diff --git a/Makefile b/Makefile index 34d1319c5..1f9df9a62 100755 --- a/Makefile +++ b/Makefile @@ -65,7 +65,8 @@ prepare-companion-stack: fetch-schema-data: mkdir -p .tmp - curl -o .tmp/cfn-docs.json https://raw.githubusercontent.com/aws/aws-cdk/main/packages/%40aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json + # aws-cdk updated where they store the cfn doc json files. See https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/cfnspec/README.md + bin/git_lfs_download.sh "https://raw.githubusercontent.com/cdklabs/awscdk-service-spec/main/sources/CloudFormationDocumentation/CloudFormationDocumentation.json" curl -o .tmp/cloudformation.schema.json https://raw.githubusercontent.com/awslabs/goformation/master/schema/cloudformation.schema.json diff --git a/bin/git_lfs_download.sh b/bin/git_lfs_download.sh new file mode 100755 index 000000000..47680e11c --- /dev/null +++ b/bin/git_lfs_download.sh @@ -0,0 +1,38 @@ +#!/bin/bash +set -eux + +# Here is the reference I found on how to download Git LFS file +# https://gist.github.com/fkraeutli/66fa741d9a8c2a6a238a01d17ed0edc5#retrieving-lfs-files + +# Check if a URL parameter is provided +if [ $# -eq 0 ]; then + echo "Script Usage: $0 " + exit 1 +fi + +# Get the URL from the first command-line parameter +url="$1" + +# Fetch the metadata from the URL +response=$(curl -s "$url") + +# Extract oid and size from the metadata +oid=$(echo "$response" | grep '^oid' | cut -d: -f2) +size=$(echo "$response" | grep 'size' | cut -d ' ' -f 2) + +# String interpolation to create the request JSON content +request_json=$(jq -nc --arg oid "$oid" --argjson size "$size" '{"operation":"download","objects":[{"oid":$oid,"size":$size}],"transfers":["basic"]}') + +# Send a POST request to Git LFS with the retrieved metadata JSON content +response=$(curl \ + -X POST \ + -H "Accept: application/vnd.git-lfs+json" \ + -H "Content-type: application/json" \ + -d "$request_json" \ + https://github.com/cdklabs/awscdk-service-spec.git/info/lfs/objects/batch) + +# The above command should return a JSON object that tells you where the file is stored +href=$(echo "$response" | jq -r '.objects[0].actions.download.href') + +# Download the file and store it in .tmp/cfn-docs.json +curl -o .tmp/cfn-docs.json $href \ No newline at end of file diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json index 5e6800370..4af084896 100644 --- a/samtranslator/schema/schema.json +++ b/samtranslator/schema/schema.json @@ -1550,9 +1550,13 @@ "title": "Configuration" }, "DataReplicationMode": { + "markdownDescription": "Defines whether this broker is a part of a data replication pair.", + "title": "DataReplicationMode", "type": "string" }, "DataReplicationPrimaryBrokerArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the primary broker that is used to replicate data from in a data replication pair, and is applied to the replica broker. Must be set when dataReplicationMode is set to CRDR.", + "title": "DataReplicationPrimaryBrokerArn", "type": "string" }, "DeploymentMode": { @@ -2414,12 +2418,14 @@ "additionalProperties": false, "properties": { "AppId": { - "markdownDescription": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+", + "markdownDescription": "The unique ID for an Amplify app.", "title": "AppId", "type": "string" }, "Backend": { - "$ref": "#/definitions/AWS::Amplify::Branch.Backend" + "$ref": "#/definitions/AWS::Amplify::Branch.Backend", + "markdownDescription": "The backend environment for an Amplify app.", + "title": "Backend" }, "BasicAuthConfig": { "$ref": "#/definitions/AWS::Amplify::Branch.BasicAuthConfig", @@ -2519,6 +2525,8 @@ "additionalProperties": false, "properties": { "StackArn": { + "markdownDescription": "The Amazon Resource Name (ARN) for the AWS CloudFormation stack.", + "title": "StackArn", "type": "string" } }, @@ -4405,8 +4413,6 @@ "type": "string" }, "Id": { - "markdownDescription": "", - "title": "Id", "type": "string" }, "RestApiId": { @@ -4693,7 +4699,7 @@ "type": "boolean" }, "DataTraceEnabled": { - "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "title": "DataTraceEnabled", "type": "boolean" }, @@ -6244,7 +6250,7 @@ "type": "boolean" }, "DataTraceEnabled": { - "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "title": "DataTraceEnabled", "type": "boolean" }, @@ -8539,6 +8545,8 @@ "type": "string" }, "KmsKeyIdentifier": { + "markdownDescription": "", + "title": "KmsKeyIdentifier", "type": "string" }, "LocationUri": { @@ -8704,7 +8712,7 @@ "type": "string" }, "KmsKeyIdentifier": { - "markdownDescription": "The AWS KMS key identifier (key ID, key alias, or key ARN). AWS AppConfig uses this ID to encrypt the configuration data using a customer managed key.", + "markdownDescription": "The AWS Key Management Service key identifier (key ID, key alias, or key ARN) provided when the resource was created or updated.", "title": "KmsKeyIdentifier", "type": "string" }, @@ -9659,7 +9667,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.PardotConnectorProfileCredentials", - "markdownDescription": "", + "markdownDescription": "The connector-specific credentials required when using Salesforce Pardot.", "title": "Pardot" }, "Redshift": { @@ -9745,7 +9753,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.PardotConnectorProfileProperties", - "markdownDescription": "", + "markdownDescription": "The connector-specific properties required by Salesforce Pardot.", "title": "Pardot" }, "Redshift": { @@ -10176,12 +10184,12 @@ "additionalProperties": false, "properties": { "AccessToken": { - "markdownDescription": "", + "markdownDescription": "The credentials used to access protected Salesforce Pardot resources.", "title": "AccessToken", "type": "string" }, "ClientCredentialsArn": { - "markdownDescription": "", + "markdownDescription": "The secret manager ARN, which contains the client ID and client secret of the connected app.", "title": "ClientCredentialsArn", "type": "string" }, @@ -10191,7 +10199,7 @@ "title": "ConnectorOAuthRequest" }, "RefreshToken": { - "markdownDescription": "", + "markdownDescription": "The credentials used to acquire new access tokens.", "title": "RefreshToken", "type": "string" } @@ -10202,17 +10210,17 @@ "additionalProperties": false, "properties": { "BusinessUnitId": { - "markdownDescription": "", + "markdownDescription": "The business unit id of Salesforce Pardot instance.", "title": "BusinessUnitId", "type": "string" }, "InstanceUrl": { - "markdownDescription": "", + "markdownDescription": "The location of the Salesforce Pardot resource.", "title": "InstanceUrl", "type": "string" }, "IsSandboxEnvironment": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the connector profile applies to a sandbox or production environment.", "title": "IsSandboxEnvironment", "type": "boolean" } @@ -10252,17 +10260,17 @@ "type": "string" }, "ClusterIdentifier": { - "markdownDescription": "", + "markdownDescription": "The unique ID that's assigned to an Amazon Redshift cluster.", "title": "ClusterIdentifier", "type": "string" }, "DataApiRoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that permits Amazon AppFlow to access your Amazon Redshift database through the Data API. For more information, and for the polices that you attach to this role, see [Allow Amazon AppFlow to access Amazon Redshift databases with the Data API](https://docs.aws.amazon.com/appflow/latest/userguide/security_iam_service-role-policies.html#access-redshift) .", "title": "DataApiRoleArn", "type": "string" }, "DatabaseName": { - "markdownDescription": "", + "markdownDescription": "The name of an Amazon Redshift database.", "title": "DatabaseName", "type": "string" }, @@ -10272,7 +10280,7 @@ "type": "string" }, "IsRedshiftServerless": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the connector profile defines a connection to an Amazon Redshift Serverless data warehouse.", "title": "IsRedshiftServerless", "type": "boolean" }, @@ -10282,7 +10290,7 @@ "type": "string" }, "WorkgroupName": { - "markdownDescription": "", + "markdownDescription": "The name of an Amazon Redshift workgroup.", "title": "WorkgroupName", "type": "string" } @@ -10374,12 +10382,12 @@ "title": "ConnectorOAuthRequest" }, "JwtToken": { - "markdownDescription": "", + "markdownDescription": "A JSON web token (JWT) that authorizes Amazon AppFlow to access your Salesforce records.", "title": "JwtToken", "type": "string" }, "OAuth2GrantType": { - "markdownDescription": "", + "markdownDescription": "Specifies the OAuth 2.0 grant type that Amazon AppFlow uses when it requests an access token from Salesforce. Amazon AppFlow requires an access token each time it attempts to access your Salesforce records.\n\nYou can specify one of the following values:\n\n- **AUTHORIZATION_CODE** - Amazon AppFlow passes an authorization code when it requests the access token from Salesforce. Amazon AppFlow receives the authorization code from Salesforce after you log in to your Salesforce account and authorize Amazon AppFlow to access your records.\n- **CLIENT_CREDENTIALS** - Amazon AppFlow passes client credentials (a client ID and client secret) when it requests the access token from Salesforce. You provide these credentials to Amazon AppFlow when you define the connection to your Salesforce account.\n- **JWT_BEARER** - Amazon AppFlow passes a JSON web token (JWT) when it requests the access token from Salesforce. You provide the JWT to Amazon AppFlow when you define the connection to your Salesforce account. When you use this grant type, you don't need to log in to your Salesforce account to authorize Amazon AppFlow to access your records.", "title": "OAuth2GrantType", "type": "string" }, @@ -10405,7 +10413,7 @@ "type": "boolean" }, "usePrivateLinkForMetadataAndAuthorization": { - "markdownDescription": "", + "markdownDescription": "If the connection mode for the connector profile is private, this parameter sets whether Amazon AppFlow uses the private network to send metadata and authorization calls to Salesforce. Amazon AppFlow sends private calls through AWS PrivateLink . These calls travel through AWS infrastructure without being exposed to the public internet.\n\nSet either of the following values:\n\n- **true** - Amazon AppFlow sends all calls to Salesforce over the private network.\n\nThese private calls are:\n\n- Calls to get metadata about your Salesforce records. This metadata describes your Salesforce objects and their fields.\n- Calls to get or refresh access tokens that allow Amazon AppFlow to access your Salesforce records.\n- Calls to transfer your Salesforce records as part of a flow run.\n- **false** - The default value. Amazon AppFlow sends some calls to Salesforce privately and other calls over the public internet.\n\nThe public calls are:\n\n- Calls to get metadata about your Salesforce records.\n- Calls to get or refresh access tokens.\n\nThe private calls are:\n\n- Calls to transfer your Salesforce records as part of a flow run.", "title": "usePrivateLinkForMetadataAndAuthorization", "type": "boolean" } @@ -10416,7 +10424,9 @@ "additionalProperties": false, "properties": { "OAuth2Credentials": { - "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.OAuth2Credentials" + "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.OAuth2Credentials", + "markdownDescription": "", + "title": "OAuth2Credentials" }, "Password": { "markdownDescription": "The password that corresponds to the user name.", @@ -10726,7 +10736,7 @@ }, "MetadataCatalogConfig": { "$ref": "#/definitions/AWS::AppFlow::Flow.MetadataCatalogConfig", - "markdownDescription": "", + "markdownDescription": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data. When Amazon AppFlow catalogs your data, it stores metadata in a data catalog.", "title": "MetadataCatalogConfig" }, "SourceFlowConfig": { @@ -10795,7 +10805,7 @@ "type": "string" }, "TargetFileSize": { - "markdownDescription": "", + "markdownDescription": "The desired file size, in MB, for each output file that Amazon AppFlow writes to the flow destination. For each file, Amazon AppFlow attempts to achieve the size that you specify. The actual file sizes might differ from this target based on the number and size of the records that each file contains.", "title": "TargetFileSize", "type": "number" } @@ -10855,7 +10865,7 @@ "type": "string" }, "Pardot": { - "markdownDescription": "", + "markdownDescription": "The operation to be performed on the provided Salesforce Pardot source fields.", "title": "Pardot", "type": "string" }, @@ -10966,7 +10976,7 @@ }, "DataTransferApi": { "$ref": "#/definitions/AWS::AppFlow::Flow.DataTransferApi", - "markdownDescription": "", + "markdownDescription": "The API of the connector application that Amazon AppFlow uses to transfer your data.", "title": "DataTransferApi" }, "EntityName": { @@ -10984,12 +10994,12 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the connector application API.", "title": "Name", "type": "string" }, "Type": { - "markdownDescription": "", + "markdownDescription": "You can specify one of the following types:\n\n- **AUTOMATIC** - The default. Optimizes a flow for datasets that fluctuate in size from small to large. For each flow run, Amazon AppFlow chooses to use the SYNC or ASYNC API type based on the amount of data that the run transfers.\n- **SYNC** - A synchronous API. This type of API optimizes a flow for small to medium-sized datasets.\n- **ASYNC** - An asynchronous API. This type of API optimizes a flow for large datasets.", "title": "Type", "type": "string" } @@ -11089,7 +11099,7 @@ "type": "string" }, "ConnectorType": { - "markdownDescription": "The type of destination connector, such as Sales force, Amazon S3, and so on.\n\n*Allowed Values* : `EventBridge | Redshift | S3 | Salesforce | Snowflake`", + "markdownDescription": "The type of destination connector, such as Sales force, Amazon S3, and so on.", "title": "ConnectorType", "type": "string" }, @@ -11273,7 +11283,7 @@ "properties": { "GlueDataCatalog": { "$ref": "#/definitions/AWS::AppFlow::Flow.GlueDataCatalog", - "markdownDescription": "", + "markdownDescription": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data with the AWS Glue Data Catalog .", "title": "GlueDataCatalog" } }, @@ -11283,7 +11293,7 @@ "additionalProperties": false, "properties": { "Object": { - "markdownDescription": "", + "markdownDescription": "The object specified in the Salesforce Pardot flow source.", "title": "Object", "type": "string" } @@ -11300,7 +11310,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Specifies whether the destination file path includes either or both of the following elements:\n\n- **EXECUTION_ID** - The ID that Amazon AppFlow assigns to the flow run.\n- **SCHEMA_VERSION** - The version number of your data schema. Amazon AppFlow assigns this version number. The version number increases by one when you change any of the following settings in your flow configuration:\n\n- Source-to-destination field mappings\n- Field data types\n- Partition keys", "title": "PathPrefixHierarchy", "type": "array" }, @@ -11401,7 +11411,7 @@ "title": "PrefixConfig" }, "PreserveSourceDataTyping": { - "markdownDescription": "", + "markdownDescription": "If your file output format is Parquet, use this parameter to set whether Amazon AppFlow preserves the data types in your source data when it writes the output to Amazon S3.\n\n- `true` : Amazon AppFlow preserves the data types when it writes to Amazon S3. For example, an integer or `1` in your source data is still an integer in your output.\n- `false` : Amazon AppFlow converts all of the source data into strings when it writes to Amazon S3. For example, an integer of `1` in your source data becomes the string `\"1\"` in the output.", "title": "PreserveSourceDataTyping", "type": "boolean" } @@ -11474,6 +11484,8 @@ "additionalProperties": false, "properties": { "maxPageSize": { + "markdownDescription": "", + "title": "maxPageSize", "type": "number" } }, @@ -11486,6 +11498,8 @@ "additionalProperties": false, "properties": { "maxParallelism": { + "markdownDescription": "", + "title": "maxParallelism", "type": "number" } }, @@ -11503,10 +11517,14 @@ "type": "string" }, "paginationConfig": { - "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataPaginationConfig" + "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataPaginationConfig", + "markdownDescription": "", + "title": "paginationConfig" }, "parallelismConfig": { - "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataParallelismConfig" + "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataParallelismConfig", + "markdownDescription": "", + "title": "parallelismConfig" } }, "required": [ @@ -11594,7 +11612,7 @@ "type": "number" }, "FlowErrorDeactivationThreshold": { - "markdownDescription": "", + "markdownDescription": "Defines how many times a scheduled flow fails consecutively before Amazon AppFlow deactivates it.", "title": "FlowErrorDeactivationThreshold", "type": "number" }, @@ -11741,7 +11759,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::Flow.PardotSourceProperties", - "markdownDescription": "", + "markdownDescription": "Specifies the information that is required for querying Salesforce Pardot.", "title": "Pardot" }, "S3": { @@ -11888,7 +11906,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The task property key.\n\n*Allowed Values* : `VALUE | VALUES | DATA_TYPE | UPPER_BOUND | LOWER_BOUND | SOURCE_DATA_TYPE | DESTINATION_DATA_TYPE | VALIDATION_ACTION | MASK_VALUE | MASK_LENGTH | TRUNCATE_LENGTH | MATH_OPERATION_FIELDS_ORDER | CONCAT_FORMAT | SUBFIELD_CATEGORY_MAP` | `EXCLUDE_SOURCE_FIELDS_LIST`", + "markdownDescription": "The task property key.", "title": "Key", "type": "string" }, @@ -16015,6 +16033,8 @@ "title": "SourceCodeVersion" }, "SourceDirectory": { + "markdownDescription": "The path of the directory that stores source code and configuration files. The build and start commands also execute from here. The path is absolute from root and, if not specified, defaults to the repository root.", + "title": "SourceDirectory", "type": "string" } }, @@ -16539,7 +16559,7 @@ }, "PostSetupScriptDetails": { "$ref": "#/definitions/AWS::AppStream::AppBlock.ScriptDetails", - "markdownDescription": "The post setup script details of the app block.\n\nThis only applies to app blocks with PackagingType `APPSTREAM2` .", + "markdownDescription": "The post setup script details of the app block.", "title": "PostSetupScriptDetails" }, "SetupScriptDetails": { @@ -16677,7 +16697,7 @@ "items": { "$ref": "#/definitions/AWS::AppStream::AppBlockBuilder.AccessEndpoint" }, - "markdownDescription": "", + "markdownDescription": "The access endpoints of the app block builder.", "title": "AccessEndpoints", "type": "array" }, @@ -16685,7 +16705,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The ARN of the app block.\n\n*Maximum* : `1`", "title": "AppBlockArns", "type": "array" }, @@ -16720,7 +16740,7 @@ "type": "string" }, "Platform": { - "markdownDescription": "The platform of the app block builder.\n\n`WINDOWS_SERVER_2019` is the only valid value.", + "markdownDescription": "The platform of the app block builder.\n\n*Allowed values* : `WINDOWS_SERVER_2019`", "title": "Platform", "type": "string" }, @@ -16728,7 +16748,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The tags of the app block builder.", "title": "Tags", "type": "array" }, @@ -17457,10 +17477,12 @@ "type": "number" }, "MaxSessionsPerInstance": { + "markdownDescription": "The maximum number of user sessions on an instance. This only applies to multi-session fleets.", + "title": "MaxSessionsPerInstance", "type": "number" }, "MaxUserDurationInSeconds": { - "markdownDescription": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 360000.", + "markdownDescription": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 432000.", "title": "MaxUserDurationInSeconds", "type": "number" }, @@ -17470,7 +17492,7 @@ "type": "string" }, "Platform": { - "markdownDescription": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.\n\n*Allowed Values* : `WINDOWS_SERVER_2019` | `AMAZON_LINUX2`", + "markdownDescription": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.", "title": "Platform", "type": "string" }, @@ -17542,6 +17564,8 @@ "type": "number" }, "DesiredSessions": { + "markdownDescription": "The desired number of user sessions for a multi-session fleet. This is not allowed for single-session fleets.\n\nWhen you create a fleet, you must set either the DesiredSessions or DesiredInstances attribute, based on the type of fleet you create. You can\u2019t define both attributes or leave both attributes blank.", + "title": "DesiredSessions", "type": "number" } }, @@ -18424,8 +18448,6 @@ "type": "string" }, "ApiKeyId": { - "markdownDescription": "The API key ID.", - "title": "ApiKeyId", "type": "string" }, "Description": { @@ -19082,7 +19104,7 @@ }, "Runtime": { "$ref": "#/definitions/AWS::AppSync::FunctionConfiguration.AppSyncRuntime", - "markdownDescription": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "markdownDescription": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "title": "Runtime" }, "SyncConfig": { @@ -19638,7 +19660,7 @@ }, "Runtime": { "$ref": "#/definitions/AWS::AppSync::Resolver.AppSyncRuntime", - "markdownDescription": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "markdownDescription": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "title": "Runtime" }, "SyncConfig": { @@ -20260,7 +20282,7 @@ "type": "string" }, "Cooldown": { - "markdownDescription": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/step-scaling-policy-overview.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", "title": "Cooldown", "type": "number" }, @@ -20304,12 +20326,12 @@ "title": "PredefinedMetricSpecification" }, "ScaleInCooldown": { - "markdownDescription": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "title": "ScaleInCooldown", "type": "number" }, "ScaleOutCooldown": { - "markdownDescription": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "title": "ScaleOutCooldown", "type": "number" }, @@ -21019,7 +21041,7 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.\n- Queries that specify a GLUE data catalog other than the default `AwsDataCatalog` must be run on Athena engine version 2.\n- In Regions where Athena engine version 2 is not available, creating new GLUE data catalogs results in an `INVALID_INPUT` error.", + "markdownDescription": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -21354,7 +21376,7 @@ "additionalProperties": false, "properties": { "KmsKey": { - "markdownDescription": "The KMS key that is used to encrypt the user's data stores in Athena.", + "markdownDescription": "The customer managed KMS key that is used to encrypt the user's data stores in Athena.", "title": "KmsKey", "type": "string" } @@ -21558,7 +21580,7 @@ "title": "Scope" }, "Status": { - "markdownDescription": "The overall status of the assessment.\n\nWhen you create a new assessment, the initial `Status` value is always `ACTIVE` . When you create an assessment, even if you specify the value as `INACTIVE` , the value overrides to `ACTIVE` .\n\nAfter you create an assessment, you can change the value of the `Status` property at any time. For example, when you want to stop collecting evidence for your assessment, you can change the assessment status to `INACTIVE` .", + "markdownDescription": "The overall status of the assessment.", "title": "Status", "type": "string" }, @@ -21665,7 +21687,7 @@ "type": "string" }, "CreatedBy": { - "markdownDescription": "The user or role that created the delegation.\n\n*Minimum* : `1`\n\n*Maximum* : `100`\n\n*Pattern* : `^[a-zA-Z0-9-_()\\\\[\\\\]\\\\s]+$`", + "markdownDescription": "The user or role that created the delegation.", "title": "CreatedBy", "type": "string" }, @@ -22267,7 +22289,7 @@ "type": "string" }, "Version": { - "markdownDescription": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html#aws-properties-as-group--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource.", + "markdownDescription": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-autoscaling-autoscalinggroup.html#aws-resource-autoscaling-autoscalinggroup--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource.", "title": "Version", "type": "string" } @@ -23835,7 +23857,7 @@ "title": "CustomizedLoadMetricSpecification" }, "DisableDynamicScaling": { - "markdownDescription": "Controls whether dynamic scaling by AWS Auto Scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", + "markdownDescription": "Controls whether dynamic scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", "title": "DisableDynamicScaling", "type": "boolean" }, @@ -23880,7 +23902,7 @@ "type": "string" }, "ScalingPolicyUpdateBehavior": { - "markdownDescription": "Controls whether your scaling policies that are external to AWS Auto Scaling are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", + "markdownDescription": "Controls whether a resource's externally created scaling policies are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", "title": "ScalingPolicyUpdateBehavior", "type": "string" }, @@ -24156,6 +24178,8 @@ "type": "string" }, "ScheduleExpressionTimezone": { + "markdownDescription": "", + "title": "ScheduleExpressionTimezone", "type": "string" }, "StartWindowMinutes": { @@ -24713,7 +24737,7 @@ }, "ControlScope": { "$ref": "#/definitions/AWS::Backup::Framework.ControlScope", - "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans. For more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)", + "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.", "title": "ControlScope" } }, @@ -25104,7 +25128,7 @@ "additionalProperties": false, "properties": { "AllocationStrategy": { - "markdownDescription": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n\nWith both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", + "markdownDescription": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n- **SPOT_PRICE_CAPACITY_OPTIMIZED** - The price and capacity optimized allocation strategy looks at both price and capacity to select the Spot Instance pools that are the least likely to be interrupted and have the lowest possible price. This allocation strategy is only available for Spot Instance compute resources.\n\n> We recommend that you use `SPOT_PRICE_CAPACITY_OPTIMIZED` rather than `SPOT_CAPACITY_OPTIMIZED` in most instances.\n\nWith `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` , and `SPOT_PRICE_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "title": "AllocationStrategy", "type": "string" }, @@ -25137,7 +25161,7 @@ "type": "string" }, "InstanceRole": { - "markdownDescription": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", + "markdownDescription": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. Required for Amazon EC2 instances. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "title": "InstanceRole", "type": "string" }, @@ -25155,7 +25179,7 @@ "title": "LaunchTemplate" }, "MaxvCpus": { - "markdownDescription": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance. That is, no more than a single instance from among those specified in your compute environment.", + "markdownDescription": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` and `SPOT_PRICE_CAPACITY_OPTIMIZED` (recommended) strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "title": "MaxvCpus", "type": "number" }, @@ -25233,7 +25257,7 @@ "type": "string" }, "ImageType": { - "markdownDescription": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.", + "markdownDescription": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL2023** - [Amazon Linux 2023](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) : AWS Batch supports Amazon Linux 2023.\n\n> Amazon Linux 2023 does not support `A1` instances.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.", "title": "ImageType", "type": "string" } @@ -25476,7 +25500,7 @@ "title": "FargatePlatformConfiguration" }, "Image": { - "markdownDescription": "The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", + "markdownDescription": "Required. The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", "title": "Image", "type": "string" }, @@ -25537,7 +25561,9 @@ "type": "array" }, "RuntimePlatform": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.RuntimePlatform" + "$ref": "#/definitions/AWS::Batch::JobDefinition.RuntimePlatform", + "markdownDescription": "An object that represents the compute environment architecture for AWS Batch jobs on Fargate.", + "title": "RuntimePlatform" }, "Secrets": { "items": { @@ -25686,7 +25712,7 @@ }, "SecurityContext": { "$ref": "#/definitions/AWS::Batch::JobDefinition.EksContainerSecurityContext", - "markdownDescription": "", + "markdownDescription": "The security context for a job. For more information, see [Configure a security context for a pod or container](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) in the *Kubernetes documentation* .", "title": "SecurityContext" }, "VolumeMounts": { @@ -26187,9 +26213,13 @@ "additionalProperties": false, "properties": { "CpuArchitecture": { + "markdownDescription": "The vCPU architecture. The default value is `X86_64` . Valid values are `X86_64` and `ARM64` .\n\n> This parameter must be set to `X86_64` for Windows containers. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "title": "CpuArchitecture", "type": "string" }, "OperatingSystemFamily": { + "markdownDescription": "The operating system for the compute environment. Valid values are: `LINUX` (default), `WINDOWS_SERVER_2019_CORE` , `WINDOWS_SERVER_2019_FULL` , `WINDOWS_SERVER_2022_CORE` , and `WINDOWS_SERVER_2022_FULL` .\n\n> The following parameters can\u2019t be set for Windows containers: `linuxParameters` , `privileged` , `user` , `ulimits` , `readonlyRootFilesystem` , and `efsVolumeConfiguration` . > The AWS Batch Scheduler checks the compute environments that are attached to the job queue before registering a task definition with Fargate. In this scenario, the job queue is where the job is submitted. If the job requires a Windows container and the first compute environment is `LINUX` , the compute environment is skipped and the next compute environment is checked until a Windows-based compute environment is found. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "title": "OperatingSystemFamily", "type": "string" } }, @@ -26263,7 +26293,7 @@ "type": "number" }, "Name": { - "markdownDescription": "The `type` of the `ulimit` .", + "markdownDescription": "The `type` of the `ulimit` . Valid values are: `core` | `cpu` | `data` | `fsize` | `locks` | `memlock` | `msgqueue` | `nice` | `nofile` | `nproc` | `rss` | `rtprio` | `rttime` | `sigpending` | `stack` .", "title": "Name", "type": "string" }, @@ -26590,7 +26620,7 @@ "properties": { "AccountGrouping": { "$ref": "#/definitions/AWS::BillingConductor::BillingGroup.AccountGrouping", - "markdownDescription": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated family.", + "markdownDescription": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated billing family.", "title": "AccountGrouping" }, "ComputationPreference": { @@ -26617,7 +26647,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "A map that contains tag keys and tag values that are attached to a billing group.", "title": "Tags", "type": "array" } @@ -26655,6 +26685,8 @@ "additionalProperties": false, "properties": { "AutoAssociate": { + "markdownDescription": "Specifies if this billing group will automatically associate newly added AWS accounts that join your consolidated billing family.", + "title": "AutoAssociate", "type": "boolean" }, "LinkedAccountIds": { @@ -26809,6 +26841,8 @@ "items": { "$ref": "#/definitions/AWS::BillingConductor::CustomLineItem.LineItemFilter" }, + "markdownDescription": "A representation of the line item filter.", + "title": "LineItemFilters", "type": "array" }, "Percentage": { @@ -26867,15 +26901,21 @@ "additionalProperties": false, "properties": { "Attribute": { + "markdownDescription": "The attribute of the line item filter. This specifies what attribute that you can filter on.", + "title": "Attribute", "type": "string" }, "MatchOption": { + "markdownDescription": "The match criteria of the line item filter. This parameter specifies whether not to include the resource value from the billing group total cost.", + "title": "MatchOption", "type": "string" }, "Values": { "items": { "type": "string" }, + "markdownDescription": "The values of the line item filter. This specifies the values to filter on. Currently, you can only exclude Savings Plan discounts.", + "title": "Values", "type": "array" } }, @@ -27115,7 +27155,7 @@ "properties": { "FreeTier": { "$ref": "#/definitions/AWS::BillingConductor::PricingRule.FreeTier", - "markdownDescription": "", + "markdownDescription": "The possible AWS Free Tier configurations.", "title": "FreeTier" } }, @@ -27239,7 +27279,7 @@ "type": "string" }, "CostFilters": { - "markdownDescription": "The cost filters, such as `Region` , `Service` , `member account` , `Tag` , or `Cost Category` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", + "markdownDescription": "The cost filters, such as `Region` , `Service` , `LinkedAccount` , `Tag` , or `CostCategory` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", "title": "CostFilters", "type": "object" }, @@ -27408,7 +27448,7 @@ "type": "number" }, "Unit": { - "markdownDescription": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as USD or GBP.", + "markdownDescription": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold.", "title": "Unit", "type": "string" } @@ -28666,6 +28706,8 @@ "type": "array" }, "KeyAlgorithm": { + "markdownDescription": "Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see [Key algorithms](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms) .\n\n> Algorithms supported for an ACM certificate request include:\n> \n> - `RSA_2048`\n> - `EC_prime256v1`\n> - `EC_secp384r1`\n> \n> Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. \n\nDefault: RSA_2048", + "title": "KeyAlgorithm", "type": "string" }, "SubjectAlternativeNames": { @@ -28812,7 +28854,7 @@ "type": "string" }, "TeamsChannelId": { - "markdownDescription": "The ID of the Microsoft Teams channel.\n\nTo get the channel ID, open Microsoft Teams, right click on the channel name in the left pane, then choose Copy. An example of the channel ID syntax is: `19%3ab6ef35dc342d56ba5654e6fc6d25a071%40thread.tacv2` .", + "markdownDescription": "", "title": "TeamsChannelId", "type": "string" }, @@ -29007,27 +29049,41 @@ "items": { "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisParameter" }, + "markdownDescription": "The parameters of the analysis template.", + "title": "AnalysisParameters", "type": "array" }, "Description": { + "markdownDescription": "The description of the analysis template.", + "title": "Description", "type": "string" }, "Format": { + "markdownDescription": "The format of the analysis template.", + "title": "Format", "type": "string" }, "MembershipIdentifier": { + "markdownDescription": "The identifier for a membership resource.", + "title": "MembershipIdentifier", "type": "string" }, "Name": { + "markdownDescription": "The name of the analysis template.", + "title": "Name", "type": "string" }, "Source": { - "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisSource" + "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisSource", + "markdownDescription": "The source of the analysis template.", + "title": "Source" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource.", + "title": "Tags", "type": "array" } }, @@ -29064,12 +29120,18 @@ "additionalProperties": false, "properties": { "DefaultValue": { + "markdownDescription": "Optional. The default value that is applied in the analysis template. The member who can query can override this value in the query editor.", + "title": "DefaultValue", "type": "string" }, "Name": { + "markdownDescription": "The name of the parameter. The name must use only alphanumeric, underscore (_), or hyphen (-) characters but cannot start or end with a hyphen.", + "title": "Name", "type": "string" }, "Type": { + "markdownDescription": "The type of parameter.", + "title": "Type", "type": "string" } }, @@ -29086,6 +29148,8 @@ "items": { "type": "string" }, + "markdownDescription": "The tables referenced in the analysis schema.", + "title": "ReferencedTables", "type": "array" } }, @@ -29098,6 +29162,8 @@ "additionalProperties": false, "properties": { "Text": { + "markdownDescription": "The query text.", + "title": "Text", "type": "string" } }, @@ -29150,7 +29216,7 @@ "items": { "type": "string" }, - "markdownDescription": "The abilities granted to the collaboration creator.", + "markdownDescription": "The abilities granted to the collaboration creator.\n\n*Allowed values* `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", "title": "CreatorMemberAbilities", "type": "array" }, @@ -29258,7 +29324,7 @@ "additionalProperties": false, "properties": { "AccountId": { - "markdownDescription": "The identifier used to reference members of the collaboration. Currently only supports AWS account ID.", + "markdownDescription": "The identifier used to reference members of the collaboration. Currently only supports ID.", "title": "AccountId", "type": "string" }, @@ -29450,7 +29516,7 @@ "title": "Policy" }, "Type": { - "markdownDescription": "The type of analysis rule. Valid values are `AGGREGATION` and `LIST`.", + "markdownDescription": "The type of analysis rule.", "title": "Type", "type": "string" } @@ -29534,12 +29600,16 @@ "items": { "type": "string" }, + "markdownDescription": "The analysis templates that are allowed by the custom analysis rule.", + "title": "AllowedAnalyses", "type": "array" }, "AllowedAnalysisProviders": { "items": { "type": "string" }, + "markdownDescription": "The accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` .", + "title": "AllowedAnalysisProviders", "type": "array" } }, @@ -29555,7 +29625,7 @@ "items": { "type": "string" }, - "markdownDescription": "Which logical operators (if any) are to be used in an INNER JOIN match condition. Default is `AND` .", + "markdownDescription": "The logical operators (if any) that are to be used in an INNER JOIN match condition. Default is `AND` .", "title": "AllowedJoinOperators", "type": "array" }, @@ -29605,7 +29675,9 @@ "title": "Aggregation" }, "Custom": { - "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleCustom" + "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleCustom", + "markdownDescription": "Analysis rule type that enables custom SQL queries on a configured table.", + "title": "Custom" }, "List": { "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleList", @@ -29788,7 +29860,9 @@ "type": "string" }, "DefaultResultConfiguration": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryResultConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryResultConfiguration", + "markdownDescription": "The default protected query result configuration as specified by the member who can receive results.", + "title": "DefaultResultConfiguration" }, "QueryLogStatus": { "markdownDescription": "An indicator as to whether query logging has been enabled or disabled for the collaboration.", @@ -29835,7 +29909,9 @@ "additionalProperties": false, "properties": { "S3": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration", + "markdownDescription": "Required configuration for a protected query with an `S3` output type.", + "title": "S3" } }, "required": [ @@ -29847,9 +29923,13 @@ "additionalProperties": false, "properties": { "OutputConfiguration": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration", + "markdownDescription": "Configuration for protected query results.", + "title": "OutputConfiguration" }, "RoleArn": { + "markdownDescription": "The unique ARN for an IAM role that is used by to write protected query results to the result location, given by the member who can receive results.", + "title": "RoleArn", "type": "string" } }, @@ -29862,12 +29942,18 @@ "additionalProperties": false, "properties": { "Bucket": { + "markdownDescription": "The S3 bucket to unload the protected query results.", + "title": "Bucket", "type": "string" }, "KeyPrefix": { + "markdownDescription": "The S3 prefix to unload the protected query results.", + "title": "KeyPrefix", "type": "string" }, "ResultFormat": { + "markdownDescription": "Intended file format of the result.", + "title": "ResultFormat", "type": "string" } }, @@ -29928,7 +30014,7 @@ "type": "string" }, "ImageId": { - "markdownDescription": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nThe default AMI is used if the parameter isn't explicitly assigned a value in the request.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`", + "markdownDescription": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nFrom November 20, 2023, you will be required to include the `imageId` parameter for the `CreateEnvironmentEC2` action. This change will be reflected across all direct methods of communicating with the API, such as AWS SDK, AWS CLI and AWS CloudFormation. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nFrom January 22, 2024, Amazon Linux (AL1) will be removed from the list of available image IDs for Cloud9. This is necessary as AL1 will reach the end of maintenance support in December 2023, and as a result will no longer receive security updates. We recommend using Amazon Linux 2 as the new AMI to create your environment as it is fully supported. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nSince Ubuntu 18.04 has ended standard support as of May 31, 2023, we recommend you choose Ubuntu 22.04.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `ubuntu-22.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64`", "title": "ImageId", "type": "string" }, @@ -31096,7 +31182,7 @@ "type": "array" }, "StackSetName": { - "markdownDescription": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n*Maximum* : `128`\n\n*Pattern* : `^[a-zA-Z][a-zA-Z0-9-]{0,127}$`\n\n> The `StackSetName` property is required.", + "markdownDescription": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n> The `StackSetName` property is required.", "title": "StackSetName", "type": "string" }, @@ -31104,17 +31190,17 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The key-value pairs to associate with this stack set and the stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the stacks. A maximum number of 50 tags can be specified.", + "markdownDescription": "Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.\n\nIf you don't specify this parameter, AWS CloudFormation doesn't modify the stack's tags. If you specify an empty value, AWS CloudFormation removes all associated tags.", "title": "Tags", "type": "array" }, "TemplateBody": { - "markdownDescription": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.\n\n*Minimum* : `1`\n\n*Maximum* : `51200`", + "markdownDescription": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.", "title": "TemplateBody", "type": "string" }, "TemplateURL": { - "markdownDescription": "Location of file containing the template body. The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both.\n\n*Minimum* : `1`\n\n*Maximum* : `1024`", + "markdownDescription": "Location of file containing the template body. The URL must point to a template that's located in an Amazon S3 bucket or a Systems Manager document. For more information, go to [Template Anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.\n\nConditional: You must specify only one of the following parameters: `TemplateBody` , `TemplateURL` .", "title": "TemplateURL", "type": "string" } @@ -31179,6 +31265,8 @@ "type": "array" }, "AccountsUrl": { + "markdownDescription": "Returns the value of the `AccountsUrl` property.", + "title": "AccountsUrl", "type": "string" }, "OrganizationalUnitIds": { @@ -31920,10 +32008,14 @@ "type": "boolean" }, "SingleHeaderPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleHeaderPolicyConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleHeaderPolicyConfig", + "markdownDescription": "This configuration determines which HTTP requests are sent to the staging distribution. If the HTTP request contains a header and value that matches what you specify here, the request is sent to the staging distribution. Otherwise the request is sent to the primary distribution.", + "title": "SingleHeaderPolicyConfig" }, "SingleWeightPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleWeightPolicyConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleWeightPolicyConfig", + "markdownDescription": "This configuration determines the percentage of HTTP requests that are sent to the staging distribution.", + "title": "SingleWeightPolicyConfig" }, "StagingDistributionDnsNames": { "items": { @@ -31939,6 +32031,8 @@ "title": "TrafficConfig" }, "Type": { + "markdownDescription": "The type of traffic configuration.", + "title": "Type", "type": "string" } }, @@ -31992,9 +32086,13 @@ "additionalProperties": false, "properties": { "Header": { + "markdownDescription": "", + "title": "Header", "type": "string" }, "Value": { + "markdownDescription": "", + "title": "Value", "type": "string" } }, @@ -32027,9 +32125,13 @@ "additionalProperties": false, "properties": { "SessionStickinessConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SessionStickinessConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SessionStickinessConfig", + "markdownDescription": "", + "title": "SessionStickinessConfig" }, "Weight": { + "markdownDescription": "", + "title": "Weight", "type": "number" } }, @@ -33043,7 +33145,7 @@ "type": "string" }, "CloudFrontDefaultCertificate": { - "markdownDescription": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), set this field to `false` and specify values for the following fields:\n\n- `ACMCertificateArn` or `IAMCertificateId` (specify a value for one, not both)\n\nIn CloudFormation, these field names are `AcmCertificateArn` and `IamCertificateId` . Note the different capitalization.\n- `MinimumProtocolVersion`\n- `SSLSupportMethod` (In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization.)", + "markdownDescription": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), omit this field and specify values for the following fields:\n\n- `AcmCertificateArn` or `IamCertificateId` (specify a value for one, not both)\n- `MinimumProtocolVersion`\n- `SslSupportMethod`", "title": "CloudFrontDefaultCertificate", "type": "boolean" }, @@ -34820,7 +34922,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "title": "Field", "type": "string" }, @@ -34979,7 +35081,7 @@ "type": "array" }, "CloudWatchLogsLogGroupArn": { - "markdownDescription": "Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. You must use a log group that exists in your account.\n\nNot required unless you specify `CloudWatchLogsRoleArn` .", + "markdownDescription": "Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. You must use a log group that exists in your account.\n\nNot required unless you specify `CloudWatchLogsRoleArn` .\n\n> Only the management account can configure a CloudWatch Logs log group for an organization trail.", "title": "CloudWatchLogsLogGroupArn", "type": "string" }, @@ -34997,7 +35099,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.EventSelector" }, - "markdownDescription": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nFor more information about how to configure event selectors, see [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#aws-resource-cloudtrail-trail--examples) and [Configuring event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-additional-cli-commands.html#configuring-event-selector-examples) in the *AWS CloudTrail User Guide* .", + "markdownDescription": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nYou cannot apply both event selectors and advanced event selectors to a trail.", "title": "EventSelectors", "type": "array" }, @@ -35025,7 +35127,7 @@ "type": "boolean" }, "IsOrganizationTrail": { - "markdownDescription": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account or delegated administrator account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.", + "markdownDescription": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.\n\n> Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.", "title": "IsOrganizationTrail", "type": "boolean" }, @@ -35132,7 +35234,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "title": "Field", "type": "string" }, @@ -35178,7 +35280,7 @@ "additionalProperties": false, "properties": { "Type": { - "markdownDescription": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::S3::Object`\n- `AWS::Lambda::Function`\n- `AWS::DynamoDB::Table`", + "markdownDescription": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n\nThe following resource types are also available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) .\n\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`", "title": "Type", "type": "string" }, @@ -35203,7 +35305,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.DataResource" }, - "markdownDescription": "In AWS CloudFormation , CloudTrail supports data event logging for Amazon S3 objects, Amazon DynamoDB tables, and AWS Lambda functions. Currently, advanced event selectors for data events are not supported in AWS CloudFormation templates. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", + "markdownDescription": "CloudTrail supports data event logging for Amazon S3 objects, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Data Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", "title": "DataResources", "type": "array" }, @@ -36209,7 +36311,7 @@ "items": { "$ref": "#/definitions/AWS::CloudWatch::MetricStream.MetricStreamStatisticsConfiguration" }, - "markdownDescription": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", + "markdownDescription": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", "title": "StatisticsConfigurations", "type": "array" }, @@ -36359,8 +36461,6 @@ "type": "string" }, "EncryptionKey": { - "markdownDescription": "The key used to encrypt the domain.", - "title": "EncryptionKey", "type": "string" }, "PermissionsPolicyDocument": { @@ -36449,8 +36549,6 @@ "type": "string" }, "DomainOwner": { - "markdownDescription": "The 12-digit account number of the AWS account that owns the domain that contains the repository. It does not include dashes or spaces.", - "title": "DomainOwner", "type": "string" }, "ExternalConnections": { @@ -36870,7 +36968,7 @@ "title": "RegistryCredential" }, "Type": { - "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", + "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hyderabad), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), and Europe (London).\n\n- The environment types `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", "title": "Type", "type": "string" } @@ -36894,7 +36992,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs and secret access keys. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` .", + "markdownDescription": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` .", "title": "Value", "type": "string" } @@ -38034,7 +38132,7 @@ "title": "OnPremisesTagSet" }, "OutdatedInstancesStrategy": { - "markdownDescription": "", + "markdownDescription": "Indicates what happens when new Amazon EC2 instances are launched mid-deployment and do not receive the deployed application revision.\n\nIf this option is set to `UPDATE` or is unspecified, CodeDeploy initiates one or more 'auto-update outdated instances' deployments to apply the deployed application revision to the new Amazon EC2 instances.\n\nIf this option is set to `IGNORE` , CodeDeploy does not initiate a deployment to update the new Amazon EC2 instances. This may result in instances having different revisions.", "title": "OutdatedInstancesStrategy", "type": "string" }, @@ -38047,7 +38145,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The metadata that you apply to CodeDeploy deployment groups to help you organize and categorize them. Each tag consists of a key and an optional value, both of which you define.", "title": "Tags", "type": "array" }, @@ -38352,7 +38450,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.ELBInfo" }, - "markdownDescription": "An array that contains information about the load balancer to use for load balancing in a deployment. In Elastic Load Balancing, load balancers are used with Classic Load Balancers.\n\n> Adding more than one load balancer to the array is not supported.", + "markdownDescription": "An array that contains information about the load balancers to use for load balancing in a deployment. If you're using Classic Load Balancers, specify those load balancers in this array.\n\n> You can add up to 10 load balancers to the array. > If you're using Application Load Balancers or Network Load Balancers, use the `targetGroupInfoList` array instead of this one.", "title": "ElbInfoList", "type": "array" }, @@ -38360,7 +38458,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupInfo" }, - "markdownDescription": "An array that contains information about the target group to use for load balancing in a deployment. In Elastic Load Balancing , target groups are used with Application Load Balancers .\n\n> Adding more than one target group to the array is not supported.", + "markdownDescription": "An array that contains information about the target groups to use for load balancing in a deployment. If you're using Application Load Balancers and Network Load Balancers, specify their associated target groups in this array.\n\n> You can add up to 10 target groups to the array. > If you're using Classic Load Balancers, use the `elbInfoList` array instead of this one.", "title": "TargetGroupInfoList", "type": "array" }, @@ -38368,7 +38466,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupPairInfo" }, - "markdownDescription": "", + "markdownDescription": "The target group pair information. This is an array of `TargeGroupPairInfo` objects with a maximum size of one.", "title": "TargetGroupPairInfoList", "type": "array" } @@ -38496,20 +38594,20 @@ "properties": { "ProdTrafficRoute": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TrafficRoute", - "markdownDescription": "", + "markdownDescription": "The path used by a load balancer to route production traffic when an Amazon ECS deployment is complete.", "title": "ProdTrafficRoute" }, "TargetGroups": { "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupInfo" }, - "markdownDescription": "", + "markdownDescription": "One pair of target groups. One is associated with the original task set. The second is associated with the task set that serves traffic after the deployment is complete.", "title": "TargetGroups", "type": "array" }, "TestTrafficRoute": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TrafficRoute", - "markdownDescription": "", + "markdownDescription": "An optional path used by a load balancer to route test traffic after an Amazon ECS deployment. Validation can occur while test traffic is served during a deployment.", "title": "TestTrafficRoute" } }, @@ -38522,7 +38620,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of one listener. The listener identifies the route between a target group and a load balancer. This is an array of strings with a maximum size of one.", "title": "ListenerArns", "type": "array" } @@ -40339,9 +40437,13 @@ "items": { "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.LogConfiguration" }, + "markdownDescription": "The detailed activity logging destination of a user pool.", + "title": "LogConfigurations", "type": "array" }, "UserPoolId": { + "markdownDescription": "The ID of the user pool where you configured detailed activity logging.", + "title": "UserPoolId", "type": "string" } }, @@ -40375,6 +40477,8 @@ "additionalProperties": false, "properties": { "LogGroupArn": { + "markdownDescription": "The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool.\n\nTo send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with `/aws/vendedlogs` . For more information, see [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) .", + "title": "LogGroupArn", "type": "string" } }, @@ -40384,12 +40488,18 @@ "additionalProperties": false, "properties": { "CloudWatchLogsConfiguration": { - "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.CloudWatchLogsConfiguration" + "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.CloudWatchLogsConfiguration", + "markdownDescription": "The CloudWatch logging destination of a user pool detailed activity logging configuration.", + "title": "CloudWatchLogsConfiguration" }, "EventSource": { + "markdownDescription": "The source of events that your user pool sends for detailed activity logging.", + "title": "EventSource", "type": "string" }, "LogLevel": { + "markdownDescription": "The `errorlevel` selection of logs that a user pool sends for detailed activity logging.", + "title": "LogLevel", "type": "string" } }, @@ -40534,7 +40644,7 @@ }, "UserPoolAddOns": { "$ref": "#/definitions/AWS::Cognito::UserPool.UserPoolAddOns", - "markdownDescription": "Enables advanced security risk detection. Set the key `AdvancedSecurityMode` to the value \"AUDIT\".", + "markdownDescription": "User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .\n\nFor more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) .", "title": "UserPoolAddOns" }, "UserPoolName": { @@ -40701,7 +40811,7 @@ "type": "string" }, "SourceArn": { - "markdownDescription": "The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .", + "markdownDescription": "The ARN of a verified email address or an address from a verified domain in Amazon SES. You can set a `SourceArn` email from a verified domain only with an API request. You can set a verified email address, but not an address in a verified domain, in the Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .", "title": "SourceArn", "type": "string" } @@ -40845,7 +40955,7 @@ "type": "boolean" }, "TemporaryPasswordValidityDays": { - "markdownDescription": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.", + "markdownDescription": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to `7` . If you submit a value of `0` , Amazon Cognito treats it as a null value and sets `TemporaryPasswordValidityDays` to its default value.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.", "title": "TemporaryPasswordValidityDays", "type": "number" } @@ -40883,7 +40993,7 @@ "additionalProperties": false, "properties": { "AttributeDataType": { - "markdownDescription": "The attribute data type.", + "markdownDescription": "The data format of the values for your attribute. When you choose an `AttributeDataType` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example `\"custom:isMember\" : \"true\"` or `\"custom:YearsAsMember\" : \"12\"` .", "title": "AttributeDataType", "type": "string" }, @@ -40893,12 +41003,12 @@ "type": "boolean" }, "Mutable": { - "markdownDescription": "Specifies whether the value of the attribute can be changed.\n\nFor any user pool attribute that is mapped to an IdP attribute, you must set this parameter to `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "markdownDescription": "Specifies whether the value of the attribute can be changed.\n\nAny user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", "title": "Mutable", "type": "boolean" }, "Name": { - "markdownDescription": "A schema attribute of the name type.", + "markdownDescription": "The name of your user pool attribute. When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a `Name` value of `MyAttribute` , Amazon Cognito creates the custom attribute `custom:MyAttribute` . When `DeveloperOnlyAttribute` is `true` , Amazon Cognito creates your attribute as `dev:MyAttribute` . In an operation that describes a user pool, Amazon Cognito returns this value as `value` for standard attributes, `custom:value` for custom attributes, and `dev:value` for developer-only attributes..", "title": "Name", "type": "string" }, @@ -40978,7 +41088,7 @@ "additionalProperties": false, "properties": { "AdvancedSecurityMode": { - "markdownDescription": "The advanced security mode.", + "markdownDescription": "The operating mode of advanced security features in your user pool.", "title": "AdvancedSecurityMode", "type": "string" } @@ -41081,7 +41191,7 @@ "type": "array" }, "AllowedOAuthFlowsUserPoolClient": { - "markdownDescription": "Set to true if the client is allowed to follow the OAuth protocol when interacting with Amazon Cognito user pools.", + "markdownDescription": "Set to `true` to use OAuth 2.0 features in your user pool app client.\n\n`AllowedOAuthFlowsUserPoolClient` must be `true` before you can configure the following features in your app client.\n\n- `CallBackURLs` : Callback URLs.\n- `LogoutURLs` : Sign-out redirect URLs.\n- `AllowedOAuthScopes` : OAuth 2.0 scopes.\n- `AllowedOAuthFlows` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants.\n\nTo use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false` .", "title": "AllowedOAuthFlowsUserPoolClient", "type": "boolean" }, @@ -41166,7 +41276,7 @@ "items": { "type": "string" }, - "markdownDescription": "The read attributes.", + "markdownDescription": "The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a [GetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html) API request to retrieve and display your user's profile data.\n\nWhen you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified` , `phone_number_verified` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.", "title": "ReadAttributes", "type": "array" }, @@ -41197,7 +41307,7 @@ "items": { "type": "string" }, - "markdownDescription": "The user pool attributes that the app client can write to.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "markdownDescription": "The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) API request and sets `family_name` to the new value.\n\nWhen you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", "title": "WriteAttributes", "type": "array" } @@ -42085,7 +42195,7 @@ "type": "string" }, "Username": { - "markdownDescription": "The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.", + "markdownDescription": "The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter.\n\n- The username can't be a duplicate of another username in the same user pool.\n- You can't change the value of a username after you create it.\n- You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases) .", "title": "Username", "type": "string" }, @@ -42093,7 +42203,7 @@ "items": { "$ref": "#/definitions/AWS::Cognito::UserPoolUser.AttributeType" }, - "markdownDescription": "The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.\n\nTo configure custom validation, you must create a Pre Sign-up AWS Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.\n\nThe user's validation data isn't persisted.", + "markdownDescription": "Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.\n\nYour Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.\n\nFor more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html) .", "title": "ValidationData", "type": "array" } @@ -42176,7 +42286,7 @@ "additionalProperties": false, "properties": { "GroupName": { - "markdownDescription": "The group name.", + "markdownDescription": "The name of the group that you want to add your user to.", "title": "GroupName", "type": "string" }, @@ -42186,7 +42296,7 @@ "type": "string" }, "Username": { - "markdownDescription": "The username for the user.", + "markdownDescription": "", "title": "Username", "type": "string" } @@ -42862,7 +42972,9 @@ "additionalProperties": false, "properties": { "Compliance": { - "$ref": "#/definitions/AWS::Config::ConfigRule.Compliance" + "$ref": "#/definitions/AWS::Config::ConfigRule.Compliance", + "markdownDescription": "Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.", + "title": "Compliance" }, "ConfigRuleName": { "markdownDescription": "A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .", @@ -42878,6 +42990,8 @@ "items": { "$ref": "#/definitions/AWS::Config::ConfigRule.EvaluationModeConfiguration" }, + "markdownDescription": "The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.", + "title": "EvaluationModes", "type": "array" }, "InputParameters": { @@ -42931,6 +43045,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Indicates whether an AWS resource or AWS Config rule is compliant.\n\nA resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.\n\nA rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.\n\nAWS Config returns the `INSUFFICIENT_DATA` value when no evaluation results are available for the AWS resource or AWS Config rule.\n\nFor the `Compliance` data type, AWS Config supports only `COMPLIANT` , `NON_COMPLIANT` , and `INSUFFICIENT_DATA` values. AWS Config does not support the `NOT_APPLICABLE` value for the `Compliance` data type.", + "title": "Type", "type": "string" } }, @@ -42961,6 +43077,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of an evaluation. The valid values are Detective or Proactive.", + "title": "Mode", "type": "string" } }, @@ -43229,17 +43347,17 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "A name for the configuration recorder. If you don't specify a name, AWS CloudFormation CloudFormation generates a unique physical ID and uses that ID for the configuration recorder name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> After you create a configuration recorder, you cannot rename it. If you don't want a name that AWS CloudFormation generates, specify a value for this property. \n\nUpdates are not supported.", + "markdownDescription": "The name of the configuration recorder. AWS Config automatically assigns the name of \"default\" when creating the configuration recorder.\n\nYou cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.", "title": "Name", "type": "string" }, "RecordingGroup": { "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingGroup", - "markdownDescription": "Indicates whether to record configurations for all supported resources or for a list of resource types. The resource types that you list must be supported by AWS Config .", + "markdownDescription": "Specifies which resource types AWS Config records for configuration changes.\n\n> *High Number of AWS Config Evaluations*\n> \n> You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.\n> \n> If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud ( Amazon EC2 ) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling . If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.", "title": "RecordingGroup" }, "RoleARN": { - "markdownDescription": "The Amazon Resource Name (ARN) of the IAM (IAM) role that is used to make read or write requests to the delivery channel that you specify and to get configuration details for supported AWS resources. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.", + "markdownDescription": "Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.\n\n> *Pre-existing AWS Config role*\n> \n> If you have used an AWS service that uses AWS Config , such as AWS Security Hub or AWS Control Tower , and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected.\n> \n> For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service ( Amazon S3 ) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config . Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config , see [*Identity and Access Management for AWS Config*](https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html) in the *AWS Config Developer Guide* .", "title": "RoleARN", "type": "string" } @@ -43277,6 +43395,8 @@ "items": { "type": "string" }, + "markdownDescription": "A comma-separated list of resource types to exclude from recording by the configuration recorder.", + "title": "ResourceTypes", "type": "array" } }, @@ -43289,26 +43409,30 @@ "additionalProperties": false, "properties": { "AllSupported": { - "markdownDescription": "Specifies whether AWS Config records configuration changes for all supported regional resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new type of regional resource, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .", + "markdownDescription": "Specifies whether AWS Config records configuration changes for all supported regionally recorded resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new regionally recorded resource type, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Region Availability*\n> \n> Check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if a resource type is supported in the AWS Region where you set up AWS Config .", "title": "AllSupported", "type": "boolean" }, "ExclusionByResourceTypes": { - "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.ExclusionByResourceTypes" + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.ExclusionByResourceTypes", + "markdownDescription": "An object that specifies how AWS Config excludes resource types from being recorded by the configuration recorder.\n\nTo use this option, you must set the `useOnly` field of [AWS::Config::ConfigurationRecorder RecordingStrategy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .", + "title": "ExclusionByResourceTypes" }, "IncludeGlobalResourceTypes": { - "markdownDescription": "Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.\n\nBefore you can set this option to `true` , you must set the `AllSupported` option to `true` .\n\nIf you set this option to `true` , when AWS Config adds support for a new type of global resource, it starts recording resources of that type automatically.\n\nThe configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.", + "markdownDescription": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", "title": "IncludeGlobalResourceTypes", "type": "boolean" }, "RecordingStrategy": { - "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy" + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy", + "markdownDescription": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "title": "RecordingStrategy" }, "ResourceTypes": { "items": { "type": "string" }, - "markdownDescription": "A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail` ).\n\nTo record all configuration changes, you must set the `AllSupported` option to `false` .\n\nIf you set the `AllSupported` option to false and populate the `ResourceTypes` option with values, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.\n\nFor a list of valid `resourceTypes` values, see the *resourceType Value* column in [Supported AWS Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) .", + "markdownDescription": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .", "title": "ResourceTypes", "type": "array" } @@ -43319,6 +43443,8 @@ "additionalProperties": false, "properties": { "UseOnly": { + "markdownDescription": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "title": "UseOnly", "type": "string" } }, @@ -43397,7 +43523,7 @@ }, "TemplateSSMDocumentDetails": { "$ref": "#/definitions/AWS::Config::ConformancePack.TemplateSSMDocumentDetails", - "markdownDescription": "", + "markdownDescription": "An object that contains the name or Amazon Resource Name (ARN) of the AWS Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack.", "title": "TemplateSSMDocumentDetails" } }, @@ -43616,7 +43742,7 @@ }, "OrganizationCustomPolicyRuleMetadata": { "$ref": "#/definitions/AWS::Config::OrganizationConfigRule.OrganizationCustomPolicyRuleMetadata", - "markdownDescription": "", + "markdownDescription": "An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.", "title": "OrganizationCustomPolicyRuleMetadata" }, "OrganizationCustomRuleMetadata": { @@ -43663,22 +43789,22 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of accounts that you can enable debug logging for your organization AWS Config Custom Policy rule. List is null when debug logging is enabled for all accounts.", "title": "DebugLogDeliveryAccounts", "type": "array" }, "Description": { - "markdownDescription": "", + "markdownDescription": "The description that you provide for your organization AWS Config Custom Policy rule.", "title": "Description", "type": "string" }, "InputParameters": { - "markdownDescription": "", + "markdownDescription": "A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.", "title": "InputParameters", "type": "string" }, "MaximumExecutionFrequency": { - "markdownDescription": "", + "markdownDescription": "The maximum frequency with which AWS Config runs evaluations for a rule. Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. For more information, see `ConfigSnapshotDeliveryProperties` .", "title": "MaximumExecutionFrequency", "type": "string" }, @@ -43686,17 +43812,17 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The type of notification that initiates AWS Config to run an evaluation for a rule. For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types:\n\n- `ConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change.\n- `OversizedConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.", "title": "OrganizationConfigRuleTriggerTypes", "type": "array" }, "PolicyText": { - "markdownDescription": "", + "markdownDescription": "The policy definition containing the logic for your organization AWS Config Custom Policy rule.", "title": "PolicyText", "type": "string" }, "ResourceIdScope": { - "markdownDescription": "", + "markdownDescription": "The ID of the AWS resource that was evaluated.", "title": "ResourceIdScope", "type": "string" }, @@ -43704,22 +43830,22 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The type of the AWS resource that was evaluated.", "title": "ResourceTypesScope", "type": "array" }, "Runtime": { - "markdownDescription": "", + "markdownDescription": "The runtime system for your organization AWS Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard) .", "title": "Runtime", "type": "string" }, "TagKeyScope": { - "markdownDescription": "", + "markdownDescription": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", "title": "TagKeyScope", "type": "string" }, "TagValueScope": { - "markdownDescription": "", + "markdownDescription": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).", "title": "TagValueScope", "type": "string" } @@ -44111,8 +44237,6 @@ "additionalProperties": false, "properties": { "Value": { - "markdownDescription": "The value is a resource ID.", - "title": "Value", "type": "string" } }, @@ -44141,8 +44265,6 @@ "items": { "type": "string" }, - "markdownDescription": "A list of values. For example, the ARN of the assumed role.", - "title": "Values", "type": "array" } }, @@ -44917,7 +45039,7 @@ "additionalProperties": false, "properties": { "Label": { - "markdownDescription": "The property label of the automation.\n\n*Allowed values* : `OVERALL_CUSTOMER_SENTIMENT_SCORE` , `OVERALL_AGENT_SENTIMENT_SCORE` | `NON_TALK_TIME` | `NON_TALK_TIME_PERCENTAGE` | `NUMBER_OF_INTERRUPTIONS` | `CONTACT_DURATION` | `AGENT_INTERACTION_DURATION` | `CUSTOMER_HOLD_TIME`", + "markdownDescription": "The property label of the automation.", "title": "Label", "type": "string" } @@ -45583,7 +45705,7 @@ "type": "array" }, "TargetArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", + "markdownDescription": "The Amazon Resource Name (ARN) for Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", "title": "TargetArn", "type": "string" }, @@ -45748,36 +45870,54 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the queue.", + "title": "Description", "type": "string" }, "HoursOfOperationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the hours of operation.", + "title": "HoursOfOperationArn", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "MaxContacts": { + "markdownDescription": "The maximum number of contacts that can be in the queue before it is considered full.", + "title": "MaxContacts", "type": "number" }, "Name": { + "markdownDescription": "The name of the queue.", + "title": "Name", "type": "string" }, "OutboundCallerConfig": { - "$ref": "#/definitions/AWS::Connect::Queue.OutboundCallerConfig" + "$ref": "#/definitions/AWS::Connect::Queue.OutboundCallerConfig", + "markdownDescription": "The outbound caller ID name, number, and outbound whisper flow.", + "title": "OutboundCallerConfig" }, "QuickConnectArns": { "items": { "type": "string" }, + "markdownDescription": "The Amazon Resource Names (ARN) of the of the quick connects available to agents who are working the queue.", + "title": "QuickConnectArns", "type": "array" }, "Status": { + "markdownDescription": "The status of the queue.", + "title": "Status", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -45813,12 +45953,18 @@ "additionalProperties": false, "properties": { "OutboundCallerIdName": { + "markdownDescription": "The caller ID name.", + "title": "OutboundCallerIdName", "type": "string" }, "OutboundCallerIdNumberArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the outbound caller ID number.\n\n> Only use the phone number ARN format that doesn't contain `instance` in the path, for example, `arn:aws:connect:us-east-1:1234567890:phone-number/uuid` . This is the same ARN format that is returned when you create a phone number using CloudFormation , or when you call the [ListPhoneNumbersV2](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListPhoneNumbersV2.html) API.", + "title": "OutboundCallerIdNumberArn", "type": "string" }, "OutboundFlowArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the outbound flow.", + "title": "OutboundFlowArn", "type": "string" } }, @@ -46035,36 +46181,52 @@ "additionalProperties": false, "properties": { "AgentAvailabilityTimer": { + "markdownDescription": "Whether agents with this routing profile will have their routing order calculated based on *time since their last inbound contact* or *longest idle time* .", + "title": "AgentAvailabilityTimer", "type": "string" }, "DefaultOutboundQueueArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the default outbound queue for the routing profile.", + "title": "DefaultOutboundQueueArn", "type": "string" }, "Description": { + "markdownDescription": "The description of the routing profile.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "MediaConcurrencies": { "items": { "$ref": "#/definitions/AWS::Connect::RoutingProfile.MediaConcurrency" }, + "markdownDescription": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "title": "MediaConcurrencies", "type": "array" }, "Name": { + "markdownDescription": "The name of the routing profile.", + "title": "Name", "type": "string" }, "QueueConfigs": { "items": { "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueConfig" }, + "markdownDescription": "The inbound queues associated with the routing profile. If no queue is added, the agent can make only outbound calls.", + "title": "QueueConfigs", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -46102,6 +46264,8 @@ "additionalProperties": false, "properties": { "BehaviorType": { + "markdownDescription": "Specifies the other channels that can be routed to an agent handling their current channel.", + "title": "BehaviorType", "type": "string" } }, @@ -46114,13 +46278,19 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The channels that agents can handle in the Contact Control Panel (CCP).", + "title": "Channel", "type": "string" }, "Concurrency": { + "markdownDescription": "The number of contacts an agent can have on a channel simultaneously.\n\nValid Range for `VOICE` : Minimum value of 1. Maximum value of 1.\n\nValid Range for `CHAT` : Minimum value of 1. Maximum value of 10.\n\nValid Range for `TASK` : Minimum value of 1. Maximum value of 10.", + "title": "Concurrency", "type": "number" }, "CrossChannelBehavior": { - "$ref": "#/definitions/AWS::Connect::RoutingProfile.CrossChannelBehavior" + "$ref": "#/definitions/AWS::Connect::RoutingProfile.CrossChannelBehavior", + "markdownDescription": "Defines the cross-channel routing behavior for each channel that is enabled for this Routing Profile. For example, this allows you to offer an agent a different contact from another channel when they are currently working with a contact from a Voice channel.", + "title": "CrossChannelBehavior" } }, "required": [ @@ -46133,13 +46303,19 @@ "additionalProperties": false, "properties": { "Delay": { + "markdownDescription": "The delay, in seconds, a contact should be in the queue before they are routed to an available agent. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) in the *Amazon Connect Administrator Guide* .", + "title": "Delay", "type": "number" }, "Priority": { + "markdownDescription": "The order in which contacts are to be handled for the queue. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) .", + "title": "Priority", "type": "number" }, "QueueReference": { - "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueReference" + "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueReference", + "markdownDescription": "Contains information about a queue resource.", + "title": "QueueReference" } }, "required": [ @@ -46153,9 +46329,13 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "title": "Channel", "type": "string" }, "QueueArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the queue.", + "title": "QueueArn", "type": "string" } }, @@ -46371,7 +46551,7 @@ "additionalProperties": false, "properties": { "EventSourceName": { - "markdownDescription": "The name of the event source.\n\n*Allowed values* : `OnPostCallAnalysisAvailable` | `OnRealTimeCallAnalysisAvailable` | `OnPostChatAnalysisAvailable` | `OnZendeskTicketCreate` | `OnZendeskTicketStatusUpdate` | `OnSalesforceCaseCreate`", + "markdownDescription": "The name of the event source.", "title": "EventSourceName", "type": "string" }, @@ -46571,33 +46751,47 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The list of tags that a security profile uses to restrict access to resources in Amazon Connect.", + "title": "AllowedAccessControlTags", "type": "array" }, "Description": { + "markdownDescription": "The description of the security profile.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "Permissions": { "items": { "type": "string" }, + "markdownDescription": "Permissions assigned to the security profile. For a list of valid permissions, see [List of security profile permissions](https://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) .", + "title": "Permissions", "type": "array" }, "SecurityProfileName": { + "markdownDescription": "The name for the security profile.", + "title": "SecurityProfileName", "type": "string" }, "TagRestrictedResources": { "items": { "type": "string" }, + "markdownDescription": "The list of resources that a security profile applies tag restrictions to in Amazon Connect.", + "title": "TagRestrictedResources", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -46924,18 +47118,26 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the traffic distribution group.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The Amazon Resource Name (ARN).", + "title": "InstanceArn", "type": "string" }, "Name": { + "markdownDescription": "The name of the traffic distribution group.", + "title": "Name", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, {\"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -47202,6 +47404,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -47271,24 +47475,36 @@ "items": { "type": "string" }, + "markdownDescription": "A list of actions possible from the view.", + "title": "Actions", "type": "array" }, "Description": { + "markdownDescription": "The description of the view.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the instance.", + "title": "InstanceArn", "type": "string" }, "Name": { + "markdownDescription": "The name of the view.", + "title": "Name", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the view resource (not specific to view version).", + "title": "Tags", "type": "array" }, "Template": { + "markdownDescription": "The view template representing the structure of the view.", + "title": "Template", "type": "object" } }, @@ -47357,12 +47573,18 @@ "additionalProperties": false, "properties": { "VersionDescription": { + "markdownDescription": "The description of the view version.", + "title": "VersionDescription", "type": "string" }, "ViewArn": { + "markdownDescription": "The unqualified Amazon Resource Name (ARN) of the view.\n\nFor example:\n\n`arn::connect:::instance/00000000-0000-0000-0000-000000000000/view/00000000-0000-0000-0000-000000000000`", + "title": "ViewArn", "type": "string" }, "ViewContentSha256": { + "markdownDescription": "Indicates the checksum value of the latest published view content.", + "title": "ViewContentSha256", "type": "string" } }, @@ -47489,6 +47711,8 @@ "additionalProperties": false, "properties": { "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47498,7 +47722,7 @@ "additionalProperties": false, "properties": { "EnableAnswerMachineDetection": { - "markdownDescription": "", + "markdownDescription": "Whether answering machine detection is enabled.", "title": "EnableAnswerMachineDetection", "type": "boolean" } @@ -47512,7 +47736,9 @@ "additionalProperties": false, "properties": { "AgentlessDialerConfig": { - "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AgentlessDialerConfig" + "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AgentlessDialerConfig", + "markdownDescription": "The configuration of the agentless dialer.", + "title": "AgentlessDialerConfig" }, "PredictiveDialerConfig": { "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.PredictiveDialerConfig", @@ -47532,7 +47758,7 @@ "properties": { "AnswerMachineDetectionConfig": { "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AnswerMachineDetectionConfig", - "markdownDescription": "", + "markdownDescription": "Whether answering machine detection has been enabled.", "title": "AnswerMachineDetectionConfig" }, "ConnectContactFlowArn": { @@ -47565,6 +47791,8 @@ "type": "number" }, "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47582,6 +47810,8 @@ "type": "number" }, "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47626,12 +47856,12 @@ "additionalProperties": false, "properties": { "ControlIdentifier": { - "markdownDescription": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* guardrail.", + "markdownDescription": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* control. For information on how to find the `controlIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", "title": "ControlIdentifier", "type": "string" }, "TargetIdentifier": { - "markdownDescription": "The ARN of the organizational unit.", + "markdownDescription": "The ARN of the organizational unit. For information on how to find the `targetIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", "title": "TargetIdentifier", "type": "string" } @@ -47905,7 +48135,7 @@ "additionalProperties": false, "properties": { "DeadLetterQueueUrl": { - "markdownDescription": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the DeadLetterQueue for the SendMessage operation to enable Amazon Connect Customer Profiles to send messages to the DeadLetterQueue.", + "markdownDescription": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the `DeadLetterQueue` for the `SendMessage` operation to enable Amazon Connect Customer Profiles to send messages to the `DeadLetterQueue` .", "title": "DeadLetterQueueUrl", "type": "string" }, @@ -47925,10 +48155,14 @@ "type": "string" }, "Matching": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Matching" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Matching", + "markdownDescription": "The process of matching duplicate profiles.", + "title": "Matching" }, "RuleBasedMatching": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.RuleBasedMatching" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.RuleBasedMatching", + "markdownDescription": "The process of matching duplicate profiles using Rule-Based matching.", + "title": "RuleBasedMatching" }, "Tags": { "items": { @@ -47972,21 +48206,29 @@ "items": { "type": "string" }, + "markdownDescription": "The `Address` type. You can choose from `Address` , `BusinessAddress` , `MaillingAddress` , and `ShippingAddress` . You only can use the `Address` type in the `MatchingRule` . For example, if you want to match a profile based on `BusinessAddress.City` or `MaillingAddress.City` , you can choose the `BusinessAddress` and the `MaillingAddress` to represent the `Address` type and specify the `Address.City` on the matching rule.", + "title": "Address", "type": "array" }, "AttributeMatchingModel": { + "markdownDescription": "Configures the `AttributeMatchingModel` , you can either choose `ONE_TO_ONE` or `MANY_TO_MANY` .", + "title": "AttributeMatchingModel", "type": "string" }, "EmailAddress": { "items": { "type": "string" }, + "markdownDescription": "The Email type. You can choose from `EmailAddress` , `BusinessEmailAddress` and `PersonalEmailAddress` . You only can use the `EmailAddress` type in the `MatchingRule` . For example, if you want to match profile based on `PersonalEmailAddress` or `BusinessEmailAddress` , you can choose the `PersonalEmailAddress` and the `BusinessEmailAddress` to represent the `EmailAddress` type and only specify the `EmailAddress` on the matching rule.", + "title": "EmailAddress", "type": "array" }, "PhoneNumber": { "items": { "type": "string" }, + "markdownDescription": "The `PhoneNumber` type. You can choose from `PhoneNumber` , `HomePhoneNumber` , and `MobilePhoneNumber` . You only can use the `PhoneNumber` type in the `MatchingRule` . For example, if you want to match a profile based on `Phone` or `HomePhone` , you can choose the `Phone` and the `HomePhone` to represent the `PhoneNumber` type and only specify the `PhoneNumber` on the matching rule.", + "title": "PhoneNumber", "type": "array" } }, @@ -47999,15 +48241,23 @@ "additionalProperties": false, "properties": { "ConflictResolution": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution", + "markdownDescription": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "title": "ConflictResolution" }, "Consolidation": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Consolidation" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Consolidation", + "markdownDescription": "A list of matching attributes that represent matching criteria. If two profiles meet at least one of the requirements in the matching attributes list, they will be merged.", + "title": "Consolidation" }, "Enabled": { + "markdownDescription": "The flag that enables the auto-merging of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "MinAllowedConfidenceScoreForMerging": { + "markdownDescription": "A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means that a higher similarity is required to merge profiles.", + "title": "MinAllowedConfidenceScoreForMerging", "type": "number" } }, @@ -48020,9 +48270,13 @@ "additionalProperties": false, "properties": { "ConflictResolvingModel": { + "markdownDescription": "How the auto-merging process should resolve conflicts between different profiles.", + "title": "ConflictResolvingModel", "type": "string" }, "SourceName": { + "markdownDescription": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel` .", + "title": "SourceName", "type": "string" } }, @@ -48035,6 +48289,8 @@ "additionalProperties": false, "properties": { "MatchingAttributesList": { + "markdownDescription": "A list of matching criteria.", + "title": "MatchingAttributesList", "type": "object" } }, @@ -48047,15 +48303,23 @@ "additionalProperties": false, "properties": { "MeteringProfileCount": { + "markdownDescription": "The number of profiles that you are currently paying for in the domain. If you have more than 100 objects associated with a single profile, that profile counts as two profiles. If you have more than 200 objects, that profile counts as three, and so on.", + "title": "MeteringProfileCount", "type": "number" }, "ObjectCount": { + "markdownDescription": "The total number of objects in domain.", + "title": "ObjectCount", "type": "number" }, "ProfileCount": { + "markdownDescription": "The total number of profiles currently in the domain.", + "title": "ProfileCount", "type": "number" }, "TotalSize": { + "markdownDescription": "The total size, in bytes, of all objects in the domain.", + "title": "TotalSize", "type": "number" } }, @@ -48065,7 +48329,9 @@ "additionalProperties": false, "properties": { "S3Exporting": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.S3ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.S3ExportingConfig", + "markdownDescription": "", + "title": "S3Exporting" } }, "type": "object" @@ -48074,9 +48340,13 @@ "additionalProperties": false, "properties": { "DayOfTheWeek": { + "markdownDescription": "The day when the Identity Resolution Job should run every week.", + "title": "DayOfTheWeek", "type": "string" }, "Time": { + "markdownDescription": "The time when the Identity Resolution Job should run every week.", + "title": "Time", "type": "string" } }, @@ -48090,16 +48360,24 @@ "additionalProperties": false, "properties": { "AutoMerging": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AutoMerging" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AutoMerging", + "markdownDescription": "Configuration information about the auto-merging process.", + "title": "AutoMerging" }, "Enabled": { + "markdownDescription": "The flag that enables the matching process of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "ExportingConfig": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig", + "markdownDescription": "The S3 location where Identity Resolution Jobs write result files.", + "title": "ExportingConfig" }, "JobSchedule": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.JobSchedule" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.JobSchedule", + "markdownDescription": "The day and time when do you want to start the Identity Resolution Job every week.", + "title": "JobSchedule" } }, "required": [ @@ -48114,6 +48392,8 @@ "items": { "type": "string" }, + "markdownDescription": "A single rule level of the `MatchRules` . Configures how the rule-based matching process should match profiles.", + "title": "Rule", "type": "array" } }, @@ -48126,30 +48406,46 @@ "additionalProperties": false, "properties": { "AttributeTypesSelector": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AttributeTypesSelector" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AttributeTypesSelector", + "markdownDescription": "Configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles.", + "title": "AttributeTypesSelector" }, "ConflictResolution": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution", + "markdownDescription": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "title": "ConflictResolution" }, "Enabled": { + "markdownDescription": "The flag that enables the matching process of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "ExportingConfig": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig", + "markdownDescription": "The S3 location where Identity Resolution Jobs write result files.", + "title": "ExportingConfig" }, "MatchingRules": { "items": { "$ref": "#/definitions/AWS::CustomerProfiles::Domain.MatchingRule" }, + "markdownDescription": "Configures how the rule-based matching process should match profiles. You can have up to 15 `MatchingRule` in the `MatchingRules` .", + "title": "MatchingRules", "type": "array" }, "MaxAllowedRuleLevelForMatching": { + "markdownDescription": "Indicates the maximum allowed rule level for matching.", + "title": "MaxAllowedRuleLevelForMatching", "type": "number" }, "MaxAllowedRuleLevelForMerging": { + "markdownDescription": "Indicates the maximum allowed rule level for merging.", + "title": "MaxAllowedRuleLevelForMerging", "type": "number" }, "Status": { + "markdownDescription": "The status of rule-based matching rule.", + "title": "Status", "type": "string" } }, @@ -48162,9 +48458,13 @@ "additionalProperties": false, "properties": { "S3BucketName": { + "markdownDescription": "The name of the S3 bucket where Identity Resolution Jobs write result files.", + "title": "S3BucketName", "type": "string" }, "S3KeyName": { + "markdownDescription": "The S3 key name of the location where Identity Resolution Jobs write result files.", + "title": "S3KeyName", "type": "string" } }, @@ -48849,6 +49149,8 @@ "type": "string" }, "SourceLastUpdatedTimestampFormat": { + "markdownDescription": "The format of your sourceLastUpdatedTimestamp that was previously set up.", + "title": "SourceLastUpdatedTimestampFormat", "type": "string" }, "Tags": { @@ -49387,7 +49689,7 @@ "properties": { "RetentionArchiveTier": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.RetentionArchiveTier", - "markdownDescription": "", + "markdownDescription": "Information about retention period in the Amazon EBS Snapshots Archive. For more information, see [Archive Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/snapshot-archive.html) .", "title": "RetentionArchiveTier" } }, @@ -49401,7 +49703,7 @@ "properties": { "RetainRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ArchiveRetainRule", - "markdownDescription": "", + "markdownDescription": "Information about the retention period for the snapshot archiving rule.", "title": "RetainRule" } }, @@ -49479,12 +49781,12 @@ "additionalProperties": false, "properties": { "Interval": { - "markdownDescription": "", + "markdownDescription": "The period after which to deprecate the cross-Region AMI copies. The period must be less than or equal to the cross-Region AMI copy retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* . For example, to deprecate a cross-Region AMI copy after 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` .", "title": "IntervalUnit", "type": "string" } @@ -49530,7 +49832,7 @@ }, "DeprecateRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyDeprecateRule", - "markdownDescription": "", + "markdownDescription": "*[AMI policies only]* The AMI deprecation rule for cross-Region AMI copies created by the rule.", "title": "DeprecateRule" }, "Encrypted": { @@ -49544,12 +49846,12 @@ "title": "RetainRule" }, "Target": { - "markdownDescription": "The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.\n\nUse this parameter instead of *TargetRegion* . Do not specify both.", + "markdownDescription": "> Use this parameter for snapshot policies only. For AMI policies, use *TargetRegion* instead. \n\n*[Snapshot policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", "title": "Target", "type": "string" }, "TargetRegion": { - "markdownDescription": "> Avoid using this parameter when creating new policies. Instead, use *Target* to specify a target Region or a target Outpost for snapshot copies.\n> \n> For policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies.", + "markdownDescription": "> Use this parameter for AMI policies only. For snapshot policies, use *Target* instead. For snapshot policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies. \n\n*[AMI policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", "title": "TargetRegion", "type": "string" } @@ -49563,17 +49865,17 @@ "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "", + "markdownDescription": "If the schedule has a count-based retention rule, this parameter specifies the number of oldest AMIs to deprecate. The count must be less than or equal to the schedule's retention count, and it can't be greater than 1000.", "title": "Count", "type": "number" }, "Interval": { - "markdownDescription": "", + "markdownDescription": "If the schedule has an age-based retention rule, this parameter specifies the period after which to deprecate AMIs created by the schedule. The period must be less than or equal to the schedule's retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* .", "title": "IntervalUnit", "type": "string" } @@ -49687,7 +49989,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "*[Snapshot policies that target instances only]* The tags used to identify data (non-root) volumes to exclude from multi-volume snapshot sets.\n\nIf you create a snapshot lifecycle policy that targets instances and you specify tags for this parameter, then data volumes with the specified tags that are attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", "title": "ExcludeDataVolumeTags", "type": "array" }, @@ -49785,17 +50087,17 @@ "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "", + "markdownDescription": "The maximum number of snapshots to retain in the archive storage tier for each volume. The count must ensure that each snapshot remains in the archive tier for at least 90 days. For example, if the schedule creates snapshots every 30 days, you must specify a count of 3 or more to ensure that each snapshot is archived for at least 90 days.", "title": "Count", "type": "number" }, "Interval": { - "markdownDescription": "", + "markdownDescription": "Specifies the period of time to retain snapshots in the archive tier. After this period expires, the snapshot is permanently deleted.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* . For example, to retain a snapshots in the archive tier for 6 months, specify `Interval=6` and `IntervalUnit=MONTHS` .", "title": "IntervalUnit", "type": "string" } @@ -49807,7 +50109,7 @@ "properties": { "ArchiveRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ArchiveRule", - "markdownDescription": "", + "markdownDescription": "*[Snapshot policies that target volumes only]* The snapshot archiving rule for the schedule. When you specify an archiving rule, snapshots are automatically moved from the standard tier to the archive tier once the schedule's retention threshold is met. Snapshots are then retained in the archive tier for the archive retention period that you specify.\n\nFor more information about using snapshot archiving, see [Considerations for snapshot lifecycle policies](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-ami-policy.html#dlm-archive) .", "title": "ArchiveRule" }, "CopyTags": { @@ -49830,7 +50132,7 @@ }, "DeprecateRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.DeprecateRule", - "markdownDescription": "", + "markdownDescription": "*[AMI policies only]* The AMI deprecation rule for the schedule.", "title": "DeprecateRule" }, "FastRestoreRule": { @@ -50070,7 +50372,7 @@ "type": "string" }, "EngineName": { - "markdownDescription": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", + "markdownDescription": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `redshift-serverless` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", "title": "EngineName", "type": "string" }, @@ -50342,7 +50644,7 @@ "type": "string" }, "ServerName": { - "markdownDescription": "Endpoint TCP port.", + "markdownDescription": "The MySQL host name.", "title": "ServerName", "type": "string" }, @@ -50556,15 +50858,23 @@ "type": "string" }, "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", "type": "string" }, "ForceLobLookup": { + "markdownDescription": "Forces LOB lookup on inline LOB.", + "title": "ForceLobLookup", "type": "boolean" }, "Password": { + "markdownDescription": "Endpoint connection password.", + "title": "Password", "type": "string" }, "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", "type": "number" }, "QuerySingleAlwaysOnNode": { @@ -50593,12 +50903,18 @@ "type": "string" }, "ServerName": { + "markdownDescription": "Fully qualified domain name of the endpoint. For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "title": "ServerName", "type": "string" }, "TlogAccessMode": { + "markdownDescription": "Indicates the mode used to fetch CDC data.", + "title": "TlogAccessMode", "type": "string" }, "TrimSpaceInChar": { + "markdownDescription": "Use the `TrimSpaceInChar` source endpoint setting to right-trim data on CHAR and NCHAR data types during migration. Setting `TrimSpaceInChar` does not left-trim data. The default value is `true` .", + "title": "TrimSpaceInChar", "type": "boolean" }, "UseBcpFullLoad": { @@ -50612,6 +50928,8 @@ "type": "boolean" }, "Username": { + "markdownDescription": "Endpoint connection user name.", + "title": "Username", "type": "string" } }, @@ -50902,7 +51220,7 @@ "type": "string" }, "SecretsManagerOracleAsmAccessRoleArn": { - "markdownDescription": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUserName` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "markdownDescription": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "title": "SecretsManagerOracleAsmAccessRoleArn", "type": "string" }, @@ -50973,6 +51291,8 @@ "type": "string" }, "BabelfishDatabaseName": { + "markdownDescription": "The Babelfish for Aurora PostgreSQL database name for the endpoint.", + "title": "BabelfishDatabaseName", "type": "string" }, "CaptureDdls": { @@ -50981,6 +51301,8 @@ "type": "boolean" }, "DatabaseMode": { + "markdownDescription": "Specifies the default behavior of the replication's handling of PostgreSQL- compatible endpoints that require some additional configuration, such as Babelfish endpoints.", + "title": "DatabaseMode", "type": "string" }, "DdlArtifactsSchema": { @@ -51014,7 +51336,7 @@ "type": "string" }, "MapBooleanAsBoolean": { - "markdownDescription": "", + "markdownDescription": "When true, lets PostgreSQL migrate the boolean type as boolean. By default, PostgreSQL migrates booleans as `varchar(5)` . You must set this setting on both the source and target endpoints for it to take effect.", "title": "MapBooleanAsBoolean", "type": "boolean" }, @@ -51156,7 +51478,7 @@ "type": "number" }, "MapBooleanAsBoolean": { - "markdownDescription": "", + "markdownDescription": "When true, lets Redshift migrate the boolean type as boolean. By default, Redshift migrates booleans as `varchar(1)` . You must set this setting on both the source and target endpoints for it to take effect.", "title": "MapBooleanAsBoolean", "type": "boolean" }, @@ -51577,39 +51899,61 @@ "additionalProperties": false, "properties": { "ComputeConfig": { - "$ref": "#/definitions/AWS::DMS::ReplicationConfig.ComputeConfig" + "$ref": "#/definitions/AWS::DMS::ReplicationConfig.ComputeConfig", + "markdownDescription": "Configuration parameters for provisioning an AWS DMS Serverless replication.", + "title": "ComputeConfig" }, "ReplicationConfigArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of this AWS DMS Serverless replication configuration.", + "title": "ReplicationConfigArn", "type": "string" }, "ReplicationConfigIdentifier": { + "markdownDescription": "A unique identifier that you want to use to create a `ReplicationConfigArn` that is returned as part of the output from this action. You can then pass this output `ReplicationConfigArn` as the value of the `ReplicationConfigArn` option for other actions to identify both AWS DMS Serverless replications and replication configurations that you want those actions to operate on. For some actions, you can also use either this unique identifier or a corresponding ARN in action filters to identify the specific replication and replication configuration to operate on.", + "title": "ReplicationConfigIdentifier", "type": "string" }, "ReplicationSettings": { + "markdownDescription": "Optional JSON settings for AWS DMS Serverless replications that are provisioned using this replication configuration. For example, see [Change processing tuning settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TaskSettings.ChangeProcessingTuning.html) .", + "title": "ReplicationSettings", "type": "object" }, "ReplicationType": { + "markdownDescription": "The type of AWS DMS Serverless replication to provision using this replication configuration.\n\nPossible values:\n\n- `\"full-load\"`\n- `\"cdc\"`\n- `\"full-load-and-cdc\"`", + "title": "ReplicationType", "type": "string" }, "ResourceIdentifier": { + "markdownDescription": "Optional unique value or name that you set for a given resource that can be used to construct an Amazon Resource Name (ARN) for that resource. For more information, see [Fine-grained access control using resource names and tags](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#CHAP_Security.FineGrainedAccess) .", + "title": "ResourceIdentifier", "type": "string" }, "SourceEndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the source endpoint for this AWS DMS Serverless replication configuration.", + "title": "SourceEndpointArn", "type": "string" }, "SupplementalSettings": { + "markdownDescription": "Optional JSON settings for specifying supplemental data. For more information, see [Specifying supplemental data for task settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) .", + "title": "SupplementalSettings", "type": "object" }, "TableMappings": { + "markdownDescription": "JSON table mappings for AWS DMS Serverless replications that are provisioned using this replication configuration. For more information, see [Specifying table selection and transformations rules using JSON](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TableMapping.SelectionTransformation.html) .", + "title": "TableMappings", "type": "object" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "One or more optional tags associated with resources used by the AWS DMS Serverless replication. For more information, see [Tagging resources in AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tagging.html) .", + "title": "Tags", "type": "array" }, "TargetEndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the target endpoint for this AWS DMS serverless replication configuration.", + "title": "TargetEndpointArn", "type": "string" } }, @@ -51639,33 +51983,51 @@ "additionalProperties": false, "properties": { "AvailabilityZone": { + "markdownDescription": "The Availability Zone where the AWS DMS Serverless replication using this configuration will run. The default value is a random, system-chosen Availability Zone in the configuration's AWS Region , for example, `\"us-west-2\"` . You can't set this parameter if the `MultiAZ` parameter is set to `true` .", + "title": "AvailabilityZone", "type": "string" }, "DnsNameServers": { + "markdownDescription": "A list of custom DNS name servers supported for the AWS DMS Serverless replication to access your source or target database. This list overrides the default name servers supported by the AWS DMS Serverless replication. You can specify a comma-separated list of internet addresses for up to four DNS name servers. For example: `\"1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4\"`", + "title": "DnsNameServers", "type": "string" }, "KmsKeyId": { + "markdownDescription": "An AWS Key Management Service ( AWS KMS ) key Amazon Resource Name (ARN) that is used to encrypt the data during AWS DMS Serverless replication.\n\nIf you don't specify a value for the `KmsKeyId` parameter, AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your Amazon Web Services account. Your AWS account has a different default encryption key for each AWS Region .", + "title": "KmsKeyId", "type": "string" }, "MaxCapacityUnits": { + "markdownDescription": "Specifies the maximum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the maximum value that you can specify for AWS DMS Serverless is 384. The `MaxCapacityUnits` parameter is the only DCU parameter you are required to specify.", + "title": "MaxCapacityUnits", "type": "number" }, "MinCapacityUnits": { + "markdownDescription": "Specifies the minimum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the minimum DCU value that you can specify for AWS DMS Serverless is 1. You don't have to specify a value for the `MinCapacityUnits` parameter. If you don't set this value, AWS DMS scans the current activity of available source tables to identify an optimum setting for this parameter. If there is no current source activity or AWS DMS can't otherwise identify a more appropriate value, it sets this parameter to the minimum DCU value allowed, 1.", + "title": "MinCapacityUnits", "type": "number" }, "MultiAZ": { + "markdownDescription": "Specifies whether the AWS DMS Serverless replication is a Multi-AZ deployment. You can't set the `AvailabilityZone` parameter if the `MultiAZ` parameter is set to `true` .", + "title": "MultiAZ", "type": "boolean" }, "PreferredMaintenanceWindow": { + "markdownDescription": "The weekly time range during which system maintenance can occur for the AWS DMS Serverless replication, in Universal Coordinated Time (UTC). The format is `ddd:hh24:mi-ddd:hh24:mi` .\n\nThe default is a 30-minute window selected at random from an 8-hour block of time per AWS Region . This maintenance occurs on a random day of the week. Valid values for days of the week include `Mon` , `Tue` , `Wed` , `Thu` , `Fri` , `Sat` , and `Sun` .\n\nConstraints include a minimum 30-minute window.", + "title": "PreferredMaintenanceWindow", "type": "string" }, "ReplicationSubnetGroupId": { + "markdownDescription": "Specifies a subnet group identifier to associate with the AWS DMS Serverless replication.", + "title": "ReplicationSubnetGroupId", "type": "string" }, "VpcSecurityGroupIds": { "items": { "type": "string" }, + "markdownDescription": "Specifies the virtual private cloud (VPC) security group to use with the AWS DMS Serverless replication. The VPC security group must work with the VPC containing the replication.", + "title": "VpcSecurityGroupIds", "type": "array" } }, @@ -52005,7 +52367,7 @@ "type": "string" }, "TaskData": { - "markdownDescription": "", + "markdownDescription": "Supplemental information that the task requires to migrate the data for certain source and target endpoints. For more information, see [Specifying Supplemental Data for Task Settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) in the *AWS Database Migration Service User Guide.*", "title": "TaskData", "type": "string" } @@ -52585,7 +52947,7 @@ }, "OutputLocation": { "$ref": "#/definitions/AWS::DataBrew::Job.OutputLocation", - "markdownDescription": "", + "markdownDescription": "The location in Amazon S3 where the job writes its output.", "title": "OutputLocation" }, "Outputs": { @@ -53378,12 +53740,12 @@ "properties": { "DataCatalogInputDefinition": { "$ref": "#/definitions/AWS::DataBrew::Recipe.DataCatalogInputDefinition", - "markdownDescription": "", + "markdownDescription": "The AWS Glue Data Catalog parameters for the data.", "title": "DataCatalogInputDefinition" }, "S3InputDefinition": { "$ref": "#/definitions/AWS::DataBrew::Recipe.S3Location", - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location where the data is stored.", "title": "S3InputDefinition" } }, @@ -54637,30 +54999,46 @@ "items": { "type": "string" }, + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "title": "AgentArns", "type": "array" }, "AzureAccessTier": { + "markdownDescription": "Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see [Access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) .", + "title": "AzureAccessTier", "type": "string" }, "AzureBlobAuthenticationType": { + "markdownDescription": "Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS).", + "title": "AzureBlobAuthenticationType", "type": "string" }, "AzureBlobContainerUrl": { + "markdownDescription": "Specifies the URL of the Azure Blob Storage container involved in your transfer.", + "title": "AzureBlobContainerUrl", "type": "string" }, "AzureBlobSasConfiguration": { - "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration" + "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration", + "markdownDescription": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "title": "AzureBlobSasConfiguration" }, "AzureBlobType": { + "markdownDescription": "Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the [Azure Blob Storage documentation](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) .", + "title": "AzureBlobType", "type": "string" }, "Subdirectory": { + "markdownDescription": "Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, `/my/images` ).", + "title": "Subdirectory", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location.", + "title": "Tags", "type": "array" } }, @@ -54695,6 +55073,8 @@ "additionalProperties": false, "properties": { "AzureBlobSasToken": { + "markdownDescription": "Specifies a SAS token that provides permissions to access your Azure Blob Storage.\n\nThe token is part of the SAS URI string that comes after the storage resource URI and a question mark. A token looks something like this:\n\n`sp=r&st=2023-12-20T14:54:52Z&se=2023-12-20T22:54:52Z&spr=https&sv=2021-06-08&sr=c&sig=aBBKDWQvyuVcTPH9EBp%2FXTI9E%2F%2Fmq171%2BZU178wcwqU%3D`", + "title": "AzureBlobSasToken", "type": "string" } }, @@ -55257,7 +55637,7 @@ "additionalProperties": false, "properties": { "Domain": { - "markdownDescription": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.", + "markdownDescription": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#create-fsx-windows-location-permissions) for FSx for Windows File Server locations.", "title": "Domain", "type": "string" }, @@ -55267,7 +55647,7 @@ "type": "string" }, "Password": { - "markdownDescription": "Specifies the password of the user who has the permissions to access files and folders in the file system.", + "markdownDescription": "Specifies the password of the user who has the permissions to access files and folders in the file system.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#create-fsx-windows-location-permissions) for FSx for Windows File Server locations.", "title": "Password", "type": "string" }, @@ -55536,21 +55916,21 @@ "properties": { "MountOptions": { "$ref": "#/definitions/AWS::DataSync::LocationNFS.MountOptions", - "markdownDescription": "Specifies the mount options that DataSync can use to mount your NFS share.", + "markdownDescription": "Specifies the options that DataSync can use to mount your NFS file server.", "title": "MountOptions" }, "OnPremConfig": { "$ref": "#/definitions/AWS::DataSync::LocationNFS.OnPremConfig", - "markdownDescription": "Specifies the Amazon Resource Names (ARNs) of agents that DataSync uses to connect to your NFS file server.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that want to connect to your NFS file server.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for transfers](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", "title": "OnPremConfig" }, "ServerHostname": { - "markdownDescription": "Specifies the IP address or domain name of your NFS file server. An agent that is installed on-premises uses this hostname to mount the NFS server in a network.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.\n\n> You must specify be an IP version 4 address or Domain Name System (DNS)-compliant name.", + "markdownDescription": "Specifies the Domain Name System (DNS) name or IP version 4 address of the NFS file server that your DataSync agent connects to.", "title": "ServerHostname", "type": "string" }, "Subdirectory": { - "markdownDescription": "Specifies the subdirectory in the NFS file server that DataSync transfers to or from. The NFS path should be a path that's exported by the NFS server, or a subdirectory of that path. The path should be such that it can be mounted by other NFS clients in your network.\n\nTo see all the paths exported by your NFS server, run \" `showmount -e nfs-server-name` \" from an NFS client that has access to your server. You can specify any directory that appears in the results, and any subdirectory of that directory. Ensure that the NFS export is accessible without Kerberos authentication.\n\nTo transfer all the data in the folder you specified, DataSync needs to have permissions to read all the data. To ensure this, either configure the NFS export with `no_root_squash,` or ensure that the permissions for all of the files that you want DataSync allow read access for all users. Doing either enables the agent to read the files. For the agent to access directories, you must additionally enable all execute access.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "markdownDescription": "Specifies the export path in your NFS file server that you want DataSync to mount.\n\nThis path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see [Accessing NFS file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs) .", "title": "Subdirectory", "type": "string" }, @@ -55607,7 +55987,7 @@ "items": { "type": "string" }, - "markdownDescription": "ARNs of the agents to use for an NFS location.", + "markdownDescription": "The Amazon Resource Names (ARNs) of the agents connecting to a transfer location.", "title": "AgentArns", "type": "array" } @@ -55883,7 +56263,7 @@ "type": "array" }, "Domain": { - "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", + "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to.\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", "title": "Domain", "type": "string" }, @@ -56193,7 +56573,9 @@ "type": "array" }, "TaskReportConfig": { - "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig" + "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig", + "markdownDescription": "Specifies how you want to configure a task report, which provides detailed information about for your DataSync transfer.", + "title": "TaskReportConfig" } }, "required": [ @@ -56227,6 +56609,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete.", + "title": "ReportLevel", "type": "string" } }, @@ -56236,7 +56620,9 @@ "additionalProperties": false, "properties": { "S3": { - "$ref": "#/definitions/AWS::DataSync::Task.S3" + "$ref": "#/definitions/AWS::DataSync::Task.S3", + "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report.", + "title": "S3" } }, "type": "object" @@ -56342,16 +56728,24 @@ "additionalProperties": false, "properties": { "Deleted": { - "$ref": "#/definitions/AWS::DataSync::Task.Deleted" + "$ref": "#/definitions/AWS::DataSync::Task.Deleted", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", + "title": "Deleted" }, "Skipped": { - "$ref": "#/definitions/AWS::DataSync::Task.Skipped" + "$ref": "#/definitions/AWS::DataSync::Task.Skipped", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", + "title": "Skipped" }, "Transferred": { - "$ref": "#/definitions/AWS::DataSync::Task.Transferred" + "$ref": "#/definitions/AWS::DataSync::Task.Transferred", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", + "title": "Transferred" }, "Verified": { - "$ref": "#/definitions/AWS::DataSync::Task.Verified" + "$ref": "#/definitions/AWS::DataSync::Task.Verified", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.", + "title": "Verified" } }, "type": "object" @@ -56360,12 +56754,18 @@ "additionalProperties": false, "properties": { "BucketAccessRoleArn": { + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/creating-task-reports.html) .", + "title": "BucketAccessRoleArn", "type": "string" }, "S3BucketArn": { + "markdownDescription": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", + "title": "S3BucketArn", "type": "string" }, "Subdirectory": { + "markdownDescription": "Specifies a bucket prefix for your report.", + "title": "Subdirectory", "type": "string" } }, @@ -56375,6 +56775,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip.", + "title": "ReportLevel", "type": "string" } }, @@ -56384,18 +56786,28 @@ "additionalProperties": false, "properties": { "Destination": { - "$ref": "#/definitions/AWS::DataSync::Task.Destination" + "$ref": "#/definitions/AWS::DataSync::Task.Destination", + "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report. For more information, see [Task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html#task-report-access) .", + "title": "Destination" }, "ObjectVersionIds": { + "markdownDescription": "Specifies whether your task report includes the new version of each object transferred into an S3 bucket. This only applies if you [enable versioning on your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html) . Keep in mind that setting this to `INCLUDE` can increase the duration of your task execution.", + "title": "ObjectVersionIds", "type": "string" }, "OutputType": { + "markdownDescription": "Specifies the type of task report that you want:\n\n- `SUMMARY_ONLY` : Provides necessary details about your task, including the number of files, objects, and directories transferred and transfer duration.\n- `STANDARD` : Provides complete details about your task, including a full list of files, objects, and directories that were transferred, skipped, verified, and more.", + "title": "OutputType", "type": "string" }, "Overrides": { - "$ref": "#/definitions/AWS::DataSync::Task.Overrides" + "$ref": "#/definitions/AWS::DataSync::Task.Overrides", + "markdownDescription": "Customizes the reporting level for aspects of your task report. For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location.", + "title": "Overrides" }, "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer, skip, verify, and delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer, skip, verify, and delete.", + "title": "ReportLevel", "type": "string" } }, @@ -56423,6 +56835,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer.", + "title": "ReportLevel", "type": "string" } }, @@ -56432,6 +56846,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify.", + "title": "ReportLevel", "type": "string" } }, @@ -56923,7 +57339,7 @@ "properties": { "CloudFormation": { "$ref": "#/definitions/AWS::DevOpsGuru::ResourceCollection.CloudFormationCollectionFilter", - "markdownDescription": "Information about AWS CloudFormation stacks. You can use up to 500 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", + "markdownDescription": "Information about AWS CloudFormation stacks. You can use up to 1000 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", "title": "CloudFormation" }, "Tags": { @@ -57322,12 +57738,12 @@ "type": "string" }, "RestoreToTime": { - "markdownDescription": "", + "markdownDescription": "The date and time to restore the cluster to.\n\nValid values: A time in Universal Coordinated Time (UTC) format.\n\nConstraints:\n\n- Must be before the latest restorable time for the instance.\n- Must be specified if the `UseLatestRestorableTime` parameter is not provided.\n- Cannot be specified if the `UseLatestRestorableTime` parameter is `true` .\n- Cannot be specified if the `RestoreType` parameter is `copy-on-write` .\n\nExample: `2015-03-07T23:45:00Z`", "title": "RestoreToTime", "type": "string" }, "RestoreType": { - "markdownDescription": "", + "markdownDescription": "The type of restore to be performed. You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nConstraints: You can't specify `copy-on-write` if the engine version of the source DB cluster is earlier than 1.11.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.", "title": "RestoreType", "type": "string" }, @@ -57337,7 +57753,7 @@ "type": "string" }, "SourceDBClusterIdentifier": { - "markdownDescription": "", + "markdownDescription": "The identifier of the source cluster from which to restore.\n\nConstraints:\n\n- Must match the identifier of an existing `DBCluster` .", "title": "SourceDBClusterIdentifier", "type": "string" }, @@ -57355,7 +57771,7 @@ "type": "array" }, "UseLatestRestorableTime": { - "markdownDescription": "", + "markdownDescription": "A value that is set to `true` to restore the cluster to the latest restorable backup time, and `false` otherwise.\n\nDefault: `false`\n\nConstraints: Cannot be specified if the `RestoreToTime` parameter is provided.", "title": "UseLatestRestorableTime", "type": "boolean" }, @@ -57543,7 +57959,7 @@ "type": "string" }, "EnablePerformanceInsights": { - "markdownDescription": "", + "markdownDescription": "A value that indicates whether to enable Performance Insights for the DB Instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html) .", "title": "EnablePerformanceInsights", "type": "boolean" }, @@ -60063,7 +60479,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::EC2Fleet.TagSpecification" }, - "markdownDescription": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tagging your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", + "markdownDescription": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", "title": "TagSpecifications", "type": "array" }, @@ -60518,7 +60934,7 @@ "title": "CapacityReservationOptions" }, "MaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay.", + "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "MaxTotalPrice", "type": "string" }, @@ -60610,7 +61026,7 @@ "title": "MaintenanceStrategies" }, "MaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter.", + "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter. > If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "MaxTotalPrice", "type": "string" }, @@ -60636,7 +61052,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag. `ResourceType` must be `fleet` .", + "markdownDescription": "The type of resource to tag.", "title": "ResourceType", "type": "string" }, @@ -60763,7 +61179,7 @@ "type": "string" }, "NetworkBorderGroup": { - "markdownDescription": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.\n\nYou cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an `InvalidParameterCombination` error.", + "markdownDescription": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.", "title": "NetworkBorderGroup", "type": "string" }, @@ -61062,6 +61478,8 @@ "additionalProperties": false, "properties": { "DeliverCrossAccountRole": { + "markdownDescription": "The ARN of the IAM role that allows the service to publish flow logs across accounts.", + "title": "DeliverCrossAccountRole", "type": "string" }, "DeliverLogsPermissionArn": { @@ -61285,6 +61703,8 @@ "additionalProperties": false, "properties": { "AssetId": { + "markdownDescription": "The ID of the Outpost hardware asset on which the Dedicated Host is allocated.", + "title": "AssetId", "type": "string" }, "AutoPlacement": { @@ -61406,6 +61826,8 @@ "type": "array" }, "Tier": { + "markdownDescription": "", + "title": "Tier", "type": "string" } }, @@ -62385,7 +62807,7 @@ "additionalProperties": false, "properties": { "CPUCredits": { - "markdownDescription": "The credit option for CPU usage of the instance.\n\nValid values: `standard` | `unlimited`\n\nT3 instances with `host` tenancy do not support the `unlimited` CPU credit option.", + "markdownDescription": "The credit option for CPU usage of a T instance.\n\nValid values: `standard` | `unlimited`", "title": "CPUCredits", "type": "string" } @@ -62481,7 +62903,7 @@ "additionalProperties": false, "properties": { "Configured": { - "markdownDescription": "Set to `true` to enable your instance for hibernation.\n\nDefault: `false`", + "markdownDescription": "Set to `true` to enable your instance for hibernation.\n\nFor Spot Instances, if you set `Configured` to `true` , either omit the `InstanceInterruptionBehavior` parameter (for [`SpotMarketOptions`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html) ), or set it to `hibernate` . When `Configured` is true:\n\n- If you omit `InstanceInterruptionBehavior` , it defaults to `hibernate` .\n- If you set `InstanceInterruptionBehavior` to a value other than `hibernate` , you'll get an error.\n\nDefault: `false`", "title": "Configured", "type": "boolean" } @@ -62747,24 +63169,34 @@ "additionalProperties": false, "properties": { "ClientToken": { + "markdownDescription": "Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.", + "title": "ClientToken", "type": "string" }, "PreserveClientIp": { + "markdownDescription": "Indicates whether your client's IP address is preserved as the source. The value is `true` or `false` .\n\n- If `true` , your client's IP address is used when you connect to a resource.\n- If `false` , the elastic network interface IP address is used when you connect to a resource.\n\nDefault: `true`", + "title": "PreserveClientIp", "type": "boolean" }, "SecurityGroupIds": { "items": { "type": "string" }, + "markdownDescription": "One or more security groups to associate with the endpoint. If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.", + "title": "SecurityGroupIds", "type": "array" }, "SubnetId": { + "markdownDescription": "The ID of the subnet in which to create the EC2 Instance Connect Endpoint.", + "title": "SubnetId", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to apply to the EC2 Instance Connect Endpoint during creation.", + "title": "Tags", "type": "array" } }, @@ -62999,7 +63431,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.LaunchTemplateTagSpecification" }, - "markdownDescription": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\n> To specify the tags for the resources that are created when an instance is launched, you must use the `TagSpecifications` parameter in the [launch template data](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestLaunchTemplateData.html) structure.", + "markdownDescription": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\nTo specify the tags for the resources that are created when an instance is launched, you must use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "title": "TagSpecifications", "type": "array" }, @@ -63515,7 +63947,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.LaunchTemplateElasticInferenceAccelerator" }, - "markdownDescription": "The elastic inference accelerator for the instance.", + "markdownDescription": "An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.\n\nYou cannot specify accelerators from different generations in the same request.\n\n> Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.", "title": "ElasticInferenceAccelerators", "type": "array" }, @@ -63635,7 +64067,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.TagSpecification" }, - "markdownDescription": "The tags to apply to the resources that are created during instance launch.\n\nYou can specify tags for the following resources only:\n\n- Instances\n- Volumes\n- Elastic graphics\n- Spot Instance requests\n- Network interfaces\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\n> To tag the launch template itself, you must use the [TagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) parameter.", + "markdownDescription": "The tags to apply to the resources that are created during instance launch.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\nTo tag the launch template itself, use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "title": "TagSpecifications", "type": "array" }, @@ -63798,7 +64230,7 @@ "additionalProperties": false, "properties": { "AssociateCarrierIpAddress": { - "markdownDescription": "Indicates whether to associate a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", + "markdownDescription": "Associates a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", "title": "AssociateCarrierIpAddress", "type": "boolean" }, @@ -63885,6 +64317,8 @@ "type": "string" }, "PrimaryIpv6": { + "markdownDescription": "The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) .", + "title": "PrimaryIpv6", "type": "boolean" }, "PrivateIpAddress": { @@ -64052,7 +64486,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag.\n\nThe `Valid Values` are all the resource types that can be tagged. However, when creating a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request`\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "markdownDescription": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "title": "ResourceType", "type": "string" }, @@ -64488,7 +64922,7 @@ "type": "array" }, "SecondaryPrivateIpAddressCount": { - "markdownDescription": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "markdownDescription": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "title": "SecondaryPrivateIpAddressCount", "type": "number" }, @@ -64496,7 +64930,7 @@ "items": { "type": "string" }, - "markdownDescription": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "markdownDescription": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "title": "SecondaryPrivateIpAddresses", "type": "array" }, @@ -66062,16 +66496,20 @@ "type": "string" }, "Ipv4PrefixCount": { + "markdownDescription": "The number of IPv4 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "title": "Ipv4PrefixCount", "type": "number" }, "Ipv4Prefixes": { "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.Ipv4PrefixSpecification" }, + "markdownDescription": "The IPv4 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "title": "Ipv4Prefixes", "type": "array" }, "Ipv6AddressCount": { - "markdownDescription": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.", + "markdownDescription": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.\n\nWhen creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", "title": "Ipv6AddressCount", "type": "number" }, @@ -66079,17 +66517,21 @@ "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.InstanceIpv6Address" }, - "markdownDescription": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.", + "markdownDescription": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.\n\nWhen creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", "title": "Ipv6Addresses", "type": "array" }, "Ipv6PrefixCount": { + "markdownDescription": "The number of IPv6 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "title": "Ipv6PrefixCount", "type": "number" }, "Ipv6Prefixes": { "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.Ipv6PrefixSpecification" }, + "markdownDescription": "The IPv6 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "title": "Ipv6Prefixes", "type": "array" }, "PrivateIpAddress": { @@ -66101,12 +66543,12 @@ "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.PrivateIpAddressSpecification" }, - "markdownDescription": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.", + "markdownDescription": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.\n\nWhen creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "title": "PrivateIpAddresses", "type": "array" }, "SecondaryPrivateIpAddressCount": { - "markdownDescription": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nYou can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", + "markdownDescription": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nWhen creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "title": "SecondaryPrivateIpAddressCount", "type": "number" }, @@ -66173,6 +66615,8 @@ "additionalProperties": false, "properties": { "Ipv4Prefix": { + "markdownDescription": "The IPv4 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* .", + "title": "Ipv4Prefix", "type": "string" } }, @@ -66185,6 +66629,8 @@ "additionalProperties": false, "properties": { "Ipv6Prefix": { + "markdownDescription": "The IPv6 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* .", + "title": "Ipv6Prefix", "type": "string" } }, @@ -66707,6 +67153,8 @@ "type": "string" }, "DestinationPrefixListId": { + "markdownDescription": "The ID of a prefix list used for the destination match.", + "title": "DestinationPrefixListId", "type": "string" }, "EgressOnlyInternetGatewayId": { @@ -68146,7 +68594,7 @@ "type": "string" }, "OnDemandMaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `onDemandMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `onDemandMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "OnDemandMaxTotalPrice", "type": "string" }, @@ -68166,7 +68614,7 @@ "title": "SpotMaintenanceStrategies" }, "SpotMaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotdMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `spotMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `spotMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "SpotMaxTotalPrice", "type": "string" }, @@ -68179,7 +68627,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::SpotFleet.SpotFleetTagSpecification" }, - "markdownDescription": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tagging Your Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", + "markdownDescription": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", "title": "TagSpecifications", "type": "array" }, @@ -68967,7 +69415,7 @@ "type": "string" }, "PacketLength": { - "markdownDescription": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.", + "markdownDescription": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.\n\nFor sessions with Network Load Balancer (NLB) Traffic Mirror targets the default `PacketLength` will be set to 8500. Valid values are 1-8500. Setting a `PacketLength` greater than 8500 will result in an error response.", "title": "PacketLength", "type": "number" }, @@ -71583,7 +72031,9 @@ "type": "array" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessEndpoint.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessEndpoint.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -71684,9 +72134,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -71743,7 +72197,9 @@ "type": "boolean" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessGroup.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessGroup.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -71789,9 +72245,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -71838,11 +72298,13 @@ "type": "string" }, "FipsEnabled": { + "markdownDescription": "Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.", + "title": "FipsEnabled", "type": "boolean" }, "LoggingConfigurations": { "$ref": "#/definitions/AWS::EC2::VerifiedAccessInstance.VerifiedAccessLogs", - "markdownDescription": "The current logging configuration for the Verified Access instances.", + "markdownDescription": "The logging configuration for the Verified Access instances.", "title": "LoggingConfigurations" }, "Tags": { @@ -71959,7 +72421,7 @@ "title": "CloudWatchLogs" }, "IncludeTrustContext": { - "markdownDescription": "Include trust data sent by trust providers into the logs.", + "markdownDescription": "Indicates whether to include trust data sent by trust providers in the logs.", "title": "IncludeTrustContext", "type": "boolean" }, @@ -71969,7 +72431,7 @@ "title": "KinesisDataFirehose" }, "LogVersion": { - "markdownDescription": "The logging version to use.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", + "markdownDescription": "The logging version.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", "title": "LogVersion", "type": "string" }, @@ -72073,7 +72535,9 @@ "type": "string" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessTrustProvider.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessTrustProvider.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -72177,9 +72641,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -72425,7 +72893,7 @@ "properties": { "RepositoryCatalogData": { "$ref": "#/definitions/AWS::ECR::PublicRepository.RepositoryCatalogData", - "markdownDescription": "", + "markdownDescription": "The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see [Amazon ECR Public repository catalog data](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-catalog-data.html) in the *Amazon ECR Public User Guide* .", "title": "RepositoryCatalogData" }, "RepositoryName": { @@ -72826,6 +73294,8 @@ "additionalProperties": false, "properties": { "EmptyOnDelete": { + "markdownDescription": "If true, deleting the repository force deletes the contents of the repository. If false, the repository must be empty before attempting to delete it.", + "title": "EmptyOnDelete", "type": "boolean" }, "EncryptionConfiguration": { @@ -73019,7 +73489,7 @@ "additionalProperties": false, "properties": { "AutoScalingGroupArn": { - "markdownDescription": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group.", + "markdownDescription": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group, or the Auto Scaling group name.", "title": "AutoScalingGroupArn", "type": "string" }, @@ -73048,7 +73518,7 @@ "type": "number" }, "MaximumScalingStepSize": { - "markdownDescription": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `1` is used.", + "markdownDescription": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `10000` is used.", "title": "MaximumScalingStepSize", "type": "number" }, @@ -73279,7 +73749,7 @@ "additionalProperties": false, "properties": { "Namespace": { - "markdownDescription": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the service with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", + "markdownDescription": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the cluster with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", "title": "Namespace", "type": "string" } @@ -73808,12 +74278,12 @@ "type": "number" }, "LoadBalancerName": { - "markdownDescription": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", + "markdownDescription": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nIf you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", "title": "LoadBalancerName", "type": "string" }, "TargetGroupArn": { - "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", + "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", "title": "TargetGroupArn", "type": "string" } @@ -73948,7 +74418,7 @@ }, "LogConfiguration": { "$ref": "#/definitions/AWS::ECS::Service.LogConfiguration", - "markdownDescription": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the valid values below). Additional log drivers may be available in future releases of the Amazon ECS container agent.\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", + "markdownDescription": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", "title": "LogConfiguration" }, "Namespace": { @@ -74115,7 +74585,7 @@ "type": "string" }, "PidMode": { - "markdownDescription": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . If `host` is specified, then all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance. If `task` is specified, all containers within the specified task share the same process namespace. If no value is specified, the default is a private namespace. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, be aware that there is a heightened risk of undesired process namespace expose. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers or tasks run on AWS Fargate .", + "markdownDescription": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . On Fargate for Linux containers, the only valid value is `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, there's a heightened risk of undesired process namespace exposure. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "title": "PidMode", "type": "string" }, @@ -74430,7 +74900,7 @@ "items": { "$ref": "#/definitions/AWS::ECS::TaskDefinition.SystemControl" }, - "markdownDescription": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers.", + "markdownDescription": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) . For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers. > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "title": "SystemControls", "type": "array" }, @@ -74853,7 +75323,7 @@ "additionalProperties": false, "properties": { "AppProtocol": { - "markdownDescription": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", + "markdownDescription": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\n`appProtocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", "title": "AppProtocol", "type": "string" }, @@ -74863,12 +75333,12 @@ "type": "number" }, "ContainerPortRange": { - "markdownDescription": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", + "markdownDescription": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPortRange` is set to the same value as the `containerPortRange` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", "title": "ContainerPortRange", "type": "string" }, "HostPort": { - "markdownDescription": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", + "markdownDescription": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 (Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", "title": "HostPort", "type": "number" }, @@ -74878,7 +75348,7 @@ "type": "string" }, "Protocol": { - "markdownDescription": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` .", + "markdownDescription": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` . `protocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment.", "title": "Protocol", "type": "string" } @@ -74988,7 +75458,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value for the namespaced kernel parameter that's specified in `namespace` .", + "markdownDescription": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate.", "title": "Value", "type": "string" } @@ -75086,7 +75556,7 @@ "title": "Host" }, "Name": { - "markdownDescription": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .", + "markdownDescription": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .\n\nThis is required wwhen you use an Amazon EFS volume.", "title": "Name", "type": "string" } @@ -75273,7 +75743,7 @@ "type": "number" }, "TargetGroupArn": { - "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", + "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", "title": "TargetGroupArn", "type": "string" } @@ -75591,7 +76061,7 @@ "type": "array" }, "PerformanceMode": { - "markdownDescription": "The performance mode of the file system. We recommend `generalPurpose` performance mode for most file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created.\n\n> The `maxIO` mode is not supported on file systems using One Zone storage classes. \n\nDefault is `generalPurpose` .", + "markdownDescription": "The performance mode of the file system. We recommend `generalPurpose` performance mode for all file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The `maxIO` mode is not supported on file systems using One Zone storage classes.\n\n> Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. \n\nDefault is `generalPurpose` .", "title": "PerformanceMode", "type": "string" }, @@ -75601,10 +76071,12 @@ "type": "number" }, "ReplicationConfiguration": { - "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationConfiguration" + "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationConfiguration", + "markdownDescription": "Describes the replication configuration for a specific file system.", + "title": "ReplicationConfiguration" }, "ThroughputMode": { - "markdownDescription": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `elastic` .", + "markdownDescription": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `bursting` .", "title": "ThroughputMode", "type": "string" } @@ -75688,6 +76160,8 @@ "items": { "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationDestination" }, + "markdownDescription": "An array of destination objects. Only one destination object is supported.", + "title": "Destinations", "type": "array" } }, @@ -75697,15 +76171,23 @@ "additionalProperties": false, "properties": { "AvailabilityZoneName": { + "markdownDescription": "The AWS Availability Zone in which to create the file system.\n\n> For file systems using One Zone storage classes, the replication configuration must specify the Availability Zone in which the destination file system is located. \n\nUse the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "title": "AvailabilityZoneName", "type": "string" }, "FileSystemId": { + "markdownDescription": "The ID of the destination Amazon EFS file system.", + "title": "FileSystemId", "type": "string" }, "KmsKeyId": { + "markdownDescription": "The ID of an AWS KMS key used to protect the encrypted file system.", + "title": "KmsKeyId", "type": "string" }, "Region": { + "markdownDescription": "The AWS Region in which the destination file system is located.\n\n> For file systems using Standard storage classes, the replication configuration must specify the AWS Region in which the destination file system is located.", + "title": "Region", "type": "string" } }, @@ -75969,7 +76451,7 @@ }, "ResourcesVpcConfig": { "$ref": "#/definitions/AWS::EKS::Cluster.ResourcesVpcConfig", - "markdownDescription": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.\n\n> Updates require replacement of the `SecurityGroupIds` and `SubnetIds` sub-properties.", + "markdownDescription": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups. However, we recommend that you use a dedicated security group for your cluster control plane.\n\n> All subnets that you add must be in the same set of AZs as originally provided when you created the cluster. New subnets must satisfy all of the other requirements, for example they must have sufficient IP addresses.\n> \n> For example, assume that you made a cluster and specified four subnets. In the order that you specified them, the first subnet is in the `us-west-2a` Availability Zone, the second and third subnets are in `us-west-2b` Availability Zone, and the fourth subnet is in `us-west-2c` Availability Zone. If you want to change the subnets, you must provide at least one subnet in each of the three Availability Zones, and the subnets must be in the same VPC as the original subnets.", "title": "ResourcesVpcConfig" }, "RoleArn": { @@ -76177,7 +76659,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.", + "markdownDescription": "Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.\n\n> All subnets that you add must be in the same set of AZs as originally provided when you created the cluster. New subnets must satisfy all of the other requirements, for example they must have sufficient IP addresses.\n> \n> For example, assume that you made a cluster and specified four subnets. In the order that you specified them, the first subnet is in the `us-west-2a` Availability Zone, the second and third subnets are in `us-west-2b` Availability Zone, and the fourth subnet is in `us-west-2c` Availability Zone. If you want to change the subnets, you must provide at least one subnet in each of the three Availability Zones, and the subnets must be in the same VPC as the original subnets.", "title": "SubnetIds", "type": "array" } @@ -76822,7 +77304,7 @@ }, "AutoTerminationPolicy": { "$ref": "#/definitions/AWS::EMR::Cluster.AutoTerminationPolicy", - "markdownDescription": "", + "markdownDescription": "An auto-termination policy defines the amount of idle time in seconds after which a cluster automatically terminates. For alternative cluster termination options, see [Control cluster termination](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-termination.html)", "title": "AutoTerminationPolicy" }, "BootstrapActions": { @@ -76887,7 +77369,7 @@ "type": "string" }, "OSReleaseLabel": { - "markdownDescription": "", + "markdownDescription": "The Amazon Linux release specified in a cluster launch RunJobFlow request. If no Amazon Linux release was specified, the default Amazon Linux release is shown in the response.", "title": "OSReleaseLabel", "type": "string" }, @@ -77029,7 +77511,7 @@ "additionalProperties": false, "properties": { "IdleTimeout": { - "markdownDescription": "", + "markdownDescription": "Specifies the amount of idle time in seconds after which the cluster automatically terminates. You can specify a minimum of 60 seconds and a maximum of 604800 seconds (seven days).", "title": "IdleTimeout", "type": "number" } @@ -77830,6 +78312,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -78134,6 +78618,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -78564,6 +79050,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -79050,9 +79538,13 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "You can add tags when you create a new workspace. You can add, remove, or list tags from an active workspace, but you can't update tags. Instead, remove the tag and add a new one. For more information, see see [Tag your Amazon EMR WAL workspaces](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hbase-wal.html#emr-hbase-wal-tagging) .", + "title": "Tags", "type": "array" }, "WALWorkspaceName": { + "markdownDescription": "The name of the WAL workspace.", + "title": "WALWorkspaceName", "type": "string" } }, @@ -79249,7 +79741,7 @@ "additionalProperties": false, "properties": { "Architecture": { - "markdownDescription": "The CPU architecture type of the application. Allowed values: `X86_64` or `ARM64`", + "markdownDescription": "The CPU architecture of an application.", "title": "Architecture", "type": "string" }, @@ -79265,7 +79757,7 @@ }, "ImageConfiguration": { "$ref": "#/definitions/AWS::EMRServerless::Application.ImageConfigurationInput", - "markdownDescription": "", + "markdownDescription": "The image configuration applied to all worker types.", "title": "ImageConfiguration" }, "InitialCapacity": { @@ -79285,7 +79777,7 @@ "$ref": "#/definitions/AWS::EMRServerless::Application.MonitoringConfiguration" }, "Name": { - "markdownDescription": "The name of the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._\\\\/#-]+$`", + "markdownDescription": "The name of the application.", "title": "Name", "type": "string" }, @@ -79295,7 +79787,7 @@ "title": "NetworkConfiguration" }, "ReleaseLabel": { - "markdownDescription": "The EMR release version associated with the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._/-]+$`", + "markdownDescription": "The Amazon EMR release associated with the application.", "title": "ReleaseLabel", "type": "string" }, @@ -79320,7 +79812,7 @@ }, "WorkerTypeSpecifications": { "additionalProperties": false, - "markdownDescription": "", + "markdownDescription": "The specification applied to each worker type.", "patternProperties": { "^[a-zA-Z0-9]+$": { "$ref": "#/definitions/AWS::EMRServerless::Application.WorkerTypeSpecificationInput" @@ -79361,7 +79853,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "Enables the application to automatically start on job submission. Defaults to true.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" } @@ -79372,12 +79864,12 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "Enables the application to automatically stop after a certain amount of time being idle. Defaults to true.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" }, "IdleTimeoutMinutes": { - "markdownDescription": "The amount of idle time in minutes after which your application will automatically stop. Defaults to 15 minutes.\n\n*Minimum* : 1\n\n*Maximum* : 10080", + "markdownDescription": "", "title": "IdleTimeoutMinutes", "type": "number" } @@ -79415,7 +79907,7 @@ "additionalProperties": false, "properties": { "ImageUri": { - "markdownDescription": "", + "markdownDescription": "The URI of an image in the Amazon ECR registry. This field is required when you create a new application. If you leave this field blank in an update, Amazon EMR will remove the image configuration.", "title": "ImageUri", "type": "string" } @@ -79431,7 +79923,7 @@ "title": "WorkerConfiguration" }, "WorkerCount": { - "markdownDescription": "The number of workers in the initial capacity configuration.\n\n*Minimum* : 1\n\n*Maximum* : 1000000", + "markdownDescription": "The number of workers in the initial capacity configuration.", "title": "WorkerCount", "type": "number" } @@ -79446,13 +79938,13 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The worker type for an analytics framework. For Spark applications, the key can either be set to `Driver` or `Executor` . For Hive applications, it can be set to `HiveDriver` or `TezTask` .\n\n*Minimum* : 1\n\n*Maximum* : 50\n\n*Pattern* : `^[a-zA-Z]+[-_]*[a-zA-Z]+$`", + "markdownDescription": "", "title": "Key", "type": "string" }, "Value": { "$ref": "#/definitions/AWS::EMRServerless::Application.InitialCapacityConfig", - "markdownDescription": "The value for the initial capacity configuration per worker.", + "markdownDescription": "", "title": "Value" } }, @@ -79478,17 +79970,17 @@ "additionalProperties": false, "properties": { "Cpu": { - "markdownDescription": "The maximum allowed CPU for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "markdownDescription": "The maximum allowed CPU for an application.", "title": "Cpu", "type": "string" }, "Disk": { - "markdownDescription": "The maximum allowed disk for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "markdownDescription": "The maximum allowed disk for an application.", "title": "Disk", "type": "string" }, "Memory": { - "markdownDescription": "The maximum allowed resources for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`", + "markdownDescription": "The maximum allowed resources for an application.", "title": "Memory", "type": "string" } @@ -79518,7 +80010,7 @@ "items": { "type": "string" }, - "markdownDescription": "The array of security group Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "markdownDescription": "The array of security group Ids for customer VPC connectivity.", "title": "SecurityGroupIds", "type": "array" }, @@ -79526,7 +80018,7 @@ "items": { "type": "string" }, - "markdownDescription": "The array of subnet Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "markdownDescription": "The array of subnet Ids for customer VPC connectivity.", "title": "SubnetIds", "type": "array" } @@ -79549,17 +80041,17 @@ "additionalProperties": false, "properties": { "Cpu": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "markdownDescription": "", "title": "Cpu", "type": "string" }, "Disk": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "markdownDescription": "", "title": "Disk", "type": "string" }, "Memory": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`", + "markdownDescription": "", "title": "Memory", "type": "string" } @@ -79575,7 +80067,7 @@ "properties": { "ImageConfiguration": { "$ref": "#/definitions/AWS::EMRServerless::Application.ImageConfigurationInput", - "markdownDescription": "", + "markdownDescription": "The image configuration for a worker type.", "title": "ImageConfiguration" } }, @@ -79645,12 +80137,12 @@ "type": "array" }, "CacheSubnetGroupName": { - "markdownDescription": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see [AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .", + "markdownDescription": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see `[AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .`", "title": "CacheSubnetGroupName", "type": "string" }, "ClusterName": { - "markdownDescription": "A name for the cache cluster. If you don't specify a name, AWSCloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", + "markdownDescription": "A name for the cache cluster. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", "title": "ClusterName", "type": "string" }, @@ -80321,8 +80813,6 @@ "type": "string" }, "ReplicationGroupId": { - "markdownDescription": "The replication group identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n- A name must contain from 1 to 40 alphanumeric characters or hyphens.\n- The first character must be a letter.\n- A name cannot end with a hyphen or contain two consecutive hyphens.", - "title": "ReplicationGroupId", "type": "string" }, "SecurityGroupIds": { @@ -81620,16 +82110,16 @@ }, "ConnectionDrainingPolicy": { "$ref": "#/definitions/AWS::ElasticLoadBalancing::LoadBalancer.ConnectionDrainingPolicy", - "markdownDescription": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure Connection Draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure connection draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *User Guide for Classic Load Balancers* .", "title": "ConnectionDrainingPolicy" }, "ConnectionSettings": { "$ref": "#/definitions/AWS::ElasticLoadBalancing::LoadBalancer.ConnectionSettings", - "markdownDescription": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. For more information, see [Configure Idle Connection Timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. For more information, see [Configure idle connection timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *User Guide for Classic Load Balancers* .", "title": "ConnectionSettings" }, "CrossZone": { - "markdownDescription": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure Cross-Zone Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *User Guide for Classic Load Balancers* .", "title": "CrossZone", "type": "boolean" }, @@ -83066,7 +83556,7 @@ "items": { "type": "string" }, - "markdownDescription": "[Application Load Balancers] The IDs of the security groups for the load balancer.", + "markdownDescription": "[Application Load Balancers and Network Load Balancers] The IDs of the security groups for the load balancer.", "title": "SecurityGroups", "type": "array" }, @@ -83126,7 +83616,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .\n\nThe following attributes are supported by only Network Load Balancers:\n\n- `dns_record.client_routing_policy` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are `availability_zone_affinity` with 100 percent zonal affinity, `partial_availability_zone_affinity` with 85 percent zonal affinity, and `any_availability_zone` with 0 percent zonal affinity.", "title": "Key", "type": "string" }, @@ -83373,7 +83863,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . The default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", "title": "Key", "type": "string" }, @@ -83858,33 +84348,47 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the workflow.", + "title": "Description", "type": "string" }, "IdMappingTechniques": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingTechniques" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingTechniques", + "markdownDescription": "An object which defines the `idMappingType` and the `providerProperties` .", + "title": "IdMappingTechniques" }, "InputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingWorkflowInputSource" }, + "markdownDescription": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "title": "InputSourceConfig", "type": "array" }, "OutputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingWorkflowOutputSource" }, + "markdownDescription": "A list of `IdMappingWorkflowOutputSource` objects, each of which contains fields `OutputS3Path` and `Output` .", + "title": "OutputSourceConfig", "type": "array" }, "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "title": "RoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" }, "WorkflowName": { + "markdownDescription": "The name of the workflow. There can't be multiple `IdMappingWorkflows` with the same name.", + "title": "WorkflowName", "type": "string" } }, @@ -83922,10 +84426,14 @@ "additionalProperties": false, "properties": { "IdMappingType": { + "markdownDescription": "The type of ID mapping.", + "title": "IdMappingType", "type": "string" }, "ProviderProperties": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.ProviderProperties" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.ProviderProperties", + "markdownDescription": "An object which defines any additional configurations required by the provider service.", + "title": "ProviderProperties" } }, "type": "object" @@ -83934,9 +84442,13 @@ "additionalProperties": false, "properties": { "InputSourceARN": { + "markdownDescription": "An AWS Glue table ARN for the input source table.", + "title": "InputSourceARN", "type": "string" }, "SchemaArn": { + "markdownDescription": "The ARN (Amazon Resource Name) that AWS Entity Resolution generated for the `SchemaMapping` .", + "title": "SchemaArn", "type": "string" } }, @@ -83950,9 +84462,13 @@ "additionalProperties": false, "properties": { "KMSArn": { + "markdownDescription": "Customer AWS KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "title": "KMSArn", "type": "string" }, "OutputS3Path": { + "markdownDescription": "The S3 path to which AWS Entity Resolution will write the output table.", + "title": "OutputS3Path", "type": "string" } }, @@ -83965,6 +84481,8 @@ "additionalProperties": false, "properties": { "IntermediateS3Path": { + "markdownDescription": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`", + "title": "IntermediateS3Path", "type": "string" } }, @@ -83977,18 +84495,24 @@ "additionalProperties": false, "properties": { "IntermediateSourceConfiguration": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IntermediateSourceConfiguration" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IntermediateSourceConfiguration", + "markdownDescription": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "title": "IntermediateSourceConfiguration" }, "ProviderConfiguration": { "additionalProperties": true, + "markdownDescription": "The required configuration fields to use with the provider service.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "ProviderConfiguration", "type": "object" }, "ProviderServiceArn": { + "markdownDescription": "The ARN of the provider service.", + "title": "ProviderServiceArn", "type": "string" } }, @@ -84033,33 +84557,47 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the workflow.", + "title": "Description", "type": "string" }, "InputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.InputSource" }, + "markdownDescription": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "title": "InputSourceConfig", "type": "array" }, "OutputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.OutputSource" }, + "markdownDescription": "A list of `OutputSource` objects, each of which contains fields `OutputS3Path` , `ApplyNormalization` , and `Output` .", + "title": "OutputSourceConfig", "type": "array" }, "ResolutionTechniques": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ResolutionTechniques" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ResolutionTechniques", + "markdownDescription": "An object which defines the `resolutionType` and the `ruleBasedProperties` .", + "title": "ResolutionTechniques" }, "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "title": "RoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" }, "WorkflowName": { + "markdownDescription": "The name of the workflow. There can't be multiple `MatchingWorkflows` with the same name.", + "title": "WorkflowName", "type": "string" } }, @@ -84097,12 +84635,18 @@ "additionalProperties": false, "properties": { "ApplyNormalization": { + "markdownDescription": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "title": "ApplyNormalization", "type": "boolean" }, "InputSourceARN": { + "markdownDescription": "An object containing `InputSourceARN` , `SchemaName` , and `ApplyNormalization` .", + "title": "InputSourceARN", "type": "string" }, "SchemaArn": { + "markdownDescription": "The name of the schema.", + "title": "SchemaArn", "type": "string" } }, @@ -84116,6 +84660,8 @@ "additionalProperties": false, "properties": { "IntermediateS3Path": { + "markdownDescription": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`", + "title": "IntermediateS3Path", "type": "string" } }, @@ -84128,9 +84674,13 @@ "additionalProperties": false, "properties": { "Hashed": { + "markdownDescription": "Enables the ability to hash the column values in the output.", + "title": "Hashed", "type": "boolean" }, "Name": { + "markdownDescription": "A name of a column to be written to the output. This must be an `InputField` name in the schema mapping.", + "title": "Name", "type": "string" } }, @@ -84143,18 +84693,26 @@ "additionalProperties": false, "properties": { "ApplyNormalization": { + "markdownDescription": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "title": "ApplyNormalization", "type": "boolean" }, "KMSArn": { + "markdownDescription": "Customer KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "title": "KMSArn", "type": "string" }, "Output": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.OutputAttribute" }, + "markdownDescription": "A list of `OutputAttribute` objects, each of which have the fields `Name` and `Hashed` . Each of these objects selects a column to be included in the output table, and whether the values of the column should be hashed.", + "title": "Output", "type": "array" }, "OutputS3Path": { + "markdownDescription": "The S3 path to which AWS Entity Resolution will write the output table.", + "title": "OutputS3Path", "type": "string" } }, @@ -84168,18 +84726,24 @@ "additionalProperties": false, "properties": { "IntermediateSourceConfiguration": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.IntermediateSourceConfiguration" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.IntermediateSourceConfiguration", + "markdownDescription": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "title": "IntermediateSourceConfiguration" }, "ProviderConfiguration": { "additionalProperties": true, + "markdownDescription": "The required configuration fields to use with the provider service.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "ProviderConfiguration", "type": "object" }, "ProviderServiceArn": { + "markdownDescription": "The ARN of the provider service.", + "title": "ProviderServiceArn", "type": "string" } }, @@ -84192,13 +84756,19 @@ "additionalProperties": false, "properties": { "ProviderProperties": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ProviderProperties" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ProviderProperties", + "markdownDescription": "The properties of the provider service.", + "title": "ProviderProperties" }, "ResolutionType": { + "markdownDescription": "The type of matching. There are two types of matching: `RULE_MATCHING` and `ML_MATCHING` .", + "title": "ResolutionType", "type": "string" }, "RuleBasedProperties": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.RuleBasedProperties" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.RuleBasedProperties", + "markdownDescription": "An object which defines the list of matching rules to run and has a field `Rules` , which is a list of rule objects.", + "title": "RuleBasedProperties" } }, "type": "object" @@ -84210,9 +84780,13 @@ "items": { "type": "string" }, + "markdownDescription": "A list of `MatchingKeys` . The `MatchingKeys` must have been defined in the `SchemaMapping` . Two records are considered to match according to this rule if all of the `MatchingKeys` match.", + "title": "MatchingKeys", "type": "array" }, "RuleName": { + "markdownDescription": "A name for the matching rule.", + "title": "RuleName", "type": "string" } }, @@ -84226,12 +84800,16 @@ "additionalProperties": false, "properties": { "AttributeMatchingModel": { + "markdownDescription": "The comparison type. You can either choose `ONE_TO_ONE` or `MANY_TO_MANY` as the AttributeMatchingModel. When choosing `MANY_TO_MANY` , the system can match attributes across the sub-types of an attribute type. For example, if the value of the `Email` field of Profile A and the value of `BusinessEmail` field of Profile B matches, the two profiles are matched on the `Email` type. When choosing `ONE_TO_ONE` ,the system can only match if the sub-types are exact matches. For example, only when the value of the `Email` field of Profile A and the value of the `Email` field of Profile B matches, the two profiles are matched on the `Email` type.", + "title": "AttributeMatchingModel", "type": "string" }, "Rules": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.Rule" }, + "markdownDescription": "A list of `Rule` objects, each of which have fields `RuleName` and `MatchingKeys` .", + "title": "Rules", "type": "array" } }, @@ -84277,21 +84855,29 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the schema.", + "title": "Description", "type": "string" }, "MappedInputFields": { "items": { "$ref": "#/definitions/AWS::EntityResolution::SchemaMapping.SchemaInputAttribute" }, + "markdownDescription": "A list of `MappedInputFields` . Each `MappedInputField` corresponds to a column the source data table, and contains column name plus additional information that AWS Entity Resolution uses for matching.", + "title": "MappedInputFields", "type": "array" }, "SchemaName": { + "markdownDescription": "The name of the schema. There can't be multiple `SchemaMappings` with the same name.", + "title": "SchemaName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" } }, @@ -84326,18 +84912,28 @@ "additionalProperties": false, "properties": { "FieldName": { + "markdownDescription": "A string containing the field name.", + "title": "FieldName", "type": "string" }, "GroupName": { + "markdownDescription": "Instruct AWS Entity Resolution to combine several columns into a unified column with the identical attribute type. For example, when working with columns such as first_name, middle_name, and last_name, assigning them a common `GroupName` will prompt AWS Entity Resolution to concatenate them into a single value.", + "title": "GroupName", "type": "string" }, "MatchKey": { + "markdownDescription": "A key that allows grouping of multiple input attributes into a unified matching group. For example, let's consider a scenario where the source table contains various addresses, such as `business_address` and `shipping_address` . By assigning the `MatchKey` *Address* to both attributes, AWS Entity Resolution will match records across these fields to create a consolidated matching group. If no `MatchKey` is specified for a column, it won't be utilized for matching purposes but will still be included in the output table.", + "title": "MatchKey", "type": "string" }, "SubType": { + "markdownDescription": "The subtype of the attribute, selected from a list of values.", + "title": "SubType", "type": "string" }, "Type": { + "markdownDescription": "The type of the attribute, selected from a list of values.", + "title": "Type", "type": "string" } }, @@ -84436,12 +85032,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -84532,12 +85128,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -84727,12 +85323,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -85406,6 +86002,8 @@ "type": "string" }, "Policy": { + "markdownDescription": "The permissions policy of the event bus, describing which other AWS accounts can write events to this event bus.", + "title": "Policy", "type": "object" }, "Tags": { @@ -86017,6 +86615,8 @@ "items": { "type": "string" }, + "markdownDescription": "One or more SQL statements to run. The SQL statements are run as a single transaction. They run serially in the order of the array. Subsequent SQL statements don't start until the previous statement in the array completes. If any SQL statement fails, then because they are run as one transaction, all work is rolled back.", + "title": "Sqls", "type": "array" }, "StatementName": { @@ -86313,7 +86913,7 @@ "type": "number" }, "Segment": { - "markdownDescription": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "markdownDescription": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "title": "Segment", "type": "string" }, @@ -87152,7 +87752,7 @@ "type": "string" }, "Pattern": { - "markdownDescription": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "markdownDescription": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "title": "Pattern", "type": "string" }, @@ -87238,7 +87838,7 @@ "type": "object" }, "Description": { - "markdownDescription": "A description for the experiment template.", + "markdownDescription": "The description for the experiment template.", "title": "Description", "type": "string" }, @@ -87248,7 +87848,7 @@ "title": "LogConfiguration" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that grants the AWS FIS service permission to perform service actions on your behalf.", + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role.", "title": "RoleArn", "type": "string" }, @@ -87256,13 +87856,13 @@ "items": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.ExperimentTemplateStopCondition" }, - "markdownDescription": "The stop conditions.", + "markdownDescription": "The stop conditions for the experiment.", "title": "StopConditions", "type": "array" }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags to apply to the experiment template.", + "markdownDescription": "The tags for the experiment template.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -87331,7 +87931,7 @@ "additionalProperties": false, "properties": { "ActionId": { - "markdownDescription": "The ID of the action. The format of the action ID is: aws: *service-name* : *action-type* .", + "markdownDescription": "The ID of the action.", "title": "ActionId", "type": "string" }, @@ -87342,32 +87942,28 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "The parameters for the action, if applicable.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Parameters", "type": "object" }, "StartAfter": { "items": { "type": "string" }, - "markdownDescription": "The name of the action that must be completed before the current action starts. Omit this parameter to run the action at the start of the experiment.", + "markdownDescription": "The name of the action that must be completed before the current action starts.", "title": "StartAfter", "type": "array" }, "Targets": { "additionalProperties": true, - "markdownDescription": "The targets for the action.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Targets", "type": "object" } }, @@ -87404,12 +88000,12 @@ "additionalProperties": false, "properties": { "Source": { - "markdownDescription": "The source for the stop condition. Specify `aws:cloudwatch:alarm` if the stop condition is defined by a CloudWatch alarm. Specify `none` if there is no stop condition.", + "markdownDescription": "The source for the stop condition.", "title": "Source", "type": "string" }, "Value": { - "markdownDescription": "The Amazon Resource Name (ARN) of the CloudWatch alarm. This is required if the source is a CloudWatch alarm.", + "markdownDescription": "The Amazon Resource Name (ARN) of the CloudWatch alarm, if applicable.", "title": "Value", "type": "string" } @@ -87445,7 +88041,7 @@ "items": { "type": "string" }, - "markdownDescription": "The Amazon Resource Names (ARNs) of the resources.", + "markdownDescription": "The Amazon Resource Names (ARNs) of the targets.", "title": "ResourceArns", "type": "array" }, @@ -87461,12 +88057,12 @@ "type": "object" }, "ResourceType": { - "markdownDescription": "The resource type. The resource type must be supported for the specified action.", + "markdownDescription": "The resource type.", "title": "ResourceType", "type": "string" }, "SelectionMode": { - "markdownDescription": "Scopes the identified resources to a specific count of the resources at random, or a percentage of the resources. All identified resources are included in the target.\n\n- ALL - Run the action on all identified targets. This is the default.\n- COUNT(n) - Run the action on the specified number of targets, chosen from the identified targets at random. For example, COUNT(1) selects one of the targets.\n- PERCENT(n) - Run the action on the specified percentage of targets, chosen from the identified targets at random. For example, PERCENT(25) selects 25% of the targets.", + "markdownDescription": "Scopes the identified resources to a specific count or percentage.", "title": "SelectionMode", "type": "string" } @@ -87679,7 +88275,7 @@ "type": "array" }, "ResourceType": { - "markdownDescription": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nFor AWS WAF and Shield Advanced, example resource types include `AWS::ElasticLoadBalancingV2::LoadBalancer` and `AWS::CloudFront::Distribution` . For a security group common policy, valid values are `AWS::EC2::NetworkInterface` and `AWS::EC2::Instance` . For a security group content audit policy, valid values are `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` . For a security group usage audit policy, the value is `AWS::EC2::SecurityGroup` . For an AWS Network Firewall policy or DNS Firewall policy, the value is `AWS::EC2::VPC` .", + "markdownDescription": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nThe following are valid resource types for each Firewall Manager policy type:\n\n- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .\n- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .\n- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .\n- AWS Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .\n- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .\n- Security group usage audit - `AWS::EC2::SecurityGroup` .", "title": "ResourceType", "type": "string" }, @@ -87698,7 +88294,7 @@ }, "SecurityServicePolicyData": { "$ref": "#/definitions/AWS::FMS::Policy.SecurityServicePolicyData", - "markdownDescription": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "markdownDescription": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "title": "SecurityServicePolicyData" }, "Tags": { @@ -87834,7 +88430,7 @@ "additionalProperties": false, "properties": { "ManagedServiceData": { - "markdownDescription": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "markdownDescription": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"\\THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]},\\\"optimizeUnassociatedWebACL\\\":true}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "title": "ManagedServiceData", "type": "string" }, @@ -87925,7 +88521,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources included in the resource set.", + "markdownDescription": "", "title": "Resources", "type": "array" }, @@ -87933,7 +88529,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A collection of key:value pairs associated with a resource set. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.", + "markdownDescription": "", "title": "Tags", "type": "array" } @@ -88163,7 +88759,7 @@ "type": "string" }, "FileSystemTypeVersion": { - "markdownDescription": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` and `2.12` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 is supported by all Lustre deployment types. `2.12` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", + "markdownDescription": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` , `2.12` , and `2.15` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 and 2.15 are supported by all Lustre deployment types. `2.12` or `2.15` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", "title": "FileSystemTypeVersion", "type": "string" }, @@ -88436,7 +89032,7 @@ "items": { "type": "string" }, - "markdownDescription": "(Multi-AZ only) Specifies the virtual private cloud (VPC) route tables in which your file system's endpoints will be created. You should specify all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "markdownDescription": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", "title": "RouteTableIds", "type": "array" }, @@ -88480,16 +89076,18 @@ "type": "string" }, "DeploymentType": { - "markdownDescription": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `SINGLE_AZ_1` - (Default) Creates file systems with throughput capacities of 64 - 4,096 MBps. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland) AWS Regions .\n\nFor more information, see: [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", + "markdownDescription": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `MULTI_AZ_1` - Creates file systems with high availability that are configured for Multi-AZ redundancy to tolerate temporary unavailability in Availability Zones (AZs). `Multi_AZ_1` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n- `SINGLE_AZ_1` - Creates file systems with throughput capacities of 64 - 4,096 MB/s. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n\nFor more information, see [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", "title": "DeploymentType", "type": "string" }, "DiskIopsConfiguration": { "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration", - "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", + "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP, Amazon FSx for Windows File Server, or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", "title": "DiskIopsConfiguration" }, "EndpointIpAddressRange": { + "markdownDescription": "(Multi-AZ only) Specifies the IP address range in which the endpoints to access your file system will be created. By default in the Amazon FSx API and Amazon FSx console, Amazon FSx selects an available /28 IP address range for you from one of the VPC's CIDR ranges. You can have overlapping endpoint IP addresses for file systems deployed in the same VPC/route tables.", + "title": "EndpointIpAddressRange", "type": "string" }, "Options": { @@ -88501,6 +89099,8 @@ "type": "array" }, "PreferredSubnetId": { + "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", + "title": "PreferredSubnetId", "type": "string" }, "RootVolumeConfiguration": { @@ -88512,10 +89112,12 @@ "items": { "type": "string" }, + "markdownDescription": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "title": "RouteTableIds", "type": "array" }, "ThroughputCapacity": { - "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n- For `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "title": "ThroughputCapacity", "type": "number" }, @@ -88674,7 +89276,9 @@ "type": "string" }, "DiskIopsConfiguration": { - "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration" + "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration", + "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for Windows file system. By default, Amazon FSx automatically provisions 3 IOPS per GiB of storage capacity. You can provision additional IOPS per GiB of storage, up to the maximum limit associated with your chosen throughput capacity.", + "title": "DiskIopsConfiguration" }, "PreferredSubnetId": { "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located. For in- AWS applications, we recommend that you launch your clients in the same availability zone as your preferred file server to reduce cross-availability zone data transfer costs and minimize latency.", @@ -89033,9 +89637,13 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Defines the type of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. Setting this value to `NONE` disables autocommit. The default value is `NONE` .", + "title": "Type", "type": "string" }, "Value": { + "markdownDescription": "Defines the amount of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. The following ranges are valid:\n\n- `Minutes` : 5 - 65,535\n- `Hours` : 1 - 65,535\n- `Days` : 1 - 3,650\n- `Months` : 1 - 120\n- `Years` : 1 - 10", + "title": "Value", "type": "number" } }, @@ -89113,7 +89721,9 @@ "type": "string" }, "SnaplockConfiguration": { - "$ref": "#/definitions/AWS::FSx::Volume.SnaplockConfiguration" + "$ref": "#/definitions/AWS::FSx::Volume.SnaplockConfiguration", + "markdownDescription": "The SnapLock configuration object for an FSx for ONTAP SnapLock volume.", + "title": "SnaplockConfiguration" }, "SnapshotPolicy": { "markdownDescription": "Specifies the snapshot policy for the volume. There are three built-in snapshot policies:\n\n- `default` : This is the default policy. A maximum of six hourly snapshots taken five minutes past the hour. A maximum of two daily snapshots taken Monday through Saturday at 10 minutes after midnight. A maximum of two weekly snapshots taken every Sunday at 15 minutes after midnight.\n- `default-1weekly` : This policy is the same as the `default` policy except that it only retains one snapshot from the weekly schedule.\n- `none` : This policy does not take any snapshots. This policy can be assigned to volumes to prevent automatic snapshots from being taken.\n\nYou can also provide the name of a custom policy that you created with the ONTAP CLI or REST API.\n\nFor more information, see [Snapshot policies](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snapshots-ontap.html#snapshot-policies) in the *Amazon FSx for NetApp ONTAP User Guide* .", @@ -89239,9 +89849,13 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Defines the type of time for the retention period of an FSx for ONTAP SnapLock volume. Set it to one of the valid types. If you set it to `INFINITE` , the files are retained forever. If you set it to `UNSPECIFIED` , the files are retained until you set an explicit retention period.", + "title": "Type", "type": "string" }, "Value": { + "markdownDescription": "Defines the amount of time for the retention period of an FSx for ONTAP SnapLock volume. You can't set a value for `INFINITE` or `UNSPECIFIED` . For all other options, the following ranges are valid:\n\n- `Seconds` : 0 - 65,535\n- `Minutes` : 0 - 65,535\n- `Hours` : 0 - 24\n- `Days` : 0 - 365\n- `Months` : 0 - 12\n- `Years` : 0 - 100", + "title": "Value", "type": "number" } }, @@ -89254,21 +89868,33 @@ "additionalProperties": false, "properties": { "AuditLogVolume": { + "markdownDescription": "Enables or disables the audit log volume for an FSx for ONTAP SnapLock volume. The default value is `false` . If you set `AuditLogVolume` to `true` , the SnapLock volume is created as an audit log volume. The minimum retention period for an audit log volume is six months.\n\nFor more information, see [SnapLock audit log volumes](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/how-snaplock-works.html#snaplock-audit-log-volume) .", + "title": "AuditLogVolume", "type": "string" }, "AutocommitPeriod": { - "$ref": "#/definitions/AWS::FSx::Volume.AutocommitPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.AutocommitPeriod", + "markdownDescription": "The configuration object for setting the autocommit period of files in an FSx for ONTAP SnapLock volume.", + "title": "AutocommitPeriod" }, "PrivilegedDelete": { + "markdownDescription": "Enables, disables, or permanently disables privileged delete on an FSx for ONTAP SnapLock Enterprise volume. Enabling privileged delete allows SnapLock administrators to delete write once, read many (WORM) files even if they have active retention periods. `PERMANENTLY_DISABLED` is a terminal state. If privileged delete is permanently disabled on a SnapLock volume, you can't re-enable it. The default value is `DISABLED` .\n\nFor more information, see [Privileged delete](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html#privileged-delete) .", + "title": "PrivilegedDelete", "type": "string" }, "RetentionPeriod": { - "$ref": "#/definitions/AWS::FSx::Volume.SnaplockRetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.SnaplockRetentionPeriod", + "markdownDescription": "Specifies the retention period of an FSx for ONTAP SnapLock volume.", + "title": "RetentionPeriod" }, "SnaplockType": { + "markdownDescription": "Specifies the retention mode of an FSx for ONTAP SnapLock volume. After it is set, it can't be changed. You can choose one of the following retention modes:\n\n- `COMPLIANCE` : Files transitioned to write once, read many (WORM) on a Compliance volume can't be deleted until their retention periods expire. This retention mode is used to address government or industry-specific mandates or to protect against ransomware attacks. For more information, see [SnapLock Compliance](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-compliance.html) .\n- `ENTERPRISE` : Files transitioned to WORM on an Enterprise volume can be deleted by authorized users before their retention periods expire using privileged delete. This retention mode is used to advance an organization's data integrity and internal compliance or to test retention settings before using SnapLock Compliance. For more information, see [SnapLock Enterprise](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html) .", + "title": "SnaplockType", "type": "string" }, "VolumeAppendModeEnabled": { + "markdownDescription": "Enables or disables volume-append mode on an FSx for ONTAP SnapLock volume. Volume-append mode allows you to create WORM-appendable files and write data to them incrementally. The default value is `false` .\n\nFor more information, see [Volume-append mode](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/worm-state.html#worm-state-append) .", + "title": "VolumeAppendModeEnabled", "type": "string" } }, @@ -89281,13 +89907,19 @@ "additionalProperties": false, "properties": { "DefaultRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The retention period assigned to a write once, read many (WORM) file by default if an explicit retention period is not set for an FSx for ONTAP SnapLock volume. The default retention period must be greater than or equal to the minimum retention period and less than or equal to the maximum retention period.", + "title": "DefaultRetention" }, "MaximumRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The longest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "title": "MaximumRetention" }, "MinimumRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The shortest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "title": "MinimumRetention" } }, "required": [ @@ -90110,7 +90742,7 @@ "additionalProperties": false, "properties": { "Arn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the model.", "title": "Arn", "type": "string" } @@ -90190,7 +90822,7 @@ "type": "string" }, "Language": { - "markdownDescription": "The rule language.", + "markdownDescription": "The rule language.\n\nValid Value: DETECTORPL", "title": "Language", "type": "string" }, @@ -91066,12 +91698,12 @@ "type": "string" }, "OperatingSystem": { - "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> The Amazon Linux 2023 OS is not available in the China Regions. > Support is ending in 2023 for the Windows Server 2012 and Amazon Linux (AL1) operating systems. If you have active fleets using these operating systems, you can continue to create new builds using these until their end of support. All other users must use Windows Server 2016, Amazon Linux 2, or Amazon Linux 2023. For more information, including specific end-of-support dates, see the Amazon GameLift FAQs for [Windows Server](https://docs.aws.amazon.com/gamelift/faq/win2012/) and [Linux Server](https://docs.aws.amazon.com/gamelift/faq/al1/) .", + "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. All others must use Windows Server 2016 when creating new Windows-based builds.", "title": "OperatingSystem", "type": "string" }, "ServerSdkVersion": { - "markdownDescription": "The Amazon GameLift Server SDK version used to develop your game server.", + "markdownDescription": "A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see [Integrate games with custom game servers](https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html) . By default Amazon GameLift sets this value to `4.0.2` .", "title": "ServerSdkVersion", "type": "string" }, @@ -91112,22 +91744,22 @@ "additionalProperties": false, "properties": { "Bucket": { - "markdownDescription": "", + "markdownDescription": "An Amazon S3 bucket identifier. Thename of the S3 bucket.\n\n> Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).", "title": "Bucket", "type": "string" }, "Key": { - "markdownDescription": "", + "markdownDescription": "The name of the zip file that contains the build files or script files.", "title": "Key", "type": "string" }, "ObjectVersion": { - "markdownDescription": "", + "markdownDescription": "The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this information when retrieving files from your S3 bucket. To retrieve a specific version of the file, provide an object version. To retrieve the latest version of the file, do not set this parameter.", "title": "ObjectVersion", "type": "string" }, "RoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) for an IAM role that allows Amazon GameLift to access the S3 bucket.", "title": "RoleArn", "type": "string" } @@ -91176,7 +91808,7 @@ "properties": { "AnywhereConfiguration": { "$ref": "#/definitions/AWS::GameLift::Fleet.AnywhereConfiguration", - "markdownDescription": "", + "markdownDescription": "Amazon GameLift Anywhere configuration options for your Anywhere fleets.", "title": "AnywhereConfiguration" }, "BuildId": { @@ -91218,16 +91850,18 @@ "type": "string" }, "FleetType": { - "markdownDescription": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This property cannot be changed after the fleet is created.", + "markdownDescription": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This fleet property can't be changed after the fleet is created.", "title": "FleetType", "type": "string" }, "InstanceRoleARN": { - "markdownDescription": "A unique identifier for an IAM role that manages access to your AWS services. With an instance role ARN set, any application that runs on an instance in this fleet can assume the role, including install scripts, server processes, and daemons (background processes). Create a role or look up a role's ARN by using the [IAM dashboard](https://docs.aws.amazon.com/iam/) in the AWS Management Console . Learn more about using on-box credentials for your game servers at [Access external resources from a game server](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) . This property cannot be changed after the fleet is created.", + "markdownDescription": "A unique identifier for an IAM role with access permissions to other AWS services. Any application that runs on an instance in the fleet--including install scripts, server processes, and other processes--can use these permissions to interact with AWS resources that you own or have access to. For more information about using the role with your game server builds, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", "title": "InstanceRoleARN", "type": "string" }, "InstanceRoleCredentialsProvider": { + "markdownDescription": "Indicates that fleet instances maintain a shared credentials file for the IAM role defined in `InstanceRoleArn` . Shared credentials allow applications that are deployed with the game server executable to communicate with other AWS resources. This property is used only when the game server is integrated with the server SDK version 5.x. For more information about using shared credentials, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", + "title": "InstanceRoleCredentialsProvider", "type": "string" }, "Locations": { @@ -91382,7 +92016,7 @@ "additionalProperties": false, "properties": { "DesiredEC2Instances": { - "markdownDescription": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits.", + "markdownDescription": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits. Changes in desired instance value can take up to 1 minute to be reflected when viewing the fleet's capacity settings.", "title": "DesiredEC2Instances", "type": "number" }, @@ -91472,7 +92106,7 @@ "type": "number" }, "LaunchPath": { - "markdownDescription": "The location of a game build executable or the Realtime script file that contains the `Init()` function. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"", + "markdownDescription": "The location of a game build executable or Realtime script. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"\n\n> Amazon GameLift doesn't support the use of setup scripts that launch the game executable. For custom game builds, this parameter must indicate the executable that calls the server SDK operations `initSDK()` and `ProcessReady()` .", "title": "LaunchPath", "type": "string" }, @@ -92535,7 +93169,7 @@ "type": "boolean" }, "EndpointId": { - "markdownDescription": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nAn Application Load Balancer can be either internal or internet-facing.", + "markdownDescription": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nFor cross-account endpoints, this must be the ARN of the resource.", "title": "EndpointId", "type": "string" }, @@ -92767,6 +93401,8 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "ContainsCustomDatatype", "type": "array" }, "ContainsHeader": { @@ -92775,6 +93411,8 @@ "type": "string" }, "CustomDatatypeConfigured": { + "markdownDescription": "Enables the custom datatype to be configured.", + "title": "CustomDatatypeConfigured", "type": "boolean" }, "Delimiter": { @@ -93230,21 +93868,29 @@ "additionalProperties": false, "properties": { "ConnectionName": { + "markdownDescription": "The name of the connection to use to connect to the Iceberg target.", + "title": "ConnectionName", "type": "string" }, "Exclusions": { "items": { "type": "string" }, + "markdownDescription": "A list of glob patterns used to exclude from the crawl. For more information, see [Catalog Tables with a Crawler](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html) .", + "title": "Exclusions", "type": "array" }, "MaximumTraversalDepth": { + "markdownDescription": "The maximum depth of Amazon S3 paths that the crawler can traverse to discover the Iceberg metadata folder in your Amazon S3 path. Used to limit the crawler run time.", + "title": "MaximumTraversalDepth", "type": "number" }, "Paths": { "items": { "type": "string" }, + "markdownDescription": "One or more Amazon S3 paths that contains Iceberg metadata folders as `s3://bucket/prefix` .", + "title": "Paths", "type": "array" } }, @@ -93398,6 +94044,8 @@ "items": { "$ref": "#/definitions/AWS::Glue::Crawler.IcebergTarget" }, + "markdownDescription": "", + "title": "IcebergTargets", "type": "array" }, "JdbcTargets": { @@ -93750,6 +94398,8 @@ "type": "string" }, "Region": { + "markdownDescription": "Region of the target database.", + "title": "Region", "type": "string" } }, @@ -95369,7 +96019,9 @@ "type": "string" }, "OpenTableFormatInput": { - "$ref": "#/definitions/AWS::Glue::Table.OpenTableFormatInput" + "$ref": "#/definitions/AWS::Glue::Table.OpenTableFormatInput", + "markdownDescription": "A structure representing an open format table.", + "title": "OpenTableFormatInput" }, "TableInput": { "$ref": "#/definitions/AWS::Glue::Table.TableInput", @@ -95433,9 +96085,13 @@ "additionalProperties": false, "properties": { "MetadataOperation": { - "$ref": "#/definitions/AWS::Glue::Table.MetadataOperation" + "$ref": "#/definitions/AWS::Glue::Table.MetadataOperation", + "markdownDescription": "A required metadata operation. Can only be set to `CREATE` .", + "title": "MetadataOperation" }, "Version": { + "markdownDescription": "The table version for the Iceberg table. Defaults to 2.", + "title": "Version", "type": "string" } }, @@ -95450,7 +96106,9 @@ "additionalProperties": false, "properties": { "IcebergInput": { - "$ref": "#/definitions/AWS::Glue::Table.IcebergInput" + "$ref": "#/definitions/AWS::Glue::Table.IcebergInput", + "markdownDescription": "Specifies an `IcebergInput` structure that defines an Apache Iceberg metadata table.", + "title": "IcebergInput" } }, "type": "object" @@ -95664,6 +96322,8 @@ "type": "string" }, "Region": { + "markdownDescription": "Region of the target table.", + "title": "Region", "type": "string" } }, @@ -96092,7 +96752,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center (successor to AWS Single Sign-On) , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", + "markdownDescription": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", "title": "AuthenticationProviders", "type": "array" }, @@ -96115,7 +96775,7 @@ "type": "string" }, "GrafanaVersion": { - "markdownDescription": "Specifies the version of Grafana to support in the new workspace.\n\nSupported values are `8.4` and `9.4` .", + "markdownDescription": "Specifies the version of Grafana to support in the workspace. Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update.\n\nCan only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).\n\nTo know what versions are available to upgrade to for a specific workspace, see the [ListVersions](https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html) operation.", "title": "GrafanaVersion", "type": "string" }, @@ -99760,7 +100420,7 @@ "additionalProperties": false, "properties": { "UnvalidatedJSON": { - "markdownDescription": "The decoding settings are in JSON format and define a set of steps to perform to decode the data.", + "markdownDescription": "", "title": "UnvalidatedJSON", "type": "string" } @@ -99771,7 +100431,7 @@ "additionalProperties": false, "properties": { "UnvalidatedJSON": { - "markdownDescription": "The demodulation settings are in JSON format and define parameters for demodulation, for example which modulation scheme (e.g. PSK, QPSK, etc.) and matched filter to use.", + "markdownDescription": "", "title": "UnvalidatedJSON", "type": "string" } @@ -100055,7 +100715,7 @@ "title": "Address" }, "Mtu": { - "markdownDescription": "Maximum transmission unit (MTU) size in bytes of a dataflow endpoint. Valid values are between 1400 and 1500. A default value of 1500 is used if not set.", + "markdownDescription": "", "title": "Mtu", "type": "number" }, @@ -100445,9 +101105,13 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "Name of the additional configuration.", + "title": "Name", "type": "string" }, "Status": { + "markdownDescription": "Status of the additional configuration.", + "title": "Status", "type": "string" } }, @@ -100460,12 +101124,18 @@ "items": { "$ref": "#/definitions/AWS::GuardDuty::Detector.CFNFeatureAdditionalConfiguration" }, + "markdownDescription": "Information about the additional configuration of a feature in your account.", + "title": "AdditionalConfiguration", "type": "array" }, "Name": { + "markdownDescription": "Name of the feature.", + "title": "Name", "type": "string" }, "Status": { + "markdownDescription": "Status of the feature configuration.", + "title": "Status", "type": "string" } }, @@ -100543,9 +101213,13 @@ "additionalProperties": false, "properties": { "Key": { + "markdownDescription": "", + "title": "Key", "type": "string" }, "Value": { + "markdownDescription": "", + "title": "Value", "type": "string" } }, @@ -100742,7 +101416,7 @@ "additionalProperties": false, "properties": { "Criterion": { - "markdownDescription": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor a mapping of JSON criterion to their console equivalent see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- region\n- confidence\n- id\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.outpostArn\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.resourceType\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.additionalInfo.threatListName\n- service.archived\n\nWhen this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.\n- service.resourceRole\n- severity\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.", + "markdownDescription": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor information about JSON criterion mapping to their console equivalent, see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- id\n- region\n- severity\n\nTo filter on the basis of severity, API and CFN use the following input list for the condition:\n\n- *Low* : `[\"1\", \"2\", \"3\"]`\n- *Medium* : `[\"4\", \"5\", \"6\"]`\n- *High* : `[\"7\", \"8\", \"9\"]`\n\nFor more information, see [Severity levels for GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity) .\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.outpostArn\n- resource.resourceType\n- resource.s3BucketDetails.publicAccess.effectivePermissions\n- resource.s3BucketDetails.name\n- resource.s3BucketDetails.tags.key\n- resource.s3BucketDetails.tags.value\n- resource.s3BucketDetails.type\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.action.awsApiCallAction.remoteAccountDetails.affiliated\n- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.kubernetesApiCallAction.requestUri\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.protocol\n- service.action.awsApiCallAction.serviceName\n- service.action.awsApiCallAction.remoteAccountDetails.accountId\n- service.additionalInfo.threatListName\n- service.resourceRole\n- resource.eksClusterDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.namespace\n- resource.kubernetesDetails.kubernetesUserDetails.username\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix\n- service.ebsVolumeScanDetails.scanId\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash\n- resource.ecsClusterDetails.name\n- resource.ecsClusterDetails.taskDetails.containers.image\n- resource.ecsClusterDetails.taskDetails.definitionArn\n- resource.containerDetails.image\n- resource.rdsDbInstanceDetails.dbInstanceIdentifier\n- resource.rdsDbInstanceDetails.dbClusterIdentifier\n- resource.rdsDbInstanceDetails.engine\n- resource.rdsDbUserDetails.user\n- resource.rdsDbInstanceDetails.tags.key\n- resource.rdsDbInstanceDetails.tags.value\n- service.runtimeDetails.process.executableSha256\n- service.runtimeDetails.process.name\n- service.runtimeDetails.process.name\n- resource.lambdaDetails.functionName\n- resource.lambdaDetails.functionArn\n- resource.lambdaDetails.tags.key\n- resource.lambdaDetails.tags.value", "title": "Criterion", "type": "object" }, @@ -100898,8 +101572,6 @@ "type": "string" }, "MasterId": { - "markdownDescription": "The AWS account ID of the account designated as the GuardDuty administrator account.", - "title": "MasterId", "type": "string" } }, @@ -100981,8 +101653,6 @@ "type": "string" }, "MemberId": { - "markdownDescription": "The AWS account ID of the account to designate as a member.", - "title": "MemberId", "type": "string" }, "Message": { @@ -101158,18 +101828,24 @@ "additionalProperties": false, "properties": { "DatastoreName": { + "markdownDescription": "The data store name.", + "title": "DatastoreName", "type": "string" }, "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) assigned to the Key Management Service (KMS) key for accessing encrypted data.", + "title": "KmsKeyArn", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "The tags provided when creating a data store.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, @@ -101231,28 +101907,28 @@ "additionalProperties": false, "properties": { "DatastoreName": { - "markdownDescription": "The user generated name for the Data Store.", + "markdownDescription": "The user generated name for the data store.", "title": "DatastoreName", "type": "string" }, "DatastoreTypeVersion": { - "markdownDescription": "The FHIR version of the Data Store. The only supported version is R4.", + "markdownDescription": "The FHIR version of the data store. The only supported version is R4.", "title": "DatastoreTypeVersion", "type": "string" }, "IdentityProviderConfiguration": { "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration", - "markdownDescription": "", + "markdownDescription": "The identity provider configuration that you gave when the data store was created.", "title": "IdentityProviderConfiguration" }, "PreloadDataConfig": { "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.PreloadDataConfig", - "markdownDescription": "The preloaded data configuration for the Data Store. Only data preloaded from Synthea is supported.", + "markdownDescription": "The preloaded data configuration for the data store. Only data preloaded from Synthea is supported.", "title": "PreloadDataConfig" }, "SseConfiguration": { "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.SseConfiguration", - "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key specified for creating a Data Store.", + "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key specified for creating a data store.", "title": "SseConfiguration" }, "Tags": { @@ -101314,22 +101990,22 @@ "additionalProperties": false, "properties": { "AuthorizationStrategy": { - "markdownDescription": "", + "markdownDescription": "The authorization strategy that you selected when you created the data store.", "title": "AuthorizationStrategy", "type": "string" }, "FineGrainedAuthorizationEnabled": { - "markdownDescription": "", + "markdownDescription": "If you enabled fine-grained authorization when you created the data store.", "title": "FineGrainedAuthorizationEnabled", "type": "boolean" }, "IdpLambdaArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the Lambda function that you want to use to decode the access token created by the authorization server.", "title": "IdpLambdaArn", "type": "string" }, "Metadata": { - "markdownDescription": "", + "markdownDescription": "The JSON metadata elements that you want to use in your identity provider configuration. Required elements are listed based on the launch specification of the SMART application. For more information on all possible elements, see [Metadata](https://docs.aws.amazon.com/https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata) in SMART's App Launch specification.\n\n`authorization_endpoint` : The URL to the OAuth2 authorization endpoint.\n\n`grant_types_supported` : An array of grant types that are supported at the token endpoint. You must provide at least one grant type option. Valid options are `authorization_code` and `client_credentials` .\n\n`token_endpoint` : The URL to the OAuth2 token endpoint.\n\n`capabilities` : An array of strings of the SMART capabilities that the authorization server supports.