Release of Active Threat Defense in Network Firewall

Adds support for Exportable Public Certificates
This release enables customers to create Multi-party approval teams and approval requests to protect supported operations.
We are launching a new analyzer type, internal access analyzer. The new analyzer will generate internal access findings, which help customers understand who within their AWS organization or AWS Account has access to their critical AWS resources.
Add "Virtual" field to Data Provider as well as "S3Path" and "S3AccessRoleArn" fields to DataProvider settings
AWS WAF can now suggest protection packs for you based on the application information you provide when you create a webACL.
Add Code Repository Scanning as part of AWS InspectorV2
Add support for policy operations on the SECURITYHUB_POLICY policy type.
Adds operations, structures, and exceptions required for public preview release of Security Hub V2.
The AWS Security Token Service APIs AssumeRoleWithSAML and AssumeRoleWithWebIdentity can now be invoked without pre-configured AWS credentials in the SDK configuration.
AWS Backup is adding support for integration of its logically air-gapped vaults with the AWS Organizations Multi-party approval capability.
This release of the SDK has the API and documentation for the createcustommodel API. This feature lets you copy a trained model into Amazon Bedrock for inference.
Adding support for extended threat detection for EKS Audit Logs and EKS Runtime Monitoring.

Author: aws-sdk-cpp-automation

VERSION

@@ -1 +1 @@
-1.11.589
+1.11.590

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/AnalyzerConfiguration.h

@@ -6,6 +6,7 @@
 #pragma once
 #include <aws/accessanalyzer/AccessAnalyzer_EXPORTS.h>
 #include <aws/accessanalyzer/model/UnusedAccessConfiguration.h>
+#include <aws/accessanalyzer/model/InternalAccessConfiguration.h>
 #include <utility>
 
 namespace Aws
@@ -50,10 +51,27 @@ namespace Model
     template<typename UnusedAccessT = UnusedAccessConfiguration>
     AnalyzerConfiguration& WithUnusedAccess(UnusedAccessT&& value) { SetUnusedAccess(std::forward<UnusedAccessT>(value)); return *this;}
     ///@}
+
+    ///@{
+    /**
+     * <p>Specifies the configuration of an internal access analyzer for an Amazon Web
+     * Services organization or account. This configuration determines how the analyzer
+     * evaluates access within your Amazon Web Services environment.</p>
+     */
+    inline const InternalAccessConfiguration& GetInternalAccess() const { return m_internalAccess; }
+    inline bool InternalAccessHasBeenSet() const { return m_internalAccessHasBeenSet; }
+    template<typename InternalAccessT = InternalAccessConfiguration>
+    void SetInternalAccess(InternalAccessT&& value) { m_internalAccessHasBeenSet = true; m_internalAccess = std::forward<InternalAccessT>(value); }
+    template<typename InternalAccessT = InternalAccessConfiguration>
+    AnalyzerConfiguration& WithInternalAccess(InternalAccessT&& value) { SetInternalAccess(std::forward<InternalAccessT>(value)); return *this;}
+    ///@}
   private:
 
     UnusedAccessConfiguration m_unusedAccess;
     bool m_unusedAccessHasBeenSet = false;
+
+    InternalAccessConfiguration m_internalAccess;
+    bool m_internalAccessHasBeenSet = false;
   };
 
 } // namespace Model

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/AnalyzerSummary.h

@@ -164,8 +164,8 @@ namespace Model
 
     ///@{
     /**
-     * <p>Specifies whether the analyzer is an external access or unused access
-     * analyzer.</p>
+     * <p>Specifies if the analyzer is an external access, unused access, or internal
+     * access analyzer.</p>
      */
     inline const AnalyzerConfiguration& GetConfiguration() const { return m_configuration; }
     inline bool ConfigurationHasBeenSet() const { return m_configurationHasBeenSet; }

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/CreateAnalyzerRequest.h

@@ -55,11 +55,8 @@ namespace Model
 
     ///@{
     /**
-     * <p>The type of analyzer to create. Only <code>ACCOUNT</code>,
-     * <code>ORGANIZATION</code>, <code>ACCOUNT_UNUSED_ACCESS</code>, and
-     * <code>ORGANIZATION_UNUSED_ACCESS</code> analyzers are supported. You can create
-     * only one analyzer per account per Region. You can create up to 5 analyzers per
-     * organization per Region.</p>
+     * <p>The type of analyzer to create. You can create only one analyzer per account
+     * per Region. You can create up to 5 analyzers per organization per Region.</p>
      */
     inline Type GetType() const { return m_type; }
     inline bool TypeHasBeenSet() const { return m_typeHasBeenSet; }
@@ -120,7 +117,8 @@ namespace Model
     /**
      * <p>Specifies the configuration of the analyzer. If the analyzer is an unused
      * access analyzer, the specified scope of unused access is used for the
-     * configuration.</p>
+     * configuration. If the analyzer is an internal access analyzer, the specified
+     * internal access analysis rules are used for the configuration.</p>
      */
     inline const AnalyzerConfiguration& GetConfiguration() const { return m_configuration; }
     inline bool ConfigurationHasBeenSet() const { return m_configurationHasBeenSet; }

