From 616e118f5e7afdcd843b6568a88849f5196f80ad Mon Sep 17 00:00:00 2001 From: awstools Date: Mon, 19 Feb 2024 19:15:53 +0000 Subject: [PATCH] docs(client-config-service): Documentation updates for the AWS Config CLI --- .../DescribeOrganizationConfigRulesCommand.ts | 2 +- ...ribeOrganizationConformancePacksCommand.ts | 2 +- .../PutRemediationConfigurationsCommand.ts | 16 ++++++++++ .../PutRemediationExceptionsCommand.ts | 19 ++++++++++++ .../src/models/models_0.ts | 31 +++++++++++++++++-- .../aws-models/config-service.json | 18 +++++------ 6 files changed, 75 insertions(+), 13 deletions(-) diff --git a/clients/client-config-service/src/commands/DescribeOrganizationConfigRulesCommand.ts b/clients/client-config-service/src/commands/DescribeOrganizationConfigRulesCommand.ts index 8d3dbf0273b1..a5c5fbf08d89 100644 --- a/clients/client-config-service/src/commands/DescribeOrganizationConfigRulesCommand.ts +++ b/clients/client-config-service/src/commands/DescribeOrganizationConfigRulesCommand.ts @@ -39,7 +39,7 @@ export interface DescribeOrganizationConfigRulesCommandOutput *

Limit and next token are not applicable if you specify organization Config rule names. * It is only applicable, when you request all the organization Config rules.

*

- * For accounts within an organzation + * For accounts within an organization *

*

If you deploy an organizational rule or conformance pack in an organization * administrator account, and then establish a delegated administrator and deploy an diff --git a/clients/client-config-service/src/commands/DescribeOrganizationConformancePacksCommand.ts b/clients/client-config-service/src/commands/DescribeOrganizationConformancePacksCommand.ts index ef70d52c1c71..914b4ce817b3 100644 --- a/clients/client-config-service/src/commands/DescribeOrganizationConformancePacksCommand.ts +++ b/clients/client-config-service/src/commands/DescribeOrganizationConformancePacksCommand.ts @@ -42,7 +42,7 @@ export interface DescribeOrganizationConformancePacksCommandOutput *

Limit and next token are not applicable if you specify organization conformance packs names. They are only applicable, * when you request all the organization conformance packs.

*

- * For accounts within an organzation + * For accounts within an organization *

*

If you deploy an organizational rule or conformance pack in an organization * administrator account, and then establish a delegated administrator and deploy an diff --git a/clients/client-config-service/src/commands/PutRemediationConfigurationsCommand.ts b/clients/client-config-service/src/commands/PutRemediationConfigurationsCommand.ts index 8a27b314291c..b0bb3b3b8646 100644 --- a/clients/client-config-service/src/commands/PutRemediationConfigurationsCommand.ts +++ b/clients/client-config-service/src/commands/PutRemediationConfigurationsCommand.ts @@ -39,15 +39,31 @@ export interface PutRemediationConfigurationsCommandOutput * The Config rule must already exist for you to add a remediation configuration. * The target (SSM document) must exist and have permissions to use the target.

* + *

+ * Be aware of backward incompatible changes + *

*

If you make backward incompatible changes to the SSM document, * you must call this again to ensure the remediations can run.

*

This API does not support adding remediation configurations for service-linked Config Rules such as Organization Config rules, * the rules deployed by conformance packs, and rules deployed by Amazon Web Services Security Hub.

*
* + *

+ * Required fields + *

*

For manual remediation configuration, you need to provide a value for automationAssumeRole or use a value in the assumeRolefield to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.

*

However, for automatic remediation configuration, the only valid assumeRole field value is AutomationAssumeRole and you need to provide a value for AutomationAssumeRole to remediate your resources.

*
+ * + *

+ * Auto remediation can be initiated even for compliant resources + *

+ *

If you enable auto remediation for a specific Config rule using the PutRemediationConfigurations API or the Config console, + * it initiates the remediation process for all non-compliant resources for that specific rule. + * The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis. + * Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.

+ *

This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.

+ *
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-config-service/src/commands/PutRemediationExceptionsCommand.ts b/clients/client-config-service/src/commands/PutRemediationExceptionsCommand.ts index 3dca2e278012..91c660723651 100644 --- a/clients/client-config-service/src/commands/PutRemediationExceptionsCommand.ts +++ b/clients/client-config-service/src/commands/PutRemediationExceptionsCommand.ts @@ -31,21 +31,40 @@ export interface PutRemediationExceptionsCommandOutput extends PutRemediationExc *

A remediation exception is when a specified resource is no longer considered for auto-remediation. * This API adds a new exception or updates an existing exception for a specified resource with a specified Config rule.

* + *

+ * Exceptions block auto remediation + *

*

Config generates a remediation exception when a problem occurs running a remediation action for a specified resource. * Remediation exceptions blocks auto-remediation until the exception is cleared.

*
* + *

+ * Manual remediation is recommended when placing an exception + *

*

When placing an exception on an Amazon Web Services resource, it is recommended that remediation is set as manual remediation until * the given Config rule for the specified resource evaluates the resource as NON_COMPLIANT. * Once the resource has been evaluated as NON_COMPLIANT, you can add remediation exceptions and change the remediation type back from Manual to Auto if you want to use auto-remediation. * Otherwise, using auto-remediation before a NON_COMPLIANT evaluation result can delete resources before the exception is applied.

*
* + *

+ * Exceptions can only be performed on non-compliant resources + *

*

Placing an exception can only be performed on resources that are NON_COMPLIANT. * If you use this API for COMPLIANT resources or resources that are NOT_APPLICABLE, a remediation exception will not be generated. * For more information on the conditions that initiate the possible Config evaluation results, * see Concepts | Config Rules in the Config Developer Guide.

*
+ * + *

+ * Auto remediation can be initiated even for compliant resources + *

+ *

If you enable auto remediation for a specific Config rule using the PutRemediationConfigurations API or the Config console, + * it initiates the remediation process for all non-compliant resources for that specific rule. + * The auto remediation process relies on the compliance data snapshot which is captured on a periodic basis. + * Any non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.

+ *

This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.

+ *
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-config-service/src/models/models_0.ts b/clients/client-config-service/src/models/models_0.ts index bd933f9f9ef3..e9ea978e9aee 100644 --- a/clients/client-config-service/src/models/models_0.ts +++ b/clients/client-config-service/src/models/models_0.ts @@ -2563,6 +2563,9 @@ export interface ConfigurationItem { *

Asia Pacific (Melbourne)

* *
  • + *

    Canada West (Calgary)

    + *
  • + *
  • *

    Europe (Spain)

    *
  • *
  • @@ -2665,6 +2668,9 @@ export interface RecordingStrategy { *

    Asia Pacific (Melbourne)

    *
  • *
  • + *

    Canada West (Calgary)

    + *
  • + *
  • *

    Europe (Spain)

    *
  • *
  • @@ -2744,6 +2750,9 @@ export interface RecordingGroup { *

    Asia Pacific (Melbourne)

    *
  • *
  • + *

    Canada West (Calgary)

    + *
  • + *
  • *

    Europe (Spain)

    *
  • *
  • @@ -2760,7 +2769,7 @@ export interface RecordingGroup { *

    * Aurora global clusters are recorded in all enabled Regions *

    - *

    The AWS::RDS::GlobalCluster resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if includeGlobalResourceTypes is not set to true. + *

    The AWS::RDS::GlobalCluster resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if includeGlobalResourceTypes is setfalse. * The includeGlobalResourceTypes option is a bundle which only applies to IAM users, groups, roles, and customer managed policies. *

    *

    If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies:
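Review bot: The rewritten sentence in the includeGlobalResourceTypes comment of RecordingGroup now reads "even if includeGlobalResourceTypes is setfalse", dropping the "to" and the space that the removed wording ("is not set to true") had. Suggest "is set to false". The same "is setfalse" wording appears in the replacement smithy.api#documentation string in config-service.json, so both copies need the fix.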

    @@ -2776,7 +2785,22 @@ export interface RecordingGroup { * *

    For more information, see Selecting Which Resources are Recorded in the Config developer guide.

    * + * + *

    + * includeGlobalResourceTypes and the exclusion recording strategy + *

    + *

    The includeGlobalResourceTypes field has no impact on the EXCLUSION_BY_RESOURCE_TYPES recording strategy. + * This means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will + * not be automatically added as exclusions for exclusionByResourceTypes when includeGlobalResourceTypes is set to false.

    + *

    The includeGlobalResourceTypes field should only be used to modify the AllSupported field, as the default for + * the AllSupported field is to record configuration changes for all supported resource types excluding the global + * IAM resource types. To include the global IAM resource types when AllSupported is set to true, make sure to set includeGlobalResourceTypes to true.

    + *

    To exclude the global IAM resource types for the EXCLUSION_BY_RESOURCE_TYPES recording strategy, you need to manually add them to the resourceTypes field of exclusionByResourceTypes.

    + *
    * + *

    + * Required and optional fields + *

    *

    Before you set this field to true, * set the allSupported field of RecordingGroup to * true. Optionally, you can set the useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES.
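Review bot: The field name is spelled two ways within this hunk: the added paragraph says "modify the AllSupported field" and "when AllSupported is set to true", while the unchanged paragraph under "Required and optional fields" says "set the allSupported field of RecordingGroup". Use one spelling throughout so a reader does not go looking for two different fields. The added section also tells the reader to "manually add them to the resourceTypes field of exclusionByResourceTypes" without listing the resource type identifiers for the global IAM types; naming them here would let the exclusion be applied without a second lookup.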

    @@ -2889,6 +2913,9 @@ export interface RecordingGroup { *

    Asia Pacific (Melbourne)

    *
  • *
  • + *

    Canada West (Calgary)

    + *
  • + *
  • *

    Europe (Spain)

    *
  • *
  • @@ -3289,7 +3316,7 @@ export interface TemplateSSMDocumentDetails { /** * @public *

    The name or Amazon Resource Name (ARN) of the SSM document to use to create a conformance pack. - * If you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document. If you want to use an SSM document from another Region or account, you must provide the ARN.

    + * If you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document.

    */ DocumentName: string | undefined; diff --git a/codegen/sdk-codegen/aws-models/config-service.json b/codegen/sdk-codegen/aws-models/config-service.json index 0cfdc497ce9b..3306a63405a6 100644 --- a/codegen/sdk-codegen/aws-models/config-service.json +++ b/codegen/sdk-codegen/aws-models/config-service.json @@ -4625,7 +4625,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Returns a list of organization Config rules.

    \n \n

    When you specify the limit and the next token, you receive a paginated response.

    \n

    Limit and next token are not applicable if you specify organization Config rule names. \n\t\t\tIt is only applicable, when you request all the organization Config rules.

    \n

    \n For accounts within an organzation\n

    \n

    If you deploy an organizational rule or conformance pack in an organization\n\t\t\t\tadministrator account, and then establish a delegated administrator and deploy an\n\t\t\t\torganizational rule or conformance pack in the delegated administrator account, you\n\t\t\t\twon't be able to see the organizational rule or conformance pack in the organization\n\t\t\t\tadministrator account from the delegated administrator account or see the organizational\n\t\t\t\trule or conformance pack in the delegated administrator account from organization\n\t\t\t\tadministrator account. The DescribeOrganizationConfigRules and \n\t\t\t\tDescribeOrganizationConformancePacks APIs can only see and interact with\n\t\t\t\tthe organization-related resource that were deployed from within the account calling\n\t\t\t\tthose APIs.

    \n
    ", + "smithy.api#documentation": "

    Returns a list of organization Config rules.

    \n \n

    When you specify the limit and the next token, you receive a paginated response.

    \n

    Limit and next token are not applicable if you specify organization Config rule names. \n\t\t\tIt is only applicable, when you request all the organization Config rules.

    \n

    \n For accounts within an organization\n

    \n

    If you deploy an organizational rule or conformance pack in an organization\n\t\t\t\tadministrator account, and then establish a delegated administrator and deploy an\n\t\t\t\torganizational rule or conformance pack in the delegated administrator account, you\n\t\t\t\twon't be able to see the organizational rule or conformance pack in the organization\n\t\t\t\tadministrator account from the delegated administrator account or see the organizational\n\t\t\t\trule or conformance pack in the delegated administrator account from organization\n\t\t\t\tadministrator account. The DescribeOrganizationConfigRules and \n\t\t\t\tDescribeOrganizationConformancePacks APIs can only see and interact with\n\t\t\t\tthe organization-related resource that were deployed from within the account calling\n\t\t\t\tthose APIs.

    \n
    ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -4783,7 +4783,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Returns a list of organization conformance packs.

    \n \n

    When you specify the limit and the next token, you receive a paginated response.

    \n

    Limit and next token are not applicable if you specify organization conformance packs names. They are only applicable,\n\t\t\twhen you request all the organization conformance packs.

    \n

    \n For accounts within an organzation\n

    \n

    If you deploy an organizational rule or conformance pack in an organization\n\t\t\t\tadministrator account, and then establish a delegated administrator and deploy an\n\t\t\t\torganizational rule or conformance pack in the delegated administrator account, you\n\t\t\t\twon't be able to see the organizational rule or conformance pack in the organization\n\t\t\t\tadministrator account from the delegated administrator account or see the organizational\n\t\t\t\trule or conformance pack in the delegated administrator account from organization\n\t\t\t\tadministrator account. The DescribeOrganizationConfigRules and \n\t\t\t\tDescribeOrganizationConformancePacks APIs can only see and interact with\n\t\t\t\tthe organization-related resource that were deployed from within the account calling\n\t\t\t\tthose APIs.

    \n
    ", + "smithy.api#documentation": "

    Returns a list of organization conformance packs.

    \n \n

    When you specify the limit and the next token, you receive a paginated response.

    \n

    Limit and next token are not applicable if you specify organization conformance packs names. They are only applicable,\n\t\t\twhen you request all the organization conformance packs.

    \n

    \n For accounts within an organization\n

    \n

    If you deploy an organizational rule or conformance pack in an organization\n\t\t\t\tadministrator account, and then establish a delegated administrator and deploy an\n\t\t\t\torganizational rule or conformance pack in the delegated administrator account, you\n\t\t\t\twon't be able to see the organizational rule or conformance pack in the organization\n\t\t\t\tadministrator account from the delegated administrator account or see the organizational\n\t\t\t\trule or conformance pack in the delegated administrator account from organization\n\t\t\t\tadministrator account. The DescribeOrganizationConfigRules and \n\t\t\t\tDescribeOrganizationConformancePacks APIs can only see and interact with\n\t\t\t\tthe organization-related resource that were deployed from within the account calling\n\t\t\t\tthose APIs.

    \n
    ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -5507,7 +5507,7 @@ } }, "traits": { - "smithy.api#documentation": "

    Specifies whether the configuration recorder excludes certain resource types from being recorded.\n\t\t\tUse the resourceTypes field to enter a comma-separated list of resource types you want to exclude from recording.

    \n

    By default, when Config adds support for a new resource type in the Region where you set up the configuration recorder,\n\t\t\tincluding global resource types, Config starts recording resources of that type automatically.

    \n \n

    \n How to use the exclusion recording strategy \n

    \n

    To use this option, you must set the useOnly\n\t\t\t\tfield of RecordingStrategy\n\t\t\t\tto EXCLUSION_BY_RESOURCE_TYPES.

    \n

    Config will then record configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded.

    \n

    \n Global resource types and the exclusion recording strategy \n

    \n

    Unless specifically listed as exclusions,\n\t\t\t\tAWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.

    \n

    IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022.\n\t\t\t\tYou cannot be record the global IAM resouce types in Regions supported by Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

    \n
      \n
    • \n

      Asia Pacific (Hyderabad)

      \n
    • \n
    • \n

      Asia Pacific (Melbourne)

      \n
    • \n
    • \n

      Europe (Spain)

      \n
    • \n
    • \n

      Europe (Zurich)

      \n
    • \n
    • \n

      Israel (Tel Aviv)

      \n
    • \n
    • \n

      Middle East (UAE)

      \n
    • \n
    \n
    " + "smithy.api#documentation": "

    Specifies whether the configuration recorder excludes certain resource types from being recorded.\n\t\t\tUse the resourceTypes field to enter a comma-separated list of resource types you want to exclude from recording.

    \n

    By default, when Config adds support for a new resource type in the Region where you set up the configuration recorder,\n\t\t\tincluding global resource types, Config starts recording resources of that type automatically.

    \n \n

    \n How to use the exclusion recording strategy \n

    \n

    To use this option, you must set the useOnly\n\t\t\t\tfield of RecordingStrategy\n\t\t\t\tto EXCLUSION_BY_RESOURCE_TYPES.

    \n

    Config will then record configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded.

    \n

    \n Global resource types and the exclusion recording strategy \n

    \n

    Unless specifically listed as exclusions,\n\t\t\t\tAWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.

    \n

    IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022.\n\t\t\t\tYou cannot be record the global IAM resouce types in Regions supported by Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

    \n
      \n
    • \n

      Asia Pacific (Hyderabad)

      \n
    • \n
    • \n

      Asia Pacific (Melbourne)

      \n
    • \n
    • \n

      Canada West (Calgary)

      \n
    • \n
    • \n

      Europe (Spain)

      \n
    • \n
    • \n

      Europe (Zurich)

      \n
    • \n
    • \n

      Israel (Tel Aviv)

      \n
    • \n
    • \n

      Middle East (UAE)

      \n
    • \n
    \n
    " } }, "com.amazonaws.configservice#ExecutionControls": { @@ -10280,7 +10280,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Adds or updates the remediation configuration with a specific Config rule with the \n\t\t\tselected target or action. \n\t\t\tThe API creates the RemediationConfiguration object for the Config rule. \n\t\tThe Config rule must already exist for you to add a remediation configuration. \n\t\tThe target (SSM document) must exist and have permissions to use the target.

    \n \n

    If you make backward incompatible changes to the SSM document, \n\t\t\tyou must call this again to ensure the remediations can run.

    \n

    This API does not support adding remediation configurations for service-linked Config Rules such as Organization Config rules, \n\t\t\t\tthe rules deployed by conformance packs, and rules deployed by Amazon Web Services Security Hub.

    \n
    \n \n

    For manual remediation configuration, you need to provide a value for automationAssumeRole or use a value in the assumeRolefield to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.

    \n

    However, for automatic remediation configuration, the only valid assumeRole field value is AutomationAssumeRole and you need to provide a value for AutomationAssumeRole to remediate your resources.

    \n
    " + "smithy.api#documentation": "

    Adds or updates the remediation configuration with a specific Config rule with the \n\t\t\tselected target or action. \n\t\t\tThe API creates the RemediationConfiguration object for the Config rule. \n\t\tThe Config rule must already exist for you to add a remediation configuration. \n\t\tThe target (SSM document) must exist and have permissions to use the target.

    \n \n

    \n Be aware of backward incompatible changes\n

    \n

    If you make backward incompatible changes to the SSM document, \n\t\t\tyou must call this again to ensure the remediations can run.

    \n

    This API does not support adding remediation configurations for service-linked Config Rules such as Organization Config rules, \n\t\t\t\tthe rules deployed by conformance packs, and rules deployed by Amazon Web Services Security Hub.

    \n
    \n \n

    \n Required fields\n

    \n

    For manual remediation configuration, you need to provide a value for automationAssumeRole or use a value in the assumeRolefield to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.

    \n

    However, for automatic remediation configuration, the only valid assumeRole field value is AutomationAssumeRole and you need to provide a value for AutomationAssumeRole to remediate your resources.

    \n
    \n \n

    \n Auto remediation can be initiated even for compliant resources\n

    \n

    If you enable auto remediation for a specific Config rule using the PutRemediationConfigurations API or the Config console,\n\t\t\t\tit initiates the remediation process for all non-compliant resources for that specific rule.\n\t\t\t\tThe auto remediation process relies on the compliance data snapshot which is captured on a periodic basis.\n\t\t\t\tAny non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.

    \n

    This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.

    \n
    " } }, "com.amazonaws.configservice#PutRemediationConfigurationsRequest": { @@ -10329,7 +10329,7 @@ } ], "traits": { - "smithy.api#documentation": "

    A remediation exception is when a specified resource is no longer considered for auto-remediation. \n\t\t\tThis API adds a new exception or updates an existing exception for a specified resource with a specified Config rule.

    \n \n

    Config generates a remediation exception when a problem occurs running a remediation action for a specified resource. \n\t\t\tRemediation exceptions blocks auto-remediation until the exception is cleared.

    \n
    \n \n

    When placing an exception on an Amazon Web Services resource, it is recommended that remediation is set as manual remediation until\n\t\t\tthe given Config rule for the specified resource evaluates the resource as NON_COMPLIANT.\n\t\t\tOnce the resource has been evaluated as NON_COMPLIANT, you can add remediation exceptions and change the remediation type back from Manual to Auto if you want to use auto-remediation.\n\t\t\tOtherwise, using auto-remediation before a NON_COMPLIANT evaluation result can delete resources before the exception is applied.

    \n
    \n \n

    Placing an exception can only be performed on resources that are NON_COMPLIANT.\n\t\t\tIf you use this API for COMPLIANT resources or resources that are NOT_APPLICABLE, a remediation exception will not be generated.\n\t\t\tFor more information on the conditions that initiate the possible Config evaluation results,\n\t\t\tsee Concepts | Config Rules in the Config Developer Guide.

    \n
    " + "smithy.api#documentation": "

    A remediation exception is when a specified resource is no longer considered for auto-remediation. \n\t\t\tThis API adds a new exception or updates an existing exception for a specified resource with a specified Config rule.

    \n \n

    \n Exceptions block auto remediation\n

    \n

    Config generates a remediation exception when a problem occurs running a remediation action for a specified resource. \n\t\t\tRemediation exceptions blocks auto-remediation until the exception is cleared.

    \n
    \n \n

    \n Manual remediation is recommended when placing an exception\n

    \n

    When placing an exception on an Amazon Web Services resource, it is recommended that remediation is set as manual remediation until\n\t\t\tthe given Config rule for the specified resource evaluates the resource as NON_COMPLIANT.\n\t\t\tOnce the resource has been evaluated as NON_COMPLIANT, you can add remediation exceptions and change the remediation type back from Manual to Auto if you want to use auto-remediation.\n\t\t\tOtherwise, using auto-remediation before a NON_COMPLIANT evaluation result can delete resources before the exception is applied.

    \n
    \n \n

    \n Exceptions can only be performed on non-compliant resources\n

    \n

    Placing an exception can only be performed on resources that are NON_COMPLIANT.\n\t\t\tIf you use this API for COMPLIANT resources or resources that are NOT_APPLICABLE, a remediation exception will not be generated.\n\t\t\tFor more information on the conditions that initiate the possible Config evaluation results,\n\t\t\tsee Concepts | Config Rules in the Config Developer Guide.

    \n
    \n \n

    \n Auto remediation can be initiated even for compliant resources\n

    \n

    If you enable auto remediation for a specific Config rule using the PutRemediationConfigurations API or the Config console,\n\t\t\t\tit initiates the remediation process for all non-compliant resources for that specific rule.\n\t\t\t\tThe auto remediation process relies on the compliance data snapshot which is captured on a periodic basis.\n\t\t\t\tAny non-compliant resource that is updated between the snapshot schedule will continue to be remediated based on the last known compliance data snapshot.

    \n

    This means that in some cases auto remediation can be initiated even for compliant resources, since the bootstrap processor uses a database that can have stale evaluation results based on the last known compliance data snapshot.

    \n
    " } }, "com.amazonaws.configservice#PutRemediationExceptionsRequest": { @@ -10688,7 +10688,7 @@ "target": "com.amazonaws.configservice#IncludeGlobalResourceTypes", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "

    This option is a bundle which only applies to the global IAM resource types:\n\t\t\tIAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded\n\t\t\tby Config in Regions where Config was available before February 2022.\n\t\t\tYou cannot be record the global IAM resouce types in Regions supported by Config after February 2022.\n\t\t\tThis list where you cannot record the global IAM resource types includes the following Regions:

    \n \n \n

    \n Aurora global clusters are recorded in all enabled Regions\n

    \n

    The AWS::RDS::GlobalCluster resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if includeGlobalResourceTypes is not set to true.\n\t\t\t\tThe includeGlobalResourceTypes option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n\t\t\t

    \n

    If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies:

    \n
      \n
    1. \n

      \n Record all current and future resource types with exclusions (EXCLUSION_BY_RESOURCE_TYPES), or

      \n
    2. \n
    3. \n

      \n Record specific resource types (INCLUSION_BY_RESOURCE_TYPES).

      \n
    4. \n
    \n

    For more information, see Selecting Which Resources are Recorded in the Config developer guide.

    \n
    \n \n

    Before you set this field to true,\n\t\t\tset the allSupported field of RecordingGroup to\n\t\t\ttrue. Optionally, you can set the useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES.

    \n
    \n \n

    \n Overriding fields\n

    \n

    If you set this field to false but list global IAM resource types in the resourceTypes field of RecordingGroup,\n\t\t\tConfig will still record configuration changes for those specified resource types regardless of if you set the includeGlobalResourceTypes field to false.

    \n

    If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the resourceTypes field\n\t\t\tin addition to setting the includeGlobalResourceTypes field to false.

    \n
    " + "smithy.api#documentation": "

    This option is a bundle which only applies to the global IAM resource types:\n\t\t\tIAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded\n\t\t\tby Config in Regions where Config was available before February 2022.\n\t\t\tYou cannot be record the global IAM resouce types in Regions supported by Config after February 2022.\n\t\t\tThis list where you cannot record the global IAM resource types includes the following Regions:

    \n \n \n

    \n Aurora global clusters are recorded in all enabled Regions\n

    \n

    The AWS::RDS::GlobalCluster resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if includeGlobalResourceTypes is setfalse.\n\t\t\t\tThe includeGlobalResourceTypes option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n\t\t\t

    \n

    If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies:

    \n
      \n
    1. \n

      \n Record all current and future resource types with exclusions (EXCLUSION_BY_RESOURCE_TYPES), or

      \n
    2. \n
    3. \n

      \n Record specific resource types (INCLUSION_BY_RESOURCE_TYPES).

      \n
    4. \n
    \n

    For more information, see Selecting Which Resources are Recorded in the Config developer guide.

    \n
    \n \n

    \n includeGlobalResourceTypes and the exclusion recording strategy\n

    \n

    The includeGlobalResourceTypes field has no impact on the EXCLUSION_BY_RESOURCE_TYPES recording strategy.\n\t\t\t\tThis means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will\n\t\t\t\tnot be automatically added as exclusions for exclusionByResourceTypes when includeGlobalResourceTypes is set to false.

    \n

    The includeGlobalResourceTypes field should only be used to modify the AllSupported field, as the default for\n\t\t\t\tthe AllSupported field is to record configuration changes for all supported resource types excluding the global\n\t\t\t\tIAM resource types. To include the global IAM resource types when AllSupported is set to true, make sure to set includeGlobalResourceTypes to true.

    \n

    To exclude the global IAM resource types for the EXCLUSION_BY_RESOURCE_TYPES recording strategy, you need to manually add them to the resourceTypes field of exclusionByResourceTypes.

    \n
    \n \n

    \n Required and optional fields\n

    \n

    Before you set this field to true,\n\t\t\tset the allSupported field of RecordingGroup to\n\t\t\ttrue. Optionally, you can set the useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES.

    \n
    \n \n

    \n Overriding fields\n

    \n

    If you set this field to false but list global IAM resource types in the resourceTypes field of RecordingGroup,\n\t\t\tConfig will still record configuration changes for those specified resource types regardless of if you set the includeGlobalResourceTypes field to false.

    \n

    If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the resourceTypes field\n\t\t\tin addition to setting the includeGlobalResourceTypes field to false.

    \n
    " } }, "resourceTypes": { @@ -10706,7 +10706,7 @@ "recordingStrategy": { "target": "com.amazonaws.configservice#RecordingStrategy", "traits": { - "smithy.api#documentation": "

    An object that specifies the recording strategy for the configuration recorder.

    \n \n \n

    \n Required and optional fields\n

    \n

    The recordingStrategy field is optional when you set the\n\t\t\tallSupported field of RecordingGroup to true.

    \n

    The recordingStrategy field is optional when you list resource types in the\n\t\t\t\tresourceTypes field of RecordingGroup.

    \n

    The recordingStrategy field is required if you list resource types to exclude from recording in the resourceTypes field of ExclusionByResourceTypes.

    \n
    \n \n

    \n Overriding fields\n

    \n

    If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.

    \n

    For example, even if you set includeGlobalResourceTypes to false, global IAM resource types will still be automatically\n\t\t\trecorded in this option unless those resource types are specifically listed as exclusions in the resourceTypes field of exclusionByResourceTypes.

    \n
    \n \n

    \n Global resources types and the resource exclusion recording strategy\n

    \n

    By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy,\n\t\t\twhen Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types,\n\t\t\tConfig starts recording resources of that type automatically.

    \n

    Unless specifically listed as exclusions,\n\t\t\t\tAWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.

    \n

    IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022.\n\t\t\t\tYou cannot be record the global IAM resouce types in Regions supported by Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

    \n
      \n
    • \n

      Asia Pacific (Hyderabad)

      \n
    • \n
    • \n

      Asia Pacific (Melbourne)

      \n
    • \n
    • \n

      Europe (Spain)

      \n
    • \n
    • \n

      Europe (Zurich)

      \n
    • \n
    • \n

      Israel (Tel Aviv)

      \n
    • \n
    • \n

      Middle East (UAE)

      \n
    • \n
    \n
    " + "smithy.api#documentation": "

    An object that specifies the recording strategy for the configuration recorder.

    \n \n \n

    \n Required and optional fields\n

    \n

    The recordingStrategy field is optional when you set the\n\t\t\tallSupported field of RecordingGroup to true.

    \n

    The recordingStrategy field is optional when you list resource types in the\n\t\t\t\tresourceTypes field of RecordingGroup.

    \n

    The recordingStrategy field is required if you list resource types to exclude from recording in the resourceTypes field of ExclusionByResourceTypes.

    \n
    \n \n

    \n Overriding fields\n

    \n

    If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.

    \n

    For example, even if you set includeGlobalResourceTypes to false, global IAM resource types will still be automatically\n\t\t\trecorded in this option unless those resource types are specifically listed as exclusions in the resourceTypes field of exclusionByResourceTypes.

    \n
    \n \n

    \n Global resources types and the resource exclusion recording strategy\n

    \n

    By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy,\n\t\t\twhen Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types,\n\t\t\tConfig starts recording resources of that type automatically.

    \n

    Unless specifically listed as exclusions,\n\t\t\t\tAWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.

    \n

    IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022.\n\t\t\t\tYou cannot be record the global IAM resouce types in Regions supported by Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

    \n
      \n
    • \n

      Asia Pacific (Hyderabad)

      \n
    • \n
    • \n

      Asia Pacific (Melbourne)

      \n
    • \n
    • \n

      Canada West (Calgary)

      \n
    • \n
    • \n

      Europe (Spain)

      \n
    • \n
    • \n

      Europe (Zurich)

      \n
    • \n
    • \n

      Israel (Tel Aviv)

      \n
    • \n
    • \n

      Middle East (UAE)

      \n
    • \n
    \n
    " } } }, @@ -10787,7 +10787,7 @@ "useOnly": { "target": "com.amazonaws.configservice#RecordingStrategyType", "traits": { - "smithy.api#documentation": "

    The recording strategy for the configuration recorder.

    \n \n \n

    \n Required and optional fields\n

    \n

    The recordingStrategy field is optional when you set the\n\t\t\tallSupported field of RecordingGroup to true.

    \n

    The recordingStrategy field is optional when you list resource types in the\n\t\t\t\tresourceTypes field of RecordingGroup.

    \n

    The recordingStrategy field is required if you list resource types to exclude from recording in the resourceTypes field of ExclusionByResourceTypes.

    \n
    \n \n

    \n Overriding fields\n

    \n

    If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.

    \n

    For example, even if you set includeGlobalResourceTypes to false, global IAM resource types will still be automatically\n\t\t\trecorded in this option unless those resource types are specifically listed as exclusions in the resourceTypes field of exclusionByResourceTypes.

    \n
    \n \n

    \n Global resource types and the exclusion recording strategy\n

    \n

    By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy,\n\t\t\t\twhen Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types,\n\t\t\t\tConfig starts recording resources of that type automatically.

    \n

    Unless specifically listed as exclusions,\n\t\t\t\tAWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.

    \n

    IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022.\n\t\t\t\tYou cannot be record the global IAM resouce types in Regions supported by Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

    \n
      \n
    • \n

      Asia Pacific (Hyderabad)

      \n
    • \n
    • \n

      Asia Pacific (Melbourne)

      \n
    • \n
    • \n

      Europe (Spain)

      \n
    • \n
    • \n

      Europe (Zurich)

      \n
    • \n
    • \n

      Israel (Tel Aviv)

      \n
    • \n
    • \n

      Middle East (UAE)

      \n
    • \n
    \n
    " + "smithy.api#documentation": "

    The recording strategy for the configuration recorder.

    \n \n \n

    \n Required and optional fields\n

    \n

    The recordingStrategy field is optional when you set the\n\t\t\tallSupported field of RecordingGroup to true.

    \n

    The recordingStrategy field is optional when you list resource types in the\n\t\t\t\tresourceTypes field of RecordingGroup.

    \n

    The recordingStrategy field is required if you list resource types to exclude from recording in the resourceTypes field of ExclusionByResourceTypes.

    \n
    \n \n

    \n Overriding fields\n

    \n

    If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.

    \n

    For example, even if you set includeGlobalResourceTypes to false, global IAM resource types will still be automatically\n\t\t\trecorded in this option unless those resource types are specifically listed as exclusions in the resourceTypes field of exclusionByResourceTypes.

    \n
    \n \n

    \n Global resource types and the exclusion recording strategy\n

    \n

    By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy,\n\t\t\t\twhen Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types,\n\t\t\t\tConfig starts recording resources of that type automatically.

    \n

    Unless specifically listed as exclusions,\n\t\t\t\tAWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.

    \n

    IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022.\n\t\t\t\tYou cannot be record the global IAM resouce types in Regions supported by Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:

    \n
      \n
    • \n

      Asia Pacific (Hyderabad)

      \n
    • \n
    • \n

      Asia Pacific (Melbourne)

      \n
    • \n
    • \n

      Canada West (Calgary)

      \n
    • \n
    • \n

      Europe (Spain)

      \n
    • \n
    • \n

      Europe (Zurich)

      \n
    • \n
    • \n

      Israel (Tel Aviv)

      \n
    • \n
    • \n

      Middle East (UAE)

      \n
    • \n
    \n
    " } } }, @@ -16563,7 +16563,7 @@ "DocumentName": { "target": "com.amazonaws.configservice#SSMDocumentName", "traits": { - "smithy.api#documentation": "

    The name or Amazon Resource Name (ARN) of the SSM document to use to create a conformance pack.\n\t\t\tIf you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document. If you want to use an SSM document from another Region or account, you must provide the ARN.

    ", + "smithy.api#documentation": "

    The name or Amazon Resource Name (ARN) of the SSM document to use to create a conformance pack.\n\t\t\tIf you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document.

    ", "smithy.api#required": {} } },