\n\n`code_challenge_methods_supported` : An array of strings of supported PKCE code challenge methods. You must include the `S256` method in the array of PKCE code challenge methods.", "title": "Metadata", "type": "string" } @@ -101348,7 +102024,7 @@ "type": "string" }, "KmsKeyId": { - "markdownDescription": "The KMS encryption key id/alias used to encrypt the Data Store contents at rest.", + "markdownDescription": "The KMS encryption key id/alias used to encrypt the data store contents at rest.", "title": "KmsKeyId", "type": "string" } @@ -101603,12 +102279,18 @@ "additionalProperties": false, "properties": { "GroupName": { + "markdownDescription": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", + "title": "GroupName", "type": "string" }, "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" } }, @@ -102185,12 +102867,18 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" }, "RoleName": { + "markdownDescription": "The name of the role to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "RoleName", "type": "string" } }, @@ -102650,12 +103338,18 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" }, "UserName": { + "markdownDescription": "The name of the user to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "UserName", "type": "string" } }, @@ -102919,7 +103613,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-channel-tag.html) .", "title": "Tags", "type": "array" }, @@ -103000,7 +103694,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-playbackkeypair-tag.html) .", "title": "Tags", "type": "array" } @@ -103064,7 +103758,7 @@ "properties": { "DestinationConfiguration": { "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.DestinationConfiguration", - "markdownDescription": "A destination configuration contains information about where recorded video will be stored. See the [DestinationConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-destinationconfiguration.html) property type for more information.", + "markdownDescription": "A destination configuration contains information about where recorded video will be stored. See the DestinationConfiguration property type for more information.", "title": "DestinationConfiguration" }, "Name": { @@ -103078,19 +103772,21 @@ "type": "number" }, "RenditionConfiguration": { - "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.RenditionConfiguration" + "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.RenditionConfiguration", + "markdownDescription": "A rendition configuration describes which renditions should be recorded for a stream. See the RenditionConfiguration property type for more information.", + "title": "RenditionConfiguration" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-tag.html) .", "title": "Tags", "type": "array" }, "ThumbnailConfiguration": { "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.ThumbnailConfiguration", - "markdownDescription": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the [ThumbnailConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thunbnailconfiguration.html) property type for more information.", + "markdownDescription": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the ThumbnailConfiguration property type for more information.", "title": "ThumbnailConfiguration" } }, @@ -103135,12 +103831,16 @@ "additionalProperties": false, "properties": { "RenditionSelection": { + "markdownDescription": "The set of renditions are recorded for a stream. For `BASIC` channels, the `CUSTOM` value has no effect. If `CUSTOM` is specified, a set of renditions can be specified in the `renditions` field. Default: `ALL` .", + "title": "RenditionSelection", "type": "string" }, "Renditions": { "items": { "type": "string" }, + "markdownDescription": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "title": "Renditions", "type": "array" } }, @@ -103169,16 +103869,20 @@ "type": "string" }, "Resolution": { + "markdownDescription": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "title": "Resolution", "type": "string" }, "Storage": { "items": { "type": "string" }, + "markdownDescription": "The format in which thumbnails are recorded for a stream. `SEQUENTIAL` records all generated thumbnails in a serial manner, to the media/thumbnails directory. `LATEST` saves the latest thumbnail in media/thumbnails/latest/thumb.jpg and overwrites it at the interval specified by `targetIntervalSeconds` . You can enable both `SEQUENTIAL` and `LATEST` . Default: `SEQUENTIAL` .", + "title": "Storage", "type": "array" }, "TargetIntervalSeconds": { - "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 5. Maximum value of 60.", + "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60.", "title": "TargetIntervalSeconds", "type": "number" } @@ -103229,7 +103933,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-streamkey-tag.html) .", "title": "Tags", "type": "array" } @@ -103309,7 +104013,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-loggingconfiguration-tag.html) .", "title": "Tags", "type": "array" } @@ -103470,7 +104174,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-room-tag.html) .", "title": "Tags", "type": "array" } @@ -103970,7 +104674,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::ContainerRecipe.ComponentParameter" }, - "markdownDescription": "", + "markdownDescription": "A group of parameter settings that Image Builder uses to configure the component for a specific recipe.", "title": "Parameters", "type": "array" } @@ -103981,7 +104685,7 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the component parameter to set.", "title": "Name", "type": "string" }, @@ -103989,7 +104693,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Sets the value for the named component parameter.", "title": "Value", "type": "array" } @@ -104285,7 +104989,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchConfiguration" }, - "markdownDescription": "", + "markdownDescription": "The Windows faster-launching configurations to use for AMI distribution.", "title": "FastLaunchConfigurations", "type": "array" }, @@ -104320,28 +105024,28 @@ "additionalProperties": false, "properties": { "AccountId": { - "markdownDescription": "", + "markdownDescription": "The owner account ID for the fast-launch enabled Windows AMI.", "title": "AccountId", "type": "string" }, "Enabled": { - "markdownDescription": "", + "markdownDescription": "A Boolean that represents the current state of faster launching for the Windows AMI. Set to `true` to start using Windows faster launching, or `false` to stop using it.", "title": "Enabled", "type": "boolean" }, "LaunchTemplate": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchLaunchTemplateSpecification", - "markdownDescription": "", + "markdownDescription": "The launch template that the fast-launch enabled Windows AMI uses when it launches Windows instances to create pre-provisioned snapshots.", "title": "LaunchTemplate" }, "MaxParallelLaunches": { - "markdownDescription": "", + "markdownDescription": "The maximum number of parallel instances that are launched for creating resources.", "title": "MaxParallelLaunches", "type": "number" }, "SnapshotConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchSnapshotConfiguration", - "markdownDescription": "", + "markdownDescription": "Configuration settings for managing the number of snapshots that are created from pre-provisioned instances for the Windows AMI when faster launching is enabled.", "title": "SnapshotConfiguration" } }, @@ -104351,17 +105055,17 @@ "additionalProperties": false, "properties": { "LaunchTemplateId": { - "markdownDescription": "", + "markdownDescription": "The ID of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateId", "type": "string" }, "LaunchTemplateName": { - "markdownDescription": "", + "markdownDescription": "The name of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateName", "type": "string" }, "LaunchTemplateVersion": { - "markdownDescription": "", + "markdownDescription": "The version of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateVersion", "type": "string" } @@ -104372,7 +105076,7 @@ "additionalProperties": false, "properties": { "TargetResourceCount": { - "markdownDescription": "", + "markdownDescription": "The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI.", "title": "TargetResourceCount", "type": "number" } @@ -104511,7 +105215,7 @@ }, "ImageScanningConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::Image.ImageScanningConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains settings for vulnerability scans.", "title": "ImageScanningConfiguration" }, "ImageTestsConfiguration": { @@ -104569,12 +105273,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", "title": "ContainerTags", "type": "array" }, "RepositoryName": { - "markdownDescription": "", + "markdownDescription": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images.", "title": "RepositoryName", "type": "string" } @@ -104586,11 +105290,11 @@ "properties": { "EcrConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::Image.EcrConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains Amazon ECR settings for vulnerability scans.", "title": "EcrConfiguration" }, "ImageScanningEnabled": { - "markdownDescription": "", + "markdownDescription": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image.", "title": "ImageScanningEnabled", "type": "boolean" } @@ -104675,7 +105379,7 @@ }, "ImageScanningConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::ImagePipeline.ImageScanningConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains settings for vulnerability scans.", "title": "ImageScanningConfiguration" }, "ImageTestsConfiguration": { @@ -104749,12 +105453,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", "title": "ContainerTags", "type": "array" }, "RepositoryName": { - "markdownDescription": "", + "markdownDescription": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images.", "title": "RepositoryName", "type": "string" } @@ -104766,11 +105470,11 @@ "properties": { "EcrConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::ImagePipeline.EcrConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains Amazon ECR settings for vulnerability scans.", "title": "EcrConfiguration" }, "ImageScanningEnabled": { - "markdownDescription": "", + "markdownDescription": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image.", "title": "ImageScanningEnabled", "type": "boolean" } @@ -105997,7 +106701,7 @@ "properties": { "HealthEventsConfig": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.HealthEventsConfig", - "markdownDescription": "", + "markdownDescription": "A complex type with the configuration information that determines the threshold and other conditions for when Internet Monitor creates a health event for an overall performance or availability issue, across an application's geographies.\n\nDefines the percentages, for overall performance scores and availability scores for an application, that are the thresholds for when Amazon CloudWatch Internet Monitor creates a health event. You can override the defaults to set a custom threshold for overall performance or availability scores, or both.\n\nYou can also set thresholds for local health scores,, where Internet Monitor creates a health event when scores cross a threshold for one or more city-networks, in addition to creating an event when an overall score crosses a threshold.\n\nIf you don't set a health event threshold, the default value is 95%.\n\nFor local thresholds, you also set a minimum percentage of overall traffic that is impacted by an issue before Internet Monitor creates an event. In addition, you can disable local thresholds, for performance scores, availability scores, or both.\n\nFor more information, see [Change health event thresholds](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-overview.html#IMUpdateThresholdFromOverview) in the Internet Monitor section of the *CloudWatch User Guide* .", "title": "HealthEventsConfig" }, "InternetMeasurementsLogDelivery": { @@ -106019,7 +106723,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs).", + "markdownDescription": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs). Use this option to add or remove resources when making an update.\n\n> Be aware that if you include content in the `Resources` field when you update a monitor, the `ResourcesToAdd` and `ResourcesToRemove` fields must be empty.", "title": "Resources", "type": "array" }, @@ -106027,7 +106731,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources to add to a monitor, which you provide as a set of Amazon Resource Names (ARNs).\n\nYou can add a combination of Virtual Private Clouds (VPCs) and Amazon CloudFront distributions, or you can add WorkSpaces directories. You can't add all three types of resources.\n\n> If you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.", + "markdownDescription": "The resources to include in a monitor, which you provide as a set of Amazon Resource Names (ARNs). Resources can be Amazon Virtual Private Cloud VPCs, Network Load Balancers (NLBs), Amazon CloudFront distributions, or Amazon WorkSpaces directories.\n\nYou can add a combination of VPCs and CloudFront distributions, or you can add WorkSpaces directories, or you can add NLBs. You can't add NLBs or WorkSpaces directories together with any other resources.\n\nIf you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "title": "ResourcesToAdd", "type": "array" }, @@ -106035,7 +106739,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs).", + "markdownDescription": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs)\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "title": "ResourcesToRemove", "type": "array" }, @@ -106088,18 +106792,22 @@ "additionalProperties": false, "properties": { "AvailabilityLocalHealthEventsConfig": { - "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig" + "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig", + "markdownDescription": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local availability issue.", + "title": "AvailabilityLocalHealthEventsConfig" }, "AvailabilityScoreThreshold": { - "markdownDescription": "", + "markdownDescription": "The health event threshold percentage set for availability scores. When the overall availability score is at or below this percentage, Internet Monitor creates a health event.", "title": "AvailabilityScoreThreshold", "type": "number" }, "PerformanceLocalHealthEventsConfig": { - "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig" + "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig", + "markdownDescription": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local performance issue.", + "title": "PerformanceLocalHealthEventsConfig" }, "PerformanceScoreThreshold": { - "markdownDescription": "", + "markdownDescription": "The health event threshold percentage set for performance scores. When the overall performance score is at or below this percentage, Internet Monitor creates a health event.", "title": "PerformanceScoreThreshold", "type": "number" } @@ -106111,7 +106819,7 @@ "properties": { "S3Config": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.S3Config", - "markdownDescription": "The configuration information for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise.", + "markdownDescription": "The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3.", "title": "S3Config" } }, @@ -106121,12 +106829,18 @@ "additionalProperties": false, "properties": { "HealthScoreThreshold": { + "markdownDescription": "The health event threshold percentage set for a local health score.", + "title": "HealthScoreThreshold", "type": "number" }, "MinTrafficImpact": { + "markdownDescription": "The minimum percentage of overall traffic for an application that must be impacted by an issue before Internet Monitor creates an event when a threshold is crossed for a local health score.\n\nIf you don't set a minimum traffic impact threshold, the default value is 0.01%.", + "title": "MinTrafficImpact", "type": "number" }, "Status": { + "markdownDescription": "The status of whether Internet Monitor creates a health event based on a threshold percentage set for a local health score. The status can be `ENABLED` or `DISABLED` .", + "title": "Status", "type": "string" } }, @@ -106552,12 +107266,12 @@ }, "IntermediateCaRevokedForActiveDeviceCertificatesCheck": { "$ref": "#/definitions/AWS::IoT::AccountAuditConfiguration.AuditCheckConfiguration", - "markdownDescription": "", + "markdownDescription": "Checks if device certificates are still active despite being revoked by an intermediate CA.", "title": "IntermediateCaRevokedForActiveDeviceCertificatesCheck" }, "IoTPolicyPotentialMisConfigurationCheck": { "$ref": "#/definitions/AWS::IoT::AccountAuditConfiguration.AuditCheckConfiguration", - "markdownDescription": "", + "markdownDescription": "Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.", "title": "IoTPolicyPotentialMisConfigurationCheck" }, "IotPolicyOverlyPermissiveCheck": { @@ -107560,6 +108274,8 @@ "items": { "type": "string" }, + "markdownDescription": "The package version Amazon Resource Names (ARNs) that are installed on the device\u2019s reserved named shadow ( `$package` ) when the job successfully completes.\n\n*Note:* Up to 25 package version ARNS are allowed.", + "title": "DestinationPackageVersions", "type": "array" }, "Document": { @@ -108180,6 +108896,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -108803,7 +109521,7 @@ "properties": { "Criteria": { "$ref": "#/definitions/AWS::IoT::SecurityProfile.BehaviorCriteria", - "markdownDescription": "The criteria that determine if a device is behaving normally in regard to the `metric` .", + "markdownDescription": "The criteria that determine if a device is behaving normally in regard to the `metric` .\n\n> In the AWS IoT console, you can choose to be sent an alert through Amazon SNS when AWS IoT Device Defender detects that a device is behaving anomalously.", "title": "Criteria" }, "Metric": { @@ -109017,15 +109735,21 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A summary of the package being created. This can be used to outline the package's contents or purpose.", + "title": "Description", "type": "string" }, "PackageName": { + "markdownDescription": "The name of the new software package.", + "title": "PackageName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Metadata that can be used to manage the package.", + "title": "Tags", "type": "array" } }, @@ -109088,26 +109812,36 @@ "properties": { "Attributes": { "additionalProperties": true, + "markdownDescription": "Metadata that can be used to define a package version\u2019s configuration. For example, the S3 file location, configuration options that are being sent to the device or fleet.\n\nThe combined size of all the attributes on a package version is limited to 3KB.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Attributes", "type": "object" }, "Description": { + "markdownDescription": "A summary of the package version being created. This can be used to outline the package's contents or purpose.", + "title": "Description", "type": "string" }, "PackageName": { + "markdownDescription": "The name of the associated software package.", + "title": "PackageName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Metadata that can be used to manage the package version.", + "title": "Tags", "type": "array" }, "VersionName": { + "markdownDescription": "The name of the new package version.", + "title": "VersionName", "type": "string" } }, @@ -110185,6 +110919,8 @@ "items": { "$ref": "#/definitions/AWS::IoT::TopicRule.KafkaActionHeader" }, + "markdownDescription": "The list of Kafka headers that you specify.", + "title": "Headers", "type": "array" }, "Key": { @@ -110214,9 +110950,13 @@ "additionalProperties": false, "properties": { "Key": { + "markdownDescription": "The key of the Kafka header.", + "title": "Key", "type": "string" }, "Value": { + "markdownDescription": "The value of the Kafka header.", + "title": "Value", "type": "string" } }, @@ -112365,12 +113105,12 @@ "additionalProperties": false, "properties": { "CertificateArn": { - "markdownDescription": "", + "markdownDescription": "Lists device's certificate ARN.", "title": "CertificateArn", "type": "string" }, "ThingArn": { - "markdownDescription": "", + "markdownDescription": "Lists device's thing ARN.", "title": "ThingArn", "type": "string" } @@ -112381,7 +113121,7 @@ "additionalProperties": false, "properties": { "DevicePermissionRoleArn": { - "markdownDescription": "", + "markdownDescription": "Gets the device permission ARN. This is a required parameter.", "title": "DevicePermissionRoleArn", "type": "string" }, @@ -112389,22 +113129,22 @@ "items": { "$ref": "#/definitions/AWS::IoTCoreDeviceAdvisor::SuiteDefinition.DeviceUnderTest" }, - "markdownDescription": "", + "markdownDescription": "Gets the devices configured.", "title": "Devices", "type": "array" }, "IntendedForQualification": { - "markdownDescription": "", + "markdownDescription": "Gets the tests intended for qualification in a suite.", "title": "IntendedForQualification", "type": "boolean" }, "RootGroup": { - "markdownDescription": "", + "markdownDescription": "Gets the test suite root group. This is a required parameter. For updating or creating the latest qualification suite, if `intendedForQualification` is set to true, `rootGroup` can be an empty string. If `intendedForQualification` is false, `rootGroup` cannot be an empty string. If `rootGroup` is empty, and `intendedForQualification` is set to true, all the qualification tests are included, and the configuration is default.\n\nFor a qualification suite, the minimum length is 0, and the maximum is 2048. For a non-qualification suite, the minimum length is 1, and the maximum is 2048.", "title": "RootGroup", "type": "string" }, "SuiteDefinitionName": { - "markdownDescription": "", + "markdownDescription": "Gets the suite definition name. This is a required parameter.", "title": "SuiteDefinitionName", "type": "string" } @@ -114430,23 +115170,15 @@ "additionalProperties": false, "properties": { "CanInterface": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanInterface", - "markdownDescription": "(Optional) Information about a network interface specified by the Controller Area Network (CAN) protocol.", - "title": "CanInterface" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanInterface" }, "InterfaceId": { - "markdownDescription": "The ID of the network interface.", - "title": "InterfaceId", "type": "string" }, "ObdInterface": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdInterface", - "markdownDescription": "(Optional) Information about a network interface specified by the On-board diagnostic (OBD) II protocol.", - "title": "ObdInterface" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdInterface" }, "Type": { - "markdownDescription": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs.", - "title": "Type", "type": "string" } }, @@ -114565,28 +115297,18 @@ "additionalProperties": false, "properties": { "CanSignal": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanSignal", - "markdownDescription": "(Optional) Information about a single controller area network (CAN) signal and the messages it receives and transmits.", - "title": "CanSignal" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanSignal" }, "FullyQualifiedName": { - "markdownDescription": "The fully qualified name of a signal decoder as defined in a vehicle model.", - "title": "FullyQualifiedName", "type": "string" }, "InterfaceId": { - "markdownDescription": "The ID of a network interface that specifies what network protocol a vehicle follows.", - "title": "InterfaceId", "type": "string" }, "ObdSignal": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdSignal", - "markdownDescription": "(Optional) Information about signal messages using the on-board diagnostics (OBD) II protocol in a vehicle.", - "title": "ObdSignal" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdSignal" }, "Type": { - "markdownDescription": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs.", - "title": "Type", "type": "string" } }, @@ -116187,7 +116909,7 @@ "type": "string" }, "PortalAuthMode": { - "markdownDescription": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center (successor to AWS Single Sign-On) to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", + "markdownDescription": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", "title": "PortalAuthMode", "type": "string" }, @@ -116545,7 +117267,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "", "title": "WorkspaceId", "type": "string" } @@ -116769,7 +117491,7 @@ "title": "DefaultValue" }, "IsExternalId": { - "markdownDescription": "A boolean value that specifies whether the property ID comes from an external data store.", + "markdownDescription": "", "title": "IsExternalId", "type": "boolean" }, @@ -116819,7 +117541,7 @@ "type": "string" }, "TargetComponentTypeId": { - "markdownDescription": "The ID of the target component type associated with this relationship.", + "markdownDescription": "", "title": "TargetComponentTypeId", "type": "string" } @@ -116910,7 +117632,7 @@ "type": "string" }, "EntityId": { - "markdownDescription": "The entity ID.", + "markdownDescription": "The ID of the entity.", "title": "EntityId", "type": "string" }, @@ -116936,7 +117658,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "", "title": "WorkspaceId", "type": "string" } @@ -116977,7 +117699,7 @@ "type": "string" }, "ComponentTypeId": { - "markdownDescription": "The ID of the ComponentType.", + "markdownDescription": "", "title": "ComponentTypeId", "type": "string" }, @@ -117330,7 +118052,7 @@ "type": "string" }, "SceneId": { - "markdownDescription": "The scene ID.", + "markdownDescription": "The ID of the scene.", "title": "SceneId", "type": "string" }, @@ -117357,7 +118079,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "", "title": "WorkspaceId", "type": "string" } @@ -118266,6 +118988,8 @@ "additionalProperties": false, "properties": { "AccountLinked": { + "markdownDescription": "Whether the partner account is linked to the AWS account.", + "title": "AccountLinked", "type": "boolean" }, "PartnerAccountId": { @@ -118274,6 +118998,8 @@ "type": "string" }, "PartnerType": { + "markdownDescription": "The partner type.", + "title": "PartnerType", "type": "string" }, "Sidewalk": { @@ -118282,10 +119008,14 @@ "title": "Sidewalk" }, "SidewalkResponse": { - "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkAccountInfoWithFingerprint" + "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkAccountInfoWithFingerprint", + "markdownDescription": "", + "title": "SidewalkResponse" }, "SidewalkUpdate": { - "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkUpdateAccount" + "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkUpdateAccount", + "markdownDescription": "Sidewalk update.", + "title": "SidewalkUpdate" }, "Tags": { "items": { @@ -118582,7 +119312,9 @@ "type": "boolean" }, "LoRaWANUpdateGatewayTaskEntry": { - "$ref": "#/definitions/AWS::IoTWireless::TaskDefinition.LoRaWANUpdateGatewayTaskEntry" + "$ref": "#/definitions/AWS::IoTWireless::TaskDefinition.LoRaWANUpdateGatewayTaskEntry", + "markdownDescription": "LoRaWANUpdateGatewayTaskEntry object.", + "title": "LoRaWANUpdateGatewayTaskEntry" }, "Name": { "markdownDescription": "The name of the new resource.", @@ -118598,6 +119330,8 @@ "type": "array" }, "TaskDefinitionType": { + "markdownDescription": "A filter to list only the wireless gateway task definitions that use this task definition type.", + "title": "TaskDefinitionType", "type": "string" }, "Update": { @@ -118826,13 +119560,13 @@ "additionalProperties": false, "properties": { "DevAddr": { - "markdownDescription": "The DevAddr value.", + "markdownDescription": "", "title": "DevAddr", "type": "string" }, "SessionKeys": { "$ref": "#/definitions/AWS::IoTWireless::WirelessDevice.SessionKeysAbpV10x", - "markdownDescription": "Session keys for ABP v1.0.x", + "markdownDescription": "", "title": "SessionKeys" } }, @@ -118867,7 +119601,7 @@ "properties": { "AbpV10x": { "$ref": "#/definitions/AWS::IoTWireless::WirelessDevice.AbpV10x", - "markdownDescription": "LoRaWAN object for create APIs.", + "markdownDescription": "", "title": "AbpV10x" }, "AbpV11": { @@ -118907,12 +119641,12 @@ "additionalProperties": false, "properties": { "AppEui": { - "markdownDescription": "The AppEUI value, with pattern of `[a-fA-F0-9]{16}` .", + "markdownDescription": "", "title": "AppEui", "type": "string" }, "AppKey": { - "markdownDescription": "The AppKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "AppKey", "type": "string" } @@ -118953,12 +119687,12 @@ "additionalProperties": false, "properties": { "AppSKey": { - "markdownDescription": "The AppSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "AppSKey", "type": "string" }, "NwkSKey": { - "markdownDescription": "The NwkSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "NwkSKey", "type": "string" } @@ -119267,7 +120001,7 @@ "additionalProperties": false, "properties": { "AliasName": { - "markdownDescription": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .\n\n*Pattern* : `^alias/[a-zA-Z0-9/_-]+$`\n\n*Minimum* : `1`\n\n*Maximum* : `256`", + "markdownDescription": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .", "title": "AliasName", "type": "string" }, @@ -119340,6 +120074,8 @@ "additionalProperties": false, "properties": { "BypassPolicyLockoutSafetyCheck": { + "markdownDescription": "Skips (\"bypasses\") the key policy lockout safety check. The default value is false.\n\n> Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.\n> \n> For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) in the *AWS Key Management Service Developer Guide* . \n\nUse this parameter only when you intend to prevent the principal that is making the request from making a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key.", + "title": "BypassPolicyLockoutSafetyCheck", "type": "boolean" }, "Description": { @@ -119348,7 +120084,7 @@ "type": "string" }, "EnableKeyRotation": { - "markdownDescription": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys and HMAC KMS keys, omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin `EXTERNAL` , omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "EnableKeyRotation", "type": "boolean" }, @@ -119358,7 +120094,7 @@ "type": "boolean" }, "KeyPolicy": { - "markdownDescription": "The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section of the **AWS Key Management Service Developer Guide** .\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", + "markdownDescription": "The key policy to attach to the KMS key.\n\nIf you provide a key policy, it must meet the following criteria:\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the *AWS Key Management Service Developer Guide* . (To omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you do not provide a key policy, AWS KMS attaches a default key policy to the KMS key. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", "title": "KeyPolicy", "type": "object" }, @@ -119378,10 +120114,12 @@ "type": "boolean" }, "Origin": { + "markdownDescription": "The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is `AWS_KMS` , which means that AWS KMS creates the key material.\n\nTo [create a KMS key with no key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) (for imported key material), set this value to `EXTERNAL` . For more information about importing key material into AWS KMS , see [Importing Key Material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) in the *AWS Key Management Service Developer Guide* .\n\nYou can ignore `ENABLED` when Origin is `EXTERNAL` . When a KMS key with Origin `EXTERNAL` is created, the key state is `PENDING_IMPORT` and `ENABLED` is `false` . After you import the key material, `ENABLED` updated to `true` . The KMS key can then be used for Cryptographic Operations.