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/ExternalAccessDetails.h

@@ -120,7 +120,19 @@ namespace Model
     ///@{
     /**
      * <p>The type of restriction applied to the finding by the resource owner with an
-     * Organizations resource control policy (RCP).</p>
+     * Organizations resource control policy (RCP).</p> <ul> <li> <p>
+     * <code>APPLICABLE</code>: There is an RCP present in the organization but IAM
+     * Access Analyzer does not include it in the evaluation of effective permissions.
+     * For example, if <code>s3:DeleteObject</code> is blocked by the RCP and the
+     * restriction is <code>APPLICABLE</code>, then <code>s3:DeleteObject</code> would
+     * still be included in the list of actions for the finding.</p> </li> <li> <p>
+     * <code>FAILED_TO_EVALUATE_RCP</code>: There was an error evaluating the RCP.</p>
+     * </li> <li> <p> <code>NOT_APPLICABLE</code>: There was no RCP present in the
+     * organization, or there was no RCP applicable to the resource. For example, the
+     * resource being analyzed is an Amazon RDS snapshot and there is an RCP in the
+     * organization, but the RCP only impacts Amazon S3 buckets.</p> </li> <li> <p>
+     * <code>APPLIED</code>: This restriction is not currently available for external
+     * access findings. </p> </li> </ul>
      */
     inline ResourceControlPolicyRestriction GetResourceControlPolicyRestriction() const { return m_resourceControlPolicyRestriction; }
     inline bool ResourceControlPolicyRestrictionHasBeenSet() const { return m_resourceControlPolicyRestrictionHasBeenSet; }

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/FindingDetails.h

@@ -5,6 +5,7 @@
 
 #pragma once
 #include <aws/accessanalyzer/AccessAnalyzer_EXPORTS.h>
+#include <aws/accessanalyzer/model/InternalAccessDetails.h>
 #include <aws/accessanalyzer/model/ExternalAccessDetails.h>
 #include <aws/accessanalyzer/model/UnusedPermissionDetails.h>
 #include <aws/accessanalyzer/model/UnusedIamUserAccessKeyDetails.h>
@@ -43,6 +44,20 @@ namespace Model
     AWS_ACCESSANALYZER_API Aws::Utils::Json::JsonValue Jsonize() const;
 
 
+    ///@{
+    /**
+     * <p>The details for an internal access analyzer finding. This contains
+     * information about access patterns identified within your Amazon Web Services
+     * organization or account.</p>
+     */
+    inline const InternalAccessDetails& GetInternalAccessDetails() const { return m_internalAccessDetails; }
+    inline bool InternalAccessDetailsHasBeenSet() const { return m_internalAccessDetailsHasBeenSet; }
+    template<typename InternalAccessDetailsT = InternalAccessDetails>
+    void SetInternalAccessDetails(InternalAccessDetailsT&& value) { m_internalAccessDetailsHasBeenSet = true; m_internalAccessDetails = std::forward<InternalAccessDetailsT>(value); }
+    template<typename InternalAccessDetailsT = InternalAccessDetails>
+    FindingDetails& WithInternalAccessDetails(InternalAccessDetailsT&& value) { SetInternalAccessDetails(std::forward<InternalAccessDetailsT>(value)); return *this;}
+    ///@}
+
     ///@{
     /**
      * <p>The details for an external access analyzer finding.</p>
@@ -108,6 +123,9 @@ namespace Model
     ///@}
   private:
 
+    InternalAccessDetails m_internalAccessDetails;
+    bool m_internalAccessDetailsHasBeenSet = false;
+
     ExternalAccessDetails m_externalAccessDetails;
     bool m_externalAccessDetailsHasBeenSet = false;
 

