2InstanceWithFindings" + }, + "ServiceRole":{ + "shape":"String", + "documentation":"

The GuardDuty Malware Protection service role.

", + "locationName":"serviceRole" + } + }, + "documentation":"

An object that contains information on the status of all Malware Protection data sources.

" + }, + "MalwareProtectionDataSourceFreeTrial":{ + "type":"structure", + "members":{ + "ScanEc2InstanceWithFindings":{ + "shape":"DataSourceFreeTrial", + "documentation":"

Describes whether Malware Protection for EC2 instances with findings is enabled as a data source.

", + "locationName":"scanEc2InstanceWithFindings" + } + }, + "documentation":"

Provides details about Malware Protection when it is enabled as a data source.

" + }, + "MapEquals":{ + "type":"list", + "member":{"shape":"ScanConditionPair"} + }, "Master":{ "type":"structure", "members":{ @@ -4377,6 +4827,11 @@ "type":"list", "member":{"shape":"NetworkInterface"} }, + "NonEmptyString":{ + "type":"string", + "max":200, + "min":1 + }, "NotEquals":{ "type":"list", "member":{"shape":"String"} @@ -4426,6 +4881,11 @@ "shape":"OrganizationKubernetesConfiguration", "documentation":"

Describes the configuration of Kubernetes data sources for new members of the organization.

", "locationName":"kubernetes" + }, + "MalwareProtection":{ + "shape":"OrganizationMalwareProtectionConfiguration", + "documentation":"

Describes the configuration of Malware Protection for new members of the organization.

", + "locationName":"malwareProtection" } }, "documentation":"

An object that contains information on which data sources will be configured to be automatically enabled for new members within the organization.

" @@ -4443,10 +4903,37 @@ "shape":"OrganizationKubernetesConfigurationResult", "documentation":"

Describes the configuration of Kubernetes data sources.

", "locationName":"kubernetes" + }, + "MalwareProtection":{ + "shape":"OrganizationMalwareProtectionConfigurationResult", + "documentation":"

Describes the configuration of Malware Protection data source for an organization.

", + "locationName":"malwareProtection" } }, "documentation":"

An object that contains information on which data sources are automatically enabled for new members within the organization.

" }, + "OrganizationEbsVolumes":{ + "type":"structure", + "members":{ + "AutoEnable":{ + "shape":"Boolean", + "documentation":"

Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

", + "locationName":"autoEnable" + } + }, + "documentation":"

Organization-wide EBS volumes scan configuration.

" + }, + "OrganizationEbsVolumesResult":{ + "type":"structure", + "members":{ + "AutoEnable":{ + "shape":"Boolean", + "documentation":"

An object that contains the status of whether scanning EBS volumes should be auto-enabled for new members joining the organization.

", + "locationName":"autoEnable" + } + }, + "documentation":"

An object that contains information on the status of whether EBS volumes scanning will be enabled as a data source for an organization.

" + }, "OrganizationKubernetesAuditLogsConfiguration":{ "type":"structure", "required":["AutoEnable"], @@ -4495,6 +4982,28 @@ }, "documentation":"

The current configuration of all Kubernetes data sources for the organization.

" }, + "OrganizationMalwareProtectionConfiguration":{ + "type":"structure", + "members":{ + "ScanEc2InstanceWithFindings":{ + "shape":"OrganizationScanEc2InstanceWithFindings", + "documentation":"

Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.

", + "locationName":"scanEc2InstanceWithFindings" + } + }, + "documentation":"

Organization-wide Malware Protection configurations.

" + }, + "OrganizationMalwareProtectionConfigurationResult":{ + "type":"structure", + "members":{ + "ScanEc2InstanceWithFindings":{ + "shape":"OrganizationScanEc2InstanceWithFindingsResult", + "documentation":"

Describes the configuration for scanning EC2 instances with findings for an organization.

", + "locationName":"scanEc2InstanceWithFindings" + } + }, + "documentation":"

An object that contains information on the status of all Malware Protection data source for an organization.

" + }, "OrganizationS3LogsConfiguration":{ "type":"structure", "required":["AutoEnable"], @@ -4519,6 +5028,28 @@ }, "documentation":"

The current configuration of S3 data event logs as a data source for the organization.

" }, + "OrganizationScanEc2InstanceWithFindings":{ + "type":"structure", + "members":{ + "EbsVolumes":{ + "shape":"OrganizationEbsVolumes", + "documentation":"

Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

", + "locationName":"ebsVolumes" + } + }, + "documentation":"

Organization-wide EC2 instances with findings scan configuration.

" + }, + "OrganizationScanEc2InstanceWithFindingsResult":{ + "type":"structure", + "members":{ + "EbsVolumes":{ + "shape":"OrganizationEbsVolumesResult", + "documentation":"

Describes the configuration for scanning EBS volumes for an organization.

", + "locationName":"ebsVolumes" + } + }, + "documentation":"

An object that contains information on the status of scanning EC2 instances with findings for an organization.

" + }, "Owner":{ "type":"structure", "members":{ @@ -4587,6 +5118,10 @@ "type":"list", "member":{"shape":"PortProbeDetail"} }, + "PositiveLong":{ + "type":"long", + "min":0 + }, "PrivateIpAddressDetails":{ "type":"structure", "members":{ @@ -4749,10 +5284,35 @@ "shape":"String", "documentation":"

The type of Amazon Web Services resource.

", "locationName":"resourceType" + }, + "EbsVolumeDetails":{ + "shape":"EbsVolumeDetails", + "documentation":"

Contains list of scanned and skipped EBS volumes with details.

", + "locationName":"ebsVolumeDetails" + }, + "EcsClusterDetails":{ + "shape":"EcsClusterDetails", + "documentation":"

Contains information about the details of the ECS Cluster.

", + "locationName":"ecsClusterDetails" + }, + "ContainerDetails":{ + "shape":"Container", + "locationName":"containerDetails" } }, "documentation":"

Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.

" }, + "ResourceDetails":{ + "type":"structure", + "members":{ + "InstanceArn":{ + "shape":"InstanceArn", + "documentation":"

InstanceArn that was scanned in the scan entry.

", + "locationName":"instanceArn" + } + }, + "documentation":"

Represents the resources that were scanned in the scan entry.

" + }, "ResourceList":{ "type":"list", "member":{"shape":"String"} @@ -4831,6 +5391,293 @@ }, "documentation":"
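Review bot: The new `ContainerDetails` member of `Resource` has no `documentation` entry, while the `EbsVolumeDetails` and `EcsClusterDetails` members added next to it both carry one. An entry in the same wording as its siblings, `"documentation":"Contains information about the details of the container."`, would keep the generated reference complete. The `Container` shape it points to is defined outside this hunk, so the exact wording should be checked against that shape's own description.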

Describes whether S3 data event logs will be enabled as a data source.

" }, + "Scan":{ + "type":"structure", + "members":{ + "DetectorId":{ + "shape":"DetectorId", + "documentation":"

The unique ID of the detector that the request is associated with.

", + "locationName":"detectorId" + }, + "AdminDetectorId":{ + "shape":"DetectorId", + "documentation":"

The unique detector ID of the administrator account that the request is associated with. Note that this value will be the same as the one used for DetectorId if the account is an administrator.

", + "locationName":"adminDetectorId" + }, + "ScanId":{ + "shape":"NonEmptyString", + "documentation":"

The unique scan ID associated with a scan entry.

", + "locationName":"scanId" + }, + "ScanStatus":{ + "shape":"ScanStatus", + "documentation":"

An enum value representing possible scan statuses.

", + "locationName":"scanStatus" + }, + "FailureReason":{ + "shape":"NonEmptyString", + "documentation":"

Represents the reason for FAILED scan status.

", + "locationName":"failureReason" + }, + "ScanStartTime":{ + "shape":"Timestamp", + "documentation":"

The timestamp of when the scan was triggered.

", + "locationName":"scanStartTime" + }, + "ScanEndTime":{ + "shape":"Timestamp", + "documentation":"

The timestamp of when the scan was finished.

", + "locationName":"scanEndTime" + }, + "TriggerDetails":{ + "shape":"TriggerDetails", + "documentation":"

Represents the reason the scan was triggered.

", + "locationName":"triggerDetails" + }, + "ResourceDetails":{ + "shape":"ResourceDetails", + "documentation":"

Represents the resources that were scanned in the scan entry.

", + "locationName":"resourceDetails" + }, + "ScanResultDetails":{ + "shape":"ScanResultDetails", + "documentation":"

Represents the result of the scan.

", + "locationName":"scanResultDetails" + }, + "AccountId":{ + "shape":"AccountId", + "documentation":"

The ID for the account that belongs to the scan.

", + "locationName":"accountId" + }, + "TotalBytes":{ + "shape":"PositiveLong", + "documentation":"

Represents total bytes that were scanned.

", + "locationName":"totalBytes" + }, + "FileCount":{ + "shape":"PositiveLong", + "documentation":"

Represents the number of files that were scanned.

", + "locationName":"fileCount" + }, + "AttachedVolumes":{ + "shape":"VolumeDetails", + "documentation":"

List of volumes that were attached to the original instance to be scanned.

", + "locationName":"attachedVolumes" + } + }, + "documentation":"

Contains information about a malware scan.

" + }, + "ScanCondition":{ + "type":"structure", + "required":["MapEquals"], + "members":{ + "MapEquals":{ + "shape":"MapEquals", + "documentation":"

Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

", + "locationName":"mapEquals" + } + }, + "documentation":"

Contains information about the condition.

" + }, + "ScanConditionPair":{ + "type":"structure", + "required":["Key"], + "members":{ + "Key":{ + "shape":"TagKey", + "documentation":"

Represents key in the map condition.

", + "locationName":"key" + }, + "Value":{ + "shape":"TagValue", + "documentation":"

Represents optional value in the map condition. If not specified, only key will be matched.

", + "locationName":"value" + } + }, + "documentation":"

Represents key, value pair to be matched against given resource property.

" + }, + "ScanCriterion":{ + "type":"map", + "key":{"shape":"ScanCriterionKey"}, + "value":{"shape":"ScanCondition"}, + "documentation":"

Represents a map of resource properties that match specified conditions and values when triggering malware scans.

" + }, + "ScanCriterionKey":{ + "type":"string", + "documentation":"

An enum value representing possible resource properties to match with given scan condition.

", + "enum":["EC2_INSTANCE_TAG"] + }, + "ScanDetections":{ + "type":"structure", + "members":{ + "ScannedItemCount":{ + "shape":"ScannedItemCount", + "documentation":"

Total number of scanned files.

", + "locationName":"scannedItemCount" + }, + "ThreatsDetectedItemCount":{ + "shape":"ThreatsDetectedItemCount", + "documentation":"

Total number of infected files.

", + "locationName":"threatsDetectedItemCount" + }, + "HighestSeverityThreatDetails":{ + "shape":"HighestSeverityThreatDetails", + "documentation":"

Details of the highest severity threat detected during malware scan and number of infected files.

", + "locationName":"highestSeverityThreatDetails" + }, + "ThreatDetectedByName":{ + "shape":"ThreatDetectedByName", + "documentation":"

Contains details about identified threats organized by threat name.

", + "locationName":"threatDetectedByName" + } + }, + "documentation":"

Contains a complete view providing malware scan result details.

" + }, + "ScanEc2InstanceWithFindings":{ + "type":"structure", + "members":{ + "EbsVolumes":{ + "shape":"Boolean", + "documentation":"

Describes the configuration for scanning EBS volumes as data source.

", + "locationName":"ebsVolumes" + } + }, + "documentation":"

Describes whether Malware Protection for EC2 instances with findings will be enabled as a data source.

" + }, + "ScanEc2InstanceWithFindingsResult":{ + "type":"structure", + "members":{ + "EbsVolumes":{ + "shape":"EbsVolumesResult", + "documentation":"

Describes the configuration of scanning EBS volumes as a data source.

", + "locationName":"ebsVolumes" + } + }, + "documentation":"

An object that contains information on the status of whether Malware Protection for EC2 instances with findings will be enabled as a data source.

" + }, + "ScanFilePath":{ + "type":"structure", + "members":{ + "FilePath":{ + "shape":"String", + "documentation":"

The file path of the infected file.

", + "locationName":"filePath" + }, + "VolumeArn":{ + "shape":"String", + "documentation":"

EBS volume Arn details of the infected file.

", + "locationName":"volumeArn" + }, + "Hash":{ + "shape":"String", + "documentation":"

The hash value of the infected file.

", + "locationName":"hash" + }, + "FileName":{ + "shape":"String", + "documentation":"

File name of the infected file.

", + "locationName":"fileName" + } + }, + "documentation":"

Contains details of infected file including name, file path and hash.

" + }, + "ScanResourceCriteria":{ + "type":"structure", + "members":{ + "Include":{ + "shape":"ScanCriterion", + "documentation":"

Represents condition that when matched will allow a malware scan for a certain resource.

", + "locationName":"include" + }, + "Exclude":{ + "shape":"ScanCriterion", + "documentation":"

Represents condition that when matched will prevent a malware scan for a certain resource.

", + "locationName":"exclude" + } + }, + "documentation":"

Contains information about criteria used to filter resources before triggering malware scan.

" + }, + "ScanResult":{ + "type":"string", + "enum":[ + "CLEAN", + "INFECTED" + ] + }, + "ScanResultDetails":{ + "type":"structure", + "members":{ + "ScanResult":{ + "shape":"ScanResult", + "documentation":"

An enum value representing possible scan results.

", + "locationName":"scanResult" + } + }, + "documentation":"

Represents the result of the scan.

" + }, + "ScanStatus":{ + "type":"string", + "enum":[ + "RUNNING", + "COMPLETED", + "FAILED" + ] + }, + "ScanThreatName":{ + "type":"structure", + "members":{ + "Name":{ + "shape":"String", + "documentation":"

The name of the identified threat.

", + "locationName":"name" + }, + "Severity":{ + "shape":"String", + "documentation":"

Severity of threat identified as part of the malware scan.

", + "locationName":"severity" + }, + "ItemCount":{ + "shape":"Integer", + "documentation":"

Total number of files infected with given threat.

", + "locationName":"itemCount" + }, + "FilePaths":{ + "shape":"FilePaths", + "documentation":"

List of infected files in EBS volume with details.

", + "locationName":"filePaths" + } + }, + "documentation":"

Contains files infected with the given threat providing details of malware name and severity.

" + }, + "ScanThreatNames":{ + "type":"list", + "member":{"shape":"ScanThreatName"} + }, + "ScannedItemCount":{ + "type":"structure", + "members":{ + "TotalGb":{ + "shape":"Integer", + "documentation":"

Total GB of files scanned for malware.

", + "locationName":"totalGb" + }, + "Files":{ + "shape":"Integer", + "documentation":"

Number of files scanned.

", + "locationName":"files" + }, + "Volumes":{ + "shape":"Integer", + "documentation":"

Total number of scanned volumes.

", + "locationName":"volumes" + } + }, + "documentation":"

Total number of scanned files.

" + }, + "Scans":{ + "type":"list", + "member":{"shape":"Scan"} + }, "SecurityContext":{ "type":"structure", "members":{ @@ -4919,6 +5766,16 @@ "shape":"ServiceAdditionalInfo", "documentation":"
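Review bot: `ScanFilePath.Hash` is documented only as "The hash value of the infected file", without naming the hash algorithm or the encoding of the value. Anyone matching these values against threat-intelligence feeds or a file inventory needs that to know which index to query, so the text should name it, for example `The ALGORITHM hash of the infected file, hex-encoded.` with ALGORITHM (a placeholder here) filled in from the service definition. In the same hunk the `ScannedItemCount` structure is documented as "Total number of scanned files" although it also carries `TotalGb` and `Volumes`; `Contains the totals of data, files and volumes scanned.` would describe it more accurately.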

Contains additional information about the generated finding.

", "locationName":"additionalInfo" + }, + "FeatureName":{ + "shape":"String", + "documentation":"

The name of the feature that generated a finding.

", + "locationName":"featureName" + }, + "EbsVolumeScanDetails":{ + "shape":"EbsVolumeScanDetails", + "documentation":"

Returns details from the malware scan that created a finding.

", + "locationName":"ebsVolumeScanDetails" } }, "documentation":"

Contains additional information about the generated finding.

" @@ -4959,6 +5816,10 @@ "type":"list", "member":{"shape":"String"} }, + "Sources":{ + "type":"list", + "member":{"shape":"String"} + }, "StartMonitoringMembersRequest":{ "type":"structure", "required":[ @@ -5090,6 +5951,32 @@ "type":"list", "member":{"shape":"Tag"} }, + "ThreatDetectedByName":{ + "type":"structure", + "members":{ + "ItemCount":{ + "shape":"Integer", + "documentation":"

Total number of infected files identified.

", + "locationName":"itemCount" + }, + "UniqueThreatNameCount":{ + "shape":"Integer", + "documentation":"

Total number of unique threats by name identified, as part of the malware scan.

", + "locationName":"uniqueThreatNameCount" + }, + "Shortened":{ + "shape":"Boolean", + "documentation":"

Flag to determine if the finding contains every single infected file-path and/or every threat.

", + "locationName":"shortened" + }, + "ThreatNames":{ + "shape":"ScanThreatNames", + "documentation":"

List of identified threats with details, organized by threat name.

", + "locationName":"threatNames" + } + }, + "documentation":"

Contains details about identified threats organized by threat name.

" + }, "ThreatIntelSetFormat":{ "type":"string", "enum":[ @@ -5147,6 +6034,17 @@ "type":"list", "member":{"shape":"String"} }, + "ThreatsDetectedItemCount":{ + "type":"structure", + "members":{ + "Files":{ + "shape":"Integer", + "documentation":"
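Review bot: The `Shortened` member of `ThreatDetectedByName` is documented as a "Flag to determine if the finding contains every single infected file-path and/or every threat", which does not say what `true` means. The name suggests `true` marks truncated lists, but that is an inference and should be confirmed against the service. A consumer comparing `ItemCount` with the entries under `ThreatNames` needs the polarity spelled out, otherwise a partial list of infected files can be read as complete during triage. I would reword it along the lines of `Set to true when the finding omits some infected file paths or threat names; ItemCount and UniqueThreatNameCount still reflect the full totals.`, adjusted to whatever the service actually does.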

Total number of infected files.

", + "locationName":"files" + } + }, + "documentation":"

Contains total number of infected files.

" + }, "Timestamp":{"type":"timestamp"}, "Total":{ "type":"structure", @@ -5164,6 +6062,22 @@ }, "documentation":"

Contains the total usage with the corresponding currency unit for that value.

" }, + "TriggerDetails":{ + "type":"structure", + "members":{ + "GuardDutyFindingId":{ + "shape":"NonEmptyString", + "documentation":"

The ID of the GuardDuty finding that triggered the BirdDog scan.

", + "locationName":"guardDutyFindingId" + }, + "Description":{ + "shape":"NonEmptyString", + "documentation":"

The description of the scan trigger.

", + "locationName":"description" + } + }, + "documentation":"

Represents the reason the scan was triggered.

" + }, "UnarchiveFindingsRequest":{ "type":"structure", "required":[ @@ -5402,6 +6316,33 @@ "members":{ } }, + "UpdateMalwareScanSettingsRequest":{ + "type":"structure", + "required":["DetectorId"], + "members":{ + "DetectorId":{ + "shape":"DetectorId", + "documentation":"
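Review bot: The documentation for `TriggerDetails.GuardDutyFindingId` refers to "the BirdDog scan", a name that appears nowhere else in this model or in the changelog entry, both of which call it a malware scan. It reads like an internal project name that slipped into public API documentation. I would change the string to `The ID of the GuardDuty finding that triggered the malware scan.` so that generated SDK docs use the same term as `EbsVolumeScanDetails` and `ScanThreatName`.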

The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.

", + "location":"uri", + "locationName":"detectorId" + }, + "ScanResourceCriteria":{ + "shape":"ScanResourceCriteria", + "documentation":"

Represents the criteria to be used in the filter for selecting resources to scan.

", + "locationName":"scanResourceCriteria" + }, + "EbsSnapshotPreservation":{ + "shape":"EbsSnapshotPreservation", + "documentation":"

An enum value representing possible snapshot preservations.

", + "locationName":"ebsSnapshotPreservation" + } + } + }, + "UpdateMalwareScanSettingsResponse":{ + "type":"structure", + "members":{ + } + }, "UpdateMemberDetectorsRequest":{ "type":"structure", "required":[ @@ -5673,6 +6614,51 @@ }, "documentation":"

Volume used by the Kubernetes workload.

" }, + "VolumeDetail":{ + "type":"structure", + "members":{ + "VolumeArn":{ + "shape":"String", + "documentation":"

EBS volume Arn information.

", + "locationName":"volumeArn" + }, + "VolumeType":{ + "shape":"String", + "documentation":"

The EBS volume type.

", + "locationName":"volumeType" + }, + "DeviceName":{ + "shape":"String", + "documentation":"

The device name for the EBS volume.

", + "locationName":"deviceName" + }, + "VolumeSizeInGB":{ + "shape":"Integer", + "documentation":"

EBS volume size in GB.

", + "locationName":"volumeSizeInGB" + }, + "EncryptionType":{ + "shape":"String", + "documentation":"

EBS volume encryption type.

", + "locationName":"encryptionType" + }, + "SnapshotArn":{ + "shape":"String", + "documentation":"

Snapshot Arn of the EBS volume.

", + "locationName":"snapshotArn" + }, + "KmsKeyArn":{ + "shape":"String", + "documentation":"

KMS key Arn used to encrypt the EBS volume.

", + "locationName":"kmsKeyArn" + } + }, + "documentation":"

Contains EBS volume details.

" + }, + "VolumeDetails":{ + "type":"list", + "member":{"shape":"VolumeDetail"} + }, "VolumeMount":{ "type":"structure", "members":{ diff --git a/botocore/data/lookoutvision/2020-11-20/service-2.json b/botocore/data/lookoutvision/2020-11-20/service-2.json index 5f91371524..c217384416 100644 --- a/botocore/data/lookoutvision/2020-11-20/service-2.json +++ b/botocore/data/lookoutvision/2020-11-20/service-2.json @@ -285,7 +285,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"ThrottlingException"} ], - "documentation":"

Lists the Amazon Lookout for Vision projects in your AWS account.

The ListProjects operation is eventually consistent. Recent calls to CreateProject and DeleteProject might take a while to appear in the response from ListProjects.

This operation requires permissions to perform the lookoutvision:ListProjects operation.

" + "documentation":"

Lists the Amazon Lookout for Vision projects in your AWS account that are in the AWS Region in which you call ListProjects.

The ListProjects operation is eventually consistent. Recent calls to CreateProject and DeleteProject might take a while to appear in the response from ListProjects.

This operation requires permissions to perform the lookoutvision:ListProjects operation.

" }, "ListTagsForResource":{ "name":"ListTagsForResource", @@ -1401,6 +1401,14 @@ "KmsKeyId":{ "shape":"KmsKeyId", "documentation":"

The identifer for the AWS Key Management Service (AWS KMS) key that was used to encrypt the model during training.

" + }, + "MinInferenceUnits":{ + "shape":"InferenceUnits", + "documentation":"

The minimum number of inference units used by the model. For more information, see StartModel

" + }, + "MaxInferenceUnits":{ + "shape":"InferenceUnits", + "documentation":"

The maximum number of inference units Amazon Lookout for Vision uses to auto-scale the model. For more information, see StartModel.

" } }, "documentation":"

Describes an Amazon Lookout for Vision model.

" @@ -1924,6 +1932,10 @@ "idempotencyToken":true, "location":"header", "locationName":"X-Amzn-Client-Token" + }, + "MaxInferenceUnits":{ + "shape":"InferenceUnits", + "documentation":"

The maximum number of inference units to use for auto-scaling the model. If you don't specify a value, Amazon Lookout for Vision doesn't auto-scale the model.

" } } }, diff --git a/botocore/data/macie2/2020-01-01/service-2.json b/botocore/data/macie2/2020-01-01/service-2.json index 1c80dbe745..01e42f4035 100644 --- a/botocore/data/macie2/2020-01-01/service-2.json +++ b/botocore/data/macie2/2020-01-01/service-2.json @@ -1618,6 +1618,116 @@ ], "documentation": "

Retrieves information about an account that's associated with an Amazon Macie administrator account.

" }, + "GetRevealConfiguration": { + "name": "GetRevealConfiguration", + "http": { + "method": "GET", + "requestUri": "/reveal-configuration", + "responseCode": 200 + }, + "input": { + "shape": "GetRevealConfigurationRequest" + }, + "output": { + "shape": "GetRevealConfigurationResponse", + "documentation": "

The request succeeded.

" + }, + "errors": [ + { + "shape": "ThrottlingException", + "documentation": "

The request failed because you sent too many requests during a certain amount of time.

" + }, + { + "shape": "ValidationException", + "documentation": "

The request failed because it contains a syntax error.

" + }, + { + "shape": "InternalServerException", + "documentation": "

The request failed due to an unknown internal server error, exception, or failure.

" + }, + { + "shape": "AccessDeniedException", + "documentation": "

The request was denied because you don't have sufficient access to the specified resource.

" + } + ], + "documentation": "

Retrieves the status and configuration settings for retrieving (revealing) occurrences of sensitive data reported by findings.

" + }, + "GetSensitiveDataOccurrences": { + "name": "GetSensitiveDataOccurrences", + "http": { + "method": "GET", + "requestUri": "/findings/{findingId}/reveal", + "responseCode": 200 + }, + "input": { + "shape": "GetSensitiveDataOccurrencesRequest" + }, + "output": { + "shape": "GetSensitiveDataOccurrencesResponse", + "documentation": "

The request succeeded.

" + }, + "errors": [ + { + "shape": "UnprocessableEntityException", + "documentation": "

The request failed because it contains instructions that Amazon Macie can't process (Unprocessable Entity).

" + }, + { + "shape": "InternalServerException", + "documentation": "

The request failed due to an unknown internal server error, exception, or failure.

" + }, + { + "shape": "ServiceQuotaExceededException", + "documentation": "

The request failed because fulfilling the request would exceed one or more service quotas for your account.

" + }, + { + "shape": "AccessDeniedException", + "documentation": "

The request was denied because you don't have sufficient access to the specified resource.

" + }, + { + "shape": "ResourceNotFoundException", + "documentation": "

The request failed because the specified resource wasn't found.

" + }, + { + "shape": "ThrottlingException", + "documentation": "

The request failed because you sent too many requests during a certain amount of time.

" + } + ], + "documentation": "

Retrieves (reveals) occurrences of sensitive data reported by a finding.

" + }, + "GetSensitiveDataOccurrencesAvailability": { + "name": "GetSensitiveDataOccurrencesAvailability", + "http": { + "method": "GET", + "requestUri": "/findings/{findingId}/reveal/availability", + "responseCode": 200 + }, + "input": { + "shape": "GetSensitiveDataOccurrencesAvailabilityRequest" + }, + "output": { + "shape": "GetSensitiveDataOccurrencesAvailabilityResponse", + "documentation": "

The request succeeded.

" + }, + "errors": [ + { + "shape": "ResourceNotFoundException", + "documentation": "

The request failed because the specified resource wasn't found.

" + }, + { + "shape": "ThrottlingException", + "documentation": "

The request failed because you sent too many requests during a certain amount of time.

" + }, + { + "shape": "InternalServerException", + "documentation": "

The request failed due to an unknown internal server error, exception, or failure.

" + }, + { + "shape": "AccessDeniedException", + "documentation": "

The request was denied because you don't have sufficient access to the specified resource.

" + } + ], + "documentation": "

Checks whether occurrences of sensitive data can be retrieved (revealed) for a finding.

" + }, "GetUsageStatistics": { "name": "GetUsageStatistics", "http": { @@ -2513,6 +2623,40 @@ } ], "documentation": "

Updates the Amazon Macie configuration settings for an organization in Organizations.

" + }, + "UpdateRevealConfiguration": { + "name": "UpdateRevealConfiguration", + "http": { + "method": "PUT", + "requestUri": "/reveal-configuration", + "responseCode": 200 + }, + "input": { + "shape": "UpdateRevealConfigurationRequest" + }, + "output": { + "shape": "UpdateRevealConfigurationResponse", + "documentation": "

The request succeeded.

" + }, + "errors": [ + { + "shape": "ThrottlingException", + "documentation": "

The request failed because you sent too many requests during a certain amount of time.

" + }, + { + "shape": "ValidationException", + "documentation": "

The request failed because it contains a syntax error.

" + }, + { + "shape": "InternalServerException", + "documentation": "

The request failed due to an unknown internal server error, exception, or failure.

" + }, + { + "shape": "AccessDeniedException", + "documentation": "

The request was denied because you don't have sufficient access to the specified resource.

" + } + ], + "documentation": "

Updates the status and configuration settings for retrieving (revealing) occurrences of sensitive data reported by findings.

" } }, "shapes": { @@ -2694,6 +2838,14 @@ }, "documentation": "

Provides information about an identity that performed an action on an affected resource by using temporary security credentials. The credentials were obtained using the AssumeRole operation of the Security Token Service (STS) API.

" }, + "AvailabilityCode": { + "type": "string", + "documentation": "

Specifies whether occurrences of sensitive data can be retrieved for a finding. Possible values are:

", + "enum": [ + "AVAILABLE", + "UNAVAILABLE" + ] + }, "AwsAccount": { "type": "structure", "members": { @@ -3443,12 +3595,12 @@ "keywords": { "shape": "__listOf__string", "locationName": "keywords", - "documentation": "

An array that lists specific character sequences (keywords), one of which must be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.

" + "documentation": "

An array that lists specific character sequences (keywords), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.

" }, "maximumMatchDistance": { "shape": "__integer", "locationName": "maximumMatchDistance", - "documentation": "

The maximum number of characters that can exist between text that matches the regular expression and the character sequences specified by the keywords array. Amazon Macie includes or excludes a result based on the proximity of a keyword to text that matches the regular expression. The distance can be 1-300 characters. The default value is 50.

" + "documentation": "

The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. The distance can be 1-300 characters. The default value is 50.

" }, "name": { "shape": "__string", @@ -4052,7 +4204,7 @@ "lastRunTime": { "shape": "__timestampIso8601", "locationName": "lastRunTime", - "documentation": "

The date and time, in UTC and extended ISO 8601 format, when the job started. If the job is a recurring job, this value indicates when the most recent run started.

" + "documentation": "

The date and time, in UTC and extended ISO 8601 format, when the job started. If the job is a recurring job, this value indicates when the most recent run started or, if the job hasn't run yet, when the job was created.

" }, "managedDataIdentifierIds": { "shape": "__listOf__string", @@ -4120,6 +4272,20 @@ } } }, + "DetectedDataDetails": { + "type": "structure", + "members": { + "value": { + "shape": "__stringMin1Max128", + "locationName": "value", + "documentation": "

An occurrence of the specified type of sensitive data. Each occurrence can contain 1-128 characters.

" + } + }, + "documentation": "

Specifies 1-10 occurrences of a specific type of sensitive data reported by a finding.

", + "required": [ + "value" + ] + }, "DisableMacieRequest": { "type": "structure", "members": {} @@ -4706,12 +4872,12 @@ "keywords": { "shape": "__listOf__string", "locationName": "keywords", - "documentation": "

An array that lists specific character sequences (keywords), one of which must be within proximity (maximumMatchDistance) of the regular expression to match. Keywords aren't case sensitive.

" + "documentation": "

An array that lists specific character sequences (keywords), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. Keywords aren't case sensitive.

" }, "maximumMatchDistance": { "shape": "__integer", "locationName": "maximumMatchDistance", - "documentation": "

The maximum number of characters that can exist between text that matches the regular expression and the character sequences specified by the keywords array. Amazon Macie includes or excludes a result based on the proximity of a keyword to text that matches the regular expression.

" + "documentation": "

The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. Otherwise, Macie excludes the result.

" }, "name": { "shape": "__string", @@ -5000,6 +5166,83 @@ } } }, + "GetRevealConfigurationRequest": { + "type": "structure", + "members": {} + }, + "GetRevealConfigurationResponse": { + "type": "structure", + "members": { + "configuration": { + "shape": "RevealConfiguration", + "locationName": "configuration", + "documentation": "

The current configuration settings and the status of the configuration for the account.

" + } + } + }, + "GetSensitiveDataOccurrencesAvailabilityRequest": { + "type": "structure", + "members": { + "findingId": { + "shape": "__string", + "location": "uri", + "locationName": "findingId", + "documentation": "

The unique identifier for the finding.

" + } + }, + "required": [ + "findingId" + ] + }, + "GetSensitiveDataOccurrencesAvailabilityResponse": { + "type": "structure", + "members": { + "code": { + "shape": "AvailabilityCode", + "locationName": "code", + "documentation": "

Specifies whether occurrences of sensitive data can be retrieved for the finding. Possible values are: AVAILABLE, the sensitive data can be retrieved; and, UNAVAILABLE, the sensitive data can't be retrieved. If this value is UNAVAILABLE, the reasons array indicates why the data can't be retrieved.

" + }, + "reasons": { + "shape": "__listOfUnavailabilityReasonCode", + "locationName": "reasons", + "documentation": "

Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:

  • INVALID_CLASSIFICATION_RESULT - Amazon Macie can't verify the location of the sensitive data to retrieve. There isn't a corresponding sensitive data discovery result for the finding. Or the sensitive data discovery result specified by the ClassificationDetails.detailedResultsLocation field of the finding isn't available, is malformed or corrupted, or uses an unsupported storage format.

  • OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data.

  • OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object might have been renamed, moved, or deleted. Or the object was changed after Amazon Macie created the finding.

  • UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.

  • UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.

This value is null if sensitive data can be retrieved for the finding.

" + } + } + }, + "GetSensitiveDataOccurrencesRequest": { + "type": "structure", + "members": { + "findingId": { + "shape": "__string", + "location": "uri", + "locationName": "findingId", + "documentation": "

The unique identifier for the finding.

" + } + }, + "required": [ + "findingId" + ] + }, + "GetSensitiveDataOccurrencesResponse": { + "type": "structure", + "members": { + "error": { + "shape": "__string", + "locationName": "error", + "documentation": "

If an error occurred when Amazon Macie attempted to retrieve occurrences of sensitive data reported by the finding, a description of the error that occurred. This value is null if the status (status) of the request is PROCESSING or SUCCESS.

" + }, + "sensitiveDataOccurrences": { + "shape": "SensitiveDataOccurrences", + "locationName": "sensitiveDataOccurrences", + "documentation": "

A map that specifies 1-100 types of sensitive data reported by the finding and, for each type, 1-10 occurrences of sensitive data.

" + }, + "status": { + "shape": "RevealRequestStatus", + "locationName": "status", + "documentation": "

The status of the request to retrieve occurrences of sensitive data reported by the finding. Possible values are:

  • ERROR - An error occurred when Amazon Macie attempted to locate, retrieve, or encrypt the sensitive data. The error value indicates the nature of the error that occurred.

  • PROCESSING - Macie is processing the request.

  • SUCCESS - Macie successfully located, retrieved, and encrypted the sensitive data.

" + } + } + }, "GetUsageStatisticsRequest": { "type": "structure", "members": { @@ -5304,7 +5547,7 @@ "isDefinedInJob": { "shape": "IsDefinedInJob", "locationName": "isDefinedInJob", - "documentation": "

Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:

  • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED. Or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran.

  • FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn't match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran.

  • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.

" + "documentation": "

Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:

  • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED. Or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran.

  • FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn't match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran.

  • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.

" }, "isMonitoredByJob": { "shape": "IsMonitoredByJob", @@ -6115,7 +6358,7 @@ "documentation": "

An array of objects, one for each occurrence of sensitive data in an Apache Avro object container, Apache Parquet file, JSON file, or JSON Lines file. This value is null for all other types of files.

For an Avro object container or Parquet file, each Record object specifies a record index and the path to a field in a record that contains the sensitive data. For a JSON or JSON Lines file, each Record object specifies the path to a field or array that contains the sensitive data. For a JSON Lines file, it also specifies the index of the line that contains the data.

" } }, - "documentation": "

Specifies the location of 1-15 occurrences of sensitive data that was detected by a managed data identifier or a custom data identifier and produced a sensitive data finding.

" + "documentation": "

Specifies the location of 1-15 occurrences of sensitive data that was detected by a managed data identifier or a custom data identifier and produced a sensitive data finding. Depending on the file or storage format of the affected S3 object, you can optionally retrieve (reveal) sample occurrences of the sensitive data that was detected.

" }, "OrderBy": { "type": "string", @@ -6337,6 +6580,42 @@ }, "documentation": "

Provides information about the resources that a finding applies to.

" }, + "RevealConfiguration": { + "type": "structure", + "members": { + "kmsKeyId": { + "shape": "__stringMin1Max2048", + "locationName": "kmsKeyId", + "documentation": "

The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's in the same Amazon Web Services Region as the Amazon Macie account.

If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.

" + }, + "status": { + "shape": "RevealStatus", + "locationName": "status", + "documentation": "

The status of the configuration for the Amazon Macie account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account.

" + } + }, + "documentation": "

Specifies the configuration settings for retrieving occurrences of sensitive data reported by findings, and the status of the configuration for an Amazon Macie account. When you enable the configuration for the first time, your request must specify an AWS Key Management Service (AWS KMS) key. Otherwise, an error occurs. Macie uses the specified key to encrypt the sensitive data that you retrieve.

", + "required": [ + "status" + ] + }, + "RevealRequestStatus": { + "type": "string", + "documentation": "

The status of a request to retrieve occurrences of sensitive data reported by a finding. Possible values are:

", + "enum": [ + "SUCCESS", + "PROCESSING", + "ERROR" + ] + }, + "RevealStatus": { + "type": "string", + "documentation": "

The status of the configuration for the Amazon Macie account. In a request, valid values are:

", + "enum": [ + "ENABLED", + "DISABLED" + ] + }, "S3Bucket": { "type": "structure", "members": { @@ -6451,7 +6730,7 @@ "kmsKeyArn": { "shape": "__string", "locationName": "kmsKeyArn", - "documentation": "

The Amazon Resource Name (ARN) of the KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric, customer managed KMS key that's in the same Amazon Web Services Region as the bucket.

" + "documentation": "

The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's in the same Amazon Web Services Region as the bucket.

" } }, "documentation": "

Specifies an S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.

", @@ -6811,6 +7090,16 @@ "CUSTOM_IDENTIFIER" ] }, + "SensitiveDataOccurrences": { + "type": "map", + "documentation": "

Specifies a type of sensitive data reported by a finding and provides occurrences of the specified type of sensitive data.

", + "key": { + "shape": "__string" + }, + "value": { + "shape": "__listOfDetectedDataDetails" + } + }, "ServerSideEncryption": { "type": "structure", "members": { @@ -7210,12 +7499,12 @@ "keywords": { "shape": "__listOf__string", "locationName": "keywords", - "documentation": "

An array that lists specific character sequences (keywords), one of which must be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.

" + "documentation": "

An array that lists specific character sequences (keywords), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.

" }, "maximumMatchDistance": { "shape": "__integer", "locationName": "maximumMatchDistance", - "documentation": "

The maximum number of characters that can exist between text that matches the regular expression and the character sequences specified by the keywords array. Amazon Macie includes or excludes a result based on the proximity of a keyword to text that matches the regular expression. The distance can be 1-300 characters. The default value is 50.

" + "documentation": "

The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. The distance can be 1-300 characters. The default value is 50.

" }, "regex": { "shape": "__string", @@ -7274,12 +7563,41 @@ "aws:kms" ] }, + "UnavailabilityReasonCode": { + "type": "string", + "documentation": "

Specifies why occurrences of sensitive data can't be retrieved for a finding. Possible values are:

", + "enum": [ + "OBJECT_EXCEEDS_SIZE_QUOTA", + "UNSUPPORTED_OBJECT_TYPE", + "UNSUPPORTED_FINDING_TYPE", + "INVALID_CLASSIFICATION_RESULT", + "OBJECT_UNAVAILABLE" + ] + }, "Unit": { "type": "string", "enum": [ "TERABYTES" ] }, + "UnprocessableEntityException": { + "type": "structure", + "members": { + "message": { + "shape": "__string", + "locationName": "message", + "documentation": "

The type of error that occurred and prevented Amazon Macie from retrieving occurrences of sensitive data reported by the finding. Possible values are:

  • INVALID_CLASSIFICATION_RESULT - Amazon Macie can't verify the location of the sensitive data to retrieve. There isn't a corresponding sensitive data discovery result for the finding. Or the sensitive data discovery result specified by the ClassificationDetails.detailedResultsLocation field of the finding isn't available, is malformed or corrupted, or uses an unsupported storage format.

  • OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data.

  • OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object might have been renamed, moved, or deleted. Or the object was changed after Amazon Macie created the finding.

  • UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding..

  • UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Amazon Macie doesn't support for retrieving occurrences of sensitive data.

" + } + }, + "documentation": "

Provides information about an error that occurred due to an unprocessable entity.

", + "required": [ + "message" + ], + "exception": true, + "error": { + "httpStatusCode": 422 + } + }, "UnprocessedAccount": { "type": "structure", "members": { @@ -7470,6 +7788,29 @@ "type": "structure", "members": {} }, + "UpdateRevealConfigurationRequest": { + "type": "structure", + "members": { + "configuration": { + "shape": "RevealConfiguration", + "locationName": "configuration", + "documentation": "

The new configuration settings and the status of the configuration for the account.

" + } + }, + "required": [ + "configuration" + ] + }, + "UpdateRevealConfigurationResponse": { + "type": "structure", + "members": { + "configuration": { + "shape": "RevealConfiguration", + "locationName": "configuration", + "documentation": "

The new configuration settings and the status of the configuration for the account.

" + } + } + }, "UsageByAccount": { "type": "structure", "members": { @@ -7776,6 +8117,12 @@ "shape": "CustomDataIdentifierSummary" } }, + "__listOfDetectedDataDetails": { + "type": "list", + "member": { + "shape": "DetectedDataDetails" + } + }, "__listOfFinding": { "type": "list", "member": { @@ -7878,6 +8225,13 @@ "shape": "TagValuePair" } }, + "__listOfUnavailabilityReasonCode": { + "type": "list", + "min": 0, + "member": { + "shape": "UnavailabilityReasonCode" + } + }, "__listOfUnprocessedAccount": { "type": "list", "member": { @@ -7920,6 +8274,16 @@ "__string": { "type": "string" }, + "__stringMin1Max128": { + "type": "string", + "min": 1, + "max": 128 + }, + "__stringMin1Max2048": { + "type": "string", + "min": 1, + "max": 2048 + }, "__timestampIso8601": { "type": "timestamp", "timestampFormat": "iso8601" diff --git a/botocore/data/macie2/2020-01-01/waiters-2.json b/botocore/data/macie2/2020-01-01/waiters-2.json new file mode 100644 index 0000000000..12c4a4a83d --- /dev/null +++ b/botocore/data/macie2/2020-01-01/waiters-2.json @@ -0,0 +1,25 @@ +{ + "version": 2, + "waiters": { + "FindingRevealed": { + "description": "Wait until the sensitive data occurrences are ready.", + "delay": 2, + "maxAttempts": 60, + "operation": "GetSensitiveDataOccurrences", + "acceptors": [ + { + "matcher": "path", + "argument": "status", + "state": "success", + "expected": "SUCCESS" + }, + { + "matcher": "path", + "argument": "status", + "state": "success", + "expected": "ERROR" + } + ] + } + } +} \ No newline at end of file diff --git a/botocore/data/rds/2014-10-31/service-2.json b/botocore/data/rds/2014-10-31/service-2.json index 8afbcfa801..1659183440 100644 --- a/botocore/data/rds/2014-10-31/service-2.json +++ b/botocore/data/rds/2014-10-31/service-2.json @@ -4060,7 +4060,7 @@ }, "EngineFamily":{ "shape":"EngineFamily", - "documentation":"
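Review bot: In the new `macie2` `waiters-2.json`, the `FindingRevealed` waiter maps a `status` of `ERROR` to `"state": "success"`, so it returns normally when the reveal request has failed. That contradicts its description, "Wait until the sensitive data occurrences are ready." Callers who rely on the waiter would then read `sensitiveDataOccurrences` from a response that carries only the `error` field. If stopping at any terminal state is intended, the description should say so and tell callers to check `status` afterwards. Otherwise the second acceptor should use `"state": "failure"` with `"expected": "ERROR"`, so that the waiter raises instead of reporting readiness.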

The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL and RDS for MySQL databases, specify MYSQL. For Aurora PostgreSQL and RDS for PostgreSQL databases, specify POSTGRESQL.

" + "documentation":"

The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify MYSQL. For Aurora PostgreSQL and RDS for PostgreSQL databases, specify POSTGRESQL.

" }, "Auth":{ "shape":"UserAuthConfigList", @@ -6173,7 +6173,7 @@ }, "EngineFamily":{ "shape":"String", - "documentation":"

The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. MYSQL supports Aurora MySQL and RDS for MySQL databases. POSTGRESQL supports Aurora PostgreSQL and RDS for PostgreSQL databases.

" + "documentation":"

The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. MYSQL supports Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases. POSTGRESQL supports Aurora PostgreSQL and RDS for PostgreSQL databases.

" }, "VpcId":{ "shape":"String", diff --git a/botocore/data/rekognition/2016-06-27/service-2.json b/botocore/data/rekognition/2016-06-27/service-2.json index 62099fc751..ce5f2c0631 100644 --- a/botocore/data/rekognition/2016-06-27/service-2.json +++ b/botocore/data/rekognition/2016-06-27/service-2.json @@ -998,7 +998,7 @@ {"shape":"ThrottlingException"}, {"shape":"ProvisionedThroughputExceededException"} ], - "documentation":"

Starts the running of the version of a model. Starting a model takes a while to complete. To check the current state of the model, use DescribeProjectVersions.

Once the model is running, you can detect custom labels in new images by calling DetectCustomLabels.

You are charged for the amount of time that the model is running. To stop a running model, call StopProjectVersion.

This operation requires permissions to perform the rekognition:StartProjectVersion action.

" + "documentation":"

Starts the running of the version of a model. Starting a model takes a while to complete. To check the current state of the model, use DescribeProjectVersions.

Once the model is running, you can detect custom labels in new images by calling DetectCustomLabels.

You are charged for the amount of time that the model is running. To stop a running model, call StopProjectVersion.

For more information, see Running a trained Amazon Rekognition Custom Labels model in the Amazon Rekognition Custom Labels Guide.

This operation requires permissions to perform the rekognition:StartProjectVersion action.

" }, "StartSegmentDetection":{ "name":"StartSegmentDetection", @@ -1806,7 +1806,7 @@ }, "RegionsOfInterest":{ "shape":"RegionsOfInterest", - "documentation":"

Specifies locations in the frames where Amazon Rekognition checks for objects or people. You can specify up to 10 regions of interest. This is an optional parameter for label detection stream processors and should not be used to create a face search stream processor.

" + "documentation":"

Specifies locations in the frames where Amazon Rekognition checks for objects or people. You can specify up to 10 regions of interest, and each region has either a polygon or a bounding box. This is an optional parameter for label detection stream processors and should not be used to create a face search stream processor.

" }, "DataSharingPreference":{ "shape":"StreamProcessorDataSharingPreference", @@ -4378,6 +4378,10 @@ "KmsKeyId":{ "shape":"KmsKeyId", "documentation":"

The identifer for the AWS Key Management Service key (AWS KMS key) that was used to encrypt the model during training.

" + }, + "MaxInferenceUnits":{ + "shape":"InferenceUnits", + "documentation":"

The maximum number of inference units Amazon Rekognition Custom Labels uses to auto-scale the model. For more information, see StartProjectVersion.

" } }, "documentation":"

A description of a version of an Amazon Rekognition Custom Labels model.

" @@ -4584,7 +4588,7 @@ "documentation":"

Specifies a shape made up of up to 10 Point objects to define a region of interest.

" } }, - "documentation":"

Specifies a location within the frame that Rekognition checks for objects of interest such as text, labels, or faces. It uses a BoundingBox or object or Polygon to set a region of the screen.

A word, face, or label is included in the region if it is more than half in that region. If there is more than one region, the word, face, or label is compared with all regions of the screen. Any object of interest that is more than half in a region is kept in the results.

" + "documentation":"

Specifies a location within the frame that Rekognition checks for objects of interest such as text, labels, or faces. It uses a BoundingBox or Polygon to set a region of the screen.

A word, face, or label is included in the region if it is more than half in that region. If there is more than one region, the word, face, or label is compared with all regions of the screen. Any object of interest that is more than half in a region is kept in the results.

" }, "RegionsOfInterest":{ "type":"list", @@ -5131,7 +5135,11 @@ }, "MinInferenceUnits":{ "shape":"InferenceUnits", - "documentation":"

The minimum number of inference units to use. A single inference unit represents 1 hour of processing and can support up to 5 Transaction Pers Second (TPS). Use a higher number to increase the TPS throughput of your model. You are charged for the number of inference units that you use.

" + "documentation":"

The minimum number of inference units to use. A single inference unit represents 1 hour of processing.

For information about the number of transactions per second (TPS) that an inference unit can support, see Running a trained Amazon Rekognition Custom Labels model in the Amazon Rekognition Custom Labels Guide.

Use a higher number to increase the TPS throughput of your model. You are charged for the number of inference units that you use.

" + }, + "MaxInferenceUnits":{ + "shape":"InferenceUnits", + "documentation":"

The maximum number of inference units to use for auto-scaling the model. If you don't specify a value, Amazon Rekognition Custom Labels doesn't auto-scale the model.

" } } }, diff --git a/botocore/data/securityhub/2018-10-26/service-2.json b/botocore/data/securityhub/2018-10-26/service-2.json index ac9835e698..0e1c2af27e 100644 --- a/botocore/data/securityhub/2018-10-26/service-2.json +++ b/botocore/data/securityhub/2018-10-26/service-2.json @@ -10990,7 +10990,7 @@ "documentation":"

Specifies the ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, RegexMatchSet, GeoMatchSet, and SizeConstraintSet objects that you want to add to a rule and, for each object, indicates whether you want to negate the settings.

" } }, - "documentation":"

Describes the action that AWS WAF should take on a web request when it matches the criteria defined in the rule.

" + "documentation":"

Describes the action that WAF should take on a web request when it matches the criteria defined in the rule.

" }, "AwsWafRegionalRuleGroupRulesDetails":{ "type":"structure", @@ -11085,7 +11085,7 @@ "members":{ "Action":{ "shape":"AwsWafRegionalWebAclRulesListActionDetails", - "documentation":"

The action that AWS WAF takes when a web request matches all conditions in the rule, such as allow, block, or count the request.

" + "documentation":"

The action that WAF takes when a web request matches all conditions in the rule, such as allow, block, or count the request.

" }, "OverrideAction":{ "shape":"AwsWafRegionalWebAclRulesListOverrideActionDetails", @@ -11441,11 +11441,11 @@ }, "ErrorCode":{ "shape":"NonEmptyString", - "documentation":"

The code associated with the error.

" + "documentation":"

The code associated with the error. Possible values are:

  • ConcurrentUpdateError - Another process or request attempted to update the finding while this request was being processed

  • DuplicatedFindingIdentifier - The request included two or more findings with the same FindingIdentifier

  • FindingNotFound - The FindingIdentifier included in the request did not match an existing finding

  • FindingSizeExceeded - The finding size was greater than the permissible value of 240 KB

  • InternalFailure - An internal service failure occurred when updating the finding

  • InvalidInput - The finding update contained an invalid value that did not satisfy the Amazon Web Services Security Finding Format syntax

" }, "ErrorMessage":{ "shape":"NonEmptyString", - "documentation":"

The message associated with the error.

" + "documentation":"

The message associated with the error. Possible values are:

  • Concurrent finding updates detected

  • Finding Identifier is duplicated

  • Finding Not Found

  • Finding size exceeded 240 KB

  • Internal service failure

  • Invalid Input

" } }, "documentation":"

A finding from a BatchUpdateFindings request that Security Hub was unable to update.

" diff --git a/botocore/data/transfer/2018-11-05/paginators-1.json b/botocore/data/transfer/2018-11-05/paginators-1.json index b737abb91d..3fe23dc9f4 100644 --- a/botocore/data/transfer/2018-11-05/paginators-1.json +++ b/botocore/data/transfer/2018-11-05/paginators-1.json @@ -53,6 +53,30 @@ "limit_key": "MaxResults", "output_token": "NextToken", "result_key": "Workflows" + }, + "ListAgreements": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "Agreements" + }, + "ListCertificates": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "Certificates" + }, + "ListConnectors": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "Connectors" + }, + "ListProfiles": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "Profiles" } } } diff --git a/botocore/data/transfer/2018-11-05/service-2.json b/botocore/data/transfer/2018-11-05/service-2.json index 2d47830d15..ceb571b51a 100644 --- a/botocore/data/transfer/2018-11-05/service-2.json +++ b/botocore/data/transfer/2018-11-05/service-2.json @@ -29,7 +29,57 @@ {"shape":"ResourceExistsException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"

Used by administrators to choose which groups in the directory should have access to upload and download files over the enabled protocols using Amazon Web Services Transfer Family. For example, a Microsoft Active Directory might contain 50,000 users, but only a small fraction might need the ability to transfer files to the server. An administrator can use CreateAccess to limit the access to the correct set of users who need this ability.

" + "documentation":"

Used by administrators to choose which groups in the directory should have access to upload and download files over the enabled protocols using Transfer Family. For example, a Microsoft Active Directory might contain 50,000 users, but only a small fraction might need the ability to transfer files to the server. An administrator can use CreateAccess to limit the access to the correct set of users who need this ability.

" + }, + "CreateAgreement":{ + "name":"CreateAgreement", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"CreateAgreementRequest"}, + "output":{"shape":"CreateAgreementResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceExistsException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Creates an agreement. An agreement is a bilateral trading partner agreement, or partnership, between an Transfer Family server and an AS2 process. The agreement defines the file and message transfer relationship between the server and the AS2 process. To define an agreement, Transfer Family combines a server, local profile, partner profile, certificate, and other attributes.

The partner is identified with the PartnerProfileId, and the AS2 process is identified with the LocalProfileId.

" + }, + "CreateConnector":{ + "name":"CreateConnector", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"CreateConnectorRequest"}, + "output":{"shape":"CreateConnectorResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceExistsException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Creates the connector, which captures the parameters for an outbound connection for the AS2 protocol. The connector is required for sending files from a customer's non Amazon Web Services server.

" + }, + "CreateProfile":{ + "name":"CreateProfile", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"CreateProfileRequest"}, + "output":{"shape":"CreateProfileResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Creates the profile for the AS2 process. The agreement is between the partner and the AS2 process.

" }, "CreateServer":{ "name":"CreateServer", @@ -65,7 +115,7 @@ {"shape":"ResourceExistsException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"

Creates a user and associates them with an existing file transfer protocol-enabled server. You can only create and associate users with servers that have the IdentityProviderType set to SERVICE_MANAGED. Using parameters for CreateUser, you can specify the user name, set the home directory, store the user's public key, and assign the user's Amazon Web Services Identity and Access Management (IAM) role. You can also optionally add a session policy, and assign metadata with tags that can be used to group and search for users.

" + "documentation":"

Creates a user and associates them with an existing file transfer protocol-enabled server. You can only create and associate users with servers that have the IdentityProviderType set to SERVICE_MANAGED. Using parameters for CreateUser, you can specify the user name, set the home directory, store the user's public key, and assign the user's Identity and Access Management (IAM) role. You can also optionally add a session policy, and assign metadata with tags that can be used to group and search for users.

" }, "CreateWorkflow":{ "name":"CreateWorkflow", @@ -100,6 +150,66 @@ ], "documentation":"

Allows you to delete the access specified in the ServerID and ExternalID parameters.

" }, + "DeleteAgreement":{ + "name":"DeleteAgreement", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DeleteAgreementRequest"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Delete the agreement that's specified in the provided AgreementId.

" + }, + "DeleteCertificate":{ + "name":"DeleteCertificate", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DeleteCertificateRequest"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Deletes the certificate that's specified in the CertificateId parameter.

" + }, + "DeleteConnector":{ + "name":"DeleteConnector", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DeleteConnectorRequest"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Deletes the agreement that's specified in the provided ConnectorId.

" + }, + "DeleteProfile":{ + "name":"DeleteProfile", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DeleteProfileRequest"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Deletes the profile that's specified in the ProfileId parameter.

" + }, "DeleteServer":{ "name":"DeleteServer", "http":{ @@ -177,7 +287,55 @@ {"shape":"InvalidRequestException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"
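Review bot: The documentation string added for `DeleteConnector` reads "Deletes the agreement that's specified in the provided ConnectorId.", which names the wrong resource type and looks copied from `DeleteAgreement` just above it in the same hunk. Because this text becomes the generated client docstring for a destructive call, it should name the resource actually removed: `Deletes the connector that's specified in the provided ConnectorId.`. The other three delete operations added in this hunk describe their own resource correctly.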

Describes the access that is assigned to the specific file transfer protocol-enabled server, as identified by its ServerId property and its ExternalID.

The response from this call returns the properties of the access that is associated with the ServerId value that was specified.

" + "documentation":"

Describes the access that is assigned to the specific file transfer protocol-enabled server, as identified by its ServerId property and its ExternalId.

The response from this call returns the properties of the access that is associated with the ServerId value that was specified.

" + }, + "DescribeAgreement":{ + "name":"DescribeAgreement", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DescribeAgreementRequest"}, + "output":{"shape":"DescribeAgreementResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Describes the agreement that's identified by the AgreementId.

" + }, + "DescribeCertificate":{ + "name":"DescribeCertificate", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DescribeCertificateRequest"}, + "output":{"shape":"DescribeCertificateResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Describes the certificate that's identified by the CertificateId.

" + }, + "DescribeConnector":{ + "name":"DescribeConnector", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DescribeConnectorRequest"}, + "output":{"shape":"DescribeConnectorResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Describes the connector that's identified by the ConnectorId.

" }, "DescribeExecution":{ "name":"DescribeExecution", @@ -195,6 +353,22 @@ ], "documentation":"

You can use DescribeExecution to check the details of the execution of the specified workflow.

" }, + "DescribeProfile":{ + "name":"DescribeProfile", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DescribeProfileRequest"}, + "output":{"shape":"DescribeProfileResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Returns the details of the profile that's specified by the ProfileId.

" + }, "DescribeSecurityPolicy":{ "name":"DescribeSecurityPolicy", "http":{ @@ -259,6 +433,22 @@ ], "documentation":"

Describes the specified workflow.

" }, + "ImportCertificate":{ + "name":"ImportCertificate", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ImportCertificateRequest"}, + "output":{"shape":"ImportCertificateResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Imports the signing and encryption certificates that you need to create local (AS2) profiles and partner profiles.

" + }, "ImportSshPublicKey":{ "name":"ImportSshPublicKey", "http":{ @@ -294,6 +484,57 @@ ], "documentation":"

Lists the details for all the accesses you have on your server.

" }, + "ListAgreements":{ + "name":"ListAgreements", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListAgreementsRequest"}, + "output":{"shape":"ListAgreementsResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidNextTokenException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Returns a list of the agreements for the server that's identified by the ServerId that you supply. If you want to limit the results to a certain number, supply a value for the MaxResults parameter. If you ran the command previously and received a value for NextToken, you can supply that value to continue listing agreements from where you left off.

" + }, + "ListCertificates":{ + "name":"ListCertificates", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListCertificatesRequest"}, + "output":{"shape":"ListCertificatesResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidNextTokenException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Returns a list of the current certificates that have been imported into Transfer Family. If you want to limit the results to a certain number, supply a value for the MaxResults parameter. If you ran the command previously and received a value for the NextToken parameter, you can supply that value to continue listing certificates from where you left off.

" + }, + "ListConnectors":{ + "name":"ListConnectors", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListConnectorsRequest"}, + "output":{"shape":"ListConnectorsResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidNextTokenException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Lists the connectors for the specified Region.

" + }, "ListExecutions":{ "name":"ListExecutions", "http":{ @@ -311,6 +552,23 @@ ], "documentation":"

Lists all executions for the specified workflow.

" }, + "ListProfiles":{ + "name":"ListProfiles", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListProfilesRequest"}, + "output":{"shape":"ListProfilesResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidNextTokenException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Returns a list of the profiles for your system. If you want to limit the results to a certain number, supply a value for the MaxResults parameter. If you ran the command previously and received a value for NextToken, you can supply that value to continue listing profiles from where you left off.

" + }, "ListSecurityPolicies":{ "name":"ListSecurityPolicies", "http":{ @@ -410,6 +668,23 @@ ], "documentation":"

Sends a callback for asynchronous custom steps.

The ExecutionId, WorkflowId, and Token are passed to the target resource during execution of a custom step of a workflow. You must include those with their callback as well as providing a status.

" }, + "StartFileTransfer":{ + "name":"StartFileTransfer", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"StartFileTransferRequest"}, + "output":{"shape":"StartFileTransferResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ThrottlingException"} + ], + "documentation":"

Begins an outbound file transfer. You specify the ConnectorId and the file paths for where to send the files.

" + }, "StartServer":{ "name":"StartServer", "http":{ @@ -440,7 +715,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"ThrottlingException"} ], - "documentation":"

Changes the state of a file transfer protocol-enabled server from ONLINE to OFFLINE. An OFFLINE server cannot accept and process file transfer jobs. Information tied to your server, such as server and user properties, are not affected by stopping your server.

Stopping the server will not reduce or impact your file transfer protocol endpoint billing; you must delete the server to stop being billed.

The state of STOPPING indicates that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of STOP_FAILED can indicate an error condition.

No response is returned from this call.

" + "documentation":"

Changes the state of a file transfer protocol-enabled server from ONLINE to OFFLINE. An OFFLINE server cannot accept and process file transfer jobs. Information tied to your server, such as server and user properties, are not affected by stopping your server.

Stopping the server does not reduce or impact your file transfer protocol endpoint billing; you must delete the server to stop being billed.

The state of STOPPING indicates that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of STOP_FAILED can indicate an error condition.

No response is returned from this call.

" }, "TagResource":{ "name":"TagResource", @@ -505,6 +780,72 @@ ], "documentation":"

Allows you to update parameters for the access specified in the ServerID and ExternalID parameters.

" }, + "UpdateAgreement":{ + "name":"UpdateAgreement", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"UpdateAgreementRequest"}, + "output":{"shape":"UpdateAgreementResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceExistsException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Updates some of the parameters for an existing agreement. Provide the AgreementId and the ServerId for the agreement that you want to update, along with the new values for the parameters to update.

" + }, + "UpdateCertificate":{ + "name":"UpdateCertificate", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"UpdateCertificateRequest"}, + "output":{"shape":"UpdateCertificateResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Updates the active and inactive dates for a certificate.

" + }, + "UpdateConnector":{ + "name":"UpdateConnector", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"UpdateConnectorRequest"}, + "output":{"shape":"UpdateConnectorResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceExistsException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Updates some of the parameters for an existing connector. Provide the ConnectorId for the connector that you want to update, along with the new values for the parameters to update.

" + }, + "UpdateProfile":{ + "name":"UpdateProfile", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"UpdateProfileRequest"}, + "output":{"shape":"UpdateProfileResponse"}, + "errors":[ + {"shape":"ServiceUnavailableException"}, + {"shape":"InternalServiceError"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"

Updates some of the parameters for an existing profile. Provide the ProfileId for the profile that you want to update, along with the new values for the parameters to update.

" + }, "UpdateServer":{ "name":"UpdateServer", "http":{ @@ -558,22 +899,149 @@ "type":"list", "member":{"shape":"AddressAllocationId"} }, + "AgreementId":{ + "type":"string", + "max":19, + "min":19, + "pattern":"^a-([0-9a-f]{17})$" + }, + "AgreementStatusType":{ + "type":"string", + "enum":[ + "ACTIVE", + "INACTIVE" + ] + }, "Arn":{ "type":"string", "max":1600, "min":20, "pattern":"arn:.*" }, + "As2ConnectorConfig":{ + "type":"structure", + "members":{ + "LocalProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the AS2 process.

" + }, + "PartnerProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the partner for the connector.

" + }, + "MessageSubject":{ + "shape":"MessageSubject", + "documentation":"

A short description to help identify the connector.

" + }, + "Compression":{ + "shape":"CompressionEnum", + "documentation":"

Specifies whether the AS2 file is compressed.

" + }, + "EncryptionAlgorithm":{ + "shape":"EncryptionAlg", + "documentation":"

The algorithm that is used to encrypt the file.

" + }, + "SigningAlgorithm":{ + "shape":"SigningAlg", + "documentation":"

The algorithm that is used to sign the AS2 transfers for this partner profile.

" + }, + "MdnSigningAlgorithm":{ + "shape":"MdnSigningAlg", + "documentation":"

The signing algorithm for the MDN response.

" + }, + "MdnResponse":{ + "shape":"MdnResponse", + "documentation":"

Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

  • SYNC: The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

  • NONE: Specifies that no MDN response is required.

" + } + }, + "documentation":"

Contains the details for a connector object. The connector object is used for AS2 outbound processes, to connect the Transfer Family customer with the trading partner.

" + }, + "As2Id":{ + "type":"string", + "max":128, + "min":1, + "pattern":"^[\\p{Print}\\s]*" + }, + "As2Transport":{ + "type":"string", + "enum":["HTTP"] + }, + "As2Transports":{ + "type":"list", + "member":{"shape":"As2Transport"}, + "max":1, + "min":1 + }, "CallbackToken":{ "type":"string", "max":64, "min":1, "pattern":"\\w+" }, + "CertDate":{"type":"timestamp"}, + "CertSerial":{ + "type":"string", + "max":48, + "min":0, + "pattern":"^[\\p{XDigit}{2}:?]*" + }, "Certificate":{ "type":"string", "max":1600 }, + "CertificateBodyType":{ + "type":"string", + "max":16384, + "min":1, + "pattern":"^[\\u0009\\u000A\\u000D\\u0020-\\u00FF]*", + "sensitive":true + }, + "CertificateChainType":{ + "type":"string", + "max":2097152, + "min":1, + "pattern":"^[\\u0009\\u000A\\u000D\\u0020-\\u00FF]*", + "sensitive":true + }, + "CertificateId":{ + "type":"string", + "max":22, + "min":22, + "pattern":"^cert-([0-9a-f]{17})$" + }, + "CertificateIds":{ + "type":"list", + "member":{"shape":"CertificateId"} + }, + "CertificateStatusType":{ + "type":"string", + "enum":[ + "ACTIVE", + "PENDING_ROTATION", + "INACTIVE" + ] + }, + "CertificateType":{ + "type":"string", + "enum":[ + "CERTIFICATE", + "CERTIFICATE_WITH_PRIVATE_KEY" + ] + }, + "CertificateUsageType":{ + "type":"string", + "enum":[ + "SIGNING", + "ENCRYPTION" + ] + }, + "CompressionEnum":{ + "type":"string", + "enum":[ + "ZLIB", + "DISABLED" + ] + }, "ConflictException":{ "type":"structure", "required":["Message"], @@ -583,6 +1051,12 @@ "documentation":"
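Review bot: The `CertSerial` pattern `^[\\p{XDigit}{2}:?]*` is a single character class, so `{`, `2`, `}` and `?` are literal members rather than quantifiers, and with no trailing `$` it does not constrain the end of the value. It therefore accepts far more than colon-separated hex byte pairs, which is presumably what was meant; `"pattern":"^(\\p{XDigit}{2}:?)*$"` would express that. `As2Id`, `CertificateBodyType` and `CertificateChainType` in the same hunk also omit the closing `$`. Wherever these patterns are enforced (not visible in this diff), they are looser than they read, so consumers of the model should not rely on them as input validation for certificate or AS2 identifier fields.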

This exception is thrown when the UpdateServer is called for a file transfer protocol-enabled server that has VPC as the endpoint type and the server's VpcEndpointID is not in the available state.

", "exception":true }, + "ConnectorId":{ + "type":"string", + "max":19, + "min":19, + "pattern":"^c-([0-9a-f]{17})$" + }, "CopyStepDetails":{ "type":"structure", "members":{ @@ -602,62 +1076,191 @@ "shape":"SourceFileLocation", "documentation":"

Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow.

  • Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value.

  • Enter ${original.file} to use the originally-uploaded file location as input for this step.

" } - }, - "documentation":"

Each step type has its own StepDetails structure.

" + }, + "documentation":"

Each step type has its own StepDetails structure.

" + }, + "CreateAccessRequest":{ + "type":"structure", + "required":[ + "Role", + "ServerId", + "ExternalId" + ], + "members":{ + "HomeDirectory":{ + "shape":"HomeDirectory", + "documentation":"

The landing directory (folder) for a user when they log in to the server using the client.

A HomeDirectory example is /bucket_name/home/mydirectory.

" + }, + "HomeDirectoryType":{ + "shape":"HomeDirectoryType", + "documentation":"

The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or Amazon EFS paths visible to your users.

" + }, + "HomeDirectoryMappings":{ + "shape":"HomeDirectoryMappings", + "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Identity and Access Management (IAM) role provides access to paths in Target. This value can be set only when HomeDirectoryType is set to LOGICAL.

The following is an Entry and Target pair example.

[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

In most cases, you can use this value instead of the session policy to lock down your user to the designated home directory (\"chroot\"). To do this, you can set Entry to / and set Target to the HomeDirectory parameter value.

The following is an Entry and Target pair example for chroot.

[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

" + }, + "Policy":{ + "shape":"Policy", + "documentation":"

A session policy for your user so that you can use the same Identity and Access Management (IAM) role across multiple users. This policy scopes down a user's access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

This policy applies only when the domain of ServerId is Amazon S3. Amazon EFS does not use session policies.

For session policies, Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a session policy, see Example session policy.

For more information, see AssumeRole in the Security Token Service API Reference.

" + }, + "PosixProfile":{"shape":"PosixProfile"}, + "Role":{ + "shape":"Role", + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" + }, + "ServerId":{ + "shape":"ServerId", + "documentation":"

A system-assigned unique identifier for a server instance. This is the specific server that you added your user to.

" + }, + "ExternalId":{ + "shape":"ExternalId", + "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regular expression used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + } + } + }, + "CreateAccessResponse":{ + "type":"structure", + "required":[ + "ServerId", + "ExternalId" + ], + "members":{ + "ServerId":{ + "shape":"ServerId", + "documentation":"

The ID of the server that the user is attached to.

" + }, + "ExternalId":{ + "shape":"ExternalId", + "documentation":"

The external ID of the group whose users have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Transfer Family.

" + } + } + }, + "CreateAgreementRequest":{ + "type":"structure", + "required":[ + "ServerId", + "LocalProfileId", + "PartnerProfileId", + "BaseDirectory", + "AccessRole" + ], + "members":{ + "Description":{ + "shape":"Description", + "documentation":"

A name or short description to identify the agreement.

" + }, + "ServerId":{ + "shape":"ServerId", + "documentation":"

A system-assigned unique identifier for a server instance. This is the specific server that the agreement uses.

" + }, + "LocalProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the AS2 local profile.

" + }, + "PartnerProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the partner profile used in the agreement.

" + }, + "BaseDirectory":{ + "shape":"HomeDirectory", + "documentation":"

The landing directory (folder) for files transferred by using the AS2 protocol.

A BaseDirectory example is /DOC-EXAMPLE-BUCKET/home/mydirectory .

" + }, + "AccessRole":{ + "shape":"Role", + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that grants access to at least the HomeDirectory of your users' Amazon S3 buckets.

" + }, + "Status":{ + "shape":"AgreementStatusType", + "documentation":"

The status of the agreement. The agreement can be either ACTIVE or INACTIVE.

" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

Key-value pairs that can be used to group and search for agreements.

" + } + } + }, + "CreateAgreementResponse":{ + "type":"structure", + "required":["AgreementId"], + "members":{ + "AgreementId":{ + "shape":"AgreementId", + "documentation":"

The unique identifier for the agreement. Use this ID for deleting, or updating an agreement, as well as in any other API calls that require that you specify the agreement ID.

" + } + } }, - "CreateAccessRequest":{ + "CreateConnectorRequest":{ "type":"structure", "required":[ - "Role", - "ServerId", - "ExternalId" + "Url", + "As2Config", + "AccessRole" ], "members":{ - "HomeDirectory":{ - "shape":"HomeDirectory", - "documentation":"

The landing directory (folder) for a user when they log in to the server using the client.

A HomeDirectory example is /bucket_name/home/mydirectory.

" - }, - "HomeDirectoryType":{ - "shape":"HomeDirectoryType", - "documentation":"

The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or EFS paths visible to your users.

" - }, - "HomeDirectoryMappings":{ - "shape":"HomeDirectoryMappings", - "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Amazon Web Services Identity and Access Management (IAM) role provides access to paths in Target. This value can only be set when HomeDirectoryType is set to LOGICAL.

The following is an Entry and Target pair example.

[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

In most cases, you can use this value instead of the session policy to lock down your user to the designated home directory (\"chroot\"). To do this, you can set Entry to / and set Target to the HomeDirectory parameter value.

The following is an Entry and Target pair example for chroot.

[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

" + "Url":{ + "shape":"Url", + "documentation":"

The URL of the partner's AS2 endpoint.

" }, - "Policy":{ - "shape":"Policy", - "documentation":"

A session policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

This only applies when the domain of ServerId is S3. EFS does not use session policies.

For session policies, Amazon Web Services Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a session policy, see Example session policy.

For more information, see AssumeRole in the Amazon Web Services Security Token Service API Reference.

" + "As2Config":{ + "shape":"As2ConnectorConfig", + "documentation":"

A structure that contains the parameters for a connector object.

" }, - "PosixProfile":{"shape":"PosixProfile"}, - "Role":{ + "AccessRole":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" + "documentation":"

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

" }, - "ServerId":{ - "shape":"ServerId", - "documentation":"

A system-assigned unique identifier for a server instance. This is the specific server that you added your user to.

" + "LoggingRole":{ + "shape":"Role", + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

" }, - "ExternalId":{ - "shape":"ExternalId", - "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Amazon Web Services Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + "Tags":{ + "shape":"Tags", + "documentation":"

Key-value pairs that can be used to group and search for connectors. Tags are metadata attached to connectors for any purpose.

" } } }, - "CreateAccessResponse":{ + "CreateConnectorResponse":{ + "type":"structure", + "required":["ConnectorId"], + "members":{ + "ConnectorId":{ + "shape":"ConnectorId", + "documentation":"

The unique identifier for the connector, returned after the API call succeeds.

" + } + } + }, + "CreateProfileRequest":{ "type":"structure", "required":[ - "ServerId", - "ExternalId" + "As2Id", + "ProfileType" ], "members":{ - "ServerId":{ - "shape":"ServerId", - "documentation":"

The ID of the server that the user is attached to.

" + "As2Id":{ + "shape":"As2Id", + "documentation":"

The As2Id is the AS2-name, as defined in the defined in the RFC 4130. For inbound transfers, this is the AS2-From header for the AS2 messages sent from the partner. For outbound connectors, this is the AS2-To header for the AS2 messages sent to the partner using the StartFileTransfer API operation. This ID cannot include spaces.

" }, - "ExternalId":{ - "shape":"ExternalId", - "documentation":"

The external ID of the group whose users have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Amazon Web Services Transfer Family.

" + "ProfileType":{ + "shape":"ProfileType", + "documentation":"

Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.

" + }, + "CertificateIds":{ + "shape":"CertificateIds", + "documentation":"

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

Key-value pairs that can be used to group and search for AS2 profiles.

" + } + } + }, + "CreateProfileResponse":{ + "type":"structure", + "required":["ProfileId"], + "members":{ + "ProfileId":{ + "shape":"ProfileId", + "documentation":"

The unique identifier for the AS2 profile, returned after the API call succeeds.

" } } }, @@ -666,7 +1269,7 @@ "members":{ "Certificate":{ "shape":"Certificate", - "documentation":"
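Review bot: In the added `CreateProfileRequest` shape, the `ProfileType` documentation ("Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.") describes a list filter, yet the same shape names `ProfileType` under `required`. I would replace it with `Specifies whether the profile being created is a LOCAL or a PARTNER profile.` In the same hunk, the `As2Id` text repeats "as defined in the defined in the RFC 4130". `CreateAgreementRequest.AccessRole` refers to "the HomeDirectory of your users' Amazon S3 buckets" although the member that carries the path is `BaseDirectory`; operators scope the IAM role from that sentence, so it should name `BaseDirectory`. If this model file is generated from the service definition, the wording has to be corrected there rather than here.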

The Amazon Resource Name (ARN) of the Amazon Web Services Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS.

To request a new public certificate, see Request a public certificate in the Amazon Web Services Certificate Manager User Guide.

To import an existing certificate into ACM, see Importing certificates into ACM in the Amazon Web Services Certificate Manager User Guide.

To request a private certificate to use FTPS through private IP addresses, see Request a private certificate in the Amazon Web Services Certificate Manager User Guide.

Certificates with the following cryptographic algorithms and key sizes are supported:

  • 2048-bit RSA (RSA_2048)

  • 4096-bit RSA (RSA_4096)

  • Elliptic Prime Curve 256 bit (EC_prime256v1)

  • Elliptic Prime Curve 384 bit (EC_secp384r1)

  • Elliptic Prime Curve 521 bit (EC_secp521r1)

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

" + "documentation":"

The Amazon Resource Name (ARN) of the Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS.

To request a new public certificate, see Request a public certificate in the Certificate Manager User Guide.

To import an existing certificate into ACM, see Importing certificates into ACM in the Certificate Manager User Guide.

To request a private certificate to use FTPS through private IP addresses, see Request a private certificate in the Certificate Manager User Guide.

Certificates with the following cryptographic algorithms and key sizes are supported:

  • 2048-bit RSA (RSA_2048)

  • 4096-bit RSA (RSA_4096)

  • Elliptic Prime Curve 256 bit (EC_prime256v1)

  • Elliptic Prime Curve 384 bit (EC_secp384r1)

  • Elliptic Prime Curve 521 bit (EC_secp521r1)

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

" }, "Domain":{ "shape":"Domain", @@ -674,7 +1277,7 @@ }, "EndpointDetails":{ "shape":"EndpointDetails", - "documentation":"

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IP addresses and make it accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

" + "documentation":"

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make your endpoint accessible only to resources within your VPC, or you can attach Elastic IP addresses and make your endpoint accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

" }, "EndpointType":{ "shape":"EndpointType", @@ -682,7 +1285,7 @@ }, "HostKey":{ "shape":"HostKey", - "documentation":"

The RSA, ECDSA, or ED25519 private key to use for your server.

Use the following command to generate an RSA 2048 bit key with no passphrase:

ssh-keygen -t rsa -b 2048 -N \"\" -m PEM -f my-new-server-key.

Use a minimum value of 2048 for the -b option: you can create a stronger key using 3072 or 4096.

Use the following command to generate an ECDSA 256 bit key with no passphrase:

ssh-keygen -t ecdsa -b 256 -N \"\" -m PEM -f my-new-server-key.

Valid values for the -b option for ECDSA are 256, 384, and 521.

Use the following command to generate an ED25519 key with no passphrase:

ssh-keygen -t ed25519 -N \"\" -f my-new-server-key.

For all of these commands, you can replace my-new-server-key with a string of your choice.

If you aren't planning to migrate existing users from an existing SFTP-enabled server to a new server, don't update the host key. Accidentally changing a server's host key can be disruptive.

For more information, see Change the host key for your SFTP-enabled server in the Amazon Web Services Transfer Family User Guide.

" + "documentation":"

The RSA, ECDSA, or ED25519 private key to use for your server.

Use the following command to generate an RSA 2048 bit key with no passphrase:

ssh-keygen -t rsa -b 2048 -N \"\" -m PEM -f my-new-server-key.

Use a minimum value of 2048 for the -b option. You can create a stronger key by using 3072 or 4096.

Use the following command to generate an ECDSA 256 bit key with no passphrase:

ssh-keygen -t ecdsa -b 256 -N \"\" -m PEM -f my-new-server-key.

Valid values for the -b option for ECDSA are 256, 384, and 521.

Use the following command to generate an ED25519 key with no passphrase:

ssh-keygen -t ed25519 -N \"\" -f my-new-server-key.

For all of these commands, you can replace my-new-server-key with a string of your choice.

If you aren't planning to migrate existing users from an existing SFTP-enabled server to a new server, don't update the host key. Accidentally changing a server's host key can be disruptive.

For more information, see Change the host key for your SFTP-enabled server in the Transfer Family User Guide.

" }, "IdentityProviderDetails":{ "shape":"IdentityProviderDetails", @@ -690,27 +1293,27 @@ }, "IdentityProviderType":{ "shape":"IdentityProviderType", - "documentation":"

Specifies the mode of authentication for a server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the Amazon Web Services Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in Amazon Web Services Managed Active Directory or Microsoft Active Directory in your on-premises environment or in Amazon Web Services using AD Connectors. This option also requires you to provide a Directory ID using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an API Gateway endpoint URL to call for authentication using the IdentityProviderDetails parameter.

Use the AWS_LAMBDA value to directly use a Lambda function as your identity provider. If you choose this value, you must specify the ARN for the lambda function in the Function parameter for the IdentityProviderDetails data type.

" + "documentation":"

The mode of authentication for a server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in Directory Service for Microsoft Active Directory or Microsoft Active Directory in your on-premises environment or in Amazon Web Services using AD Connector. This option also requires you to provide a Directory ID by using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an Amazon API Gateway endpoint URL to call for authentication by using the IdentityProviderDetails parameter.

Use the AWS_LAMBDA value to directly use an Lambda function as your identity provider. If you choose this value, you must specify the ARN for the Lambda function in the Function parameter or the IdentityProviderDetails data type.

" }, "LoggingRole":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the Amazon Web Services Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFS events. When set, user activity can be viewed in your CloudWatch logs.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.

" }, "PostAuthenticationLoginBanner":{ "shape":"PostAuthenticationLoginBanner", - "documentation":"

Specify a string to display when users connect to a server. This string is displayed after the user authenticates.

The SFTP protocol does not support post-authentication display banners.

" + "documentation":"

Specifies a string to display when users connect to a server. This string is displayed after the user authenticates.

The SFTP protocol does not support post-authentication display banners.

" }, "PreAuthenticationLoginBanner":{ "shape":"PreAuthenticationLoginBanner", - "documentation":"

Specify a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system.

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

" + "documentation":"

Specifies a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

" }, "Protocols":{ "shape":"Protocols", - "documentation":"

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. The available protocols are:

  • SFTP (Secure Shell (SSH) File Transfer Protocol): File transfer over SSH

  • FTPS (File Transfer Protocol Secure): File transfer with TLS encryption

  • FTP (File Transfer Protocol): Unencrypted file transfer

If you select FTPS, you must choose a certificate stored in Amazon Web Services Certificate Manager (ACM) which is used to identify your server when clients connect to it over FTPS.

If Protocol includes either FTP or FTPS, then the EndpointType must be VPC and the IdentityProviderType must be AWS_DIRECTORY_SERVICE or API_GATEWAY.

If Protocol includes FTP, then AddressAllocationIds cannot be associated.

If Protocol is set only to SFTP, the EndpointType can be set to PUBLIC and the IdentityProviderType can be set to SERVICE_MANAGED.

" + "documentation":"

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. The available protocols are:

  • SFTP (Secure Shell (SSH) File Transfer Protocol): File transfer over SSH

  • FTPS (File Transfer Protocol Secure): File transfer with TLS encryption

  • FTP (File Transfer Protocol): Unencrypted file transfer

  • AS2 (Applicability Statement 2): used for transporting structured business-to-business data

  • If you select FTPS, you must choose a certificate stored in Certificate Manager (ACM) which is used to identify your server when clients connect to it over FTPS.

  • If Protocol includes either FTP or FTPS, then the EndpointType must be VPC and the IdentityProviderType must be AWS_DIRECTORY_SERVICE or API_GATEWAY.

  • If Protocol includes FTP, then AddressAllocationIds cannot be associated.

  • If Protocol is set only to SFTP, the EndpointType can be set to PUBLIC and the IdentityProviderType can be set to SERVICE_MANAGED.

  • If Protocol includes AS2, then the EndpointType must be VPC, and domain must be Amazon S3.

" }, "ProtocolDetails":{ "shape":"ProtocolDetails", - "documentation":"

The protocol settings that are configured for your server.

  • Use the PassiveIp parameter to indicate passive mode (for FTP and FTPS protocols). Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer.

  • Use the SetStatOption to ignore the error that is generated when the client attempts to use SETSTAT on a file you are uploading to an S3 bucket. Set the value to ENABLE_NO_OP to have the Transfer Family server ignore the SETSTAT command, and upload files without needing to make any changes to your SFTP client. Note that with SetStatOption set to ENABLE_NO_OP, Transfer generates a log entry to CloudWatch Logs, so you can determine when the client is making a SETSTAT call.

  • Use the TlsSessionResumptionMode parameter to determine whether or not your Transfer server resumes recent, negotiated sessions through a unique session ID.

" + "documentation":"

The protocol settings that are configured for your server.

  • To indicate passive mode (for FTP and FTPS protocols), use the PassiveIp parameter. Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer.

  • To ignore the error that is generated when the client attempts to use the SETSTAT command on a file that you are uploading to an Amazon S3 bucket, use the SetStatOption parameter. To have the Transfer Family server ignore the SETSTAT command and upload files without needing to make any changes to your SFTP client, set the value to ENABLE_NO_OP. If you set the SetStatOption parameter to ENABLE_NO_OP, Transfer Family generates a log entry to Amazon CloudWatch Logs, so that you can determine when the client is making a SETSTAT call.

  • To determine whether your Transfer Family server resumes recent, negotiated sessions through a unique session ID, use the TlsSessionResumptionMode parameter.

  • As2Transports indicates the transport method for the AS2 messages. Currently, only HTTP is supported.

" }, "SecurityPolicyName":{ "shape":"SecurityPolicyName", @@ -722,7 +1325,7 @@ }, "WorkflowDetails":{ "shape":"WorkflowDetails", - "documentation":"
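Review bot: The new `IdentityProviderType` text for `AWS_LAMBDA` says the function ARN goes "in the Function parameter or the IdentityProviderDetails data type", where the removed line said "for". `Function` is presumably a member of `IdentityProviderDetails`, so "or" wrongly suggests two alternative places; keep `in the Function parameter for the IdentityProviderDetails data type`. The same hunk introduces "an Lambda function" and, in `LoggingRole`, "Amazon EFSevents" (missing space). In `ProtocolDetails`, the added bullet "Currently, only HTTP is supported" for `As2Transports` would benefit from one sentence saying whether message confidentiality then depends on AS2-level encryption, which the visible text does not state.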

Specifies the workflow ID for the workflow to assign and the execution role used for executing the workflow.

" + "documentation":"

Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

" } } }, @@ -750,15 +1353,15 @@ }, "HomeDirectoryType":{ "shape":"HomeDirectoryType", - "documentation":"

The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or EFS paths visible to your users.

" + "documentation":"

The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or Amazon EFS paths visible to your users.

" }, "HomeDirectoryMappings":{ "shape":"HomeDirectoryMappings", - "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Amazon Web Services Identity and Access Management (IAM) role provides access to paths in Target. This value can only be set when HomeDirectoryType is set to LOGICAL.

The following is an Entry and Target pair example.

[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

In most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set Entry to / and set Target to the HomeDirectory parameter value.

The following is an Entry and Target pair example for chroot.

[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

" + "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Identity and Access Management (IAM) role provides access to paths in Target. This value can be set only when HomeDirectoryType is set to LOGICAL.

The following is an Entry and Target pair example.

[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

In most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set Entry to / and set Target to the HomeDirectory parameter value.

The following is an Entry and Target pair example for chroot.

[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

" }, "Policy":{ "shape":"Policy", - "documentation":"

A session policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

This only applies when the domain of ServerId is S3. EFS does not use session policies.

For session policies, Amazon Web Services Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a session policy, see Example session policy.

For more information, see AssumeRole in the Amazon Web Services Security Token Service API Reference.

" + "documentation":"

A session policy for your user so that you can use the same Identity and Access Management (IAM) role across multiple users. This policy scopes down a user's access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

This policy applies only when the domain of ServerId is Amazon S3. Amazon EFS does not use session policies.

For session policies, Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a session policy, see Example session policy.

For more information, see AssumeRole in the Amazon Web Services Security Token Service API Reference.

" }, "PosixProfile":{ "shape":"PosixProfile", @@ -766,7 +1369,7 @@ }, "Role":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" }, "ServerId":{ "shape":"ServerId", @@ -813,7 +1416,7 @@ }, "Steps":{ "shape":"WorkflowSteps", - "documentation":"

Specifies the details for the steps that are in the specified workflow.

The TYPE specifies which of the following actions is being taken for this step.

  • COPY: copy the file to another location

  • CUSTOM: custom step with a lambda target

  • DELETE: delete the file

  • TAG: add a tag to the file

Currently, copying and tagging are supported only on S3.

For file location, you specify either the S3 bucket and key, or the EFS filesystem ID and path.

" + "documentation":"

Specifies the details for the steps that are in the specified workflow.

The TYPE specifies which of the following actions is being taken for this step.

  • COPY: Copy the file to another location.

  • CUSTOM: Perform a custom step with an Lambda function target.

  • DELETE: Delete the file.

  • TAG: Add a tag to the file.

Currently, copying and tagging are supported only on S3.

For file location, you specify either the S3 bucket and key, or the EFS file system ID and path.

" }, "OnExceptionSteps":{ "shape":"WorkflowSteps", @@ -888,7 +1491,54 @@ }, "ExternalId":{ "shape":"ExternalId", - "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Amazon Web Services Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regular expression used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + } + } + }, + "DeleteAgreementRequest":{ + "type":"structure", + "required":[ + "AgreementId", + "ServerId" + ], + "members":{ + "AgreementId":{ + "shape":"AgreementId", + "documentation":"

A unique identifier for the agreement. This identifier is returned when you create an agreement.

" + }, + "ServerId":{ + "shape":"ServerId", + "documentation":"

The server ID associated with the agreement that you are deleting.

" + } + } + }, + "DeleteCertificateRequest":{ + "type":"structure", + "required":["CertificateId"], + "members":{ + "CertificateId":{ + "shape":"CertificateId", + "documentation":"

The ID of the certificate object that you are deleting.

" + } + } + }, + "DeleteConnectorRequest":{ + "type":"structure", + "required":["ConnectorId"], + "members":{ + "ConnectorId":{ + "shape":"ConnectorId", + "documentation":"

The unique identifier for the connector.

" + } + } + }, + "DeleteProfileRequest":{ + "type":"structure", + "required":["ProfileId"], + "members":{ + "ProfileId":{ + "shape":"ProfileId", + "documentation":"

The ID of the profile that you are deleting.

" } } }, @@ -978,7 +1628,7 @@ }, "ExternalId":{ "shape":"ExternalId", - "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Amazon Web Services Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regular expression used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" } } }, @@ -999,6 +1649,73 @@ } } }, + "DescribeAgreementRequest":{ + "type":"structure", + "required":[ + "AgreementId", + "ServerId" + ], + "members":{ + "AgreementId":{ + "shape":"AgreementId", + "documentation":"

A unique identifier for the agreement. This identifier is returned when you create an agreement.

" + }, + "ServerId":{ + "shape":"ServerId", + "documentation":"

The server ID that's associated with the agreement.

" + } + } + }, + "DescribeAgreementResponse":{ + "type":"structure", + "required":["Agreement"], + "members":{ + "Agreement":{ + "shape":"DescribedAgreement", + "documentation":"

The details for the specified agreement, returned as a DescribedAgreement object.

" + } + } + }, + "DescribeCertificateRequest":{ + "type":"structure", + "required":["CertificateId"], + "members":{ + "CertificateId":{ + "shape":"CertificateId", + "documentation":"

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

" + } + } + }, + "DescribeCertificateResponse":{ + "type":"structure", + "required":["Certificate"], + "members":{ + "Certificate":{ + "shape":"DescribedCertificate", + "documentation":"

The details for the specified certificate, returned as an object.

" + } + } + }, + "DescribeConnectorRequest":{ + "type":"structure", + "required":["ConnectorId"], + "members":{ + "ConnectorId":{ + "shape":"ConnectorId", + "documentation":"

The unique identifier for the connector.

" + } + } + }, + "DescribeConnectorResponse":{ + "type":"structure", + "required":["Connector"], + "members":{ + "Connector":{ + "shape":"DescribedConnector", + "documentation":"

The structure that contains the details of the connector.

" + } + } + }, "DescribeExecutionRequest":{ "type":"structure", "required":[ @@ -1033,6 +1750,26 @@ } } }, + "DescribeProfileRequest":{ + "type":"structure", + "required":["ProfileId"], + "members":{ + "ProfileId":{ + "shape":"ProfileId", + "documentation":"
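Review bot: The documentation for `CertificateId` in `DescribeCertificateRequest` calls it "An array of identifiers for the imported certificates", but the member is a single required `CertificateId`, so the generated SDK reference will describe a list where one identifier is expected. The same sentence is reused for `CertificateId` in `DescribedCertificate` in the later `@@ -1136,28 +1873,173 @@` hunk. Wording such as `The identifier of the certificate that you want described.` would match the shape and mirror the phrasing already used for `ProfileId` in `DescribeProfileRequest`.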

The identifier of the profile that you want described.

" + } + } + }, + "DescribeProfileResponse":{ + "type":"structure", + "required":["Profile"], + "members":{ + "Profile":{ + "shape":"DescribedProfile", + "documentation":"

The details of the specified profile, returned as an object.

" + } + } + }, "DescribeSecurityPolicyRequest":{ "type":"structure", "required":["SecurityPolicyName"], @@ -1086,7 +1823,7 @@ }, "UserName":{ "shape":"UserName", - "documentation":"

The name of the user assigned to one or more servers. User names are part of the sign-in credentials to use the Amazon Web Services Transfer Family service and perform file transfer tasks.

" + "documentation":"

The name of the user assigned to one or more servers. User names are part of the sign-in credentials to use the Transfer Family service and perform file transfer tasks.

" } } }, @@ -1136,28 +1873,173 @@ }, "HomeDirectoryMappings":{ "shape":"HomeDirectoryMappings", - "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Amazon Web Services Identity and Access Management (IAM) role provides access to paths in Target. This value can only be set when HomeDirectoryType is set to LOGICAL.

In most cases, you can use this value instead of the session policy to lock down the associated access to the designated home directory (\"chroot\"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

" + "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Identity and Access Management (IAM) role provides access to paths in Target. This value can be set only when HomeDirectoryType is set to LOGICAL.

In most cases, you can use this value instead of the session policy to lock down the associated access to the designated home directory (\"chroot\"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

" }, "HomeDirectoryType":{ "shape":"HomeDirectoryType", - "documentation":"

The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or EFS paths visible to your users.

" + "documentation":"

The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or Amazon EFS paths visible to your users.

" }, "Policy":{ "shape":"Policy", - "documentation":"

A session policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

" + "documentation":"

A session policy for your user so that you can use the same Identity and Access Management (IAM) role across multiple users. This policy scopes down a user's access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

" }, "PosixProfile":{"shape":"PosixProfile"}, "Role":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" }, "ExternalId":{ "shape":"ExternalId", - "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Amazon Web Services Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regular expression used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" } }, "documentation":"

Describes the properties of the access that was specified.

" }, + "DescribedAgreement":{ + "type":"structure", + "required":["Arn"], + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"

The unique Amazon Resource Name (ARN) for the agreement.

" + }, + "AgreementId":{ + "shape":"AgreementId", + "documentation":"

A unique identifier for the agreement. This identifier is returned when you create an agreement.

" + }, + "Description":{ + "shape":"Description", + "documentation":"

The name or short description that's used to identify the agreement.

" + }, + "Status":{ + "shape":"AgreementStatusType", + "documentation":"

The current status of the agreement, either ACTIVE or INACTIVE.

" + }, + "ServerId":{ + "shape":"ServerId", + "documentation":"

A system-assigned unique identifier for a server instance. This identifier indicates the specific server that the agreement uses.

" + }, + "LocalProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the AS2 process.

" + }, + "PartnerProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the partner in the agreement.

" + }, + "BaseDirectory":{ + "shape":"HomeDirectory", + "documentation":"

The landing directory (folder) for files that are transferred by using the AS2 protocol.

" + }, + "AccessRole":{ + "shape":"Role", + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that grants access to at least the HomeDirectory of your users' Amazon S3 buckets.

" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

Key-value pairs that can be used to group and search for agreements.

" + } + }, + "documentation":"

Describes the properties of an agreement.

" + }, + "DescribedCertificate":{ + "type":"structure", + "required":["Arn"], + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"

The unique Amazon Resource Name (ARN) for the certificate.

" + }, + "CertificateId":{ + "shape":"CertificateId", + "documentation":"

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

" + }, + "Usage":{ + "shape":"CertificateUsageType", + "documentation":"

Specifies whether this certificate is used for signing or encryption.

" + }, + "Status":{ + "shape":"CertificateStatusType", + "documentation":"

The certificate can be either ACTIVE, PENDING_ROTATION, or INACTIVE. PENDING_ROTATION means that this certificate will replace the current certificate when it expires.

" + }, + "Certificate":{ + "shape":"CertificateBodyType", + "documentation":"

The file name for the certificate.

" + }, + "CertificateChain":{ + "shape":"CertificateChainType", + "documentation":"

The list of certificates that make up the chain for the certificate.

" + }, + "ActiveDate":{ + "shape":"CertDate", + "documentation":"

An optional date that specifies when the certificate becomes active.

" + }, + "InactiveDate":{ + "shape":"CertDate", + "documentation":"

An optional date that specifies when the certificate becomes inactive.

" + }, + "Serial":{ + "shape":"CertSerial", + "documentation":"

The serial number for the certificate.

" + }, + "NotBeforeDate":{ + "shape":"CertDate", + "documentation":"

The earliest date that the certificate is valid.

" + }, + "NotAfterDate":{ + "shape":"CertDate", + "documentation":"

The final date that the certificate is valid.

" + }, + "Type":{ + "shape":"CertificateType", + "documentation":"

If a private key has been specified for the certificate, its type is CERTIFICATE_WITH_PRIVATE_KEY. If there is no private key, the type is CERTIFICATE.

" + }, + "Description":{ + "shape":"Description", + "documentation":"

The name or description that's used to identity the certificate.

" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

Key-value pairs that can be used to group and search for certificates.

" + } + }, + "documentation":"

Describes the properties of a certificate.

" + }, + "DescribedConnector":{ + "type":"structure", + "required":["Arn"], + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"

The unique Amazon Resource Name (ARN) for the connector.

" + }, + "ConnectorId":{ + "shape":"ConnectorId", + "documentation":"

The unique identifier for the connector.

" + }, + "Url":{ + "shape":"Url", + "documentation":"

The URL of the partner's AS2 endpoint.

" + }, + "As2Config":{ + "shape":"As2ConnectorConfig", + "documentation":"

A structure that contains the parameters for a connector object.

" + }, + "AccessRole":{ + "shape":"Role", + "documentation":"

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

" + }, + "LoggingRole":{ + "shape":"Role", + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

Key-value pairs that can be used to group and search for connectors.

" + } + }, + "documentation":"

Describes the parameters for the connector, as identified by the ConnectorId.

" + }, "DescribedExecution":{ "type":"structure", "members":{ @@ -1171,7 +2053,7 @@ }, "ServiceMetadata":{ "shape":"ServiceMetadata", - "documentation":"
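Review bot: In `DescribedCertificate`, the `Certificate` member uses the shape `CertificateBodyType` but is documented as "The file name for the certificate", which suggests that the response carries a name rather than certificate content. The shape definition is outside this hunk, so this is inferred from the shape name only; if it does hold the body, the text should say so, for example `The body of the certificate.`. In the same structure, "used to identity the certificate" under `Description` should read `identify`. In `DescribedConnector`, the `AccessRole` text explains the required read and write access but never states that the value is an IAM role ARN, unlike `AccessRole` in `DescribedAgreement`.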

A container object for the session details associated with a workflow.

" + "documentation":"

A container object for the session details that are associated with a workflow.

" }, "ExecutionRole":{ "shape":"Role", @@ -1193,6 +2075,37 @@ }, "documentation":"

The details for an execution object.

" }, + "DescribedProfile":{ + "type":"structure", + "required":["Arn"], + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"

The unique Amazon Resource Name (ARN) for the profile.

" + }, + "ProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the local or partner AS2 profile.

" + }, + "ProfileType":{ + "shape":"ProfileType", + "documentation":"

Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.

" + }, + "As2Id":{ + "shape":"As2Id", + "documentation":"

The unique identifier for the AS2 process.

" + }, + "CertificateIds":{ + "shape":"CertificateIds", + "documentation":"

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

Key-value pairs that can be used to group and search for profiles.

" + } + }, + "documentation":"

The details for a local or partner AS2 profile. profile.

" + }, "DescribedSecurityPolicy":{ "type":"structure", "required":["SecurityPolicyName"], @@ -1246,7 +2159,7 @@ }, "EndpointDetails":{ "shape":"EndpointDetails", - "documentation":"
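Review bot: The `ProfileType` documentation in `DescribedProfile` describes a list filter ("Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, ..."), which does not fit a field returned by a describe call. Wording such as `Indicates whether the profile is a LOCAL or PARTNER type profile.` would describe the returned value, using only the two values the existing sentence names. The structure-level documentation also ends with a duplicated word, `The details for a local or partner AS2 profile. profile.`, and should stop after the first `profile.`.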

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IP addresses and make it accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

" + "documentation":"

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make your endpoint accessible only to resources within your VPC, or you can attach Elastic IP addresses and make your endpoint accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

" }, "EndpointType":{ "shape":"EndpointType", @@ -1262,19 +2175,19 @@ }, "IdentityProviderType":{ "shape":"IdentityProviderType", - "documentation":"

Specifies the mode of authentication for a server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the Amazon Web Services Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in Amazon Web Services Managed Active Directory or Microsoft Active Directory in your on-premises environment or in Amazon Web Services using AD Connectors. This option also requires you to provide a Directory ID using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an API Gateway endpoint URL to call for authentication using the IdentityProviderDetails parameter.

Use the AWS_LAMBDA value to directly use a Lambda function as your identity provider. If you choose this value, you must specify the ARN for the lambda function in the Function parameter for the IdentityProviderDetails data type.

" + "documentation":"

The mode of authentication for a server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in Directory Service for Microsoft Active Directory or Microsoft Active Directory in your on-premises environment or in Amazon Web Services using AD Connector. This option also requires you to provide a Directory ID by using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an Amazon API Gateway endpoint URL to call for authentication by using the IdentityProviderDetails parameter.

Use the AWS_LAMBDA value to directly use an Lambda function as your identity provider. If you choose this value, you must specify the ARN for the Lambda function in the Function parameter or the IdentityProviderDetails data type.

" }, "LoggingRole":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the Amazon Web Services Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFS events. When set, user activity can be viewed in your CloudWatch logs.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.

" }, "PostAuthenticationLoginBanner":{ "shape":"PostAuthenticationLoginBanner", - "documentation":"

Specify a string to display when users connect to a server. This string is displayed after the user authenticates.

The SFTP protocol does not support post-authentication display banners.

" + "documentation":"

Specifies a string to display when users connect to a server. This string is displayed after the user authenticates.

The SFTP protocol does not support post-authentication display banners.

" }, "PreAuthenticationLoginBanner":{ "shape":"PreAuthenticationLoginBanner", - "documentation":"

Specify a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system.

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

" + "documentation":"

Specifies a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

" }, "Protocols":{ "shape":"Protocols", @@ -1290,7 +2203,7 @@ }, "State":{ "shape":"State", - "documentation":"
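Review bot: The rewritten `IdentityProviderType` text for `AWS_LAMBDA` says the Lambda ARN is specified "in the Function parameter or the IdentityProviderDetails data type", where the removed line said "in the Function parameter for the IdentityProviderDetails data type". The new "or" reads as two alternative places to set the value, which is misleading for the setting that selects the server's authentication source. Suggest restoring `in the Function parameter for the IdentityProviderDetails data type`. The same hunk introduces `an Lambda function` (should be `a Lambda function`) and, in `LoggingRole`, `Amazon EFSevents` with the space missing.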

Specifies the condition of a server for the server that was described. A value of ONLINE indicates that the server can accept jobs and transfer files. A State value of OFFLINE means that the server cannot perform file transfer operations.

The states of STARTING and STOPPING indicate that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of START_FAILED or STOP_FAILED can indicate an error condition.

" + "documentation":"

The condition of the server that was described. A value of ONLINE indicates that the server can accept jobs and transfer files. A State value of OFFLINE means that the server cannot perform file transfer operations.

The states of STARTING and STOPPING indicate that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of START_FAILED or STOP_FAILED can indicate an error condition.

" }, "Tags":{ "shape":"Tags", @@ -1302,7 +2215,7 @@ }, "WorkflowDetails":{ "shape":"WorkflowDetails", - "documentation":"

Specifies the workflow ID for the workflow to assign and the execution role used for executing the workflow.

" + "documentation":"

Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

" } }, "documentation":"

Describes the properties of a file transfer protocol-enabled server that was specified.

" @@ -1321,15 +2234,15 @@ }, "HomeDirectoryMappings":{ "shape":"HomeDirectoryMappings", - "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Amazon Web Services Identity and Access Management (IAM) role provides access to paths in Target. This value can only be set when HomeDirectoryType is set to LOGICAL.

In most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

" + "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Identity and Access Management (IAM) role provides access to paths in Target. This value can be set only when HomeDirectoryType is set to LOGICAL.

In most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

" }, "HomeDirectoryType":{ "shape":"HomeDirectoryType", - "documentation":"

The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or EFS paths visible to your users.

" + "documentation":"

The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or Amazon EFS paths visible to your users.

" }, "Policy":{ "shape":"Policy", - "documentation":"

A session policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

" + "documentation":"

A session policy for your user so that you can use the same Identity and Access Management (IAM) role across multiple users. This policy scopes down a user's access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

" }, "PosixProfile":{ "shape":"PosixProfile", @@ -1337,7 +2250,7 @@ }, "Role":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" }, "SshPublicKeys":{ "shape":"SshPublicKeys", @@ -1385,6 +2298,12 @@ }, "documentation":"

Describes the properties of the specified workflow

" }, + "Description":{ + "type":"string", + "max":200, + "min":1, + "pattern":"^[\\p{Graph}]+" + }, "DirectoryId":{ "type":"string", "max":12, @@ -1423,6 +2342,14 @@ "min":1, "pattern":"^[^\\x00]+$" }, + "EncryptionAlg":{ + "type":"string", + "enum":[ + "AES128_CBC", + "AES192_CBC", + "AES256_CBC" + ] + }, "EndpointDetails":{ "type":"structure", "members":{ @@ -1523,7 +2450,7 @@ "members":{ "StepType":{ "shape":"WorkflowStepType", - "documentation":"
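Review bot: The new `Description` pattern `^[\\p{Graph}]+` has no `$` anchor, so a validator that searches rather than full-matches would only constrain the first character. The same applies to `FilePath` (`^(.)+`), `MessageSubject` and `PrivateKeyType` in later hunks, whereas `ProfileId` (`^p-([0-9a-f]{17})$`) is anchored at both ends. `\\p{Graph}` also excludes the space character, so under full-match semantics a multi-word value would be rejected even though members using this shape are documented as a short description. Which semantics the service applies is not visible in this diff, so callers should not rely on these patterns as input sanitisation. If the intent is to validate the whole value and allow spaces, a pattern along the lines of `^[\\p{Graph} ]+$` would say so.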

One of the available step types.

  • COPY: copy the file to another location

  • CUSTOM: custom step with a lambda target

  • DELETE: delete the file

  • TAG: add a tag to the file

" + "documentation":"

One of the available step types.

  • COPY: Copy the file to another location.

  • CUSTOM: Perform a custom step with an Lambda function target.

  • DELETE: Delete the file.

  • TAG: Add a tag to the file.

" }, "Outputs":{ "shape":"StepResultOutputsJson", @@ -1531,7 +2458,7 @@ }, "Error":{ "shape":"ExecutionError", - "documentation":"

Specifies the details for an error, if it occurred during execution of the specified workfow step.

" + "documentation":"

Specifies the details for an error, if it occurred during execution of the specified workflow step.

" } }, "documentation":"

Specifies the following details for the step: error (if any), outputs (if any), and the step type.

" @@ -1553,7 +2480,7 @@ "members":{ "S3FileLocation":{ "shape":"S3FileLocation", - "documentation":"

Specifies the S3 details for the file being used, such as bucket, Etag, and so forth.

" + "documentation":"

Specifies the S3 details for the file being used, such as bucket, ETag, and so forth.

" }, "EfsFileLocation":{ "shape":"EfsFileLocation", @@ -1562,6 +2489,18 @@ }, "documentation":"

Specifies the Amazon S3 or EFS file details to be used in the step.

" }, + "FilePath":{ + "type":"string", + "max":1024, + "min":1, + "pattern":"^(.)+" + }, + "FilePaths":{ + "type":"list", + "member":{"shape":"FilePath"}, + "max":10, + "min":1 + }, "Fips":{"type":"boolean"}, "Function":{ "type":"string", @@ -1624,7 +2563,7 @@ }, "DirectoryId":{ "shape":"DirectoryId", - "documentation":"

The identifier of the Amazon Web Services Directory Service directory that you want to stop sharing.

" + "documentation":"

The identifier of the Directory Service directory that you want to stop sharing.

" }, "Function":{ "shape":"Function", @@ -1643,6 +2582,57 @@ "AWS_LAMBDA" ] }, + "ImportCertificateRequest":{ + "type":"structure", + "required":[ + "Usage", + "Certificate" + ], + "members":{ + "Usage":{ + "shape":"CertificateUsageType", + "documentation":"

Specifies whether this certificate is used for signing or encryption.

" + }, + "Certificate":{ + "shape":"CertificateBodyType", + "documentation":"

The file that contains the certificate to import.

" + }, + "CertificateChain":{ + "shape":"CertificateChainType", + "documentation":"

An optional list of certificates that make up the chain for the certificate that's being imported.

" + }, + "PrivateKey":{ + "shape":"PrivateKeyType", + "documentation":"

The file that contains the private key for the certificate that's being imported.

" + }, + "ActiveDate":{ + "shape":"CertDate", + "documentation":"

An optional date that specifies when the certificate becomes active.

" + }, + "InactiveDate":{ + "shape":"CertDate", + "documentation":"

An optional date that specifies when the certificate becomes inactive.

" + }, + "Description":{ + "shape":"Description", + "documentation":"

A short description that helps identify the certificate.

" + }, + "Tags":{ + "shape":"Tags", + "documentation":"

Key-value pairs that can be used to group and search for certificates.

" + } + } + }, + "ImportCertificateResponse":{ + "type":"structure", + "required":["CertificateId"], + "members":{ + "CertificateId":{ + "shape":"CertificateId", + "documentation":"

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

" + } + } + }, "ImportSshPublicKeyRequest":{ "type":"structure", "required":[ @@ -1769,17 +2759,103 @@ } } }, + "ListAgreementsRequest":{ + "type":"structure", + "required":["ServerId"], + "members":{ + "MaxResults":{ + "shape":"MaxResults", + "documentation":"
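Review bot: The documentation for `ImportCertificateResponse.CertificateId` says "An array of identifiers for the imported certificates", but the member refers to a single `CertificateId` shape rather than a list shape, so it should read something like `The identifier of the imported certificate.` The same sentence is reused for `ListedCertificate.CertificateId` in a later hunk. That hunk also documents `ListedAgreement.ServerId` as "The unique identifier for the agreement", and `ListedProfile.ProfileType` repeats the request-side filter text ("Indicates whether to list only ..."). Separately, `PrivateKey` carries key material: its shape is marked `"sensitive":true` further down, and a sentence in this member's documentation saying the value is sensitive would help callers keep it out of logs and request traces.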

The maximum number of agreements to return.

" + }, + "NextToken":{ + "shape":"NextToken", + "documentation":"

When you can get additional results from the ListAgreements call, a NextToken parameter is returned in the output. You can then pass in a subsequent command to the NextToken parameter to continue listing additional agreements.

" + }, + "ServerId":{ + "shape":"ServerId", + "documentation":"

The identifier of the server for which you want a list of agreements.

" + } + } + }, + "ListAgreementsResponse":{ + "type":"structure", + "required":["Agreements"], + "members":{ + "NextToken":{ + "shape":"NextToken", + "documentation":"

Returns a token that you can use to call ListAgreements again and receive additional results, if there are any.

" + }, + "Agreements":{ + "shape":"ListedAgreements", + "documentation":"

Returns an array, where each item contains the details of an agreement.

" + } + } + }, + "ListCertificatesRequest":{ + "type":"structure", + "members":{ + "MaxResults":{ + "shape":"MaxResults", + "documentation":"

The maximum number of certificates to return.

" + }, + "NextToken":{ + "shape":"NextToken", + "documentation":"

When you can get additional results from the ListCertificates call, a NextToken parameter is returned in the output. You can then pass in a subsequent command to the NextToken parameter to continue listing additional certificates.

" + } + } + }, + "ListCertificatesResponse":{ + "type":"structure", + "required":["Certificates"], + "members":{ + "NextToken":{ + "shape":"NextToken", + "documentation":"

Returns the next token, which you can use to list the next certificate.

" + }, + "Certificates":{ + "shape":"ListedCertificates", + "documentation":"

Returns an array of the certificates that are specified in the ListCertificates call.

" + } + } + }, + "ListConnectorsRequest":{ + "type":"structure", + "members":{ + "MaxResults":{ + "shape":"MaxResults", + "documentation":"

The maximum number of connectors to return.

" + }, + "NextToken":{ + "shape":"NextToken", + "documentation":"

When you can get additional results from the ListConnectors call, a NextToken parameter is returned in the output. You can then pass in a subsequent command to the NextToken parameter to continue listing additional connectors.

" + } + } + }, + "ListConnectorsResponse":{ + "type":"structure", + "required":["Connectors"], + "members":{ + "NextToken":{ + "shape":"NextToken", + "documentation":"

Returns a token that you can use to call ListConnectors again and receive additional results, if there are any.

" + }, + "Connectors":{ + "shape":"ListedConnectors", + "documentation":"

Returns an array, where each item contains the details of a connector.

" + } + } + }, "ListExecutionsRequest":{ "type":"structure", "required":["WorkflowId"], "members":{ "MaxResults":{ "shape":"MaxResults", - "documentation":"

Specifies the aximum number of executions to return.

" + "documentation":"

Specifies the maximum number of executions to return.

" }, "NextToken":{ "shape":"NextToken", - "documentation":"

ListExecutions returns the NextToken parameter in the output. You can then pass the NextToken parameter in a subsequent command to continue listing additional executions.

This is useful for pagination, for instance. If you have 100 executions for a workflow, you might only want to list first 10. If so, callthe API by specifing the max-results:

aws transfer list-executions --max-results 10

This returns details for the first 10 executions, as well as the pointer (NextToken) to the eleventh execution. You can now call the API again, suppling the NextToken value you received:

aws transfer list-executions --max-results 10 --next-token $somePointerReturnedFromPreviousListResult

This call returns the next 10 executions, the 11th through the 20th. You can then repeat the call until the details for all 100 executions have been returned.

" + "documentation":"

ListExecutions returns the NextToken parameter in the output. You can then pass the NextToken parameter in a subsequent command to continue listing additional executions.

This is useful for pagination, for instance. If you have 100 executions for a workflow, you might only want to list first 10. If so, call the API by specifying the max-results:

aws transfer list-executions --max-results 10

This returns details for the first 10 executions, as well as the pointer (NextToken) to the eleventh execution. You can now call the API again, supplying the NextToken value you received:

aws transfer list-executions --max-results 10 --next-token $somePointerReturnedFromPreviousListResult

This call returns the next 10 executions, the 11th through the 20th. You can then repeat the call until the details for all 100 executions have been returned.

" }, "WorkflowId":{ "shape":"WorkflowId", @@ -1808,6 +2884,37 @@ } } }, + "ListProfilesRequest":{ + "type":"structure", + "members":{ + "MaxResults":{ + "shape":"MaxResults", + "documentation":"

The maximum number of profiles to return.

" + }, + "NextToken":{ + "shape":"NextToken", + "documentation":"

When there are additional results that were not returned, a NextToken parameter is returned. You can use that value for a subsequent call to ListProfiles to continue listing results.

" + }, + "ProfileType":{ + "shape":"ProfileType", + "documentation":"

Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.

" + } + } + }, + "ListProfilesResponse":{ + "type":"structure", + "required":["Profiles"], + "members":{ + "NextToken":{ + "shape":"NextToken", + "documentation":"

Returns a token that you can use to call ListProfiles again and receive additional results, if there are any.

" + }, + "Profiles":{ + "shape":"ListedProfiles", + "documentation":"

Returns an array, where each item contains the details of a profile.

" + } + } + }, "ListSecurityPoliciesRequest":{ "type":"structure", "members":{ @@ -1972,15 +3079,15 @@ }, "HomeDirectoryType":{ "shape":"HomeDirectoryType", - "documentation":"

The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or EFS paths visible to your users.

" + "documentation":"

The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or Amazon EFS paths visible to your users.

" }, "Role":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" }, "ExternalId":{ "shape":"ExternalId", - "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Amazon Web Services Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regular expression used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" } }, "documentation":"

Lists the properties for one or more specified associated accesses.

" @@ -1989,6 +3096,108 @@ "type":"list", "member":{"shape":"ListedAccess"} }, + "ListedAgreement":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"

The Amazon Resource Name (ARN) of the specified agreement.

" + }, + "AgreementId":{ + "shape":"AgreementId", + "documentation":"

A unique identifier for the agreement. This identifier is returned when you create an agreement.

" + }, + "Description":{ + "shape":"Description", + "documentation":"

The current description for the agreement. You can change it by calling the UpdateAgreement operation and providing a new description.

" + }, + "Status":{ + "shape":"AgreementStatusType", + "documentation":"

The agreement can be either ACTIVE or INACTIVE.

" + }, + "ServerId":{ + "shape":"ServerId", + "documentation":"

The unique identifier for the agreement.

" + }, + "LocalProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the AS2 process.

" + }, + "PartnerProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the partner process.

" + } + }, + "documentation":"

Describes the properties of an agreement.

" + }, + "ListedAgreements":{ + "type":"list", + "member":{"shape":"ListedAgreement"} + }, + "ListedCertificate":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"

The Amazon Resource Name (ARN) of the specified certificate.

" + }, + "CertificateId":{ + "shape":"CertificateId", + "documentation":"

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

" + }, + "Usage":{ + "shape":"CertificateUsageType", + "documentation":"

Specifies whether this certificate is used for signing or encryption.

" + }, + "Status":{ + "shape":"CertificateStatusType", + "documentation":"

The certificate can be either ACTIVE, PENDING_ROTATION, or INACTIVE. PENDING_ROTATION means that this certificate will replace the current certificate when it expires.

" + }, + "ActiveDate":{ + "shape":"CertDate", + "documentation":"

An optional date that specifies when the certificate becomes active.

" + }, + "InactiveDate":{ + "shape":"CertDate", + "documentation":"

An optional date that specifies when the certificate becomes inactive.

" + }, + "Type":{ + "shape":"CertificateType", + "documentation":"

The type for the certificate. If a private key has been specified for the certificate, its type is CERTIFICATE_WITH_PRIVATE_KEY. If there is no private key, the type is CERTIFICATE.

" + }, + "Description":{ + "shape":"Description", + "documentation":"

The name or short description that's used to identify the certificate.

" + } + }, + "documentation":"

Describes the properties of a certificate.

" + }, + "ListedCertificates":{ + "type":"list", + "member":{"shape":"ListedCertificate"} + }, + "ListedConnector":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"

The Amazon Resource Name (ARN) of the specified connector.

" + }, + "ConnectorId":{ + "shape":"ConnectorId", + "documentation":"

The unique identifier for the connector.

" + }, + "Url":{ + "shape":"Url", + "documentation":"

The URL of the partner's AS2 endpoint.

" + } + }, + "documentation":"

Returns details of the connector that is specified.

" + }, + "ListedConnectors":{ + "type":"list", + "member":{"shape":"ListedConnector"} + }, "ListedExecution":{ "type":"structure", "members":{ @@ -2002,7 +3211,7 @@ }, "ServiceMetadata":{ "shape":"ServiceMetadata", - "documentation":"

A container object for the session details associated with a workflow.

" + "documentation":"

A container object for the session details that are associated with a workflow.

" }, "Status":{ "shape":"ExecutionStatus", @@ -2015,6 +3224,32 @@ "type":"list", "member":{"shape":"ListedExecution"} }, + "ListedProfile":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"

The Amazon Resource Name (ARN) of the specified profile.

" + }, + "ProfileId":{ + "shape":"ProfileId", + "documentation":"

A unique identifier for the local or partner AS2 profile.

" + }, + "As2Id":{ + "shape":"As2Id", + "documentation":"

The unique identifier for the AS2 process.

" + }, + "ProfileType":{ + "shape":"ProfileType", + "documentation":"

Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.

" + } + }, + "documentation":"

Returns the properties of the profile that was specified.

" + }, + "ListedProfiles":{ + "type":"list", + "member":{"shape":"ListedProfile"} + }, "ListedServer":{ "type":"structure", "required":["Arn"], @@ -2029,7 +3264,7 @@ }, "IdentityProviderType":{ "shape":"IdentityProviderType", - "documentation":"

Specifies the mode of authentication for a server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the Amazon Web Services Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in Amazon Web Services Managed Active Directory or Microsoft Active Directory in your on-premises environment or in Amazon Web Services using AD Connectors. This option also requires you to provide a Directory ID using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an API Gateway endpoint URL to call for authentication using the IdentityProviderDetails parameter.

Use the AWS_LAMBDA value to directly use a Lambda function as your identity provider. If you choose this value, you must specify the ARN for the lambda function in the Function parameter for the IdentityProviderDetails data type.

" + "documentation":"

The mode of authentication for a server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in Directory Service for Microsoft Active Directory or Microsoft Active Directory in your on-premises environment or in Amazon Web Services using AD Connector. This option also requires you to provide a Directory ID by using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an Amazon API Gateway endpoint URL to call for authentication by using the IdentityProviderDetails parameter.

Use the AWS_LAMBDA value to directly use an Lambda function as your identity provider. If you choose this value, you must specify the ARN for the Lambda function in the Function parameter or the IdentityProviderDetails data type.

" }, "EndpointType":{ "shape":"EndpointType", @@ -2037,7 +3272,7 @@ }, "LoggingRole":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the Amazon Web Services Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFS events. When set, user activity can be viewed in your CloudWatch logs.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.

" }, "ServerId":{ "shape":"ServerId", @@ -2045,7 +3280,7 @@ }, "State":{ "shape":"State", - "documentation":"

Specifies the condition of a server for the server that was described. A value of ONLINE indicates that the server can accept jobs and transfer files. A State value of OFFLINE means that the server cannot perform file transfer operations.

The states of STARTING and STOPPING indicate that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of START_FAILED or STOP_FAILED can indicate an error condition.

" + "documentation":"

The condition of the server that was described. A value of ONLINE indicates that the server can accept jobs and transfer files. A State value of OFFLINE means that the server cannot perform file transfer operations.

The states of STARTING and STOPPING indicate that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of START_FAILED or STOP_FAILED can indicate an error condition.

" }, "UserCount":{ "shape":"UserCount", @@ -2072,11 +3307,11 @@ }, "HomeDirectoryType":{ "shape":"HomeDirectoryType", - "documentation":"

The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or EFS paths visible to your users.

" + "documentation":"

The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or Amazon EFS paths visible to your users.

" }, "Role":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

The IAM role that controls your users' access to your Amazon S3 bucket for servers with Domain=S3, or your EFS file system for servers with Domain=EFS.

The policies attached to this role determine the level of access you want to provide your users when transferring files into and out of your S3 buckets or EFS file systems.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

The IAM role that controls your users' access to your Amazon S3 bucket for servers with Domain=S3, or your EFS file system for servers with Domain=EFS.

The policies attached to this role determine the level of access you want to provide your users when transferring files into and out of your S3 buckets or EFS file systems.

" }, "SshPublicKeyCount":{ "shape":"SshPublicKeyCount", @@ -2126,11 +3361,11 @@ "members":{ "LoggingRole":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the Amazon Web Services Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFS events. When set, user activity can be viewed in your CloudWatch logs.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.

" }, "LogGroupName":{ "shape":"LogGroupName", - "documentation":"

The name of the CloudWatch logging group for the Amazon Web Services Transfer server to which this workflow belongs.

" + "documentation":"

The name of the CloudWatch logging group for the Transfer Family server to which this workflow belongs.

" } }, "documentation":"

Consists of the logging role and the log group name.

" @@ -2150,7 +3385,31 @@ "max":1000, "min":1 }, + "MdnResponse":{ + "type":"string", + "enum":[ + "SYNC", + "NONE" + ] + }, + "MdnSigningAlg":{ + "type":"string", + "enum":[ + "SHA256", + "SHA384", + "SHA512", + "SHA1", + "NONE", + "DEFAULT" + ] + }, "Message":{"type":"string"}, + "MessageSubject":{ + "type":"string", + "max":1024, + "min":1, + "pattern":"^[\\p{Print}\\p{Blank}]+" + }, "NextToken":{ "type":"string", "max":6144, @@ -2218,12 +3477,33 @@ "max":512, "pattern":"[\\x09-\\x0D\\x20-\\x7E]*" }, + "PrivateKeyType":{ + "type":"string", + "max":16384, + "min":1, + "pattern":"^[\\u0009\\u000A\\u000D\\u0020-\\u00FF]*", + "sensitive":true + }, + "ProfileId":{ + "type":"string", + "max":19, + "min":19, + "pattern":"^p-([0-9a-f]{17})$" + }, + "ProfileType":{ + "type":"string", + "enum":[ + "LOCAL", + "PARTNER" + ] + }, "Protocol":{ "type":"string", "enum":[ "SFTP", "FTP", - "FTPS" + "FTPS", + "AS2" ] }, "ProtocolDetails":{ @@ -2240,6 +3520,10 @@ "SetStatOption":{ "shape":"SetStatOption", "documentation":"
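Review bot: `MdnSigningAlg` accepts `SHA1` and `NONE` alongside the SHA-2 values, plus a `DEFAULT` whose meaning the model does not state, and none of the shapes added in this hunk has a `documentation` string. I would add one to `MdnSigningAlg` that says what `DEFAULT` resolves to and that `SHA1` and `NONE` exist for partner compatibility, so that callers choose them deliberately. Where this shape is referenced is outside the visible hunks, so the affected members cannot be named here. Teams that audit AS2 configuration may want to treat `SHA1` and `NONE` as findings unless a partner requirement is recorded.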

Use the SetStatOption to ignore the error that is generated when the client attempts to use SETSTAT on a file you are uploading to an S3 bucket.

Some SFTP file transfer clients can attempt to change the attributes of remote files, including timestamp and permissions, using commands, such as SETSTAT when uploading the file. However, these commands are not compatible with object storage systems, such as Amazon S3. Due to this incompatibility, file uploads from these clients can result in errors even when the file is otherwise successfully uploaded.

Set the value to ENABLE_NO_OP to have the Transfer Family server ignore the SETSTAT command, and upload files without needing to make any changes to your SFTP client. While the SetStatOption ENABLE_NO_OP setting ignores the error, it does generate a log entry in Amazon CloudWatch Logs, so you can determine when the client is making a SETSTAT call.

If you want to preserve the original timestamp for your file, and modify other file attributes using SETSTAT, you can use Amazon EFS as backend storage with Transfer Family.

" + }, + "As2Transports":{ + "shape":"As2Transports", + "documentation":"

Indicates the transport method for the AS2 messages. Currently, only HTTP is supported.

" } }, "documentation":"

The protocol settings that are configured for your server.

"
@@ -2247,7 +3531,7 @@
 "Protocols":{
 "type":"list",
 "member":{"shape":"Protocol"},
- "max":3,
+ "max":4,
 "min":1
 },
 "Resource":{"type":"string"},
@@ -2311,7 +3595,7 @@
 },
 "Key":{
 "shape":"S3Key",
- "documentation":"
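Review bot: The new `As2Transports` documentation says only HTTP is supported but does not say what protects the payload on that transport. If HTTP here means unencrypted HTTP, confidentiality and integrity of an AS2 exchange rest on message-level encryption and signing, and the signing enums added in this commit allow `NONE`. I would extend the string with a sentence such as `Because the transport is HTTP, message protection depends on the signing and encryption that the connector or agreement configures.` The enclosing `ProtocolDetails` shape starts before this hunk.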

The name assigned to the file when it was created in S3. You use the object key to retrieve the object.

" + "documentation":"

The name assigned to the file when it was created in Amazon S3. You use the object key to retrieve the object.

" }, "VersionId":{ "shape":"S3VersionId", @@ -2322,7 +3606,7 @@ "documentation":"

The entity tag is a hash of the object. The ETag reflects changes only to the contents of an object, not its metadata.

" } }, - "documentation":"

Specifies the details for the file location for the file being used in the workflow. Only applicable if you are using S3 storage.

" + "documentation":"

Specifies the details for the file location for the file that's being used in the workflow. Only applicable if you are using S3 storage.

" }, "S3InputFileLocation":{ "type":"structure", @@ -2333,7 +3617,7 @@ }, "Key":{ "shape":"S3Key", - "documentation":"

The name assigned to the file when it was created in S3. You use the object key to retrieve the object.

" + "documentation":"

The name assigned to the file when it was created in Amazon S3. You use the object key to retrieve the object.

" } }, "documentation":"

Specifies the customer input S3 file location. If it is used inside copyStepDetails.DestinationFileLocation, it should be the S3 copy destination.

You need to provide the bucket and key. The key can represent either a path or a file. This is determined by whether or not you end the key value with the forward slash (/) character. If the final character is \"/\", then your file is copied to the folder, and its name does not change. If, rather, the final character is alphanumeric, your uploaded file is renamed to the path value. In this case, if a file with that name already exists, it is overwritten.

For example, if your path is shared-files/bob/, your uploaded files are copied to the shared-files/bob/, folder. If your path is shared-files/today, each uploaded file is copied to the shared-files folder and named today: each upload overwrites the previous version of the bob file.

" @@ -2465,7 +3749,7 @@ "documentation":"

The Server ID (ServerId), Session ID (SessionId) and user (UserName) make up the UserDetails.

" } }, - "documentation":"

A container object for the session details associated with a workflow.

" + "documentation":"

A container object for the session details that are associated with a workflow.

"
 },
 "ServiceUnavailableException":{
 "type":"structure",
@@ -2490,6 +3774,16 @@
 "ENABLE_NO_OP"
 ]
 },
+ "SigningAlg":{
+ "type":"string",
+ "enum":[
+ "SHA256",
+ "SHA384",
+ "SHA512",
+ "SHA1",
+ "NONE"
+ ]
+ },
 "SourceFileLocation":{
 "type":"string",
 "max":256,
@@ -2539,6 +3833,33 @@
 "member":{"shape":"SshPublicKey"},
 "max":5
 },
+ "StartFileTransferRequest":{
+ "type":"structure",
+ "required":[
+ "ConnectorId",
+ "SendFilePaths"
+ ],
+ "members":{
+ "ConnectorId":{
+ "shape":"ConnectorId",
+ "documentation":"

The unique identifier for the connector.

" + }, + "SendFilePaths":{ + "shape":"FilePaths", + "documentation":"

An array of strings. Each string represents the absolute path for one outbound file transfer. For example, DOC-EXAMPLE-BUCKET/myfile.txt .

" + } + } + }, + "StartFileTransferResponse":{ + "type":"structure", + "required":["TransferId"], + "members":{ + "TransferId":{ + "shape":"TransferId", + "documentation":"

Returns the unique identifier for this file transfer.

" + } + } + }, "StartServerRequest":{ "type":"structure", "required":["ServerId"], @@ -2724,6 +4045,12 @@ "ENFORCED" ] }, + "TransferId":{ + "type":"string", + "max":512, + "min":1, + "pattern":"^[0-9a-zA-Z./-]+$" + }, "UntagResourceRequest":{ "type":"structure", "required":[ @@ -2754,20 +4081,20 @@ }, "HomeDirectoryType":{ "shape":"HomeDirectoryType", - "documentation":"

The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or EFS paths visible to your users.

" + "documentation":"

The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or Amazon EFS paths visible to your users.

" }, "HomeDirectoryMappings":{ "shape":"HomeDirectoryMappings", - "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Amazon Web Services Identity and Access Management (IAM) role provides access to paths in Target. This value can only be set when HomeDirectoryType is set to LOGICAL.

The following is an Entry and Target pair example.

[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

In most cases, you can use this value instead of the session policy to lock down your user to the designated home directory (\"chroot\"). To do this, you can set Entry to / and set Target to the HomeDirectory parameter value.

The following is an Entry and Target pair example for chroot.

[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

" + "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Identity and Access Management (IAM) role provides access to paths in Target. This value can be set only when HomeDirectoryType is set to LOGICAL.

The following is an Entry and Target pair example.

[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

In most cases, you can use this value instead of the session policy to lock down your user to the designated home directory (\"chroot\"). To do this, you can set Entry to / and set Target to the HomeDirectory parameter value.

The following is an Entry and Target pair example for chroot.

[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

" }, "Policy":{ "shape":"Policy", - "documentation":"

A session policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

This only applies when the domain of ServerId is S3. EFS does not use session policies.

For session policies, Amazon Web Services Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a session policy, see Example session policy.

For more information, see AssumeRole in the Amazon Web ServicesSecurity Token Service API Reference.

" + "documentation":"

A session policy for your user so that you can use the same Identity and Access Management (IAM) role across multiple users. This policy scopes down a user's access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

This policy applies only when the domain of ServerId is Amazon S3. Amazon EFS does not use session policies.

For session policies, Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a session policy, see Example session policy.

For more information, see AssumeRole in the Amazon Web ServicesSecurity Token Service API Reference.

" }, "PosixProfile":{"shape":"PosixProfile"}, "Role":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" }, "ServerId":{ "shape":"ServerId", @@ -2775,7 +4102,7 @@ }, "ExternalId":{ "shape":"ExternalId", - "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Amazon Web Services Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + "documentation":"

A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.

Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid

In that command, replace YourGroupName with the name of your Active Directory group.

The regular expression used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" } } }, @@ -2796,6 +4123,149 @@ } } }, + "UpdateAgreementRequest":{ + "type":"structure", + "required":[ + "AgreementId", + "ServerId" + ], + "members":{ + "AgreementId":{ + "shape":"AgreementId", + "documentation":"

A unique identifier for the agreement. This identifier is returned when you create an agreement.

" + }, + "ServerId":{ + "shape":"ServerId", + "documentation":"

A system-assigned unique identifier for a server instance. This is the specific server that the agreement uses.

" + }, + "Description":{ + "shape":"Description", + "documentation":"

To replace the existing description, provide a short description for the agreement.

" + }, + "Status":{ + "shape":"AgreementStatusType", + "documentation":"

You can update the status for the agreement, either activating an inactive agreement or the reverse.

" + }, + "LocalProfileId":{ + "shape":"ProfileId", + "documentation":"

To change the local profile identifier, provide a new value here.

" + }, + "PartnerProfileId":{ + "shape":"ProfileId", + "documentation":"

To change the partner profile identifier, provide a new value here.

" + }, + "BaseDirectory":{ + "shape":"HomeDirectory", + "documentation":"

To change the landing directory (folder) for files that are transferred, provide the bucket folder that you want to use; for example, /DOC-EXAMPLE-BUCKET/home/mydirectory .

" + }, + "AccessRole":{ + "shape":"Role", + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that grants access to at least the HomeDirectory of your users' Amazon S3 buckets.

" + } + } + }, + "UpdateAgreementResponse":{ + "type":"structure", + "required":["AgreementId"], + "members":{ + "AgreementId":{ + "shape":"AgreementId", + "documentation":"

A unique identifier for the agreement. This identifier is returned when you create an agreement.

" + } + } + }, + "UpdateCertificateRequest":{ + "type":"structure", + "required":["CertificateId"], + "members":{ + "CertificateId":{ + "shape":"CertificateId", + "documentation":"

The identifier of the certificate object that you are updating.

" + }, + "ActiveDate":{ + "shape":"CertDate", + "documentation":"

An optional date that specifies when the certificate becomes active.

" + }, + "InactiveDate":{ + "shape":"CertDate", + "documentation":"

An optional date that specifies when the certificate becomes inactive.

" + }, + "Description":{ + "shape":"Description", + "documentation":"

A short description to help identify the certificate.

" + } + } + }, + "UpdateCertificateResponse":{ + "type":"structure", + "required":["CertificateId"], + "members":{ + "CertificateId":{ + "shape":"CertificateId", + "documentation":"

Returns the identifier of the certificate object that you are updating.

" + } + } + }, + "UpdateConnectorRequest":{ + "type":"structure", + "required":["ConnectorId"], + "members":{ + "ConnectorId":{ + "shape":"ConnectorId", + "documentation":"

The unique identifier for the connector.

" + }, + "Url":{ + "shape":"Url", + "documentation":"

The URL of the partner's AS2 endpoint.

" + }, + "As2Config":{ + "shape":"As2ConnectorConfig", + "documentation":"

A structure that contains the parameters for a connector object.

" + }, + "AccessRole":{ + "shape":"Role", + "documentation":"

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

" + }, + "LoggingRole":{ + "shape":"Role", + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

" + } + } + }, + "UpdateConnectorResponse":{ + "type":"structure", + "required":["ConnectorId"], + "members":{ + "ConnectorId":{ + "shape":"ConnectorId", + "documentation":"

Returns the identifier of the connector object that you are updating.

" + } + } + }, + "UpdateProfileRequest":{ + "type":"structure", + "required":["ProfileId"], + "members":{ + "ProfileId":{ + "shape":"ProfileId", + "documentation":"

The identifier of the profile object that you are updating.

" + }, + "CertificateIds":{ + "shape":"CertificateIds", + "documentation":"

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

" + } + } + }, + "UpdateProfileResponse":{ + "type":"structure", + "required":["ProfileId"], + "members":{ + "ProfileId":{ + "shape":"ProfileId", + "documentation":"

Returns the identifier for the profile that's being updated.

" + } + } + }, "UpdateServerRequest":{ "type":"structure", "required":["ServerId"], @@ -2806,11 +4276,11 @@ }, "ProtocolDetails":{ "shape":"ProtocolDetails", - "documentation":"
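Review bot: The two `AccessRole` descriptions in this hunk push toward broader grants than the operation needs: `UpdateAgreementRequest` says the role grants access to "at least the HomeDirectory", and `UpdateConnectorRequest` asks for read and write on the parent directory of every sent file, stated twice in slightly different words. The connector text also never says that the value is an IAM role ARN, unlike the agreement `AccessRole` and the connector `LoggingRole` texts. I would open the connector text with `The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role to use.`, drop the repeated sentence, and add that the role's policy should be limited to the bucket prefixes actually used for transfers. The agreement text refers to `HomeDirectory` although the member in this request is named `BaseDirectory`.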

The protocol settings that are configured for your server.

  • Use the PassiveIp parameter to indicate passive mode (for FTP and FTPS protocols). Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer.

  • Use the SetStatOption to ignore the error that is generated when the client attempts to use SETSTAT on a file you are uploading to an S3 bucket. Set the value to ENABLE_NO_OP to have the Transfer Family server ignore the SETSTAT command, and upload files without needing to make any changes to your SFTP client. Note that with SetStatOption set to ENABLE_NO_OP, Transfer generates a log entry to CloudWatch Logs, so you can determine when the client is making a SETSTAT call.

  • Use the TlsSessionResumptionMode parameter to determine whether or not your Transfer server resumes recent, negotiated sessions through a unique session ID.

" + "documentation":"

The protocol settings that are configured for your server.

  • To indicate passive mode (for FTP and FTPS protocols), use the PassiveIp parameter. Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer.

  • To ignore the error that is generated when the client attempts to use the SETSTAT command on a file that you are uploading to an Amazon S3 bucket, use the SetStatOption parameter. To have the Transfer Family server ignore the SETSTAT command and upload files without needing to make any changes to your SFTP client, set the value to ENABLE_NO_OP. If you set the SetStatOption parameter to ENABLE_NO_OP, Transfer Family generates a log entry to Amazon CloudWatch Logs, so that you can determine when the client is making a SETSTAT call.

  • To determine whether your Transfer Family server resumes recent, negotiated sessions through a unique session ID, use the TlsSessionResumptionMode parameter.

  • As2Transports indicates the transport method for the AS2 messages. Currently, only HTTP is supported.

" }, "EndpointDetails":{ "shape":"EndpointDetails", - "documentation":"

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IP addresses and make it accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

" + "documentation":"

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make your endpoint accessible only to resources within your VPC, or you can attach Elastic IP addresses and make your endpoint accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

" }, "EndpointType":{ "shape":"EndpointType", @@ -2818,7 +4288,7 @@ }, "HostKey":{ "shape":"HostKey", - "documentation":"

The RSA, ECDSA, or ED25519 private key to use for your server.

Use the following command to generate an RSA 2048 bit key with no passphrase:

ssh-keygen -t rsa -b 2048 -N \"\" -m PEM -f my-new-server-key.

Use a minimum value of 2048 for the -b option: you can create a stronger key using 3072 or 4096.

Use the following command to generate an ECDSA 256 bit key with no passphrase:

ssh-keygen -t ecdsa -b 256 -N \"\" -m PEM -f my-new-server-key.

Valid values for the -b option for ECDSA are 256, 384, and 521.

Use the following command to generate an ED25519 key with no passphrase:

ssh-keygen -t ed25519 -N \"\" -f my-new-server-key.

For all of these commands, you can replace my-new-server-key with a string of your choice.

If you aren't planning to migrate existing users from an existing SFTP-enabled server to a new server, don't update the host key. Accidentally changing a server's host key can be disruptive.

For more information, see Change the host key for your SFTP-enabled server in the Amazon Web Services Transfer Family User Guide.

" + "documentation":"

The RSA, ECDSA, or ED25519 private key to use for your server.

Use the following command to generate an RSA 2048 bit key with no passphrase:

ssh-keygen -t rsa -b 2048 -N \"\" -m PEM -f my-new-server-key.

Use a minimum value of 2048 for the -b option. You can create a stronger key by using 3072 or 4096.

Use the following command to generate an ECDSA 256 bit key with no passphrase:

ssh-keygen -t ecdsa -b 256 -N \"\" -m PEM -f my-new-server-key.

Valid values for the -b option for ECDSA are 256, 384, and 521.

Use the following command to generate an ED25519 key with no passphrase:

ssh-keygen -t ed25519 -N \"\" -f my-new-server-key.

For all of these commands, you can replace my-new-server-key with a string of your choice.

If you aren't planning to migrate existing users from an existing SFTP-enabled server to a new server, don't update the host key. Accidentally changing a server's host key can be disruptive.

For more information, see Change the host key for your SFTP-enabled server in the Transfer Family User Guide.

" }, "IdentityProviderDetails":{ "shape":"IdentityProviderDetails", @@ -2826,15 +4296,15 @@ }, "LoggingRole":{ "shape":"NullableRole", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the Amazon Web Services Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFS events. When set, user activity can be viewed in your CloudWatch logs.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.

" }, "PostAuthenticationLoginBanner":{ "shape":"PostAuthenticationLoginBanner", - "documentation":"

Specify a string to display when users connect to a server. This string is displayed after the user authenticates.

The SFTP protocol does not support post-authentication display banners.

" + "documentation":"

Specifies a string to display when users connect to a server. This string is displayed after the user authenticates.

The SFTP protocol does not support post-authentication display banners.

" }, "PreAuthenticationLoginBanner":{ "shape":"PreAuthenticationLoginBanner", - "documentation":"

Specify a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system.

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

" + "documentation":"

Specifies a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

" }, "Protocols":{ "shape":"Protocols", @@ -2850,7 +4320,7 @@ }, "WorkflowDetails":{ "shape":"WorkflowDetails", - "documentation":"

Specifies the workflow ID for the workflow to assign and the execution role used for executing the workflow.

To remove an associated workflow from a server, you can provide an empty OnUpload object, as in the following example.

aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{\"OnUpload\":[]}'

" + "documentation":"

Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

To remove an associated workflow from a server, you can provide an empty OnUpload object, as in the following example.

aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{\"OnUpload\":[]}'

" } } }, @@ -2877,15 +4347,15 @@ }, "HomeDirectoryType":{ "shape":"HomeDirectoryType", - "documentation":"

The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or EFS paths visible to your users.

" + "documentation":"

The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL, you need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 or Amazon EFS paths visible to your users.

" }, "HomeDirectoryMappings":{ "shape":"HomeDirectoryMappings", - "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Amazon Web Services Identity and Access Management (IAM) role provides access to paths in Target. This value can only be set when HomeDirectoryType is set to LOGICAL.

The following is an Entry and Target pair example.

[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

In most cases, you can use this value instead of the session policy to lock down your user to the designated home directory (\"chroot\"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

The following is an Entry and Target pair example for chroot.

[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

" + "documentation":"

Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry and Target pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your Identity and Access Management (IAM) role provides access to paths in Target. This value can be set only when HomeDirectoryType is set to LOGICAL.

The following is an Entry and Target pair example.

[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

In most cases, you can use this value instead of the session policy to lock down your user to the designated home directory (\"chroot\"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

The following is an Entry and Target pair example for chroot.

[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]

" }, "Policy":{ "shape":"Policy", - "documentation":"

A session policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

This only applies when the domain of ServerId is S3. EFS does not use session policies.

For session policies, Amazon Web Services Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a session policy, see Creating a session policy.

For more information, see AssumeRole in the Amazon Web Services Security Token Service API Reference.

" + "documentation":"

A session policy for your user so that you can use the same Identity and Access Management (IAM) role across multiple users. This policy scopes down a user's access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

This policy applies only when the domain of ServerId is Amazon S3. Amazon EFS does not use session policies.

For session policies, Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a session policy, see Creating a session policy.

For more information, see AssumeRole in the Amazon Web Services Security Token Service API Reference.

" }, "PosixProfile":{ "shape":"PosixProfile", @@ -2893,7 +4363,7 @@ }, "Role":{ "shape":"Role", - "documentation":"

Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" + "documentation":"

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.

" }, "ServerId":{ "shape":"ServerId", @@ -2989,7 +4459,7 @@ "documentation":"

Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources

" } }, - "documentation":"

Specifies the workflow ID for the workflow to assign and the execution role used for executing the workflow.

" + "documentation":"

Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

" }, "WorkflowDetails":{ "type":"structure", @@ -3013,7 +4483,7 @@ "members":{ "Type":{ "shape":"WorkflowStepType", - "documentation":"

Currently, the following step types are supported.

  • COPY: copy the file to another location

  • CUSTOM: custom step with a lambda target

  • DELETE: delete the file

  • TAG: add a tag to the file

" + "documentation":"

Currently, the following step types are supported.

  • COPY: Copy the file to another location.

  • CUSTOM: Perform a custom step with an Lambda function target.

  • DELETE: Delete the file.

  • TAG: Add a tag to the file.

" }, "CopyStepDetails":{ "shape":"CopyStepDetails", @@ -3054,5 +4524,5 @@ "max":8 } }, - "documentation":"

Amazon Web Services Transfer Family is a fully managed service that enables the transfer of files over the File Transfer Protocol (FTP), File Transfer Protocol over SSL (FTPS), or Secure Shell (SSH) File Transfer Protocol (SFTP) directly into and out of Amazon Simple Storage Service (Amazon S3). Amazon Web Services helps you seamlessly migrate your file transfer workflows to Amazon Web Services Transfer Family by integrating with existing authentication systems, and providing DNS routing with Amazon Route 53 so nothing changes for your customers and partners, or their applications. With your data in Amazon S3, you can use it with Amazon Web Services services for processing, analytics, machine learning, and archiving. Getting started with Amazon Web Services Transfer Family is easy since there is no infrastructure to buy and set up.

" + "documentation":"

Transfer Family is a fully managed service that enables the transfer of files over the File Transfer Protocol (FTP), File Transfer Protocol over SSL (FTPS), or Secure Shell (SSH) File Transfer Protocol (SFTP) directly into and out of Amazon Simple Storage Service (Amazon S3). Amazon Web Services helps you seamlessly migrate your file transfer workflows to Transfer Family by integrating with existing authentication systems, and providing DNS routing with Amazon Route 53 so nothing changes for your customers and partners, or their applications. With your data in Amazon S3, you can use it with Amazon Web Services for processing, analytics, machine learning, and archiving. Getting started with Transfer Family is easy since there is no infrastructure to buy and set up.

" } diff --git a/docs/source/conf.py b/docs/source/conf.py index dbc070691a..ac46a2cdd7 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -54,7 +54,7 @@ # The short X.Y version. version = '1.27.' # The full version, including alpha/beta/rc tags. -release = '1.27.37' +release = '1.27.38' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages.