docs(client-config-service): Documentation updates for the AWS Config CLI
awstools committed Feb 19, 2024
1 parent 20675fd commit 616e118
Showing 6 changed files with 75 additions and 13 deletions.
Expand Up @@ -39,7 +39,7 @@ export interface DescribeOrganizationConfigRulesCommandOutput
* <p>Limit and next token are not applicable if you specify organization Config rule names.
* It is only applicable, when you request all the organization Config rules.</p>
* <p>
* <i>For accounts within an organzation</i>
* <i>For accounts within an organization</i>
* </p>
* <p>If you deploy an organizational rule or conformance pack in an organization
* administrator account, and then establish a delegated administrator and deploy an
Expand Up @@ -42,7 +42,7 @@ export interface DescribeOrganizationConformancePacksCommandOutput
* <p>Limit and next token are not applicable if you specify organization conformance packs names. They are only applicable,
* when you request all the organization conformance packs. </p>
* <p>
* <i>For accounts within an organzation</i>
* <i>For accounts within an organization</i>
* </p>
* <p>If you deploy an organizational rule or conformance pack in an organization
* administrator account, and then establish a delegated administrator and deploy an
Expand Up @@ -39,15 +39,31 @@ export interface PutRemediationConfigurationsCommandOutput
* The Config rule must already exist for you to add a remediation configuration.
* The target (SSM document) must exist and have permissions to use the target. </p>
* <note>
* <p>
* <b>Be aware of backward incompatible changes</b>
* </p>
* <p>If you make backward incompatible changes to the SSM document,
* you must call this again to ensure the remediations can run.</p>
* <p>This API does not support adding remediation configurations for service-linked Config Rules such as Organization Config rules,
* the rules deployed by conformance packs, and rules deployed by Amazon Web Services Security Hub.</p>
* </note>
* <note>
* <p>
* <b>Required fields</b>
* </p>
* <p>For manual remediation configuration, you need to provide a value for <code>automationAssumeRole</code> or use a value in the <code>assumeRole</code>field to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.</p>
* <p>However, for automatic remediation configuration, the only valid <code>assumeRole</code> field value is <code>AutomationAssumeRole</code> and you need to provide a value for <code>AutomationAssumeRole</code> to remediate your resources.</p>
* </note>
* <note>
* <p>
* <b>Auto remediation can be initiated even for compliant resources</b>
* </p>
* <p>If you enable auto remediation for a specific Config rule using the <a href="https://docs.aws.amazon.com/config/latest/APIReference/emAPI_PutRemediationConfigurations.html">PutRemediationConfigurations</a> API or the Config console,
* it initiates the remediation process for all non-compliant resources for that specific rule.
* The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis.
* Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.</p>
* <p>This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.</p>
* </note>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
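Review bot: The href in the new "Auto remediation can be initiated even for compliant resources" note points at APIReference/emAPI_PutRemediationConfigurations.html. The "em" in front of "API_" looks like leftover markup, and the other API Reference links in this commit use the form APIReference/API_RecordingGroup.html, so the link as written is unlikely to resolve. Suggest API_PutRemediationConfigurations.html. The same note refers to "the bootstrap processor" without saying what it is; either define the term or drop it and keep the statement about stale evaluation results. In the context line under "Required fields", <code>assumeRole</code>field is missing a space before "field" and could be fixed in the same pass.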
Expand Up @@ -31,21 +31,40 @@ export interface PutRemediationExceptionsCommandOutput extends PutRemediationExc
* <p>A remediation exception is when a specified resource is no longer considered for auto-remediation.
* This API adds a new exception or updates an existing exception for a specified resource with a specified Config rule. </p>
* <note>
* <p>
* <b>Exceptions block auto remediation</b>
* </p>
* <p>Config generates a remediation exception when a problem occurs running a remediation action for a specified resource.
* Remediation exceptions blocks auto-remediation until the exception is cleared.</p>
* </note>
* <note>
* <p>
* <b>Manual remediation is recommended when placing an exception</b>
* </p>
* <p>When placing an exception on an Amazon Web Services resource, it is recommended that remediation is set as manual remediation until
* the given Config rule for the specified resource evaluates the resource as <code>NON_COMPLIANT</code>.
* Once the resource has been evaluated as <code>NON_COMPLIANT</code>, you can add remediation exceptions and change the remediation type back from Manual to Auto if you want to use auto-remediation.
* Otherwise, using auto-remediation before a <code>NON_COMPLIANT</code> evaluation result can delete resources before the exception is applied.</p>
* </note>
* <note>
* <p>
* <b>Exceptions can only be performed on non-compliant resources</b>
* </p>
* <p>Placing an exception can only be performed on resources that are <code>NON_COMPLIANT</code>.
* If you use this API for <code>COMPLIANT</code> resources or resources that are <code>NOT_APPLICABLE</code>, a remediation exception will not be generated.
* For more information on the conditions that initiate the possible Config evaluation results,
* see <a href="https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#aws-config-rules">Concepts | Config Rules</a> in the <i>Config Developer Guide</i>.</p>
* </note>
* <note>
* <p>
* <b>Auto remediation can be initiated even for compliant resources</b>
* </p>
* <p>If you enable auto remediation for a specific Config rule using the <a href="https://docs.aws.amazon.com/config/latest/APIReference/emAPI_PutRemediationConfigurations.html">PutRemediationConfigurations</a> API or the Config console,
* it initiates the remediation process for all non-compliant resources for that specific rule.
* The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis.
* Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.</p>
* <p>This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.</p>
* </note>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
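Review bot: The headings added here spell the term "auto remediation" ("Exceptions block auto remediation", "Auto remediation can be initiated even for compliant resources"), while the body text of the same comment uses "auto-remediation" throughout; pick one spelling for the whole doc comment. The last note repeats the PutRemediationConfigurations text verbatim, including the href with the stray "em" (APIReference/emAPI_PutRemediationConfigurations.html), which should read API_PutRemediationConfigurations.html. Since this operation is about exceptions, one sentence tying the stale-snapshot behaviour to exceptions would help readers see why the note appears here. The context line "Remediation exceptions blocks auto-remediation" also has a subject-verb mismatch ("block") that could be corrected while the comment is being edited.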
31 changes: 29 additions & 2 deletions clients/client-config-service/src/models/models_0.ts
Expand Up @@ -2563,6 +2563,9 @@ export interface ConfigurationItem {
* <p>Asia Pacific (Melbourne)</p>
* </li>
* <li>
* <p>Canada West (Calgary)</p>
* </li>
* <li>
* <p>Europe (Spain)</p>
* </li>
* <li>
Expand Down Expand Up @@ -2665,6 +2668,9 @@ export interface RecordingStrategy {
* <p>Asia Pacific (Melbourne)</p>
* </li>
* <li>
* <p>Canada West (Calgary)</p>
* </li>
* <li>
* <p>Europe (Spain)</p>
* </li>
* <li>
Expand Down Expand Up @@ -2744,6 +2750,9 @@ export interface RecordingGroup {
* <p>Asia Pacific (Melbourne)</p>
* </li>
* <li>
* <p>Canada West (Calgary)</p>
* </li>
* <li>
* <p>Europe (Spain)</p>
* </li>
* <li>
Expand All @@ -2760,7 +2769,7 @@ export interface RecordingGroup {
* <p>
* <b>Aurora global clusters are recorded in all enabled Regions</b>
* </p>
* <p>The <code>AWS::RDS::GlobalCluster</code> resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if <code>includeGlobalResourceTypes</code> is not set to <code>true</code>.
* <p>The <code>AWS::RDS::GlobalCluster</code> resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if <code>includeGlobalResourceTypes</code> is set<code>false</code>.
* The <code>includeGlobalResourceTypes</code> option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.
* </p>
* <p>If you do not want to record <code>AWS::RDS::GlobalCluster</code> in all enabled Regions, use one of the following recording strategies:</p>
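Review bot: The replacement sentence for AWS::RDS::GlobalCluster reads "is set<code>false</code>", which drops the word "to" and the space before the code element, so it renders as "is setfalse". Suggest "is set to <code>false</code>". The old wording "is not set to true" also covered the case where includeGlobalResourceTypes is left unset, and the new wording does not; if the behaviour is the same when the field is omitted, say so explicitly.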
Expand All @@ -2776,7 +2785,22 @@ export interface RecordingGroup {
* </ol>
* <p>For more information, see <a href="https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all">Selecting Which Resources are Recorded</a> in the <i>Config developer guide</i>.</p>
* </important>
* <important>
* <p>
* <b>includeGlobalResourceTypes and the exclusion recording strategy</b>
* </p>
* <p>The <code>includeGlobalResourceTypes</code> field has no impact on the <code>EXCLUSION_BY_RESOURCE_TYPES</code> recording strategy.
* This means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will
* not be automatically added as exclusions for <code>exclusionByResourceTypes</code> when <code>includeGlobalResourceTypes</code> is set to <code>false</code>.</p>
* <p>The <code>includeGlobalResourceTypes</code> field should only be used to modify the <code>AllSupported</code> field, as the default for
* the <code>AllSupported</code> field is to record configuration changes for all supported resource types excluding the global
* IAM resource types. To include the global IAM resource types when <code>AllSupported</code> is set to <code>true</code>, make sure to set <code>includeGlobalResourceTypes</code> to <code>true</code>.</p>
* <p>To exclude the global IAM resource types for the <code>EXCLUSION_BY_RESOURCE_TYPES</code> recording strategy, you need to manually add them to the <code>resourceTypes</code> field of <code>exclusionByResourceTypes</code>.</p>
* </important>
* <note>
* <p>
* <b>Required and optional fields</b>
* </p>
* <p>Before you set this field to <code>true</code>,
* set the <code>allSupported</code> field of <a href="https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html">RecordingGroup</a> to
* <code>true</code>. Optionally, you can set the <code>useOnly</code> field of <a href="https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html">RecordingStrategy</a> to <code>ALL_SUPPORTED_RESOURCE_TYPES</code>.</p>
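Review bot: The new "includeGlobalResourceTypes and the exclusion recording strategy" block writes the field as <code>AllSupported</code> three times, while the context paragraph directly below it in the same comment uses <code>allSupported</code>, and the other fields named in the new block (exclusionByResourceTypes, resourceTypes, includeGlobalResourceTypes) are lower camel case. Use <code>allSupported</code> consistently so the name matches what a reader will type into a RecordingGroup. The new "Required and optional fields" heading is fine, but "this field" in the paragraph under it now sits further from the field it refers to; naming includeGlobalResourceTypes there would remove the ambiguity.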
Expand Down Expand Up @@ -2889,6 +2913,9 @@ export interface RecordingGroup {
* <p>Asia Pacific (Melbourne)</p>
* </li>
* <li>
* <p>Canada West (Calgary)</p>
* </li>
* <li>
* <p>Europe (Spain)</p>
* </li>
* <li>
Expand Down Expand Up @@ -3289,7 +3316,7 @@ export interface TemplateSSMDocumentDetails {
/**
* @public
* <p>The name or Amazon Resource Name (ARN) of the SSM document to use to create a conformance pack.
* If you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document. If you want to use an SSM document from another Region or account, you must provide the ARN.</p>
* If you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document.</p>
*/
DocumentName: string | undefined;
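Review bot: Dropping the sentence about SSM documents from another Region or account leaves the DocumentName comment internally unclear: the first line still says the value can be a name or an ARN, but nothing now says when the ARN form is needed or whether cross-Region and cross-account documents are supported at all. If that use is no longer supported, state it; if it still is, keep a sentence saying the ARN is required for it. This matters for anyone scoping which documents a conformance pack is allowed to reference.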