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/FindingSummaryV2.h

@@ -148,7 +148,11 @@ namespace Model
 
     ///@{
     /**
-     * <p>The type of the external access or unused access finding.</p>
+     * <p>The type of the access finding. For external access analyzers, the type is
+     * <code>ExternalAccess</code>. For unused access analyzers, the type can be
+     * <code>UnusedIAMRole</code>, <code>UnusedIAMUserAccessKey</code>,
+     * <code>UnusedIAMUserPassword</code>, or <code>UnusedPermission</code>. For
+     * internal access analyzers, the type is <code>InternalAccess</code>.</p>
      */
     inline FindingType GetFindingType() const { return m_findingType; }
     inline bool FindingTypeHasBeenSet() const { return m_findingTypeHasBeenSet; }

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/FindingType.h

@@ -20,7 +20,8 @@ namespace Model
     UnusedIAMRole,
     UnusedIAMUserAccessKey,
     UnusedIAMUserPassword,
-    UnusedPermission
+    UnusedPermission,
+    InternalAccess
   };
 
 namespace FindingTypeMapper

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/FindingsStatistics.h

@@ -6,6 +6,7 @@
 #pragma once
 #include <aws/accessanalyzer/AccessAnalyzer_EXPORTS.h>
 #include <aws/accessanalyzer/model/ExternalAccessFindingsStatistics.h>
+#include <aws/accessanalyzer/model/InternalAccessFindingsStatistics.h>
 #include <aws/accessanalyzer/model/UnusedAccessFindingsStatistics.h>
 #include <utility>
 
@@ -52,6 +53,20 @@ namespace Model
     FindingsStatistics& WithExternalAccessFindingsStatistics(ExternalAccessFindingsStatisticsT&& value) { SetExternalAccessFindingsStatistics(std::forward<ExternalAccessFindingsStatisticsT>(value)); return *this;}
     ///@}
 
+    ///@{
+    /**
+     * <p>The aggregate statistics for an internal access analyzer. This includes
+     * information about active, archived, and resolved findings related to internal
+     * access within your Amazon Web Services organization or account.</p>
+     */
+    inline const InternalAccessFindingsStatistics& GetInternalAccessFindingsStatistics() const { return m_internalAccessFindingsStatistics; }
+    inline bool InternalAccessFindingsStatisticsHasBeenSet() const { return m_internalAccessFindingsStatisticsHasBeenSet; }
+    template<typename InternalAccessFindingsStatisticsT = InternalAccessFindingsStatistics>
+    void SetInternalAccessFindingsStatistics(InternalAccessFindingsStatisticsT&& value) { m_internalAccessFindingsStatisticsHasBeenSet = true; m_internalAccessFindingsStatistics = std::forward<InternalAccessFindingsStatisticsT>(value); }
+    template<typename InternalAccessFindingsStatisticsT = InternalAccessFindingsStatistics>
+    FindingsStatistics& WithInternalAccessFindingsStatistics(InternalAccessFindingsStatisticsT&& value) { SetInternalAccessFindingsStatistics(std::forward<InternalAccessFindingsStatisticsT>(value)); return *this;}
+    ///@}
+
     ///@{
     /**
      * <p>The aggregate statistics for an unused access analyzer.</p>
@@ -68,6 +83,9 @@ namespace Model
     ExternalAccessFindingsStatistics m_externalAccessFindingsStatistics;
     bool m_externalAccessFindingsStatisticsHasBeenSet = false;
 
+    InternalAccessFindingsStatistics m_internalAccessFindingsStatistics;
+    bool m_internalAccessFindingsStatisticsHasBeenSet = false;
+
     UnusedAccessFindingsStatistics m_unusedAccessFindingsStatistics;
     bool m_unusedAccessFindingsStatisticsHasBeenSet = false;
   };

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/GetFindingV2Result.h

@@ -164,7 +164,8 @@ namespace Model
      * <p>The type of the finding. For external access analyzers, the type is
      * <code>ExternalAccess</code>. For unused access analyzers, the type can be
      * <code>UnusedIAMRole</code>, <code>UnusedIAMUserAccessKey</code>,
-     * <code>UnusedIAMUserPassword</code>, or <code>UnusedPermission</code>.</p>
+     * <code>UnusedIAMUserPassword</code>, or <code>UnusedPermission</code>. For
+     * internal access analyzers, the type is <code>InternalAccess</code>.</p>
      */
     inline FindingType GetFindingType() const { return m_findingType; }
     inline void SetFindingType(FindingType value) { m_findingTypeHasBeenSet = true; m_findingType = value; }

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/InternalAccessAnalysisRule.h

