Detects text in the input image and converts it into machine-readable text.
Pass the input image as base64-encoded image bytes or as a reference to an image in an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, you must pass it as a reference to an image in an Amazon S3 bucket. For the AWS CLI, passing image bytes is not supported. The image must be either a .png or .jpeg formatted file.
The DetectText
operation returns text in an array of TextDetection elements, TextDetections
. Each TextDetection
element provides information about a single word or line of text that was detected in the image.
A word is one or more ISO basic latin script characters that are not separated by spaces. DetectText
can detect up to 50 words in an image.
A line is a string of equally spaced words. A line isn't necessarily a complete sentence. For example, a driver's license number is detected as a line. A line ends when there is no aligned text after it. Also, a line ends when there is a large gap between words, relative to the length of the words. This means, depending on the gap between words, Amazon Rekognition may detect multiple lines in text aligned in the same direction. Periods don't represent the end of a line. If a sentence spans multiple lines, the DetectText
operation returns multiple lines.
To determine whether a TextDetection
element is a line of text or a word, use the TextDetection
object Type
field.
To be detected, text must be within +/- 90 degrees orientation of the horizontal axis.
For more information, see DetectText in the Amazon Rekognition Developer Guide.
" + "documentation":"Detects text in the input image and converts it into machine-readable text.
Pass the input image as base64-encoded image bytes or as a reference to an image in an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, you must pass it as a reference to an image in an Amazon S3 bucket. For the AWS CLI, passing image bytes is not supported. The image must be either a .png or .jpeg formatted file.
The DetectText
operation returns text in an array of TextDetection elements, TextDetections
. Each TextDetection
element provides information about a single word or line of text that was detected in the image.
A word is one or more ISO basic latin script characters that are not separated by spaces. DetectText
can detect up to 100 words in an image.
A line is a string of equally spaced words. A line isn't necessarily a complete sentence. For example, a driver's license number is detected as a line. A line ends when there is no aligned text after it. Also, a line ends when there is a large gap between words, relative to the length of the words. This means, depending on the gap between words, Amazon Rekognition may detect multiple lines in text aligned in the same direction. Periods don't represent the end of a line. If a sentence spans multiple lines, the DetectText
operation returns multiple lines.
To determine whether a TextDetection
element is a line of text or a word, use the TextDetection
object Type
field.
To be detected, text must be within +/- 90 degrees orientation of the horizontal axis.
For more information, see DetectText in the Amazon Rekognition Developer Guide.
" }, "GetCelebrityInfo":{ "name":"GetCelebrityInfo", @@ -455,7 +455,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"ThrottlingException"} ], - "documentation":"Gets the unsafe content analysis results for a Amazon Rekognition Video analysis started by StartContentModeration.
Unsafe content analysis of a video is an asynchronous operation. You start analysis by calling StartContentModeration which returns a job identifier (JobId
). When analysis finishes, Amazon Rekognition Video publishes a completion status to the Amazon Simple Notification Service topic registered in the initial call to StartContentModeration
. To get the results of the unsafe content analysis, first check that the status value published to the Amazon SNS topic is SUCCEEDED
. If so, call GetContentModeration
and pass the job identifier (JobId
) from the initial call to StartContentModeration
.
For more information, see Working with Stored Videos in the Amazon Rekognition Devlopers Guide.
GetContentModeration
returns detected unsafe content labels, and the time they are detected, in an array, ModerationLabels
, of ContentModerationDetection objects.
By default, the moderated labels are returned sorted by time, in milliseconds from the start of the video. You can also sort them by moderated label by specifying NAME
for the SortBy
input parameter.
Since video analysis can return a large number of results, use the MaxResults
parameter to limit the number of labels returned in a single call to GetContentModeration
. If there are more results than specified in MaxResults
, the value of NextToken
in the operation response contains a pagination token for getting the next set of results. To get the next page of results, call GetContentModeration
and populate the NextToken
request parameter with the value of NextToken
returned from the previous call to GetContentModeration
.
For more information, see Detecting Unsafe Content in the Amazon Rekognition Developer Guide.
" + "documentation":"Gets the inappropriate, unwanted, or offensive content analysis results for a Amazon Rekognition Video analysis started by StartContentModeration. For a list of moderation labels in Amazon Rekognition, see Using the image and video moderation APIs.
Amazon Rekognition Video inappropriate or offensive content detection in a stored video is an asynchronous operation. You start analysis by calling StartContentModeration which returns a job identifier (JobId
). When analysis finishes, Amazon Rekognition Video publishes a completion status to the Amazon Simple Notification Service topic registered in the initial call to StartContentModeration
. To get the results of the content analysis, first check that the status value published to the Amazon SNS topic is SUCCEEDED
. If so, call GetContentModeration
and pass the job identifier (JobId
) from the initial call to StartContentModeration
.
For more information, see Working with Stored Videos in the Amazon Rekognition Devlopers Guide.
GetContentModeration
returns detected inappropriate, unwanted, or offensive content moderation labels, and the time they are detected, in an array, ModerationLabels
, of ContentModerationDetection objects.
By default, the moderated labels are returned sorted by time, in milliseconds from the start of the video. You can also sort them by moderated label by specifying NAME
for the SortBy
input parameter.
Since video analysis can return a large number of results, use the MaxResults
parameter to limit the number of labels returned in a single call to GetContentModeration
. If there are more results than specified in MaxResults
, the value of NextToken
in the operation response contains a pagination token for getting the next set of results. To get the next page of results, call GetContentModeration
and populate the NextToken
request parameter with the value of NextToken
returned from the previous call to GetContentModeration
.
For more information, see Content moderation in the Amazon Rekognition Developer Guide.
" }, "GetFaceDetection":{ "name":"GetFaceDetection", @@ -768,7 +768,7 @@ {"shape":"LimitExceededException"}, {"shape":"ThrottlingException"} ], - "documentation":"Starts asynchronous detection of unsafe content in a stored video.
Amazon Rekognition Video can moderate content in a video stored in an Amazon S3 bucket. Use Video to specify the bucket name and the filename of the video. StartContentModeration
returns a job identifier (JobId
) which you use to get the results of the analysis. When unsafe content analysis is finished, Amazon Rekognition Video publishes a completion status to the Amazon Simple Notification Service topic that you specify in NotificationChannel
.
To get the results of the unsafe content analysis, first check that the status value published to the Amazon SNS topic is SUCCEEDED
. If so, call GetContentModeration and pass the job identifier (JobId
) from the initial call to StartContentModeration
.
For more information, see Detecting Unsafe Content in the Amazon Rekognition Developer Guide.
", + "documentation":"Starts asynchronous detection of inappropriate, unwanted, or offensive content in a stored video. For a list of moderation labels in Amazon Rekognition, see Using the image and video moderation APIs.
Amazon Rekognition Video can moderate content in a video stored in an Amazon S3 bucket. Use Video to specify the bucket name and the filename of the video. StartContentModeration
returns a job identifier (JobId
) which you use to get the results of the analysis. When content analysis is finished, Amazon Rekognition Video publishes a completion status to the Amazon Simple Notification Service topic that you specify in NotificationChannel
.
To get the results of the content analysis, first check that the status value published to the Amazon SNS topic is SUCCEEDED
. If so, call GetContentModeration and pass the job identifier (JobId
) from the initial call to StartContentModeration
.
For more information, see Content moderation in the Amazon Rekognition Developer Guide.
", "idempotent":true }, "StartFaceDetection":{ @@ -1103,6 +1103,20 @@ }, "documentation":"Indicates whether or not the face has a beard, and the confidence level in the determination.
" }, + "BlackFrame":{ + "type":"structure", + "members":{ + "MaxPixelThreshold":{ + "shape":"MaxPixelThreshold", + "documentation":"A threshold used to determine the maximum luminance value for a pixel to be considered black. In a full color range video, luminance values range from 0-255. A pixel value of 0 is pure black, and the most strict filter. The maximum black pixel value is computed as follows: max_black_pixel_value = minimum_luminance + MaxPixelThreshold *luminance_range.
For example, for a full range video with BlackPixelThreshold = 0.1, max_black_pixel_value is 0 + 0.1 * (255-0) = 25.5.
The default value of MaxPixelThreshold is 0.2, which maps to a max_black_pixel_value of 51 for a full range video. You can lower this threshold to be more strict on black levels.
" + }, + "MinCoveragePercentage":{ + "shape":"MinCoveragePercentage", + "documentation":"The minimum percentage of pixels in a frame that need to have a luminance below the max_black_pixel_value for a frame to be considered a black frame. Luminance is calculated using the BT.709 matrix.
The default value is 99, which means at least 99% of all pixels in the frame are black pixels as per the MaxPixelThreshold
set. You can reduce this value to allow more noise on the black frame.
A filter that allows you to control the black frame detection by specifying the black levels and pixel coverage of black pixels in a frame. As videos can come from multiple sources, formats, and time periods, they may contain different standards and varying noise levels for black frames that need to be accounted for. For more information, see StartSegmentDetection.
" + }, "BodyPart":{ "type":"string", "enum":[ @@ -1383,14 +1397,14 @@ "members":{ "Timestamp":{ "shape":"Timestamp", - "documentation":"Time, in milliseconds from the beginning of the video, that the unsafe content label was detected.
" + "documentation":"Time, in milliseconds from the beginning of the video, that the content moderation label was detected.
" }, "ModerationLabel":{ "shape":"ModerationLabel", - "documentation":"The unsafe content label detected by in the stored video.
" + "documentation":"The content moderation label detected by in the stored video.
" } }, - "documentation":"Information about an unsafe content label detection in a stored video.
" + "documentation":"Information about an inappropriate, unwanted, or offensive content label detection in a stored video.
" }, "ContentModerationDetections":{ "type":"list", @@ -1487,7 +1501,7 @@ }, "OutputConfig":{ "shape":"OutputConfig", - "documentation":"The Amazon S3 location to store the results of training.
" + "documentation":"The Amazon S3 bucket location to store the results of training. The S3 bucket can be in any AWS account as long as the caller has s3:PutObject
permissions on the S3 bucket.
The identifier for your AWS Key Management Service (AWS KMS) customer master key (CMK). You can supply the Amazon Resource Name (ARN) of your CMK, the ID of your CMK, or an alias for your CMK. The key is used to encrypt training and test images copied into the service for model training. Your source images are unaffected. The key is also used to encrypt training results and manifest files written to the output Amazon S3 bucket (OutputConfig
).
If you don't specify a value for KmsKeyId
, images copied into the service are encrypted using a key that AWS owns and manages.
The identifier for your AWS Key Management Service (AWS KMS) customer master key (CMK). You can supply the Amazon Resource Name (ARN) of your CMK, the ID of your CMK, an alias for your CMK, or an alias ARN. The key is used to encrypt training and test images copied into the service for model training. Your source images are unaffected. The key is also used to encrypt training results and manifest files written to the output Amazon S3 bucket (OutputConfig
).
If you choose to use your own CMK, you need the following permissions on the CMK.
kms:CreateGrant
kms:DescribeKey
kms:GenerateDataKey
kms:Decrypt
If you don't specify a value for KmsKeyId
, images copied into the service are encrypted using a key that AWS owns and manages.
The identifier for the unsafe content job. Use JobId
to identify the job in a subsequent call to GetContentModeration
.
The identifier for the inappropriate, unwanted, or offensive content moderation job. Use JobId
to identify the job in a subsequent call to GetContentModeration
.
If the previous response was incomplete (because there is more data to retrieve), Amazon Rekognition returns a pagination token in the response. You can use this pagination token to retrieve the next set of unsafe content labels.
" + "documentation":"If the previous response was incomplete (because there is more data to retrieve), Amazon Rekognition returns a pagination token in the response. You can use this pagination token to retrieve the next set of content moderation labels.
" }, "SortBy":{ "shape":"ContentModerationSortBy", @@ -2492,7 +2506,7 @@ "members":{ "JobStatus":{ "shape":"VideoJobStatus", - "documentation":"The current status of the unsafe content analysis job.
" + "documentation":"The current status of the content moderation analysis job.
" }, "StatusMessage":{ "shape":"StatusMessage", @@ -2504,15 +2518,15 @@ }, "ModerationLabels":{ "shape":"ContentModerationDetections", - "documentation":"The detected unsafe content labels and the time(s) they were detected.
" + "documentation":"The detected inappropriate, unwanted, or offensive content moderation labels and the time(s) they were detected.
" }, "NextToken":{ "shape":"PaginationToken", - "documentation":"If the response is truncated, Amazon Rekognition Video returns this token that you can use in the subsequent request to retrieve the next set of unsafe content labels.
" + "documentation":"If the response is truncated, Amazon Rekognition Video returns this token that you can use in the subsequent request to retrieve the next set of content moderation labels.
" }, "ModerationModelVersion":{ "shape":"String", - "documentation":"Version number of the moderation detection model that was used to detect unsafe content.
" + "documentation":"Version number of the moderation detection model that was used to detect inappropriate, unwanted, or offensive content.
" } } }, @@ -3339,10 +3353,20 @@ "type":"integer", "min":1 }, + "MaxPixelThreshold":{ + "type":"float", + "max":1, + "min":0 + }, "MaxResults":{ "type":"integer", "min":1 }, + "MinCoveragePercentage":{ + "type":"float", + "max":100, + "min":0 + }, "ModerationLabel":{ "type":"structure", "members":{ @@ -3359,7 +3383,7 @@ "documentation":"The name for the parent label. Labels at the top level of the hierarchy have the parent label \"\"
.
Provides information about a single type of unsafe content found in an image or video. Each type of moderated content has a label within a hierarchical taxonomy. For more information, see Detecting Unsafe Content in the Amazon Rekognition Developer Guide.
" + "documentation":"Provides information about a single type of inappropriate, unwanted, or offensive content found in an image or video. Each type of moderated content has a label within a hierarchical taxonomy. For more information, see Content moderation in the Amazon Rekognition Developer Guide.
" }, "ModerationLabels":{ "type":"list", @@ -3409,7 +3433,7 @@ "documentation":"The ARN of an IAM role that gives Amazon Rekognition publishing permissions to the Amazon SNS topic.
" } }, - "documentation":"The Amazon Simple Notification Service topic to which Amazon Rekognition publishes the completion status of a video analysis operation. For more information, see api-video.
" + "documentation":"The Amazon Simple Notification Service topic to which Amazon Rekognition publishes the completion status of a video analysis operation. For more information, see api-video. Note that the Amazon SNS topic must have a topic name that begins with AmazonRekognition if you are using the AmazonRekognitionServiceRole permissions policy to access the topic. For more information, see Giving access to multiple Amazon SNS topics.
" }, "OrientationCorrection":{ "type":"string", @@ -4088,6 +4112,18 @@ "ShotSegment":{ "shape":"ShotSegment", "documentation":"If the segment is a shot detection, contains information about the shot detection.
" + }, + "StartFrameNumber":{ + "shape":"ULong", + "documentation":"The frame number of the start of a video segment, using a frame index that starts with 0.
" + }, + "EndFrameNumber":{ + "shape":"ULong", + "documentation":"The frame number at the end of a video segment, using a frame index that starts with 0.
" + }, + "DurationFrames":{ + "shape":"ULong", + "documentation":"The duration of a video segment, expressed in frames.
" } }, "documentation":"A technical cue or shot detection segment detected in a video. An array of SegmentDetection
objects containing all segments detected in a stored video is returned by GetSegmentDetection.
The Amazon SNS topic ARN that you want Amazon Rekognition Video to publish the completion status of the celebrity recognition analysis to.
" + "documentation":"The Amazon SNS topic ARN that you want Amazon Rekognition Video to publish the completion status of the celebrity recognition analysis to. The Amazon SNS topic must have a topic name that begins with AmazonRekognition if you are using the AmazonRekognitionServiceRole permissions policy.
" }, "JobTag":{ "shape":"JobTag", @@ -4198,7 +4234,7 @@ "members":{ "Video":{ "shape":"Video", - "documentation":"The video in which you want to detect unsafe content. The video must be stored in an Amazon S3 bucket.
" + "documentation":"The video in which you want to detect inappropriate, unwanted, or offensive content. The video must be stored in an Amazon S3 bucket.
" }, "MinConfidence":{ "shape":"Percent", @@ -4210,7 +4246,7 @@ }, "NotificationChannel":{ "shape":"NotificationChannel", - "documentation":"The Amazon SNS topic ARN that you want Amazon Rekognition Video to publish the completion status of the unsafe content analysis to.
" + "documentation":"The Amazon SNS topic ARN that you want Amazon Rekognition Video to publish the completion status of the content analysis to. The Amazon SNS topic must have a topic name that begins with AmazonRekognition if you are using the AmazonRekognitionServiceRole permissions policy to access the topic.
" }, "JobTag":{ "shape":"JobTag", @@ -4223,7 +4259,7 @@ "members":{ "JobId":{ "shape":"JobId", - "documentation":"The identifier for the unsafe content analysis job. Use JobId
to identify the job in a subsequent call to GetContentModeration
.
The identifier for the content analysis job. Use JobId
to identify the job in a subsequent call to GetContentModeration
.
The ARN of the Amazon SNS topic to which you want Amazon Rekognition Video to publish the completion status of the face detection operation.
" + "documentation":"The ARN of the Amazon SNS topic to which you want Amazon Rekognition Video to publish the completion status of the face detection operation. The Amazon SNS topic must have a topic name that begins with AmazonRekognition if you are using the AmazonRekognitionServiceRole permissions policy.
" }, "FaceAttributes":{ "shape":"FaceAttributes", @@ -4287,7 +4323,7 @@ }, "NotificationChannel":{ "shape":"NotificationChannel", - "documentation":"The ARN of the Amazon SNS topic to which you want Amazon Rekognition Video to publish the completion status of the search.
" + "documentation":"The ARN of the Amazon SNS topic to which you want Amazon Rekognition Video to publish the completion status of the search. The Amazon SNS topic must have a topic name that begins with AmazonRekognition if you are using the AmazonRekognitionServiceRole permissions policy to access the topic.
" }, "JobTag":{ "shape":"JobTag", @@ -4322,7 +4358,7 @@ }, "NotificationChannel":{ "shape":"NotificationChannel", - "documentation":"The Amazon SNS topic ARN you want Amazon Rekognition Video to publish the completion status of the label detection operation to.
" + "documentation":"The Amazon SNS topic ARN you want Amazon Rekognition Video to publish the completion status of the label detection operation to. The Amazon SNS topic must have a topic name that begins with AmazonRekognition if you are using the AmazonRekognitionServiceRole permissions policy.
" }, "JobTag":{ "shape":"JobTag", @@ -4353,7 +4389,7 @@ }, "NotificationChannel":{ "shape":"NotificationChannel", - "documentation":"The Amazon SNS topic ARN you want Amazon Rekognition Video to publish the completion status of the people detection operation to.
" + "documentation":"The Amazon SNS topic ARN you want Amazon Rekognition Video to publish the completion status of the people detection operation to. The Amazon SNS topic must have a topic name that begins with AmazonRekognition if you are using the AmazonRekognitionServiceRole permissions policy.
" }, "JobTag":{ "shape":"JobTag", @@ -4424,7 +4460,7 @@ }, "NotificationChannel":{ "shape":"NotificationChannel", - "documentation":"The ARN of the Amazon SNS topic to which you want Amazon Rekognition Video to publish the completion status of the segment detection operation.
" + "documentation":"The ARN of the Amazon SNS topic to which you want Amazon Rekognition Video to publish the completion status of the segment detection operation. Note that the Amazon SNS topic must have a topic name that begins with AmazonRekognition if you are using the AmazonRekognitionServiceRole permissions policy to access the topic.
" }, "JobTag":{ "shape":"JobTag", @@ -4480,6 +4516,10 @@ "MinSegmentConfidence":{ "shape":"SegmentConfidence", "documentation":"Specifies the minimum confidence that Amazon Rekognition Video must have in order to return a detected segment. Confidence represents how certain Amazon Rekognition is that a segment is correctly identified. 0 is the lowest confidence. 100 is the highest confidence. Amazon Rekognition Video doesn't return any segments with a confidence level lower than this specified value.
If you don't specify MinSegmentConfidence
, GetSegmentDetection
returns segments with confidence values greater than or equal to 50 percent.
A filter that allows you to control the black frame detection by specifying the black levels and pixel coverage of black pixels in a frame. Videos can come from multiple sources, formats, and time periods, with different standards and varying noise levels for black frames that need to be accounted for.
" } }, "documentation":"Filters for the technical segments returned by GetSegmentDetection. For more information, see StartSegmentDetectionFilters.
" @@ -4718,7 +4758,11 @@ "enum":[ "ColorBars", "EndCredits", - "BlackFrames" + "BlackFrames", + "OpeningCredits", + "StudioLogo", + "Slate", + "Content" ] }, "TestingData":{ @@ -4935,6 +4979,13 @@ }, "documentation":"Video file stored in an Amazon S3 bucket. Amazon Rekognition video start operations such as StartLabelDetection use Video
to specify a video for analysis. The supported file formats are .mp4, .mov and .avi.
Horizontal pixel dimension of the video.
" + }, + "ColorRange":{ + "shape":"VideoColorRange", + "documentation":"A description of the range of luminance values in a video, either LIMITED (16 to 235) or FULL (0 to 255).
" } }, "documentation":"Information about a video that Amazon Rekognition analyzed. Videometadata
is returned in every page of paginated responses from a Amazon Rekognition video operation.
A resource data sync helps you view data from multiple sources in a single location. Amazon Web Services Systems Manager offers two types of resource data sync: SyncToDestination
and SyncFromSource
.
You can configure Systems Manager Inventory to use the SyncToDestination
type to synchronize Inventory data from multiple Regions to a single Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Configuring resource data sync for Inventory in the Amazon Web Services Systems Manager User Guide.
You can configure Systems Manager Explorer to use the SyncFromSource
type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple Regions to a single Amazon S3 bucket. This type can synchronize OpsItems and OpsData from multiple accounts and Regions or EntireOrganization
by using Organizations. For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions in the Amazon Web Services Systems Manager User Guide.
A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync.
By default, data isn't encrypted in Amazon S3. We strongly recommend that you enable encryption in Amazon S3 to ensure secure data storage. We also recommend that you secure access to the Amazon S3 bucket by creating a restrictive bucket policy.
A resource data sync helps you view data from multiple sources in a single location. Amazon Web Services Systems Manager offers two types of resource data sync: SyncToDestination
and SyncFromSource
.
You can configure Systems Manager Inventory to use the SyncToDestination
type to synchronize Inventory data from multiple Amazon Web Services Regions to a single Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Configuring resource data sync for Inventory in the Amazon Web Services Systems Manager User Guide.
You can configure Systems Manager Explorer to use the SyncFromSource
type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple Amazon Web Services Regions to a single Amazon S3 bucket. This type can synchronize OpsItems and OpsData from multiple Amazon Web Services accounts and Amazon Web Services Regions or EntireOrganization
by using Organizations. For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions in the Amazon Web Services Systems Manager User Guide.
A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync.
By default, data isn't encrypted in Amazon S3. We strongly recommend that you enable encryption in Amazon S3 to ensure secure data storage. We also recommend that you secure access to the Amazon S3 bucket by creating a restrictive bucket policy.
Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified instance.
When you disassociate a document from an instance, it doesn't change the configuration of the instance. To change the configuration state of an instance after you disassociate a document, you must create a new document with the desired configuration and associate it with the instance.
" + "documentation":"Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified instance. If you created the association by using the Targets
parameter, then you must delete the association by using the association ID.
When you disassociate a document from an instance, it doesn't change the configuration of the instance. To change the configuration state of an instance after you disassociate a document, you must create a new document with the desired configuration and associate it with the instance.
" }, "DeleteDocument":{ "name":"DeleteDocument", @@ -339,7 +339,7 @@ {"shape":"InternalServerError"}, {"shape":"ParameterNotFound"} ], - "documentation":"Delete a parameter from the system.
" + "documentation":"Delete a parameter from the system. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
" }, "DeleteParameters":{ "name":"DeleteParameters", @@ -352,7 +352,7 @@ "errors":[ {"shape":"InternalServerError"} ], - "documentation":"Delete a list of parameters.
" + "documentation":"Delete a list of parameters. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
" }, "DeletePatchBaseline":{ "name":"DeletePatchBaseline", @@ -470,7 +470,7 @@ {"shape":"InvalidDocument"}, {"shape":"InvalidInstanceId"} ], - "documentation":"Describes the association for the specified target or instance. If you created the association by using the Targets
parameter, then you must retrieve the association by using the association ID. If you created the association by specifying an instance ID and an Amazon Web Services Systems Manager document (SSM document), then you retrieve the association by specifying the document name and the instance ID.
Describes the association for the specified target or instance. If you created the association by using the Targets
parameter, then you must retrieve the association by using the association ID.
Describes the permissions for a Amazon Web Services Systems Manager document (SSM document). If you created the document, you are the owner. If a document is shared, it can either be shared privately (by specifying a user's account ID) or publicly (All).
" + "documentation":"Describes the permissions for a Amazon Web Services Systems Manager document (SSM document). If you created the document, you are the owner. If a document is shared, it can either be shared privately (by specifying a user's Amazon Web Services account ID) or publicly (All).
" }, "DescribeEffectiveInstanceAssociations":{ "name":"DescribeEffectiveInstanceAssociations", @@ -798,7 +798,7 @@ "errors":[ {"shape":"InternalServerError"} ], - "documentation":"Retrieves the maintenance windows in an account.
" + "documentation":"Retrieves the maintenance windows in an Amazon Web Services account.
" }, "DescribeMaintenanceWindowsForTarget":{ "name":"DescribeMaintenanceWindowsForTarget", @@ -854,7 +854,7 @@ "errors":[ {"shape":"InternalServerError"} ], - "documentation":"Lists the patch baselines in your account.
" + "documentation":"Lists the patch baselines in your Amazon Web Services account.
" }, "DescribePatchGroupState":{ "name":"DescribePatchGroupState", @@ -1013,7 +1013,7 @@ {"shape":"UnsupportedOperatingSystem"}, {"shape":"UnsupportedFeatureRequiredException"} ], - "documentation":"Retrieves the current snapshot for the patch baseline the instance uses. This API is primarily used by the AWS-RunPatchBaseline
Systems Manager document (SSM document).
If you run the command locally, such as with the Command Line Interface (CLI), the system attempts to use your local AWS credentials and the operation fails. To avoid this, you can run the command in the Amazon Web Services Systems Manager console. Use Run Command, a capability of Amazon Web Services Systems Manager, with an SSM document that enables you to target an instance with a script or command. For example, run the command using the AWS-RunShellScript
document or the AWS-RunPowerShellScript
document.
Retrieves the current snapshot for the patch baseline the instance uses. This API is primarily used by the AWS-RunPatchBaseline
Systems Manager document (SSM document).
If you run the command locally, such as with the Command Line Interface (CLI), the system attempts to use your local Amazon Web Services credentials and the operation fails. To avoid this, you can run the command in the Amazon Web Services Systems Manager console. Use Run Command, a capability of Amazon Web Services Systems Manager, with an SSM document that enables you to target an instance with a script or command. For example, run the command using the AWS-RunShellScript
document or the AWS-RunPowerShellScript
document.
Query inventory information.
" + "documentation":"Query inventory information. This includes instance status, such as Stopped
or Terminated
.
Get information about a parameter by using the parameter name. Don't confuse this API operation with the GetParameters API operation.
" + "documentation":"Get information about a single parameter by specifying the parameter name.
To get information about more than one parameter at a time, use the GetParameters operation.
Get details of a parameter. Don't confuse this API operation with the GetParameter API operation.
" + "documentation":"Get information about one or more parameters by specifying multiple parameter names.
To get information about a single parameter, you can use the GetParameter operation instead.
ServiceSetting
is an account-level setting for an Amazon Web Services service. This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an Amazon Web Services service charges money to the account based on feature or service usage, then the Amazon Web Services service team might create a default setting of false
. This means the user can't use this feature unless they change the setting to true
and intentionally opt in for a paid feature.
Services map a SettingId
object to a setting value. Amazon Web Services services teams define the default value for a SettingId
. You can't create a new SettingId
, but you can overwrite the default value if you have the ssm:UpdateServiceSetting
permission for the setting. Use the UpdateServiceSetting API operation to change the default setting. Or use the ResetServiceSetting to change the value back to the original value defined by the Amazon Web Services service team.
Query the current service setting for the account.
" + "documentation":" ServiceSetting
is an account-level setting for an Amazon Web Services service. This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an Amazon Web Services service charges money to the account based on feature or service usage, then the Amazon Web Services service team might create a default setting of false
. This means the user can't use this feature unless they change the setting to true
and intentionally opt in for a paid feature.
Services map a SettingId
object to a setting value. Amazon Web Services services teams define the default value for a SettingId
. You can't create a new SettingId
, but you can overwrite the default value if you have the ssm:UpdateServiceSetting
permission for the setting. Use the UpdateServiceSetting API operation to change the default setting. Or use the ResetServiceSetting to change the value back to the original value defined by the Amazon Web Services service team.
Query the current service setting for the Amazon Web Services account.
" }, "LabelParameterVersion":{ "name":"LabelParameterVersion", @@ -1331,7 +1331,7 @@ {"shape":"InternalServerError"}, {"shape":"InvalidNextToken"} ], - "documentation":"Returns all State Manager associations in the current account and Region. You can limit the results to a specific State Manager association document or instance by specifying a filter. State Manager is a capability of Amazon Web Services Systems Manager.
" + "documentation":"Returns all State Manager associations in the current Amazon Web Services account and Amazon Web Services Region. You can limit the results to a specific State Manager association document or instance by specifying a filter. State Manager is a capability of Amazon Web Services Systems Manager.
" }, "ListCommandInvocations":{ "name":"ListCommandInvocations", @@ -1365,7 +1365,7 @@ {"shape":"InvalidFilterKey"}, {"shape":"InvalidNextToken"} ], - "documentation":"Lists the commands requested by users of the account.
" + "documentation":"Lists the commands requested by users of the Amazon Web Services account.
" }, "ListComplianceItems":{ "name":"ListComplianceItems", @@ -1413,7 +1413,7 @@ {"shape":"InvalidDocumentVersion"}, {"shape":"InvalidNextToken"} ], - "documentation":"Information about approval reviews for a version of an SSM document.
" + "documentation":"Information about approval reviews for a version of a change template in Change Manager.
" }, "ListDocumentVersions":{ "name":"ListDocumentVersions", @@ -1443,7 +1443,7 @@ {"shape":"InvalidNextToken"}, {"shape":"InvalidFilterKey"} ], - "documentation":"Returns all Systems Manager (SSM) documents in the current account and Region. You can limit the results of this request by using a filter.
" + "documentation":"Returns all Systems Manager (SSM) documents in the current Amazon Web Services account and Amazon Web Services Region. You can limit the results of this request by using a filter.
" }, "ListInventoryEntries":{ "name":"ListInventoryEntries", @@ -1476,7 +1476,7 @@ {"shape":"OpsItemLimitExceededException"}, {"shape":"OpsItemInvalidParameterException"} ], - "documentation":"Returns a list of all OpsItem events in the current Region and account. You can limit the results to events associated with specific OpsItems by specifying a filter.
" + "documentation":"Returns a list of all OpsItem events in the current Amazon Web Services Region and Amazon Web Services account. You can limit the results to events associated with specific OpsItems by specifying a filter.
" }, "ListOpsItemRelatedItems":{ "name":"ListOpsItemRelatedItems", @@ -1939,7 +1939,7 @@ {"shape":"StatusUnchanged"}, {"shape":"TooManyUpdates"} ], - "documentation":"Updates the status of the Amazon Web Services Systems Manager document (SSM document) associated with the specified instance.
" + "documentation":"Updates the status of the Amazon Web Services Systems Manager document (SSM document) associated with the specified instance.
UpdateAssociationStatus
is primarily used by the Amazon Web Services Systems Manager Agent (SSM Agent) to report status updates about your associations and is only used for associations created with the InstanceId
legacy parameter.
Updates information related to approval reviews for a specific version of a document.
" + "documentation":"Updates information related to approval reviews for a specific version of a change template in Change Manager.
" }, "UpdateMaintenanceWindow":{ "name":"UpdateMaintenanceWindow", @@ -2147,19 +2147,19 @@ "members":{ "AccountId":{ "shape":"AccountId", - "documentation":"The account ID where the current document is shared.
" + "documentation":"The Amazon Web Services account ID where the current document is shared.
" }, "SharedDocumentVersion":{ "shape":"SharedDocumentVersion", "documentation":"The version of the current document shared with the account.
" } }, - "documentation":"Information includes the account ID where the current document is shared and the version shared with that account.
" + "documentation":"Information includes the Amazon Web Services account ID where the current document is shared and the version shared with that account.
" }, "AccountSharingInfoList":{ "type":"list", "member":{"shape":"AccountSharingInfo"}, - "documentation":"A list of of accounts where the current document is shared and the version shared with each account.
" + "documentation":"A list of of Amazon Web Services accounts where the current document is shared and the version shared with each account.
" }, "Accounts":{ "type":"list", @@ -2334,7 +2334,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The ID of the instance.
" + "documentation":"The instance ID.
" }, "AssociationId":{ "shape":"AssociationId", @@ -2397,7 +2397,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The ID of the instance.
" + "documentation":"The instance ID.
" }, "AssociationVersion":{ "shape":"AssociationVersion", @@ -2485,7 +2485,7 @@ }, "TargetLocations":{ "shape":"TargetLocations", - "documentation":"The combination of Regions and accounts where you want to run the association.
" + "documentation":"The combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association.
" } }, "documentation":"Describes the parameters for a document.
" @@ -2898,7 +2898,7 @@ }, "TargetLocations":{ "shape":"TargetLocations", - "documentation":"The combination of Regions and accounts where you wanted to run the association when this association version was created.
" + "documentation":"The combination of Amazon Web Services Regions and Amazon Web Services accounts where you wanted to run the association when this association version was created.
" } }, "documentation":"Information about the association version.
" @@ -3155,7 +3155,7 @@ }, "TargetLocations":{ "shape":"TargetLocations", - "documentation":"The combination of Regions and/or accounts where you want to run the Automation.
", + "documentation":"The combination of Amazon Web Services Regions and/or Amazon Web Services accounts where you want to run the Automation.
", "box":true }, "ProgressCounters":{ @@ -3343,7 +3343,7 @@ }, "AutomationType":{ "shape":"AutomationType", - "documentation":"Use this filter with DescribeAutomationExecutions. Specify either Local or CrossAccount. CrossAccount is an Automation that runs in multiple Regions and accounts. For more information, see Running Automation workflows in multiple Regions and accounts in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"Use this filter with DescribeAutomationExecutions. Specify either Local or CrossAccount. CrossAccount is an Automation that runs in multiple Amazon Web Services Regions and Amazon Web Services accounts. For more information, see Running Automation workflows in multiple Amazon Web Services Regions and accounts in the Amazon Web Services Systems Manager User Guide.
" }, "AutomationSubtype":{ "shape":"AutomationSubtype", @@ -3645,7 +3645,7 @@ }, "OutputS3Region":{ "shape":"S3Region", - "documentation":"(Deprecated) You can no longer specify this parameter. The system ignores it. Instead, Systems Manager automatically determines the Region of the S3 bucket.
" + "documentation":"(Deprecated) You can no longer specify this parameter. The system ignores it. Instead, Systems Manager automatically determines the Amazon Web Services Region of the S3 bucket.
" }, "OutputS3BucketName":{ "shape":"S3BucketName", @@ -4222,7 +4222,7 @@ }, "IamRole":{ "shape":"IamRole", - "documentation":"The Identity and Access Management (IAM) role that you want to assign to the managed instance. This IAMrole must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com
. For more information, see Create an IAM service role for a hybrid environment in the Amazon Web Services Systems Manager User Guide.
The name of the Identity and Access Management (IAM) role that you want to assign to the managed instance. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com
. For more information, see Create an IAM service role for a hybrid environment in the Amazon Web Services Systems Manager User Guide.
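Review bot: in the new IamRole text, "must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com" does not say where that permission lives. If the intent is that the role's trust policy allows ssm.amazonaws.com to assume the role, say so explicitly, since the current wording can be read as attaching an sts:AssumeRole statement to the role's permissions policy.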
The name of the SSM document that contains the configuration information for the instance. You can specify Command or Automation runbooks.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For SSM documents that are shared with you from other accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
The name of the SSM document that contains the configuration information for the instance. You can specify Command or Automation runbooks.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For SSM documents that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
The ID of the instance.
" + "documentation":"The instance ID.
InstanceId
has been deprecated. To specify an instance ID for an association, use the Targets
parameter. Requests that include the parameter InstanceID
with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId
, you can't use the parameters AssociationName
, DocumentVersion
, MaxErrors
, MaxConcurrency
, OutputLocation
, or ScheduleExpression
. To use these parameters, you must use the Targets
parameter.
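Review bot: the added deprecation text spells the parameter two ways, "InstanceID" in "Requests that include the parameter InstanceID" and "InstanceId" everywhere else in the same paragraph. Use InstanceId throughout; a reader searching the documentation for the exact name will miss the mixed-case one.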
The name of the SSM Command document or Automation runbook that contains the configuration information for the instance.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager documents (SSM documents) that are shared with you from other accounts, you must specify the complete SSM document ARN, in the following format:
arn:partition:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
The name of the SSM Command document or Automation runbook that contains the configuration information for the instance.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager documents (SSM documents) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:partition:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
The targets for the association. You can target instances by using tags, Amazon Web Services resource groups, all instances in an account, or individual instance IDs. For more information about choosing targets for an association, see Using targets and rate controls with State Manager associations in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"The targets for the association. You can target instances by using tags, Amazon Web Services resource groups, all instances in an Amazon Web Services account, or individual instance IDs. For more information about choosing targets for an association, see Using targets and rate controls with State Manager associations in the Amazon Web Services Systems Manager User Guide.
" }, "ScheduleExpression":{ "shape":"ScheduleExpression", @@ -4417,7 +4417,7 @@ }, "TargetLocations":{ "shape":"TargetLocations", - "documentation":"A location is a combination of Regions and accounts where you want to run the association. Use this action to create an association in multiple Regions and multiple accounts.
" + "documentation":"A location is a combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association. Use this action to create an association in multiple Regions and multiple accounts.
" } } }, @@ -4652,7 +4652,7 @@ }, "Tags":{ "shape":"TagList", - "documentation":"Optional metadata that you assign to a resource. You can specify a maximum of five tags for an OpsMetadata object. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an OpsMetadata object to identify an environment or target Region. In this case, you could specify the following key-value pairs:
Key=Environment,Value=Production
Key=Region,Value=us-east-2
Optional metadata that you assign to a resource. You can specify a maximum of five tags for an OpsMetadata object. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an OpsMetadata object to identify an environment or target Amazon Web Services Region. In this case, you could specify the following key-value pairs:
Key=Environment,Value=Production
Key=Region,Value=us-east-2
Specify SyncToDestination
to create a resource data sync that synchronizes data to an S3 bucket for Inventory. If you specify SyncToDestination
, you must provide a value for S3Destination
. Specify SyncFromSource
to synchronize data from a single account and multiple Regions, or multiple accounts and Regions, as listed in Organizations for Explorer. If you specify SyncFromSource
, you must provide a value for SyncSource
. The default value is SyncToDestination
.
Specify SyncToDestination
to create a resource data sync that synchronizes data to an S3 bucket for Inventory. If you specify SyncToDestination
, you must provide a value for S3Destination
. Specify SyncFromSource
to synchronize data from a single account and multiple Regions, or multiple Amazon Web Services accounts and Amazon Web Services Regions, as listed in Organizations for Explorer. If you specify SyncFromSource
, you must provide a value for SyncSource
. The default value is SyncToDestination
.
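Review bot: the rename is applied to only half of the SyncFromSource sentence, which now reads "from a single account and multiple Regions, or multiple Amazon Web Services accounts and Amazon Web Services Regions". Qualify both halves or neither, so the sentence does not suggest that two different kinds of account are meant.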
The ID of the instance.
" + "documentation":"The instance ID.
InstanceId
has been deprecated. To specify an instance ID for an association, use the Targets
parameter. Requests that include the parameter InstanceID
with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId
, you can't use the parameters AssociationName
, DocumentVersion
, MaxErrors
, MaxConcurrency
, OutputLocation
, or ScheduleExpression
. To use these parameters, you must use the Targets
parameter.
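Review bot: "will fail" in the added text does not name the error a caller receives when InstanceId is sent with a document that uses schema version 2.0 or later, so a client cannot tell this case from other rejections. Name the exception here if one is defined for it. This paragraph also carries the "InstanceID" spelling, which should read InstanceId.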
The names of the parameters to delete.
" + "documentation":"The names of the parameters to delete. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
" } } }, @@ -5152,7 +5152,7 @@ "members":{ "ActivationList":{ "shape":"ActivationList", - "documentation":"A list of activations for your account.
" + "documentation":"A list of activations for your Amazon Web Services account.
" }, "NextToken":{ "shape":"NextToken", @@ -5403,11 +5403,11 @@ "members":{ "AccountIds":{ "shape":"AccountIdList", - "documentation":"The account IDs that have permission to use this document. The ID can be either an account or All.
" + "documentation":"The account IDs that have permission to use this document. The ID can be either an Amazon Web Services account or All.
" }, "AccountSharingInfoList":{ "shape":"AccountSharingInfoList", - "documentation":"A list of accounts where the current document is shared and the version shared with each account.
" + "documentation":"A list of Amazon Web Services accounts where the current document is shared and the version shared with each account.
" }, "NextToken":{ "shape":"NextToken", @@ -7188,7 +7188,7 @@ "members":{ "Target":{ "shape":"SessionTarget", - "documentation":"The ID of the instance.
" + "documentation":"The instance ID.
" } } }, @@ -7253,7 +7253,7 @@ "members":{ "InstanceId":{ "shape":"InstanceId", - "documentation":"The ID of the instance.
" + "documentation":"The instance ID.
" }, "SnapshotId":{ "shape":"SnapshotId", @@ -7869,7 +7869,7 @@ "members":{ "Entities":{ "shape":"OpsEntityList", - "documentation":"The list of aggregated and filtered OpsData.
" + "documentation":"The list of aggregated details and filtered OpsData.
" }, "NextToken":{ "shape":"NextToken", @@ -7920,7 +7920,7 @@ "members":{ "Name":{ "shape":"PSParameterName", - "documentation":"The name of the parameter you want to query.
" + "documentation":"The name of the parameter you want to query.
To query by parameter label, use \"Name\": \"name:label\"
. To query by parameter version, use \"Name\": \"name:version\"
.
Names of the parameters for which you want to query information.
" + "documentation":"Names of the parameters for which you want to query information.
To query by parameter label, use \"Name\": \"name:label\"
. To query by parameter version, use \"Name\": \"name:version\"
.
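Review bot: the example added under the plural description "Names of the parameters" still shows the singular key, "Name": "name:label" and "Name": "name:version", which looks copied from the single-parameter text. Show the list form for this field, and mark "name", "label" and "version" as placeholders so they are not read as literal values.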
The ID of the patch baseline to retrieve.
" + "documentation":"The ID of the patch baseline to retrieve.
To retrieve information about an Amazon Web Services managed patch baseline, specify the full Amazon Resource Name (ARN) of the baseline. For example, for the baseline AWS-AmazonLinuxDefaultPatchBaseline
, specify arn:aws:ssm:us-east-2:733109147000:patchbaseline/pb-0e392de35e7c563b7
instead of pb-0e392de35e7c563b7
.
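Review bot: the example ARN in the added text pins one Region and one account ID (us-east-2, 733109147000), and the text does not say whether that ARN is valid anywhere else. State that the ARN must be the one for the caller's Region and point to where it can be looked up, for example the operation that lists patch baselines, so the sample value is not copied verbatim.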
The name of the document.
" + "documentation":"The name of the change template.
" }, "DocumentVersion":{ "shape":"DocumentVersion", - "documentation":"The version of the document.
" + "documentation":"The version of the change template.
" }, "Metadata":{ "shape":"DocumentMetadataEnum", @@ -9808,19 +9808,19 @@ "members":{ "Name":{ "shape":"DocumentName", - "documentation":"The name of the document.
" + "documentation":"The name of the change template.
" }, "DocumentVersion":{ "shape":"DocumentVersion", - "documentation":"The version of the document.
" + "documentation":"The version of the change template.
" }, "Author":{ "shape":"DocumentAuthor", - "documentation":"The user ID of the person in the organization who requested the document review.
" + "documentation":"The user ID of the person in the organization who requested the review of the change template.
" }, "Metadata":{ "shape":"DocumentMetadataResponseInfo", - "documentation":"Information about the response to the document approval request.
" + "documentation":"Information about the response to the change template approval request.
" }, "NextToken":{ "shape":"NextToken", @@ -10090,7 +10090,7 @@ "members":{ "SyncType":{ "shape":"ResourceDataSyncType", - "documentation":"View a list of resource data syncs according to the sync type. Specify SyncToDestination
to view resource data syncs that synchronize data to an Amazon S3 bucket. Specify SyncFromSource
to view resource data syncs from Organizations or from multiple Regions.
View a list of resource data syncs according to the sync type. Specify SyncToDestination
to view resource data syncs that synchronize data to an Amazon S3 bucket. Specify SyncFromSource
to view resource data syncs from Organizations or from multiple Amazon Web Services Regions.
The Region where the S3 bucket is located.
" + "documentation":"The Amazon Web Services Region where the S3 bucket is located.
" } }, "documentation":"Information about an Amazon Simple Storage Service (Amazon S3) bucket to write instance-level logs to.
LoggingInfo
has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName
and OutputS3KeyPrefix
options in the TaskInvocationParameters
structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.
The ARN of the account that created the OpsItem.
" + "documentation":"The ARN of the Amazon Web Services account that created the OpsItem.
" }, "OpsItemType":{ "shape":"OpsItemType", @@ -11206,7 +11206,7 @@ }, "LastModifiedBy":{ "shape":"String", - "documentation":"The ARN of the account that last updated the OpsItem.
" + "documentation":"The ARN of the Amazon Web Services account that last updated the OpsItem.
" }, "LastModifiedTime":{ "shape":"DateTime", @@ -11273,7 +11273,7 @@ "documentation":"The time specified in a change request for a runbook workflow to end. Currently supported only for the OpsItem type /aws/changerequest
.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see OpsCenter in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational work items (OpsItems) impacting the performance and health of their Amazon Web Services resources. OpsCenter is integrated with Amazon EventBridge and Amazon CloudWatch. This means you can configure these services to automatically create an OpsItem in OpsCenter when a CloudWatch alarm enters the ALARM state or when EventBridge processes an event from any Amazon Web Services service that publishes events. Configuring Amazon CloudWatch alarms and EventBridge events to automatically create OpsItems allows you to quickly diagnose and remediate issues with Amazon Web Services resources from a single console.
To help you diagnose issues, each OpsItem includes contextually relevant information such as the name and ID of the Amazon Web Services resource that generated the OpsItem, alarm or event details, alarm history, and an alarm timeline graph. For the Amazon Web Services resource, OpsCenter aggregates information from Config, CloudTrail logs, and EventBridge, so you don't have to navigate across multiple console pages during your investigation. For more information, see OpsCenter in the Amazon Web Services Systems Manager User Guide.
" }, "OpsItemAlreadyExistsException":{ "type":"structure", @@ -12148,7 +12148,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"You have exceeded the number of parameters for this account. Delete one or more parameters and try again.
", + "documentation":"You have exceeded the number of parameters for this Amazon Web Services account. Delete one or more parameters and try again.
", "exception":true }, "ParameterList":{ @@ -12982,23 +12982,23 @@ "members":{ "TotalSteps":{ "shape":"Integer", - "documentation":"The total number of steps run in all specified Regions and accounts for the current Automation execution.
" + "documentation":"The total number of steps run in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
" }, "SuccessSteps":{ "shape":"Integer", - "documentation":"The total number of steps that successfully completed in all specified Regions and accounts for the current Automation execution.
" + "documentation":"The total number of steps that successfully completed in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
" }, "FailedSteps":{ "shape":"Integer", - "documentation":"The total number of steps that failed to run in all specified Regions and accounts for the current Automation execution.
" + "documentation":"The total number of steps that failed to run in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
" }, "CancelledSteps":{ "shape":"Integer", - "documentation":"The total number of steps that the system cancelled in all specified Regions and accounts for the current Automation execution.
" + "documentation":"The total number of steps that the system cancelled in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
" }, "TimedOutSteps":{ "shape":"Integer", - "documentation":"The total number of steps that timed out in all specified Regions and accounts for the current Automation execution.
" + "documentation":"The total number of steps that timed out in all specified Amazon Web Services Regions and Amazon Web Services accounts for the current Automation execution.
" } }, "documentation":"An aggregate of step execution statuses displayed in the Amazon Web Services Systems Manager console for a multi-Region and multi-account Automation execution.
" @@ -13085,7 +13085,7 @@ "members":{ "Name":{ "shape":"PSParameterName", - "documentation":"The fully qualified name of the parameter that you want to add to the system. The fully qualified name includes the complete hierarchy of the parameter path and name. For parameters in a hierarchy, you must include a leading forward slash character (/) when you create or reference a parameter. For example: /Dev/DBServer/MySQL/db-string13
Naming Constraints:
Parameter names are case sensitive.
A parameter name must be unique within an Region
A parameter name can't be prefixed with \"aws
\" or \"ssm
\" (case-insensitive).
Parameter names can include only the following symbols and letters: a-zA-Z0-9_.-
In addition, the slash character ( / ) is used to delineate hierarchies in parameter names. For example: /Dev/Production/East/Project-ABC/MyParameter
A parameter name can't include spaces.
Parameter hierarchies are limited to a maximum depth of fifteen levels.
For additional information about valid values for parameter names, see Creating Systems Manager parameters in the Amazon Web Services Systems Manager User Guide.
The maximum length constraint listed below includes capacity for additional system attributes that aren't part of the name. The maximum length for a parameter name, including the full length of the parameter ARN, is 1011 characters. For example, the length of the following parameter name is 65 characters, not 20 characters:
arn:aws:ssm:us-east-2:111122223333:parameter/ExampleParameterName
The fully qualified name of the parameter that you want to add to the system. The fully qualified name includes the complete hierarchy of the parameter path and name. For parameters in a hierarchy, you must include a leading forward slash character (/) when you create or reference a parameter. For example: /Dev/DBServer/MySQL/db-string13
Naming Constraints:
Parameter names are case sensitive.
A parameter name must be unique within an Amazon Web Services Region
A parameter name can't be prefixed with \"aws
\" or \"ssm
\" (case-insensitive).
Parameter names can include only the following symbols and letters: a-zA-Z0-9_.-
In addition, the slash character ( / ) is used to delineate hierarchies in parameter names. For example: /Dev/Production/East/Project-ABC/MyParameter
A parameter name can't include spaces.
Parameter hierarchies are limited to a maximum depth of fifteen levels.
For additional information about valid values for parameter names, see Creating Systems Manager parameters in the Amazon Web Services Systems Manager User Guide.
The maximum length constraint listed below includes capacity for additional system attributes that aren't part of the name. The maximum length for a parameter name, including the full length of the parameter ARN, is 1011 characters. For example, the length of the following parameter name is 65 characters, not 20 characters:
arn:aws:ssm:us-east-2:111122223333:parameter/ExampleParameterName
The Key Management Service (KMS) ID that you want to use to encrypt a parameter. Either the default KMS key automatically assigned to your account or a custom key. Required for parameters that use the SecureString
data type.
If you don't specify a key ID, the system uses the default key associated with your account.
To use your default KMS key, choose the SecureString
data type, and do not specify the Key ID
when you create the parameter. The system automatically populates Key ID
with your default KMS key.
To use a custom KMS key, choose the SecureString
data type with the Key ID
parameter.
The Key Management Service (KMS) ID that you want to use to encrypt a parameter. Either the default KMS key automatically assigned to your Amazon Web Services account or a custom key. Required for parameters that use the SecureString
data type.
If you don't specify a key ID, the system uses the default key associated with your Amazon Web Services account.
To use your default KMS key, choose the SecureString
data type, and do not specify the Key ID
when you create the parameter. The system automatically populates Key ID
with your default KMS key.
To use a custom KMS key, choose the SecureString
data type with the Key ID
parameter.
The parameter tier to assign to a parameter.
Parameter Store offers a standard tier and an advanced tier for parameters. Standard parameters have a content size limit of 4 KB and can't be configured to use parameter policies. You can create a maximum of 10,000 standard parameters for each Region in an account. Standard parameters are offered at no additional cost.
Advanced parameters have a content size limit of 8 KB and can be configured to use parameter policies. You can create a maximum of 100,000 advanced parameters for each Region in an account. Advanced parameters incur a charge. For more information, see Standard and advanced parameter tiers in the Amazon Web Services Systems Manager User Guide.
You can change a standard parameter to an advanced parameter any time. But you can't revert an advanced parameter to a standard parameter. Reverting an advanced parameter to a standard parameter would result in data loss because the system would truncate the size of the parameter from 8 KB to 4 KB. Reverting would also remove any policies attached to the parameter. Lastly, advanced parameters use a different form of encryption than standard parameters.
If you no longer need an advanced parameter, or if you no longer want to incur charges for an advanced parameter, you must delete it and recreate it as a new standard parameter.
Using the Default Tier Configuration
In PutParameter
requests, you can specify the tier to create the parameter in. Whenever you specify a tier in the request, Parameter Store creates or updates the parameter according to that request. However, if you don't specify a tier in a request, Parameter Store assigns the tier based on the current Parameter Store default tier configuration.
The default tier when you begin using Parameter Store is the standard-parameter tier. If you use the advanced-parameter tier, you can specify one of the following as the default:
Advanced: With this option, Parameter Store evaluates all requests as advanced parameters.
Intelligent-Tiering: With this option, Parameter Store evaluates each request to determine if the parameter is standard or advanced.
If the request doesn't include any options that require an advanced parameter, the parameter is created in the standard-parameter tier. If one or more options requiring an advanced parameter are included in the request, Parameter Store create a parameter in the advanced-parameter tier.
This approach helps control your parameter-related costs by always creating standard parameters unless an advanced parameter is necessary.
Options that require an advanced parameter include the following:
The content size of the parameter is more than 4 KB.
The parameter uses a parameter policy.
More than 10,000 parameters already exist in your account in the current Region.
For more information about configuring the default tier option, see Specifying a default parameter tier in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"The parameter tier to assign to a parameter.
Parameter Store offers a standard tier and an advanced tier for parameters. Standard parameters have a content size limit of 4 KB and can't be configured to use parameter policies. You can create a maximum of 10,000 standard parameters for each Region in an Amazon Web Services account. Standard parameters are offered at no additional cost.
Advanced parameters have a content size limit of 8 KB and can be configured to use parameter policies. You can create a maximum of 100,000 advanced parameters for each Region in an Amazon Web Services account. Advanced parameters incur a charge. For more information, see Standard and advanced parameter tiers in the Amazon Web Services Systems Manager User Guide.
You can change a standard parameter to an advanced parameter any time. But you can't revert an advanced parameter to a standard parameter. Reverting an advanced parameter to a standard parameter would result in data loss because the system would truncate the size of the parameter from 8 KB to 4 KB. Reverting would also remove any policies attached to the parameter. Lastly, advanced parameters use a different form of encryption than standard parameters.
If you no longer need an advanced parameter, or if you no longer want to incur charges for an advanced parameter, you must delete it and recreate it as a new standard parameter.
Using the Default Tier Configuration
In PutParameter
requests, you can specify the tier to create the parameter in. Whenever you specify a tier in the request, Parameter Store creates or updates the parameter according to that request. However, if you don't specify a tier in a request, Parameter Store assigns the tier based on the current Parameter Store default tier configuration.
The default tier when you begin using Parameter Store is the standard-parameter tier. If you use the advanced-parameter tier, you can specify one of the following as the default:
Advanced: With this option, Parameter Store evaluates all requests as advanced parameters.
Intelligent-Tiering: With this option, Parameter Store evaluates each request to determine if the parameter is standard or advanced.
If the request doesn't include any options that require an advanced parameter, the parameter is created in the standard-parameter tier. If one or more options requiring an advanced parameter are included in the request, Parameter Store create a parameter in the advanced-parameter tier.
This approach helps control your parameter-related costs by always creating standard parameters unless an advanced parameter is necessary.
Options that require an advanced parameter include the following:
The content size of the parameter is more than 4 KB.
The parameter uses a parameter policy.
More than 10,000 parameters already exist in your Amazon Web Services account in the current Amazon Web Services Region.
For more information about configuring the default tier option, see Specifying a default parameter tier in the Amazon Web Services Systems Manager User Guide.
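Review bot: In the added Tier documentation string, the Intelligent-Tiering paragraph still reads "Parameter Store create a parameter in the advanced-parameter tier"; the verb should be "creates". The sentence is carried over unchanged from the removed string, and since this change already rewrites the whole string it is a good place to fix it.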
" }, "Policies":{ "shape":"ParameterPolicies", @@ -13126,7 +13126,7 @@ }, "DataType":{ "shape":"ParameterDataType", - "documentation":"The data type for a String
parameter. Supported data types include plain text and Amazon Machine Image (AMI) IDs.
The following data type values are supported.
text
aws:ec2:image
When you create a String
parameter and specify aws:ec2:image
, Amazon Web Services Systems Manager validates the parameter value is in the required format, such as ami-12345abcdeEXAMPLE
, and that the specified AMI is available in your account. For more information, see Native parameter support for Amazon Machine Image (AMI) IDs in the Amazon Web Services Systems Manager User Guide.
The data type for a String
parameter. Supported data types include plain text and Amazon Machine Image (AMI) IDs.
The following data type values are supported.
text
aws:ec2:image
When you create a String
parameter and specify aws:ec2:image
, Amazon Web Services Systems Manager validates the parameter value is in the required format, such as ami-12345abcdeEXAMPLE
, and that the specified AMI is available in your Amazon Web Services account. For more information, see Native parameter support for Amazon Machine Image (AMI) IDs in the Amazon Web Services Systems Manager User Guide.
The Organizations organization units included in the sync.
" } }, - "documentation":"Information about the AwsOrganizationsSource
resource data sync source. A sync source of this type can synchronize data from Organizations or, if an Amazon Web Services organization isn't present, from multiple Regions.
Information about the AwsOrganizationsSource
resource data sync source. A sync source of this type can synchronize data from Organizations or, if an Amazon Web Services organization isn't present, from multiple Amazon Web Services Regions.
The sharing data type. Only Organization
is supported.
Synchronize Amazon Web Services Systems Manager Inventory data from multiple accounts defined in Organizations to a centralized Amazon S3 bucket. Data is synchronized to individual key prefixes in the central bucket. Each key prefix represents a different account ID.
" + "documentation":"Synchronize Amazon Web Services Systems Manager Inventory data from multiple Amazon Web Services accounts defined in Organizations to a centralized Amazon S3 bucket. Data is synchronized to individual key prefixes in the central bucket. Each key prefix represents a different Amazon Web Services account ID.
" }, "ResourceDataSyncDestinationDataSharingType":{ "type":"string", @@ -13546,7 +13546,7 @@ }, "SyncType":{ "shape":"ResourceDataSyncType", - "documentation":"The type of resource data sync. If SyncType
is SyncToDestination
, then the resource data sync synchronizes data to an S3 bucket. If the SyncType
is SyncFromSource
then the resource data sync synchronizes data from Organizations or from multiple Regions.
The type of resource data sync. If SyncType
is SyncToDestination
, then the resource data sync synchronizes data to an S3 bucket. If the SyncType
is SyncFromSource
then the resource data sync synchronizes data from Organizations or from multiple Amazon Web Services Regions.
The Region with the S3 bucket targeted by the resource data sync.
" + "documentation":"The Amazon Web Services Region with the S3 bucket targeted by the resource data sync.
" }, "AWSKMSKeyARN":{ "shape":"ResourceDataSyncAWSKMSKeyARN", @@ -13701,15 +13701,15 @@ }, "SourceRegions":{ "shape":"ResourceDataSyncSourceRegionList", - "documentation":"The SyncSource
Regions included in the resource data sync.
The SyncSource
Amazon Web Services Regions included in the resource data sync.
Whether to automatically synchronize and aggregate data from new Regions when those Regions come online.
" + "documentation":"Whether to automatically synchronize and aggregate data from new Amazon Web Services Regions when those Regions come online.
" }, "EnableAllOpsDataSources":{ "shape":"ResourceDataSyncEnableAllOpsDataSources", - "documentation":"When you create a resource data sync, if you choose one of the Organizations options, then Systems Manager automatically enables all OpsData sources in the selected Regions for all accounts in your organization (or in the selected organization units). For more information, see About multiple account and Region resource data syncs in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"When you create a resource data sync, if you choose one of the Organizations options, then Systems Manager automatically enables all OpsData sources in the selected Amazon Web Services Regions for all Amazon Web Services accounts in your organization (or in the selected organization units). For more information, see About multiple account and Region resource data syncs in the Amazon Web Services Systems Manager User Guide.
" } }, "documentation":"Information about the source of the data included in the resource data sync.
" @@ -13741,11 +13741,11 @@ }, "SourceRegions":{ "shape":"ResourceDataSyncSourceRegionList", - "documentation":"The SyncSource
Regions included in the resource data sync.
The SyncSource
Amazon Web Services Regions included in the resource data sync.
Whether to automatically synchronize and aggregate data from new Regions when those Regions come online.
" + "documentation":"Whether to automatically synchronize and aggregate data from new Amazon Web Services Regions when those Regions come online.
" }, "State":{ "shape":"ResourceDataSyncState", @@ -13753,7 +13753,7 @@ }, "EnableAllOpsDataSources":{ "shape":"ResourceDataSyncEnableAllOpsDataSources", - "documentation":"When you create a resource data sync, if you choose one of the Organizations options, then Systems Manager automatically enables all OpsData sources in the selected Regions for all accounts in your organization (or in the selected organization units). For more information, see About multiple account and Region resource data syncs in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"When you create a resource data sync, if you choose one of the Organizations options, then Systems Manager automatically enables all OpsData sources in the selected Amazon Web Services Regions for all Amazon Web Services accounts in your organization (or in the selected organization units). For more information, see About multiple account and Region resource data syncs in the Amazon Web Services Systems Manager User Guide.
" } }, "documentation":"The data type name for including resource data sync state. There are four sync states:
OrganizationNotExists
(Your organization doesn't exist)
NoPermissions
(The system can't locate the service-linked role. This role is automatically created when a user creates a resource data sync in Amazon Web Services Systems Manager Explorer.)
InvalidOrganizationalUnit
(You specified or selected an invalid unit in the resource data sync configuration.)
TrustedAccessDisabled
(You disabled Systems Manager access in the organization in Organizations.)
A URL back to SSM Agent on the instance that the Session Manager client uses to send commands and receive output from the instance. Format: wss://ssmmessages.region.amazonaws.com/v1/data-channel/session-id?stream=(input|output)
.
region represents the Region identifier for an Region supported by Amazon Web Services Systems Manager, such as us-east-2
for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as 1a2b3c4dEXAMPLE
.
A URL back to SSM Agent on the instance that the Session Manager client uses to send commands and receive output from the instance. Format: wss://ssmmessages.region.amazonaws.com/v1/data-channel/session-id?stream=(input|output)
.
region represents the Region identifier for an Amazon Web Services Region supported by Amazon Web Services Systems Manager, such as us-east-2
for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as 1a2b3c4dEXAMPLE
.
Information about the Regions and accounts targeted by the current Runbook operation.
", + "documentation":"Information about the Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Runbook operation.
", "box":true } }, @@ -14072,7 +14072,7 @@ }, "OutputS3Region":{ "shape":"S3Region", - "documentation":"(Deprecated) You can no longer specify this parameter. The system ignores it. Instead, Systems Manager automatically determines the Region of the S3 bucket.
" + "documentation":"(Deprecated) You can no longer specify this parameter. The system ignores it. Instead, Systems Manager automatically determines the Amazon Web Services Region of the S3 bucket.
" }, "OutputS3BucketName":{ "shape":"S3BucketName", @@ -14457,7 +14457,7 @@ }, "TargetLocations":{ "shape":"TargetLocations", - "documentation":"A location is a combination of Regions and/or accounts where you want to run the automation. Use this operation to start an automation in multiple Regions and multiple accounts. For more information, see Running Automation workflows in multiple Regions and accounts in the Amazon Web Services Systems Manager User Guide.
", + "documentation":"A location is a combination of Amazon Web Services Regions and/or Amazon Web Services accounts where you want to run the automation. Use this operation to start an automation in multiple Amazon Web Services Regions and multiple Amazon Web Services accounts. For more information, see Running Automation workflows in multiple Amazon Web Services Regions and Amazon Web Services accounts in the Amazon Web Services Systems Manager User Guide.
", "box":true }, "Tags":{ @@ -14513,7 +14513,7 @@ }, "Tags":{ "shape":"TagList", - "documentation":"Optional metadata that you assign to a resource. You can specify a maximum of five tags for a change request. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a change request to identify an environment or target Region. In this case, you could specify the following key-value pairs:
Key=Environment,Value=Production
Key=Region,Value=us-east-2
Optional metadata that you assign to a resource. You can specify a maximum of five tags for a change request. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a change request to identify an environment or target Amazon Web Services Region. In this case, you could specify the following key-value pairs:
Key=Environment,Value=Production
Key=Region,Value=us-east-2
A URL back to SSM Agent on the instance that the Session Manager client uses to send commands and receive output from the instance. Format: wss://ssmmessages.region.amazonaws.com/v1/data-channel/session-id?stream=(input|output)
region represents the Region identifier for an Region supported by Amazon Web Services Systems Manager, such as us-east-2
for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as 1a2b3c4dEXAMPLE
.
A URL back to SSM Agent on the instance that the Session Manager client uses to send commands and receive output from the instance. Format: wss://ssmmessages.region.amazonaws.com/v1/data-channel/session-id?stream=(input|output)
region represents the Region identifier for an Amazon Web Services Region supported by Amazon Web Services Systems Manager, such as us-east-2
for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as 1a2b3c4dEXAMPLE
.
The combination of Regions and accounts targeted by the current Automation execution.
", + "documentation":"The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
", "box":true } }, @@ -14833,7 +14833,7 @@ "documentation":"User-defined criteria that maps to Key
. For example, if you specified tag:ServerRole
, you could specify value:WebServer
to run a command on instances that include EC2 tags of ServerRole,WebServer
.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
" } }, - "documentation":"An array of search criteria that targets instances using a key-value pair that you specify.
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
Supported formats include the following.
Key=InstanceIds,Values=instance-id-1,instance-id-2,instance-id-3
Key=tag:my-tag-key,Values=my-tag-value-1,my-tag-value-2
Key=tag-key,Values=my-tag-key-1,my-tag-key-2
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=resource-group-name
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=resource-type-1,resource-type-2
Automation targets only: Key=ResourceGroup;Values=resource-group-name
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.
Automation targets only: Key=ResourceGroup,Values=MyResourceGroup
State Manager association targets only: Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Region where the association was created.
For more information about how to send commands that target instances using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide.
An array of search criteria that targets instances using a key-value pair that you specify.
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
Supported formats include the following.
Key=InstanceIds,Values=instance-id-1,instance-id-2,instance-id-3
Key=tag:my-tag-key,Values=my-tag-value-1,my-tag-value-2
Key=tag-key,Values=my-tag-key-1,my-tag-key-2
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=resource-group-name
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=resource-type-1,resource-type-2
Automation targets only: Key=ResourceGroup;Values=resource-group-name
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.
Automation targets only: Key=ResourceGroup,Values=MyResourceGroup
State Manager association targets only: Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.
For more information about how to send commands that target instances using Key,Value
parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide.
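Review bot: In the added Targets documentation string, the supported-format line for Automation targets uses a semicolon (Key=ResourceGroup;Values=resource-group-name), while the worked example further down uses a comma (Key=ResourceGroup,Values=MyResourceGroup), as does every other format in the list. The discrepancy is carried over from the removed string. Please confirm which separator is intended and make the format line and the example agree, since readers copy these strings directly into target definitions.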
The accounts targeted by the current Automation execution.
" + "documentation":"The Amazon Web Services accounts targeted by the current Automation execution.
" }, "Regions":{ "shape":"Regions", - "documentation":"The Regions targeted by the current Automation execution.
" + "documentation":"The Amazon Web Services Regions targeted by the current Automation execution.
" }, "TargetLocationMaxConcurrency":{ "shape":"MaxConcurrency", - "documentation":"The maximum number of Regions and accounts allowed to run the Automation concurrently.
", + "documentation":"The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.
", "box":true }, "TargetLocationMaxErrors":{ @@ -14877,7 +14877,7 @@ "box":true } }, - "documentation":"The combination of Regions and accounts targeted by the current Automation execution.
" + "documentation":"The combination of Amazon Web Services Regions and Amazon Web Services accounts targeted by the current Automation execution.
" }, "TargetLocations":{ "type":"list", @@ -15120,7 +15120,7 @@ }, "Name":{ "shape":"DocumentARN", - "documentation":"The name of the SSM Command document or Automation runbook that contains the configuration information for the instance.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager document (SSM document) that are shared with you from other accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
The name of the SSM Command document or Automation runbook that contains the configuration information for the instance.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager document (SSM document) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline
or My-Document
.
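Review bot: In the added Name documentation string, the example ARN arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document carries an 11-digit account ID, whereas Amazon Web Services account IDs are 12 digits (the parameter ARN example earlier in this patch uses 111122223333). Suggest a 12-digit placeholder here as well. In the same string, "For Systems Manager document (SSM document) that are shared with you" should use the plural "documents", and the preceding sentence still says "from another account" while the next one was changed to "other Amazon Web Services accounts".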
A location is a combination of Regions and accounts where you want to run the association. Use this action to update an association in multiple Regions and multiple accounts.
" + "documentation":"A location is a combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association. Use this action to update an association in multiple Regions and multiple accounts.
" } } }, @@ -15191,7 +15191,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The ID of the instance.
" + "documentation":"The instance ID.
" }, "AssociationStatus":{ "shape":"AssociationStatus", @@ -15243,15 +15243,15 @@ "members":{ "Name":{ "shape":"DocumentName", - "documentation":"The name of the document for which a version is to be updated.
" + "documentation":"The name of the change template for which a version's metadata is to be updated.
" }, "DocumentVersion":{ "shape":"DocumentVersion", - "documentation":"The version of a document to update.
" + "documentation":"The version of a change template in which to update approval metadata.
" }, "DocumentReviews":{ "shape":"DocumentReviews", - "documentation":"The document review details to update.
" + "documentation":"The change template review details to update.
" } } }, diff --git a/services/ssmcontacts/pom.xml b/services/ssmcontacts/pom.xml index f7f3692ae753..fb159c9782d6 100644 --- a/services/ssmcontacts/pom.xml +++ b/services/ssmcontacts/pom.xml @@ -21,7 +21,7 @@Returns the web ACL capacity unit (WCU) requirements for a specified scope and set of rules. You can use this to check the capacity requirements for the rules you want to use in a RuleGroup or WebACL.
WAF uses WCUs to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. WAF calculates capacity differently for each rule type, to reflect the relative cost of each rule. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. Rule group capacity is fixed at creation, which helps users plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.
" }, @@ -278,7 +279,8 @@ {"shape":"WAFInvalidParameterException"}, {"shape":"WAFInvalidResourceException"}, {"shape":"WAFNonexistentItemException"}, - {"shape":"WAFInvalidOperationException"} + {"shape":"WAFInvalidOperationException"}, + {"shape":"WAFExpiredManagedRuleGroupVersionException"} ], "documentation":"Provides high-level information for a managed rule group, including descriptions of the rules.
" }, @@ -330,6 +332,22 @@ ], "documentation":"Returns the LoggingConfiguration for the specified web ACL.
" }, + "GetManagedRuleSet":{ + "name":"GetManagedRuleSet", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"GetManagedRuleSetRequest"}, + "output":{"shape":"GetManagedRuleSetResponse"}, + "errors":[ + {"shape":"WAFInternalErrorException"}, + {"shape":"WAFInvalidParameterException"}, + {"shape":"WAFNonexistentItemException"}, + {"shape":"WAFInvalidOperationException"} + ], + "documentation":"Retrieves the specified managed rule set.
This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Marketplace sellers.
Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets
, GetManagedRuleSet
, PutManagedRuleSetVersions
, and UpdateManagedRuleSetVersionExpiryDate
.
Retrieves the WebACL for the specified resource.
" }, + "ListAvailableManagedRuleGroupVersions":{ + "name":"ListAvailableManagedRuleGroupVersions", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListAvailableManagedRuleGroupVersionsRequest"}, + "output":{"shape":"ListAvailableManagedRuleGroupVersionsResponse"}, + "errors":[ + {"shape":"WAFInternalErrorException"}, + {"shape":"WAFInvalidParameterException"}, + {"shape":"WAFInvalidOperationException"} + ], + "documentation":"Returns a list of the available versions for the specified managed rule group.
" + }, "ListAvailableManagedRuleGroups":{ "name":"ListAvailableManagedRuleGroups", "http":{ @@ -454,7 +487,7 @@ {"shape":"WAFInvalidParameterException"}, {"shape":"WAFInvalidOperationException"} ], - "documentation":"Retrieves an array of managed rule groups that are available for you to use. This list includes all Amazon Web Services Managed Rules rule groups and the Marketplace managed rule groups that you're subscribed to.
" + "documentation":"Retrieves an array of managed rule groups that are available for you to use. This list includes all Amazon Web Services Managed Rules rule groups and all of the Marketplace managed rule groups that you're subscribed to.
" }, "ListIPSets":{ "name":"ListIPSets", @@ -486,6 +519,21 @@ ], "documentation":"Retrieves an array of your LoggingConfiguration objects.
" }, + "ListManagedRuleSets":{ + "name":"ListManagedRuleSets", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListManagedRuleSetsRequest"}, + "output":{"shape":"ListManagedRuleSetsResponse"}, + "errors":[ + {"shape":"WAFInternalErrorException"}, + {"shape":"WAFInvalidParameterException"}, + {"shape":"WAFInvalidOperationException"} + ], + "documentation":"Retrieves the managed rule sets that you own.
This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Marketplace sellers.
Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets
, GetManagedRuleSet
, PutManagedRuleSetVersions
, and UpdateManagedRuleSetVersionExpiryDate
.
Enables the specified LoggingConfiguration, to start logging from a web ACL, according to the configuration provided.
You can access information about all traffic that WAF inspects using the following steps:
Create an Amazon Kinesis Data Firehose.
Create the data firehose with a PUT source and in the Region that you are operating. If you are capturing logs for Amazon CloudFront, always create the firehose in US East (N. Virginia).
Give the data firehose a name that starts with the prefix aws-waf-logs-
. For example, aws-waf-logs-us-east-2-analytics
.
Do not create the data firehose using a Kinesis stream
as your source.
Associate that firehose to your web ACL using a PutLoggingConfiguration
request.
When you successfully enable logging using a PutLoggingConfiguration
request, WAF will create a service linked role with the necessary permissions to write logs to the Amazon Kinesis Data Firehose. For more information, see Logging Web ACL Traffic Information in the WAF Developer Guide.
This operation completely replaces the mutable specifications that you already have for the logging configuration with the ones that you provide to this call. To modify the logging configuration, retrieve it by calling GetLoggingConfiguration, update the settings as needed, and then provide the complete logging configuration specification to this call.
Defines the versions of your managed rule set that you are offering to the customers. Customers see your offerings as managed rule groups with versioning.
This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Marketplace sellers.
Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets
, GetManagedRuleSet
, PutManagedRuleSetVersions
, and UpdateManagedRuleSetVersionExpiryDate
.
Customers retrieve their managed rule group list by calling ListAvailableManagedRuleGroups. The name that you provide here for your managed rule set is the name the customer sees for the corresponding managed rule group. Customers can retrieve the available versions for a managed rule group by calling ListAvailableManagedRuleGroupVersions. You provide a rule group specification for each version. For each managed rule set, you must specify a version that you recommend using.
To initiate the expiration of a managed rule group version, use UpdateManagedRuleSetVersionExpiryDate.
" + }, "PutPermissionPolicy":{ "name":"PutPermissionPolicy", "http":{ @@ -656,6 +721,23 @@ ], "documentation":"Updates the specified IPSet.
This operation completely replaces the mutable specifications that you already have for the IP set with the ones that you provide to this call. To modify the IP set, retrieve it by calling GetIPSet, update the settings as needed, and then provide the complete IP set specification to this call.
Updates the expiration information for your managed rule set. Use this to initiate the expiration of a managed rule group version. After you initiate expiration for a version, WAF excludes it from the reponse to ListAvailableManagedRuleGroupVersions for the managed rule group.
This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Marketplace sellers.
Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets
, GetManagedRuleSet
, PutManagedRuleSetVersions
, and UpdateManagedRuleSetVersionExpiryDate
.
Updates the specified WebACL.
This operation completely replaces the mutable specifications that you already have for the web ACL with the ones that you provide to this call. To modify the web ACL, retrieve it by calling GetWebACL, update the settings as needed, and then provide the complete web ACL specification to this call.
A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AppSync GraphQL API.
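Review bot: Typo in the new UpdateManagedRuleSetVersionExpiryDate documentation string: "WAF excludes it from the reponse to ListAvailableManagedRuleGroupVersions" should read "response". This string feeds the generated API reference, so fix it in the model before merging. The text also only describes what the list call returns after expiration is initiated; consider adding one sentence on whether web ACLs that already use the version keep evaluating it until the expiry time.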
" } @@ -1205,7 +1288,7 @@ }, "IPAddressVersion":{ "shape":"IPAddressVersion", - "documentation":"Specify IPV4 or IPV6.
" + "documentation":"The version of the IP addresses, either IPV4
or IPV6
.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.
To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1
.
API and SDKs - For all calls, use the Region endpoint us-east-1.
The version of the rule group. You can only use a version that is not scheduled for expiration. If you don't provide this, WAF uses the vendor's default version.
" } } }, "DescribeManagedRuleGroupResponse":{ "type":"structure", "members":{ + "VersionName":{ + "shape":"VersionKeyString", + "documentation":"The managed rule group's version.
" + }, + "SnsTopicArn":{ + "shape":"ResourceArn", + "documentation":"The Amazon resource name (ARN) of the Amazon Simple Notification Service SNS topic that's used to record changes to the managed rule group. You can subscribe to the SNS topic to receive notifications when the managed rule group is modified, such as for new versions and for version expiration. For more information, see the Amazon Simple Notification Service Developer Guide.
" + }, "Capacity":{ "shape":"CapacityUnit", "documentation":"The web ACL capacity units (WCUs) required for this rule group. WAF uses web ACL capacity units (WCU) to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. WAF calculates capacity differently for each rule type, to reflect each rule's relative cost. Rule group capacity is fixed at creation, so users can plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.
" @@ -1974,7 +2069,7 @@ }, "LockToken":{ "shape":"LockToken", - "documentation":"A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
The name of the managed rule set. You use this, along with the rule set ID, to identify the rule set.
This name is assigned to the corresponding managed rule group, which your customers can access and use.
" + }, + "Scope":{ + "shape":"Scope", + "documentation":"Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.
To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1
.
API and SDKs - For all calls, use the Region endpoint us-east-1.
A unique identifier for the managed rule set. The ID is returned in the responses to commands like list
. You provide it to operations like get
and update
.
The managed rule set that you requested.
" + }, + "LockToken":{ + "shape":"LockToken", + "documentation":"A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
Specify IPV4 or IPV6.
" + "documentation":"The version of the IP addresses, either IPV4
or IPV6
.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
What WAF should do if it fails to completely parse the JSON body. The options are the following:
EVALUATE_AS_STRING
- Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.
NO_MATCH
- Treat the web request as not matching the rule statement.
If you don't provide this setting, WAF parses and evaluates the content only up to the first parsing failure that it encounters.
WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as characters that aren't valid, duplicate keys, truncation, and any content whose root node isn't an object or an array.
WAF parses the JSON in the following examples as two valid key, value pairs:
Missing comma: {\"key1\":\"value1\"\"key2\":\"value2\"}
Missing colon: {\"key1\":\"value1\",\"key2\"\"value2\"}
Extra colons: {\"key1\"::\"value1\",\"key2\"\"value2\"}
What WAF should do if it fails to completely parse the JSON body. The options are the following:
EVALUATE_AS_STRING
- Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.
NO_MATCH
- Treat the web request as not matching the rule statement.
If you don't provide this setting, WAF parses and evaluates the content only up to the first parsing failure that it encounters.
WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array.
WAF parses the JSON in the following examples as two valid key, value pairs:
Missing comma: {\"key1\":\"value1\"\"key2\":\"value2\"}
Missing colon: {\"key1\":\"value1\",\"key2\"\"value2\"}
Extra colons: {\"key1\"::\"value1\",\"key2\"\"value2\"}
The body of a web request, inspected as JSON. The body immediately follows the request headers. This is used in the FieldToMatch specification.
Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule's inspection criteria. WAF inspects only the parts of the JSON that result from the matches that you indicate.
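Review bot: The "Extra colons" example in the fallback-behavior documentation, {\"key1\"::\"value1\",\"key2\"\"value2\"}, also omits the colon between "key2" and "value2", so it repeats the defect from the "Missing colon" example instead of isolating the doubled colon. If that is not intentional, change the second pair to \"key2\":\"value2\" wherever this text appears. The visible rewording only swaps "characters that aren't valid" for "invalid characters", so this looks like a leftover that can be fixed in the same pass.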
" @@ -2535,6 +2665,49 @@ "type":"list", "member":{"shape":"Label"} }, + "ListAvailableManagedRuleGroupVersionsRequest":{ + "type":"structure", + "required":[ + "VendorName", + "Name", + "Scope" + ], + "members":{ + "VendorName":{ + "shape":"VendorName", + "documentation":"The name of the managed rule group vendor. You use this, along with the rule group name, to identify the rule group.
" + }, + "Name":{ + "shape":"EntityName", + "documentation":"The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.
" + }, + "Scope":{ + "shape":"Scope", + "documentation":"Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.
To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1
.
API and SDKs - For all calls, use the Region endpoint us-east-1.
When you request a list of objects with a Limit
setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker
value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.
The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker
value that you can use in a subsequent call to get the next batch of objects.
When you request a list of objects with a Limit
setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker
value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.
The versions that are currently available for the specified managed rule group.
" + } + } + }, "ListAvailableManagedRuleGroupsRequest":{ "type":"structure", "required":["Scope"], @@ -2627,6 +2800,37 @@ } } }, + "ListManagedRuleSetsRequest":{ + "type":"structure", + "required":["Scope"], + "members":{ + "Scope":{ + "shape":"Scope", + "documentation":"Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.
To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1
.
API and SDKs - For all calls, use the Region endpoint us-east-1.
When you request a list of objects with a Limit
setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker
value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.
The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker
value that you can use in a subsequent call to get the next batch of objects.
When you request a list of objects with a Limit
setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker
value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.
Your managed rule sets.
" + } + } + }, "ListMaxItems":{ "type":"long", "max":500, @@ -2858,6 +3062,10 @@ "shape":"EntityName", "documentation":"The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.
" }, + "Version":{ + "shape":"VersionKeyString", + "documentation":"The version of the managed rule group to use. If you specify this, the version setting is fixed until you change it. If you don't specify this, WAF uses the vendor's default version, and then keeps the version at the vendor's default when the vendor updates the managed rule group settings.
" + }, "ExcludedRules":{ "shape":"ExcludedRules", "documentation":"The rules whose actions are set to COUNT
by the web ACL, regardless of the action that is set on the rule. This effectively excludes the rule from acting on web requests.
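Review bot: The new Version member documentation says the setting "is fixed until you change it" but does not say what happens to a pinned version once the vendor starts its expiration through UpdateManagedRuleSetVersionExpiryDate. The DescribeManagedRuleGroup request text in this patch already states "You can only use a version that is not scheduled for expiration"; repeat that constraint here and point to the SnsTopicArn notifications, so operators who pin a version know they have to track expiry and later vendor rule updates themselves.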
High-level information about a managed rule group, returned by ListAvailableManagedRuleGroups. This provides information like the name and vendor name, that you provide when you add a ManagedRuleGroupStatement to a web ACL. Managed rule groups include Amazon Web Services Managed Rules rule groups, which are free of charge to WAF customers, and Marketplace managed rule groups, which you can subscribe to through Marketplace.
" }, + "ManagedRuleGroupVersion":{ + "type":"structure", + "members":{ + "Name":{ + "shape":"VersionKeyString", + "documentation":"The version name.
" + }, + "LastUpdateTimestamp":{ + "shape":"Timestamp", + "documentation":"The date and time that the managed rule group owner updated the rule group version information.
" + } + }, + "documentation":"Describes a single version of a managed rule group.
" + }, + "ManagedRuleGroupVersions":{ + "type":"list", + "member":{"shape":"ManagedRuleGroupVersion"} + }, + "ManagedRuleSet":{ + "type":"structure", + "required":[ + "Name", + "Id", + "ARN" + ], + "members":{ + "Name":{ + "shape":"EntityName", + "documentation":"The name of the managed rule set. You use this, along with the rule set ID, to identify the rule set.
This name is assigned to the corresponding managed rule group, which your customers can access and use.
" + }, + "Id":{ + "shape":"EntityId", + "documentation":"A unique identifier for the managed rule set. The ID is returned in the responses to commands like list
. You provide it to operations like get
and update
.
The Amazon Resource Name (ARN) of the entity.
" + }, + "Description":{ + "shape":"EntityDescription", + "documentation":"A description of the set that helps with identification.
" + }, + "PublishedVersions":{ + "shape":"PublishedVersions", + "documentation":"The versions of this managed rule set that are available for use by customers.
" + }, + "RecommendedVersion":{ + "shape":"VersionKeyString", + "documentation":"The version that you would like your customers to use.
" + }, + "LabelNamespace":{ + "shape":"LabelName", + "documentation":"The label namespace prefix for the managed rule groups that are offered to customers from this managed rule set. All labels that are added by rules in the managed rule group have this prefix.
The syntax for the label namespace prefix for a managed rule group is the following:
awswaf:managed:<vendor>:<rule group name>
:
When a rule with a label matches a web request, WAF adds the fully qualified label to the request. A fully qualified label is made up of the label namespace from the rule group or web ACL where the rule is defined and the label from the rule, separated by a colon:
<label namespace>:<label from rule>
A set of rules that is managed by Amazon Web Services and Marketplace sellers to provide versioned managed rule groups for customers of WAF.
This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Marketplace sellers.
Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets
, GetManagedRuleSet
, PutManagedRuleSetVersions
, and UpdateManagedRuleSetVersionExpiryDate
.
The name of the managed rule set. You use this, along with the rule set ID, to identify the rule set.
This name is assigned to the corresponding managed rule group, which your customers can access and use.
" + }, + "Id":{ + "shape":"EntityId", + "documentation":"A unique identifier for the managed rule set. The ID is returned in the responses to commands like list
. You provide it to operations like get
and update
.
A description of the set that helps with identification.
" + }, + "LockToken":{ + "shape":"LockToken", + "documentation":"A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
The Amazon Resource Name (ARN) of the entity.
" + }, + "LabelNamespace":{ + "shape":"LabelName", + "documentation":"The label namespace prefix for the managed rule groups that are offered to customers from this managed rule set. All labels that are added by rules in the managed rule group have this prefix.
The syntax for the label namespace prefix for a managed rule group is the following:
awswaf:managed:<vendor>:<rule group name>
:
When a rule with a label matches a web request, WAF adds the fully qualified label to the request. A fully qualified label is made up of the label namespace from the rule group or web ACL where the rule is defined and the label from the rule, separated by a colon:
<label namespace>:<label from rule>
High-level information for a managed rule set.
This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Marketplace sellers.
Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets
, GetManagedRuleSet
, PutManagedRuleSetVersions
, and UpdateManagedRuleSetVersionExpiryDate
.
The Amazon Resource Name (ARN) of the vendor rule group that's used to define the published version of your managed rule group.
" + }, + "Capacity":{ + "shape":"CapacityUnit", + "documentation":"The web ACL capacity units (WCUs) required for this rule group.
WAF uses WCUs to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. WAF calculates capacity differently for each rule type, to reflect the relative cost of each rule. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. Rule group capacity is fixed at creation, which helps users plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.
" + }, + "ForecastedLifetime":{ + "shape":"TimeWindowDay", + "documentation":"The amount of time you expect this version of your managed rule group to last, in days.
" + }, + "PublishTimestamp":{ + "shape":"Timestamp", + "documentation":"The time that you first published this version.
Times are in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, \"2016-09-27T14:50Z\".
" + }, + "LastUpdateTimestamp":{ + "shape":"Timestamp", + "documentation":"The last time that you updated this version.
Times are in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, \"2016-09-27T14:50Z\".
" + }, + "ExpiryTimestamp":{ + "shape":"Timestamp", + "documentation":"The time that this version is set to expire.
Times are in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, \"2016-09-27T14:50Z\".
" + } + }, + "documentation":"Information for a single version of a managed rule set.
This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Marketplace sellers.
Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets
, GetManagedRuleSet
, PutManagedRuleSetVersions
, and UpdateManagedRuleSetVersionExpiryDate
.
The name of the managed rule set. You use this, along with the rule set ID, to identify the rule set.
This name is assigned to the corresponding managed rule group, which your customers can access and use.
" + }, + "Scope":{ + "shape":"Scope", + "documentation":"Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.
To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1
.
API and SDKs - For all calls, use the Region endpoint us-east-1.
A unique identifier for the managed rule set. The ID is returned in the responses to commands like list
. You provide it to operations like get
and update
.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
The version of the named managed rule group that you'd like your customers to choose, from among your version offerings.
" + }, + "VersionsToPublish":{ + "shape":"VersionsToPublish", + "documentation":"The versions of the named managed rule group that you want to offer to your customers.
" + } + } + }, + "PutManagedRuleSetVersionsResponse":{ + "type":"structure", + "members":{ + "NextLockToken":{ + "shape":"LockToken", + "documentation":"A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
The version of the IP addresses, either IPV4
or IPV6
.
The IP addresses that are currently blocked.
" @@ -3216,7 +3597,7 @@ }, "LockToken":{ "shape":"LockToken", - "documentation":"A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
You can specify the following transformation types:
BASE64_DECODE - Decode a Base64
-encoded string.
BASE64_DECODE_EXT - Decode a Base64
-encoded string, but use a forgiving implementation that ignores characters that aren't valid.
CMD_LINE - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.
Delete the following characters: \\ \" ' ^
Delete spaces before the following characters: / (
Replace the following characters with a space: , ;
Replace multiple spaces with one space
Convert uppercase letters (A-Z) to lowercase (a-z)
COMPRESS_WHITE_SPACE - Replace these characters with a space character (decimal 32):
\\f
, formfeed, decimal 12
\\t
, tab, decimal 9
\\n
, newline, decimal 10
\\r
, carriage return, decimal 13
\\v
, vertical tab, decimal 11
Non-breaking space, decimal 160
COMPRESS_WHITE_SPACE
also replaces multiple spaces with one space.
CSS_DECODE - Decode characters that were encoded using CSS 2.x escape rules syndata.html#characters
. This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn’t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, ja\\vascript
for javascript.
ESCAPE_SEQ_DECODE - Decode the following ANSI C escape sequences: \\a
, \\b
, \\f
, \\n
, \\r
, \\t
, \\v
, \\\\
, \\?
, \\'
, \\\"
, \\xHH
(hexadecimal), \\0OOO
(octal). Encodings that aren't valid remain in the output.
HEX_DECODE - Decode a string of hexadecimal characters into a binary.
HTML_ENTITY_DECODE - Replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE
performs these operations:
Replaces (ampersand)quot;
with \"
Replaces (ampersand)nbsp;
with a non-breaking space, decimal 160
Replaces (ampersand)lt;
with a \"less than\" symbol
Replaces (ampersand)gt;
with >
Replaces characters that are represented in hexadecimal format, (ampersand)#xhhhh;
, with the corresponding characters
Replaces characters that are represented in decimal format, (ampersand)#nnnn;
, with the corresponding characters
JS_DECODE - Decode JavaScript escape sequences. If a \\
u
HHHH
code is in the full-width ASCII code range of FF01-FF5E
, then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.
LOWERCASE - Convert uppercase letters (A-Z) to lowercase (a-z).
MD5 - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.
NONE - Specify NONE
if you don't want any text transformations.
NORMALIZE_PATH - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.
NORMALIZE_PATH_WIN - This is the same as NORMALIZE_PATH
, but first converts backslash characters to forward slashes.
REMOVE_NULLS - Remove all NULL
bytes from the input.
REPLACE_COMMENTS - Replace each occurrence of a C-style comment (/* ... */
) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment (*/
) is not acted upon.
REPLACE_NULLS - Replace NULL bytes in the input with space characters (ASCII 0x20
).
SQL_HEX_DECODE - Decode the following ANSI C escape sequences: \\a
, \\b
, \\f
, \\n
, \\r
, \\t
, \\v
, \\\\
, \\?
, \\'
, \\\"
, \\xHH
(hexadecimal), \\0OOO
(octal). Encodings that aren't valid remain in the output.
URL_DECODE - Decode a URL-encoded value.
URL_DECODE_UNI - Like URL_DECODE
, but with support for Microsoft-specific %u
encoding. If the code is in the full-width ASCII code range of FF01-FF5E
, the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.
UTF8_TO_UNICODE - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.
" + "documentation":"You can specify the following transformation types:
BASE64_DECODE - Decode a Base64
-encoded string.
BASE64_DECODE_EXT - Decode a Base64
-encoded string, but use a forgiving implementation that ignores characters that aren't valid.
CMD_LINE - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.
Delete the following characters: \\ \" ' ^
Delete spaces before the following characters: / (
Replace the following characters with a space: , ;
Replace multiple spaces with one space
Convert uppercase letters (A-Z) to lowercase (a-z)
COMPRESS_WHITE_SPACE - Replace these characters with a space character (decimal 32):
\\f
, formfeed, decimal 12
\\t
, tab, decimal 9
\\n
, newline, decimal 10
\\r
, carriage return, decimal 13
\\v
, vertical tab, decimal 11
Non-breaking space, decimal 160
COMPRESS_WHITE_SPACE
also replaces multiple spaces with one space.
CSS_DECODE - Decode characters that were encoded using CSS 2.x escape rules syndata.html#characters
. This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn’t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, ja\\vascript
for javascript.
ESCAPE_SEQ_DECODE - Decode the following ANSI C escape sequences: \\a
, \\b
, \\f
, \\n
, \\r
, \\t
, \\v
, \\\\
, \\?
, \\'
, \\\"
, \\xHH
(hexadecimal), \\0OOO
(octal). Encodings that aren't valid remain in the output.
HEX_DECODE - Decode a string of hexadecimal characters into a binary.
HTML_ENTITY_DECODE - Replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE
performs these operations:
Replaces (ampersand)quot;
with \"
Replaces (ampersand)nbsp;
with a non-breaking space, decimal 160
Replaces (ampersand)lt;
with a \"less than\" symbol
Replaces (ampersand)gt;
with >
Replaces characters that are represented in hexadecimal format, (ampersand)#xhhhh;
, with the corresponding characters
Replaces characters that are represented in decimal format, (ampersand)#nnnn;
, with the corresponding characters
JS_DECODE - Decode JavaScript escape sequences. If a \\
u
HHHH
code is in the full-width ASCII code range of FF01-FF5E
, then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.
LOWERCASE - Convert uppercase letters (A-Z) to lowercase (a-z).
MD5 - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.
NONE - Specify NONE
if you don't want any text transformations.
NORMALIZE_PATH - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.
NORMALIZE_PATH_WIN - This is the same as NORMALIZE_PATH
, but first converts backslash characters to forward slashes.
REMOVE_NULLS - Remove all NULL
bytes from the input.
REPLACE_COMMENTS - Replace each occurrence of a C-style comment (/* ... */
) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment (*/
) is not acted upon.
REPLACE_NULLS - Replace NULL bytes in the input with space characters (ASCII 0x20
).
SQL_HEX_DECODE - Decode SQL hex data. Example (0x414243
) will be decoded to (ABC
).
URL_DECODE - Decode a URL-encoded value.
URL_DECODE_UNI - Like URL_DECODE
, but with support for Microsoft-specific %u
encoding. If the code is in the full-width ASCII code range of FF01-FF5E
, the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.
UTF8_TO_UNICODE - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.
" } }, "documentation":"Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
" @@ -3802,6 +4183,10 @@ }, "documentation":"In a GetSampledRequests request, the StartTime
and EndTime
objects specify the time range for which you want WAF to return a sample of web requests.
You must specify the times in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z
. For example, \"2016-09-27T14:50Z\"
. You can specify any time range in the previous three hours.
In a GetSampledRequests response, the StartTime
and EndTime
objects specify the time range for which WAF actually returned a sample of web requests. WAF gets the specified number of requests from among the first 5,000 requests that your Amazon Web Services resource receives during the specified time period. If your resource receives more than 5,000 requests during that period, WAF stops sampling after the 5,000th request. In that case, EndTime
is the time that WAF received the 5,000th request.
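Review bot: In the text transformation type list earlier in this patch, the corrected SQL_HEX_DECODE entry ("Decode SQL hex data. Example (0x414243) will be decoded to (ABC).") does not say what happens to input that is not valid hex, whereas ESCAPE_SEQ_DECODE in the same list states "Encodings that aren't valid remain in the output." Add the equivalent sentence for SQL_HEX_DECODE, and for HEX_DECODE, so rule authors know whether a malformed sequence reaches the match statement unchanged. The CSS_DECODE entry also still carries the bare fragment "syndata.html#characters" in both the old and new text; give the full reference or drop it.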
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns this token to your update requests. You use NextLockToken
in the same manner as you use LockToken
.
A token used for optimistic locking. WAF returns this token to your update
requests. You use NextLockToken
in the same manner as you use LockToken
.
The name of the managed rule set. You use this, along with the rule set ID, to identify the rule set.
This name is assigned to the corresponding managed rule group, which your customers can access and use.
" + }, + "Scope":{ + "shape":"Scope", + "documentation":"Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.
To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1
.
API and SDKs - For all calls, use the Region endpoint us-east-1.
A unique identifier for the managed rule set. The ID is returned in the responses to commands like list
. You provide it to operations like get
and update
.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
The version that you want to remove from your list of offerings for the named managed rule group.
" + }, + "ExpiryTimestamp":{ + "shape":"Timestamp", + "documentation":"The time that you want the version to expire.
Times are in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, \"2016-09-27T14:50Z\".
" + } + } + }, + "UpdateManagedRuleSetVersionExpiryDateResponse":{ + "type":"structure", + "members":{ + "ExpiringVersion":{ + "shape":"VersionKeyString", + "documentation":"The version that is set to expire.
" + }, + "ExpiryTimestamp":{ + "shape":"Timestamp", + "documentation":"The time that the version will expire.
Times are in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, \"2016-09-27T14:50Z\".
" + }, + "NextLockToken":{ + "shape":"LockToken", + "documentation":"A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
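Review bot: NextLockToken in UpdateManagedRuleSetVersionExpiryDateResponse carries the request-side LockToken description ("WAF returns a token to your get and list requests ..."), and NextLockToken in PutManagedRuleSetVersionsResponse earlier in the patch does the same. The other NextLockToken entries this patch touches read "WAF returns this token to your update requests. You use NextLockToken in the same manner as you use LockToken." Use that wording for both new response members so that vendors reading the reference pass the returned token to their next update instead of reusing the token from the earlier get, which would fail with WAFOptimisticLockException.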
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns this token to your update requests. You use NextLockToken
in the same manner as you use LockToken
.
A token used for optimistic locking. WAF returns this token to your update
requests. You use NextLockToken
in the same manner as you use LockToken
.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns this token to your update requests. You use NextLockToken
in the same manner as you use LockToken
.
A token used for optimistic locking. WAF returns this token to your update
requests. You use NextLockToken
in the same manner as you use LockToken
.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns this token to your update requests. You use NextLockToken
in the same manner as you use LockToken
.
A token used for optimistic locking. WAF returns this token to your update
requests. You use NextLockToken
in the same manner as you use LockToken
.
The Amazon Resource Name (ARN) of the vendor's rule group that's used in the published managed rule group version.
" + }, + "ForecastedLifetime":{ + "shape":"TimeWindowDay", + "documentation":"The amount of time the vendor expects this version of the managed rule group to last, in days.
" + } + }, + "documentation":"A version of the named managed rule group, that the rule group's vendor publishes for use by customers.
This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Marketplace sellers.
Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets
, GetManagedRuleSet
, PutManagedRuleSetVersions
, and UpdateManagedRuleSetVersionExpiryDate
.
WAF couldn’t perform the operation because the resource that you tried to save is a duplicate of an existing one.
", "exception":true }, + "WAFExpiredManagedRuleGroupVersionException":{ + "type":"structure", + "members":{ + "Message":{"shape":"ErrorMessage"} + }, + "documentation":"The operation failed because the specified version for the managed rule group has expired. You can retrieve the available versions for the managed rule group by calling ListAvailableManagedRuleGroupVersions.
", + "exception":true + }, "WAFInternalErrorException":{ "type":"structure", "members":{ @@ -4099,9 +4571,18 @@ "type":"structure", "members":{ "message":{"shape":"ErrorMessage"}, - "Field":{"shape":"ParameterExceptionField"}, - "Parameter":{"shape":"ParameterExceptionParameter"}, - "Reason":{"shape":"ErrorReason"} + "Field":{ + "shape":"ParameterExceptionField", + "documentation":"The settings where the invalid parameter was found.
" + }, + "Parameter":{ + "shape":"ParameterExceptionParameter", + "documentation":"The invalid parameter that resulted in the exception.
" + }, + "Reason":{ + "shape":"ErrorReason", + "documentation":"Additional information about the exception.
" + } }, "documentation":"The operation failed because WAF didn't recognize a parameter in the request. For example:
You specified a parameter name or value that isn't valid.
Your nested statement isn't valid. You might have tried to nest a statement that can’t be nested.
You tried to update a WebACL
with a DefaultAction
that isn't among the types available at DefaultAction.
Your request references an ARN that is malformed, or corresponds to a resource with which a web ACL can't be associated.
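Review bot: In WAFInvalidParameterException, message is now the only member without a documentation string, and it is lower-case while the WAFExpiredManagedRuleGroupVersionException added just above declares Message. Add a documentation entry for message alongside Field, Parameter and Reason, and if the casing difference is deliberate, say so there so that error-handling code does not assume one spelling across exceptions. The new Field text ("The settings where the invalid parameter was found.") would also be clearer if it said what kind of value a caller should expect to see.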
WAF couldn’t perform the operation because you exceeded your resource limit. For example, the maximum number of WebACL
objects that you can create for an account. For more information, see Limits in the WAF Developer Guide.
WAF couldn’t perform the operation because you exceeded your resource limit. For example, the maximum number of WebACL
objects that you can create for an Amazon Web Services account. For more information, see WAF quotas in the WAF Developer Guide.
A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A rule statement that defines a cross-site scripting (XSS) match search for WAF to apply to web requests. XSS attacks are those where the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers. The XSS match statement provides the location in requests that you want WAF to search and text transformations to use on the search area before WAF searches for character sequences that are likely to be malicious strings.
" } }, - "documentation":"This is the latest version of the WAF API, released in November, 2019. The names of the entities that you use to access this API, like endpoints and namespaces, all have the versioning information added, like \"V2\" or \"v2\", to distinguish from the prior version. We recommend migrating your resources to this version, because it has a number of significant improvements.
If you used WAF prior to this release, you can't use this WAFV2 API to access any WAF resources that you created before. You can access your old rules, web ACLs, and other WAF resources only through the WAF Classic APIs. The WAF Classic APIs have retained the prior names, endpoints, and namespaces.
For information, including how to migrate your WAF resources to this version, see the WAF Developer Guide.
WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront, an Amazon API Gateway REST API, an Application Load Balancer, or an AppSync GraphQL API. WAF also lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, the Amazon API Gateway REST API, CloudFront distribution, the Application Load Balancer, or the AppSync GraphQL API responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You also can configure CloudFront to return a custom error page when a request is blocked.
This API guide is for developers who need detailed information about WAF API actions, data types, and errors. For detailed information about WAF features and an overview of how to use WAF, see the WAF Developer Guide.
You can make calls using the endpoints listed in Amazon Web Services Service Endpoints for WAF.
For regional applications, you can use any of the endpoints in the list. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.
For Amazon CloudFront applications, you must use the API endpoint listed for US East (N. Virginia): us-east-1.
Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
We currently provide two versions of the WAF API: this API and the prior versions, the classic WAF APIs. This new API provides the same functionality as the older versions, with the following major improvements:
You use one API for both global and regional applications. Where you need to distinguish the scope, you specify a Scope parameter and set it to CLOUDFRONT or REGIONAL.
You can define a web ACL or rule group with a single call, and update it with a single call. You define all rule specifications in JSON format, and pass them to your rule group or web ACL calls.
The limits WAF places on the use of rules more closely reflect the cost of running each type of rule. Rule groups include capacity settings, so you know the maximum cost of a rule group when you use it.
This is the latest version of the WAF API, released in November, 2019. The names of the entities that you use to access this API, like endpoints and namespaces, all have the versioning information added, like "V2" or "v2", to distinguish from the prior version. We recommend migrating your resources to this version, because it has a number of significant improvements.
If you used WAF prior to this release, you can't use this WAFV2 API to access any WAF resources that you created before. You can access your old rules, web ACLs, and other WAF resources only through the WAF Classic APIs. The WAF Classic APIs have retained the prior names, endpoints, and namespaces.
For information, including how to migrate your WAF resources to this version, see the WAF Developer Guide.
WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront, an Amazon API Gateway REST API, an Application Load Balancer, or an AppSync GraphQL API. WAF also lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, the Amazon API Gateway REST API, CloudFront distribution, the Application Load Balancer, or the AppSync GraphQL API responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You also can configure CloudFront to return a custom error page when a request is blocked.
This API guide is for developers who need detailed information about WAF API actions, data types, and errors. For detailed information about WAF features and an overview of how to use WAF, see the WAF Developer Guide.
You can make calls using the endpoints listed in WAF endpoints and quotas.
For regional applications, you can use any of the endpoints in the list. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.
For Amazon CloudFront applications, you must use the API endpoint listed for US East (N. Virginia): us-east-1.
Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
We currently provide two versions of the WAF API: this API and the prior versions, the classic WAF APIs. This new API provides the same functionality as the older versions, with the following major improvements:
You use one API for both global and regional applications. Where you need to distinguish the scope, you specify a Scope parameter and set it to CLOUDFRONT or REGIONAL.
You can define a web ACL or rule group with a single call, and update it with a single call. You define all rule specifications in JSON format, and pass them to your rule group or web ACL calls.
The limits WAF places on the use of rules more closely reflect the cost of running each type of rule. Rule groups include capacity settings, so you know the maximum cost of a rule group when you use it.
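The scope and endpoint rules described above, as an added example that is not AWS's own code: it picks the endpoint region a scope requires and builds a complete CreateWebACL request with its rules in one JSON document. The ACL name, rate limit and metric names are constructed for illustration, and the final call assumes boto3 and credentials are available.

```python
# Added example, not AWS code. ACL name, rate limit and metric names are constructed.
CLOUDFRONT_API_REGION = "us-east-1"  # CloudFront-scope calls must use this endpoint
VALID_SCOPES = ("CLOUDFRONT", "REGIONAL")


def api_region_for(scope, resource_region=None):
    """Return the region whose WAFV2 endpoint must receive calls for this scope."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"Scope must be one of {VALID_SCOPES}, got {scope!r}")
    if scope == "CLOUDFRONT":
        return CLOUDFRONT_API_REGION  # regardless of where the caller runs
    if not resource_region:
        raise ValueError("REGIONAL scope needs the protected resource's region")
    return resource_region


def _visibility(metric_name):
    """VisibilityConfig block, required on the web ACL and on every rule."""
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def build_web_acl_request(name, scope, rate_limit=2000):
    """Build one CreateWebACL request holding the ACL and all its rules as JSON."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"Scope must be one of {VALID_SCOPES}, got {scope!r}")
    rate_rule = {
        "Name": f"{name}-rate-limit",
        "Priority": 0,
        # Block (HTTP 403) a source IP that exceeds rate_limit requests per 5 minutes.
        "Statement": {"RateBasedStatement": {"Limit": rate_limit,
                                             "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility(f"{name}-rate-limit"),
    }
    return {"Name": name,
            "Scope": scope,
            "DefaultAction": {"Allow": {}},
            "Rules": [rate_rule],
            "VisibilityConfig": _visibility(name)}


def create_web_acl(name, scope, resource_region=None):
    """Send the request to the endpoint that matches the scope."""
    import boto3  # imported here so the builders above work without the SDK
    client = boto3.client("wafv2", region_name=api_region_for(scope, resource_region))
    return client.create_web_acl(**build_web_acl_request(name, scope))
```
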