@@ -0,0 +1,66 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+#pragma once
+#include <aws/accessanalyzer/AccessAnalyzer_EXPORTS.h>
+#include <aws/core/utils/memory/stl/AWSVector.h>
+#include <aws/accessanalyzer/model/InternalAccessAnalysisRuleCriteria.h>
+#include <utility>
+
+namespace Aws
+{
+namespace Utils
+{
+namespace Json
+{
+  class JsonValue;
+  class JsonView;
+} // namespace Json
+} // namespace Utils
+namespace AccessAnalyzer
+{
+namespace Model
+{
+
+  /**
+   * <p>Contains information about analysis rules for the internal access analyzer.
+   * Analysis rules determine which entities will generate findings based on the
+   * criteria you define when you create the rule.</p><p><h3>See Also:</h3>   <a
+   * href="http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternalAccessAnalysisRule">AWS
+   * API Reference</a></p>
+   */
+  class InternalAccessAnalysisRule
+  {
+  public:
+    AWS_ACCESSANALYZER_API InternalAccessAnalysisRule() = default;
+    AWS_ACCESSANALYZER_API InternalAccessAnalysisRule(Aws::Utils::Json::JsonView jsonValue);
+    AWS_ACCESSANALYZER_API InternalAccessAnalysisRule& operator=(Aws::Utils::Json::JsonView jsonValue);
+    AWS_ACCESSANALYZER_API Aws::Utils::Json::JsonValue Jsonize() const;
+
+
+    ///@{
+    /**
+     * <p>A list of rules for the internal access analyzer containing criteria to
+     * include in analysis. Only resources that meet the rule criteria will generate
+     * findings.</p>
+     */
+    inline const Aws::Vector<InternalAccessAnalysisRuleCriteria>& GetInclusions() const { return m_inclusions; }
+    inline bool InclusionsHasBeenSet() const { return m_inclusionsHasBeenSet; }
+    template<typename InclusionsT = Aws::Vector<InternalAccessAnalysisRuleCriteria>>
+    void SetInclusions(InclusionsT&& value) { m_inclusionsHasBeenSet = true; m_inclusions = std::forward<InclusionsT>(value); }
+    template<typename InclusionsT = Aws::Vector<InternalAccessAnalysisRuleCriteria>>
+    InternalAccessAnalysisRule& WithInclusions(InclusionsT&& value) { SetInclusions(std::forward<InclusionsT>(value)); return *this;}
+    template<typename InclusionsT = InternalAccessAnalysisRuleCriteria>
+    InternalAccessAnalysisRule& AddInclusions(InclusionsT&& value) { m_inclusionsHasBeenSet = true; m_inclusions.emplace_back(std::forward<InclusionsT>(value)); return *this; }
+    ///@}
+  private:
+
+    Aws::Vector<InternalAccessAnalysisRuleCriteria> m_inclusions;
+    bool m_inclusionsHasBeenSet = false;
+  };
+
+} // namespace Model
+} // namespace AccessAnalyzer
+} // namespace Aws

generated/src/aws-cpp-sdk-accessanalyzer/include/aws/accessanalyzer/model/InternalAccessAnalysisRuleCriteria.h

@@ -0,0 +1,109 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+#pragma once
+#include <aws/accessanalyzer/AccessAnalyzer_EXPORTS.h>
+#include <aws/core/utils/memory/stl/AWSVector.h>
+#include <aws/core/utils/memory/stl/AWSString.h>
+#include <aws/accessanalyzer/model/ResourceType.h>
+#include <utility>
+
+namespace Aws
+{
+namespace Utils
+{
+namespace Json
+{
+  class JsonValue;
+  class JsonView;
+} // namespace Json
+} // namespace Utils
+namespace AccessAnalyzer
+{
+namespace Model
+{
+
+  /**
+   * <p>The criteria for an analysis rule for an internal access
+   * analyzer.</p><p><h3>See Also:</h3>   <a
+   * href="http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternalAccessAnalysisRuleCriteria">AWS
+   * API Reference</a></p>
+   */
+  class InternalAccessAnalysisRuleCriteria
+  {
+  public:
+    AWS_ACCESSANALYZER_API InternalAccessAnalysisRuleCriteria() = default;
+    AWS_ACCESSANALYZER_API InternalAccessAnalysisRuleCriteria(Aws::Utils::Json::JsonView jsonValue);
+    AWS_ACCESSANALYZER_API InternalAccessAnalysisRuleCriteria& operator=(Aws::Utils::Json::JsonView jsonValue);
+    AWS_ACCESSANALYZER_API Aws::Utils::Json::JsonValue Jsonize() const;
+
+
+    ///@{
+    /**
+     * <p>A list of Amazon Web Services account IDs to apply to the internal access
+     * analysis rule criteria. Account IDs can only be applied to the analysis rule
+     * criteria for organization-level analyzers.</p>
+     */
+    inline const Aws::Vector<Aws::String>& GetAccountIds() const { return m_accountIds; }
+    inline bool AccountIdsHasBeenSet() const { return m_accountIdsHasBeenSet; }
+    template<typename AccountIdsT = Aws::Vector<Aws::String>>
+    void SetAccountIds(AccountIdsT&& value) { m_accountIdsHasBeenSet = true; m_accountIds = std::forward<AccountIdsT>(value); }
+    template<typename AccountIdsT = Aws::Vector<Aws::String>>
+    InternalAccessAnalysisRuleCriteria& WithAccountIds(AccountIdsT&& value) { SetAccountIds(std::forward<AccountIdsT>(value)); return *this;}
+    template<typename AccountIdsT = Aws::String>
+    InternalAccessAnalysisRuleCriteria& AddAccountIds(AccountIdsT&& value) { m_accountIdsHasBeenSet = true; m_accountIds.emplace_back(std::forward<AccountIdsT>(value)); return *this; }
+    ///@}
+
+    ///@{
+    /**
+     * <p>A list of resource types to apply to the internal access analysis rule
+     * criteria. The analyzer will only generate findings for resources of these types.
+     * These resource types are currently supported for internal access analyzers:</p>
+     * <ul> <li> <p> <code>AWS::S3::Bucket</code> </p> </li> <li> <p>
+     * <code>AWS::RDS::DBSnapshot</code> </p> </li> <li> <p>
+     * <code>AWS::RDS::DBClusterSnapshot</code> </p> </li> <li> <p>
+     * <code>AWS::S3Express::DirectoryBucket</code> </p> </li> <li> <p>
+     * <code>AWS::DynamoDB::Table</code> </p> </li> <li> <p>
+     * <code>AWS::DynamoDB::Stream</code> </p> </li> </ul>
+     */
+    inline const Aws::Vector<ResourceType>& GetResourceTypes() const { return m_resourceTypes; }
+    inline bool ResourceTypesHasBeenSet() const { return m_resourceTypesHasBeenSet; }
+    template<typename ResourceTypesT = Aws::Vector<ResourceType>>
+    void SetResourceTypes(ResourceTypesT&& value) { m_resourceTypesHasBeenSet = true; m_resourceTypes = std::forward<ResourceTypesT>(value); }
+    template<typename ResourceTypesT = Aws::Vector<ResourceType>>
+    InternalAccessAnalysisRuleCriteria& WithResourceTypes(ResourceTypesT&& value) { SetResourceTypes(std::forward<ResourceTypesT>(value)); return *this;}
+    inline InternalAccessAnalysisRuleCriteria& AddResourceTypes(ResourceType value) { m_resourceTypesHasBeenSet = true; m_resourceTypes.push_back(value); return *this; }
+    ///@}
+
+    ///@{
+    /**
+     * <p>A list of resource ARNs to apply to the internal access analysis rule
+     * criteria. The analyzer will only generate findings for resources that match
+     * these ARNs.</p>
+     */
+    inline const Aws::Vector<Aws::String>& GetResourceArns() const { return m_resourceArns; }
+    inline bool ResourceArnsHasBeenSet() const { return m_resourceArnsHasBeenSet; }
+    template<typename ResourceArnsT = Aws::Vector<Aws::String>>
+    void SetResourceArns(ResourceArnsT&& value) { m_resourceArnsHasBeenSet = true; m_resourceArns = std::forward<ResourceArnsT>(value); }
+    template<typename ResourceArnsT = Aws::Vector<Aws::String>>
+    InternalAccessAnalysisRuleCriteria& WithResourceArns(ResourceArnsT&& value) { SetResourceArns(std::forward<ResourceArnsT>(value)); return *this;}
+    template<typename ResourceArnsT = Aws::String>
+    InternalAccessAnalysisRuleCriteria& AddResourceArns(ResourceArnsT&& value) { m_resourceArnsHasBeenSet = true; m_resourceArns.emplace_back(std::forward<ResourceArnsT>(value)); return *this; }
+    ///@}
+  private:
+
+    Aws::Vector<Aws::String> m_accountIds;
+    bool m_accountIdsHasBeenSet = false;
+
+    Aws::Vector<ResourceType> m_resourceTypes;
+    bool m_resourceTypesHasBeenSet = false;
+
+    Aws::Vector<Aws::String> m_resourceArns;
+    bool m_resourceArnsHasBeenSet = false;
+  };
+
+} // namespace Model
+} // namespace AccessAnalyzer
+} // namespace Aws