\n\n> AWS CloudFormation doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.", + "title": "Origin", "type": "string" }, "PendingWindowInDays": { - "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "PendingWindowInDays", "type": "number" }, @@ -119467,7 +120205,7 @@ "type": "object" }, "PendingWindowInDays": { - "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "PendingWindowInDays", "type": "number" }, @@ -120047,6 +120785,8 @@ "type": "string" }, "LanguageCode": { + "markdownDescription": "The code for a language. This shows a supported language for all documents in the data source. English is supported by default. For more information on supported languages, including their codes, see [Adding documents in languages other than English](https://docs.aws.amazon.com/kendra/latest/dg/in-adding-languages.html) .", + "title": "LanguageCode", "type": "string" }, "Name": { @@ -120554,17 +121294,17 @@ "additionalProperties": false, "properties": { "DataSourceFieldName": { - "markdownDescription": "The name of the column or attribute in the data source.", + "markdownDescription": "The name of the field in the data source. You must first create the index field using the `UpdateIndex` API.", "title": "DataSourceFieldName", "type": "string" }, "DateFieldFormat": { - "markdownDescription": "The type of data stored in the column or attribute.", + "markdownDescription": "The format for date fields in the data source. If the field specified in `DataSourceFieldName` is a date field, you must specify the date format. If the field is not a date field, an exception is thrown.", "title": "DateFieldFormat", "type": "string" }, "IndexFieldName": { - "markdownDescription": "The name of the field in the index.", + "markdownDescription": "The name of the index field to map to the data source field. The index field type must match the data source field type.", "title": "IndexFieldName", "type": "string" } @@ -121846,7 +122586,7 @@ "properties": { "CapacityUnits": { "$ref": "#/definitions/AWS::Kendra::Index.CapacityUnitsConfiguration", - "markdownDescription": "", + "markdownDescription": "Specifies additional capacity units configured for your Enterprise Edition index. You can add and remove capacity units to fit your usage requirements.", "title": "CapacityUnits" }, "Description": { @@ -123260,7 +124000,7 @@ }, "RunConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.RunConfiguration", - "markdownDescription": "", + "markdownDescription": "Describes the starting parameters for an Managed Service for Apache Flink application.", "title": "RunConfiguration" }, "RuntimeEnvironment": { @@ -123334,27 +124074,27 @@ "properties": { "ApplicationCodeConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationCodeConfiguration", - "markdownDescription": "The code location and type parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The code location and type parameters for a Managed Service for Apache Flink application.", "title": "ApplicationCodeConfiguration" }, "ApplicationSnapshotConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationSnapshotConfiguration", - "markdownDescription": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", "title": "ApplicationSnapshotConfiguration" }, "EnvironmentProperties": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.EnvironmentProperties", - "markdownDescription": "Describes execution properties for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes execution properties for a Managed Service for Apache Flink application.", "title": "EnvironmentProperties" }, "FlinkApplicationConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.FlinkApplicationConfiguration", - "markdownDescription": "The creation and update parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The creation and update parameters for a Managed Service for Apache Flink application.", "title": "FlinkApplicationConfiguration" }, "SqlApplicationConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.SqlApplicationConfiguration", - "markdownDescription": "The creation and update parameters for a SQL-based Kinesis Data Analytics application.", + "markdownDescription": "The creation and update parameters for a SQL-based Managed Service for Apache Flink application.", "title": "SqlApplicationConfiguration" }, "VpcConfigurations": { @@ -123410,7 +124150,7 @@ "additionalProperties": false, "properties": { "SnapshotsEnabled": { - "markdownDescription": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", "title": "SnapshotsEnabled", "type": "boolean" } @@ -123460,12 +124200,12 @@ "type": "number" }, "CheckpointingEnabled": { - "markdownDescription": "Describes whether checkpointing is enabled for a Flink-based Kinesis Data Analytics application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", + "markdownDescription": "Describes whether checkpointing is enabled for a Managed Service for Apache Flink application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", "title": "CheckpointingEnabled", "type": "boolean" }, "ConfigurationType": { - "markdownDescription": "Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", + "markdownDescription": "Describes whether the application uses Managed Service for Apache Flink' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", "title": "ConfigurationType", "type": "string" }, @@ -123489,12 +124229,12 @@ "title": "S3ContentLocation" }, "TextContent": { - "markdownDescription": "The text-format code for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The text-format code for a Managed Service for Apache Flink application.", "title": "TextContent", "type": "string" }, "ZipFileContent": { - "markdownDescription": "The zip-format code for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The zip-format code for a Managed Service for Apache Flink application.", "title": "ZipFileContent", "type": "string" } @@ -123606,7 +124346,7 @@ }, "InputProcessingConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.InputProcessingConfiguration", - "markdownDescription": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) .", + "markdownDescription": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) .", "title": "InputProcessingConfiguration" }, "InputSchema": { @@ -123625,7 +124365,7 @@ "title": "KinesisStreamsInput" }, "NamePrefix": { - "markdownDescription": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Kinesis Data Analytics then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on.", + "markdownDescription": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Managed Service for Apache Flink then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on.", "title": "NamePrefix", "type": "string" } @@ -123666,7 +124406,7 @@ "properties": { "InputLambdaProcessor": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.InputLambdaProcessor", - "markdownDescription": "The [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code.", + "markdownDescription": "The [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code.", "title": "InputLambdaProcessor" } }, @@ -123812,17 +124552,17 @@ "additionalProperties": false, "properties": { "AutoScalingEnabled": { - "markdownDescription": "Describes whether the Kinesis Data Analytics service can increase the parallelism of the application in response to increased throughput.", + "markdownDescription": "Describes whether the Managed Service for Apache Flink service can increase the parallelism of the application in response to increased throughput.", "title": "AutoScalingEnabled", "type": "boolean" }, "ConfigurationType": { - "markdownDescription": "Describes whether the application uses the default parallelism for the Kinesis Data Analytics service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", + "markdownDescription": "Describes whether the application uses the default parallelism for the Managed Service for Apache Flink service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", "title": "ConfigurationType", "type": "string" }, "Parallelism": { - "markdownDescription": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", + "markdownDescription": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", "title": "Parallelism", "type": "number" }, @@ -123913,7 +124653,7 @@ }, "FlinkRunConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.FlinkRunConfiguration", - "markdownDescription": "Describes the starting parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes the starting parameters for a Managed Service for Apache Flink application.", "title": "FlinkRunConfiguration" } }, @@ -123970,7 +124710,7 @@ "items": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.Input" }, - "markdownDescription": "The array of [Input](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_Input.html) objects describing the input streams used by the application.", + "markdownDescription": "The array of [Input](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_Input.html) objects describing the input streams used by the application.", "title": "Inputs", "type": "array" } @@ -124172,7 +124912,7 @@ }, "Output": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationOutput.Output", - "markdownDescription": "Describes a SQL-based Kinesis Data Analytics application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.", + "markdownDescription": "Describes a SQL-based Managed Service for Apache Flink application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.", "title": "Output" } }, @@ -124332,7 +125072,7 @@ }, "ReferenceDataSource": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource.ReferenceDataSource", - "markdownDescription": "For a SQL-based Kinesis Data Analytics application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.", + "markdownDescription": "For a SQL-based Managed Service for Apache Flink application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.", "title": "ReferenceDataSource" } }, @@ -124467,7 +125207,7 @@ }, "S3ReferenceDataSource": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource.S3ReferenceDataSource", - "markdownDescription": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", + "markdownDescription": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", "title": "S3ReferenceDataSource" }, "TableName": { @@ -124566,7 +125306,7 @@ "properties": { "AmazonOpenSearchServerlessDestinationConfiguration": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessDestinationConfiguration", - "markdownDescription": "", + "markdownDescription": "Describes the configuration of a destination in the Serverless offering for Amazon OpenSearch Service.", "title": "AmazonOpenSearchServerlessDestinationConfiguration" }, "AmazonopensearchserviceDestinationConfiguration": { @@ -124610,7 +125350,9 @@ "title": "KinesisStreamSourceConfiguration" }, "MSKSourceConfiguration": { - "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.MSKSourceConfiguration" + "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.MSKSourceConfiguration", + "markdownDescription": "The configuration for the Amazon MSK cluster to be used as the source for a delivery stream.", + "title": "MSKSourceConfiguration" }, "RedshiftDestinationConfiguration": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.RedshiftDestinationConfiguration", @@ -124662,12 +125404,12 @@ "additionalProperties": false, "properties": { "IntervalInSeconds": { - "markdownDescription": "", + "markdownDescription": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300 (5 minutes).", "title": "IntervalInSeconds", "type": "number" }, "SizeInMBs": { - "markdownDescription": "", + "markdownDescription": "Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.\n\nWe recommend setting this parameter to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec, the value should be 10 MB or higher.", "title": "SizeInMBs", "type": "number" } @@ -124679,7 +125421,7 @@ "properties": { "BufferingHints": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessBufferingHints", - "markdownDescription": "", + "markdownDescription": "The buffering options. If no value is specified, the default values for AmazonopensearchserviceBufferingHints are used.", "title": "BufferingHints" }, "CloudWatchLoggingOptions": { @@ -124688,12 +125430,12 @@ "title": "CloudWatchLoggingOptions" }, "CollectionEndpoint": { - "markdownDescription": "", + "markdownDescription": "The endpoint to use when communicating with the collection in the Serverless offering for Amazon OpenSearch Service.", "title": "CollectionEndpoint", "type": "string" }, "IndexName": { - "markdownDescription": "", + "markdownDescription": "The Serverless offering for Amazon OpenSearch Service index name.", "title": "IndexName", "type": "string" }, @@ -124704,16 +125446,16 @@ }, "RetryOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessRetryOptions", - "markdownDescription": "", + "markdownDescription": "The retry behavior in case Kinesis Data Firehose is unable to deliver documents to the Serverless offering for Amazon OpenSearch Service. The default value is 300 (5 minutes).", "title": "RetryOptions" }, "RoleARN": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to be assumed by Kinesis Data Firehose for calling the Serverless offering for Amazon OpenSearch Service Configuration API and for indexing documents.", "title": "RoleARN", "type": "string" }, "S3BackupMode": { - "markdownDescription": "", + "markdownDescription": "Defines how documents should be delivered to Amazon S3. When it is set to FailedDocumentsOnly, Kinesis Data Firehose writes any documents that could not be indexed to the configured Amazon S3 destination, with AmazonOpenSearchService-failed/ appended to the key prefix. When set to AllDocuments, Kinesis Data Firehose delivers all incoming records to Amazon S3, and also writes failed documents with AmazonOpenSearchService-failed/ appended to the prefix.", "title": "S3BackupMode", "type": "string" }, @@ -124739,7 +125481,7 @@ "additionalProperties": false, "properties": { "DurationInSeconds": { - "markdownDescription": "", + "markdownDescription": "After an initial failure to deliver to the Serverless offering for Amazon OpenSearch Service, the total amount of time during which Kinesis Data Firehose retries delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. Default value is 300 seconds (5 minutes). A value of 0 (zero) results in no retries.", "title": "DurationInSeconds", "type": "number" } @@ -124782,7 +125524,7 @@ }, "DocumentIdOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.DocumentIdOptions", - "markdownDescription": "", + "markdownDescription": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "title": "DocumentIdOptions" }, "DomainARN": { @@ -124858,9 +125600,13 @@ "additionalProperties": false, "properties": { "Connectivity": { + "markdownDescription": "The type of connectivity used to access the Amazon MSK cluster.", + "title": "Connectivity", "type": "string" }, "RoleARN": { + "markdownDescription": "The ARN of the role used to access the Amazon MSK cluster.", + "title": "RoleARN", "type": "string" } }, @@ -124996,7 +125742,7 @@ "additionalProperties": false, "properties": { "DefaultDocumentIdFormat": { - "markdownDescription": "", + "markdownDescription": "When the `FIREHOSE_DEFAULT` option is chosen, Kinesis Data Firehose generates a unique document ID for each record based on a unique internal identifier. The generated document ID is stable across multiple delivery attempts, which helps prevent the same record from being indexed multiple times with different document IDs.\n\nWhen the `NO_DOCUMENT_ID` option is chosen, Kinesis Data Firehose does not include any document IDs in the requests it sends to the Amazon OpenSearch Service. This causes the Amazon OpenSearch Service domain to generate document IDs. In case of multiple delivery attempts, this may cause the same record to be indexed more than once with different document IDs. This option enables write-heavy operations, such as the ingestion of logs and observability data, to consume less resources in the Amazon OpenSearch Service domain, resulting in improved performance.", "title": "DefaultDocumentIdFormat", "type": "string" } @@ -125058,7 +125804,7 @@ }, "DocumentIdOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.DocumentIdOptions", - "markdownDescription": "", + "markdownDescription": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "title": "DocumentIdOptions" }, "DomainARN": { @@ -125402,12 +126148,18 @@ "additionalProperties": false, "properties": { "AuthenticationConfiguration": { - "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AuthenticationConfiguration" + "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AuthenticationConfiguration", + "markdownDescription": "The authentication configuration of the Amazon MSK cluster.", + "title": "AuthenticationConfiguration" }, "MSKClusterARN": { + "markdownDescription": "The ARN of the Amazon MSK cluster.", + "title": "MSKClusterARN", "type": "string" }, "TopicName": { + "markdownDescription": "The topic name within the Amazon MSK cluster.", + "title": "TopicName", "type": "string" } }, @@ -126256,6 +127008,8 @@ "type": "boolean" }, "AllowFullTableExternalDataAccess": { + "markdownDescription": "Specifies whether query engines and applications can get credentials without IAM session tags if the user has full table access. It provides query engines and applications performance benefits as well as simplifies data access. Amazon EMR on Amazon EC2 is able to leverage this setting.\n\nFor more information, see [](https://docs.aws.amazon.com/lake-formation/latest/dg/using-cred-vending.html)", + "title": "AllowFullTableExternalDataAccess", "type": "boolean" }, "AuthorizedSessionTagValueList": { @@ -126282,6 +127036,8 @@ "title": "ExternalDataFilteringAllowList" }, "MutationType": { + "markdownDescription": "Specifies whether the data lake settings are updated by adding new values to the current settings ( `APPEND` ) or by replacing the current settings with new settings ( `REPLACE` ).\n\n> If you choose `REPLACE` , your current data lake settings will be replaced with the new values in your template.", + "title": "MutationType", "type": "string" }, "Parameters": { @@ -126934,7 +127690,7 @@ "additionalProperties": false, "properties": { "CatalogId": { - "markdownDescription": "", + "markdownDescription": "The identifier for the Data Catalog. By default, it is the account ID of the caller.", "title": "CatalogId", "type": "string" }, @@ -128212,7 +128968,7 @@ "type": "array" }, "MemorySize": { - "markdownDescription": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB.", + "markdownDescription": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase.", "title": "MemorySize", "type": "number" }, @@ -128222,6 +128978,8 @@ "type": "string" }, "Policy": { + "markdownDescription": "", + "title": "Policy", "type": "object" }, "ReservedConcurrentExecutions": { @@ -128484,6 +129242,8 @@ "additionalProperties": false, "properties": { "Ipv6AllowedForDualStack": { + "markdownDescription": "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.", + "title": "Ipv6AllowedForDualStack", "type": "boolean" }, "SecurityGroupIds": { @@ -129008,7 +129768,9 @@ "title": "ProvisionedConcurrencyConfig" }, "RuntimePolicy": { - "$ref": "#/definitions/AWS::Lambda::Version.RuntimePolicy" + "$ref": "#/definitions/AWS::Lambda::Version.RuntimePolicy", + "markdownDescription": "", + "title": "RuntimePolicy" } }, "required": [ @@ -129055,9 +129817,13 @@ "additionalProperties": false, "properties": { "RuntimeVersionArn": { + "markdownDescription": "", + "title": "RuntimeVersionArn", "type": "string" }, "UpdateRuntimeOn": { + "markdownDescription": "", + "title": "UpdateRuntimeOn", "type": "string" } }, @@ -132478,7 +133244,9 @@ "type": "string" }, "PrivateRegistryAccess": { - "$ref": "#/definitions/AWS::Lightsail::Container.PrivateRegistryAccess" + "$ref": "#/definitions/AWS::Lightsail::Container.PrivateRegistryAccess", + "markdownDescription": "An object that describes the configuration for the container service to access private container image repositories, such as Amazon Elastic Container Registry ( Amazon ECR ) private repositories.\n\nFor more information, see [Configuring access to an Amazon ECR private repository for an Amazon Lightsail container service](https://docs.aws.amazon.com/latest/userguide/amazon-lightsail-container-service-ecr-private-repo-access) in the *Amazon Lightsail Developer Guide* .", + "title": "PrivateRegistryAccess" }, "PublicDomainNames": { "items": { @@ -132598,9 +133366,13 @@ "additionalProperties": false, "properties": { "IsActive": { + "markdownDescription": "A boolean value that indicates whether the `ECRImagePullerRole` is active.", + "title": "IsActive", "type": "boolean" }, "PrincipalArn": { + "markdownDescription": "The principle Amazon Resource Name (ARN) of the role. This property is read-only.", + "title": "PrincipalArn", "type": "string" } }, @@ -132678,7 +133450,9 @@ "additionalProperties": false, "properties": { "EcrImagePullerRole": { - "$ref": "#/definitions/AWS::Lightsail::Container.EcrImagePullerRole" + "$ref": "#/definitions/AWS::Lightsail::Container.EcrImagePullerRole", + "markdownDescription": "An object that describes the activation status of the role that you can use to grant a Lightsail container service access to Amazon ECR private repositories. If the role is activated, the Amazon Resource Name (ARN) of the role is also listed.", + "title": "EcrImagePullerRole" } }, "type": "object" @@ -132971,7 +133745,7 @@ }, "Location": { "$ref": "#/definitions/AWS::Lightsail::Disk.Location", - "markdownDescription": "", + "markdownDescription": "The AWS Region and Availability Zone where the disk is located.", "title": "Location" }, "SizeInGb": { @@ -133054,12 +133828,12 @@ "additionalProperties": false, "properties": { "AvailabilityZone": { - "markdownDescription": "", + "markdownDescription": "The Availability Zone where the disk is located.", "title": "AvailabilityZone", "type": "string" }, "RegionName": { - "markdownDescription": "", + "markdownDescription": "The AWS Region where the disk is located.", "title": "RegionName", "type": "string" } @@ -134532,15 +135306,23 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "title": "PolicyDocument", "type": "string" }, "PolicyName": { + "markdownDescription": "A name for the policy. This must be unique within the account.", + "title": "PolicyName", "type": "string" }, "PolicyType": { + "markdownDescription": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", + "title": "PolicyType", "type": "string" }, "Scope": { + "markdownDescription": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used.", + "title": "Scope", "type": "string" } }, @@ -135274,7 +136056,7 @@ "type": "string" }, "ModelName": { - "markdownDescription": "The name of the ML model used for the inference scheduler.", + "markdownDescription": "The name of the machine learning model used for the inference scheduler.", "title": "ModelName", "type": "string" }, @@ -136215,7 +136997,7 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the role associated with the application.", "title": "RoleArn", "type": "string" }, @@ -136606,7 +137388,7 @@ }, "ClientAuthentication": { "$ref": "#/definitions/AWS::MSK::Cluster.ClientAuthentication", - "markdownDescription": "Includes all client authentication related information.", + "markdownDescription": "VPC connection control settings for brokers.", "title": "ClientAuthentication" }, "ClusterName": { @@ -136743,7 +137525,7 @@ "title": "ConnectivityInfo" }, "InstanceType": { - "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, and kafka.m5.24xlarge, and kafka.t3.small.", + "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", "title": "InstanceType", "type": "string" }, @@ -136863,7 +137645,7 @@ "additionalProperties": false, "properties": { "DataVolumeKMSKeyId": { - "markdownDescription": "The ARN of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.", + "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.", "title": "DataVolumeKMSKeyId", "type": "string" } @@ -136914,7 +137696,7 @@ "type": "string" }, "Enabled": { - "markdownDescription": "Specifies whether broker logs get send to the specified Kinesis Data Firehose delivery stream.", + "markdownDescription": "Specifies whether broker logs get sent to the specified Kinesis Data Firehose delivery stream.", "title": "Enabled", "type": "boolean" } @@ -137109,7 +137891,7 @@ "items": { "type": "string" }, - "markdownDescription": "List of AWS Private CA ARNs.", + "markdownDescription": "List of AWS Private CA Amazon Resource Name (ARN)s.", "title": "CertificateAuthorityArnList", "type": "array" }, @@ -137342,7 +138124,9 @@ "type": "array" }, "LatestRevision": { - "$ref": "#/definitions/AWS::MSK::Configuration.LatestRevision" + "$ref": "#/definitions/AWS::MSK::Configuration.LatestRevision", + "markdownDescription": "Latest revision of the configuration.", + "title": "LatestRevision" }, "Name": { "markdownDescription": "The name of the configuration. Configuration names are strings that match the regex \"^[0-9A-Za-z][0-9A-Za-z-]{0,}$\".", @@ -137386,12 +138170,18 @@ "additionalProperties": false, "properties": { "CreationTime": { + "markdownDescription": "", + "title": "CreationTime", "type": "string" }, "Description": { + "markdownDescription": "", + "title": "Description", "type": "string" }, "Revision": { + "markdownDescription": "", + "title": "Revision", "type": "number" } }, @@ -137433,33 +138223,47 @@ "additionalProperties": false, "properties": { "CurrentVersion": { + "markdownDescription": "", + "title": "CurrentVersion", "type": "string" }, "Description": { + "markdownDescription": "", + "title": "Description", "type": "string" }, "KafkaClusters": { "items": { "$ref": "#/definitions/AWS::MSK::Replicator.KafkaCluster" }, + "markdownDescription": "", + "title": "KafkaClusters", "type": "array" }, "ReplicationInfoList": { "items": { "$ref": "#/definitions/AWS::MSK::Replicator.ReplicationInfo" }, + "markdownDescription": "", + "title": "ReplicationInfoList", "type": "array" }, "ReplicatorName": { + "markdownDescription": "", + "title": "ReplicatorName", "type": "string" }, "ServiceExecutionRoleArn": { + "markdownDescription": "", + "title": "ServiceExecutionRoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -137496,6 +138300,8 @@ "additionalProperties": false, "properties": { "MskClusterArn": { + "markdownDescription": "", + "title": "MskClusterArn", "type": "string" } }, @@ -137511,18 +138317,26 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "ConsumerGroupsToExclude", "type": "array" }, "ConsumerGroupsToReplicate": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "ConsumerGroupsToReplicate", "type": "array" }, "DetectAndCopyNewConsumerGroups": { + "markdownDescription": "", + "title": "DetectAndCopyNewConsumerGroups", "type": "boolean" }, "SynchroniseConsumerGroupOffsets": { + "markdownDescription": "", + "title": "SynchroniseConsumerGroupOffsets", "type": "boolean" } }, @@ -137535,10 +138349,14 @@ "additionalProperties": false, "properties": { "AmazonMskCluster": { - "$ref": "#/definitions/AWS::MSK::Replicator.AmazonMskCluster" + "$ref": "#/definitions/AWS::MSK::Replicator.AmazonMskCluster", + "markdownDescription": "", + "title": "AmazonMskCluster" }, "VpcConfig": { - "$ref": "#/definitions/AWS::MSK::Replicator.KafkaClusterClientVpcConfig" + "$ref": "#/definitions/AWS::MSK::Replicator.KafkaClusterClientVpcConfig", + "markdownDescription": "", + "title": "VpcConfig" } }, "required": [ @@ -137554,12 +138372,16 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "SecurityGroupIds", "type": "array" }, "SubnetIds": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "SubnetIds", "type": "array" } }, @@ -137572,19 +138394,29 @@ "additionalProperties": false, "properties": { "ConsumerGroupReplication": { - "$ref": "#/definitions/AWS::MSK::Replicator.ConsumerGroupReplication" + "$ref": "#/definitions/AWS::MSK::Replicator.ConsumerGroupReplication", + "markdownDescription": "", + "title": "ConsumerGroupReplication" }, "SourceKafkaClusterArn": { + "markdownDescription": "", + "title": "SourceKafkaClusterArn", "type": "string" }, "TargetCompressionType": { + "markdownDescription": "", + "title": "TargetCompressionType", "type": "string" }, "TargetKafkaClusterArn": { + "markdownDescription": "", + "title": "TargetKafkaClusterArn", "type": "string" }, "TopicReplication": { - "$ref": "#/definitions/AWS::MSK::Replicator.TopicReplication" + "$ref": "#/definitions/AWS::MSK::Replicator.TopicReplication", + "markdownDescription": "", + "title": "TopicReplication" } }, "required": [ @@ -137600,24 +138432,34 @@ "additionalProperties": false, "properties": { "CopyAccessControlListsForTopics": { + "markdownDescription": "", + "title": "CopyAccessControlListsForTopics", "type": "boolean" }, "CopyTopicConfigurations": { + "markdownDescription": "", + "title": "CopyTopicConfigurations", "type": "boolean" }, "DetectAndCopyNewTopics": { + "markdownDescription": "", + "title": "DetectAndCopyNewTopics", "type": "boolean" }, "TopicsToExclude": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "TopicsToExclude", "type": "array" }, "TopicsToReplicate": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "TopicsToReplicate", "type": "array" } }, @@ -137663,7 +138505,7 @@ "properties": { "ClientAuthentication": { "$ref": "#/definitions/AWS::MSK::ServerlessCluster.ClientAuthentication", - "markdownDescription": "", + "markdownDescription": "Includes all client authentication information.", "title": "ClientAuthentication" }, "ClusterName": { @@ -137935,7 +138777,7 @@ "type": "object" }, "AirflowVersion": { - "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` (latest)", + "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` (latest)", "title": "AirflowVersion", "type": "string" }, @@ -138025,7 +138867,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .", + "markdownDescription": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .\n\nIf you specify new tags for an existing environment, the update requires service interruption before taking effect.", "title": "Tags", "type": "object" }, @@ -138194,7 +139036,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", "type": "array" } @@ -138337,6 +139179,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An array of key-value pairs to apply to the custom data identifier.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", "type": "array" } }, @@ -138423,7 +139267,7 @@ "type": "string" }, "Position": { - "markdownDescription": "The position of the findings filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", + "markdownDescription": "The position of the findings filter in the list of saved filter rules on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", "title": "Position", "type": "number" }, @@ -138431,6 +139275,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An array of key-value pairs to apply to the findings filter.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", "type": "array" } }, @@ -138940,7 +139786,7 @@ "type": "string" }, "NetworkId": { - "markdownDescription": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`\n- `n-ethereum-rinkeby`", + "markdownDescription": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`", "title": "NetworkId", "type": "string" }, @@ -139043,7 +139889,7 @@ "title": "IngressGatewayBridge" }, "Name": { - "markdownDescription": "The network output name. This name is used to reference the output and must be unique among outputs in this bridge.", + "markdownDescription": "The name of the bridge. This name can not be modified after the bridge is created.", "title": "Name", "type": "string" }, @@ -139479,7 +140325,7 @@ "title": "FlowSource" }, "Name": { - "markdownDescription": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "markdownDescription": "The name of the flow source. This name is used to reference the source and must be unique among sources in this bridge.", "title": "Name", "type": "string" }, @@ -139745,13 +140591,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::Flow.VpcInterfaceAttachment", - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface attachment to use for this bridge source.", "title": "VpcInterfaceAttachment" } }, @@ -139780,7 +140626,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::Flow.GatewayBridgeSource", - "markdownDescription": "", + "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", "title": "GatewayBridgeSource" }, "IngestIp": { @@ -139884,7 +140730,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface that you want to send your output to.", "title": "VpcInterfaceName", "type": "string" } @@ -140123,7 +140969,7 @@ "type": "number" }, "Name": { - "markdownDescription": "The name of the VPC interface.", + "markdownDescription": "The name of the output. This value must be unique within the current flow.", "title": "Name", "type": "string" }, @@ -140283,7 +141129,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.GatewayBridgeSource", - "markdownDescription": "", + "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", "title": "GatewayBridgeSource" }, "IngestPort": { @@ -140437,13 +141283,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.VpcInterfaceAttachment", - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface attachment to use for this bridge source.", "title": "VpcInterfaceAttachment" } }, @@ -140456,7 +141302,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface that you want to send your output to.", "title": "VpcInterfaceName", "type": "string" } @@ -140601,7 +141447,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the gateway. This name can not be modified after the gateway is created.", + "markdownDescription": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", "title": "Name", "type": "string" }, @@ -140721,7 +141567,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the job template you are creating.", + "markdownDescription": "Name of the output group", "title": "Name", "type": "string" }, @@ -141060,7 +141906,7 @@ }, "Maintenance": { "$ref": "#/definitions/AWS::MediaLive::Channel.MaintenanceCreateSettings", - "markdownDescription": "", + "markdownDescription": "Maintenance settings for this channel.", "title": "Maintenance" }, "Name": { @@ -141161,6 +142007,8 @@ "additionalProperties": false, "properties": { "AttenuationControl": { + "markdownDescription": "", + "title": "AttenuationControl", "type": "string" }, "Bitrate": { @@ -142496,7 +143344,9 @@ "type": "array" }, "ThumbnailConfiguration": { - "$ref": "#/definitions/AWS::MediaLive::Channel.ThumbnailConfiguration" + "$ref": "#/definitions/AWS::MediaLive::Channel.ThumbnailConfiguration", + "markdownDescription": "", + "title": "ThumbnailConfiguration" }, "TimecodeConfig": { "$ref": "#/definitions/AWS::MediaLive::Channel.TimecodeConfig", @@ -143476,7 +144326,7 @@ "type": "string" }, "ProgramDateTimeClock": { - "markdownDescription": "", + "markdownDescription": "Specifies the algorithm used to drive the HLS EXT-X-PROGRAM-DATE-TIME clock. Options include: INITIALIZE_FROM_OUTPUT_TIMECODE: The PDT clock is initialized as a function of the first output timecode, then incremented by the EXTINF duration of each encoded segment. SYSTEM_CLOCK: The PDT clock is initialized as a function of the UTC wall clock, then incremented by the EXTINF duration of each encoded segment. If the PDT clock diverges from the wall clock by more than 500ms, it is resynchronized to the wall clock.", "title": "ProgramDateTimeClock", "type": "string" }, @@ -144163,9 +145013,13 @@ "type": "string" }, "KlvBehavior": { + "markdownDescription": "", + "title": "KlvBehavior", "type": "string" }, "KlvDataPids": { + "markdownDescription": "", + "title": "KlvDataPids", "type": "string" }, "NielsenId3Behavior": { @@ -144245,12 +145099,12 @@ "additionalProperties": false, "properties": { "MaintenanceDay": { - "markdownDescription": "", + "markdownDescription": "Choose one day of the week for maintenance. The chosen day is used for all future maintenance windows.", "title": "MaintenanceDay", "type": "string" }, "MaintenanceStartTime": { - "markdownDescription": "", + "markdownDescription": "Choose the hour that maintenance will start. The chosen time is used for all future maintenance windows.", "title": "MaintenanceStartTime", "type": "string" } @@ -144261,18 +145115,12 @@ "additionalProperties": false, "properties": { "MaintenanceDay": { - "markdownDescription": "", - "title": "MaintenanceDay", "type": "string" }, "MaintenanceScheduledDate": { - "markdownDescription": "", - "title": "MaintenanceScheduledDate", "type": "string" }, "MaintenanceStartTime": { - "markdownDescription": "", - "title": "MaintenanceStartTime", "type": "string" } }, @@ -145002,6 +145850,8 @@ "type": "string" }, "IncludeFillerNalUnits": { + "markdownDescription": "", + "title": "IncludeFillerNalUnits", "type": "string" }, "InputLossAction": { @@ -145205,6 +146055,8 @@ "additionalProperties": false, "properties": { "State": { + "markdownDescription": "", + "title": "State", "type": "string" } }, @@ -145674,8 +146526,6 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "This property is not used. Ignore it.", - "title": "Id", "type": "string" } }, @@ -146966,9 +147816,13 @@ "additionalProperties": false, "properties": { "PresetSpeke20Audio": { + "markdownDescription": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "title": "PresetSpeke20Audio", "type": "string" }, "PresetSpeke20Video": { + "markdownDescription": "A collection of video encryption presets.\n\nValue description:\n\n- `PRESET-VIDEO-1` - Use one content key to encrypt all of the video tracks in your stream.\n- `PRESET-VIDEO-2` - Use one content key to encrypt all of the SD video tracks and one content key for all HD and higher resolutions video tracks.\n- `PRESET-VIDEO-3` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-4` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-5` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-6` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-7` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-8` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `SHARED` - Use the same content key for all of the video and audio tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the video tracks in your stream.", + "title": "PresetSpeke20Video", "type": "string" } }, @@ -147339,18 +148193,26 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the channel configuration.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The name of the channel.", + "title": "ChannelName", "type": "string" }, "Description": { + "markdownDescription": "The description of the channel.", + "title": "Description", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the channel.", + "title": "Tags", "type": "array" } }, @@ -147380,9 +148242,13 @@ "additionalProperties": false, "properties": { "Id": { + "markdownDescription": "The identifier associated with the ingest endpoint of the channel.", + "title": "Id", "type": "string" }, "Url": { + "markdownDescription": "The URL associated with the ingest endpoint of the channel.", + "title": "Url", "type": "string" } }, @@ -147424,15 +148290,21 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group.", + "title": "ChannelGroupName", "type": "string" }, "Description": { + "markdownDescription": "The configuration for a MediaPackage V2 channel group.", + "title": "Description", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the channel group.", + "title": "Tags", "type": "array" } }, @@ -147494,12 +148366,18 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the channel policy.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The name of the channel associated with the channel policy.", + "title": "ChannelName", "type": "string" }, "Policy": { + "markdownDescription": "The policy associated with the channel.", + "title": "Policy", "type": "object" } }, @@ -147565,42 +148443,62 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the origin endpoint configuration.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The channel name associated with the origin endpoint.", + "title": "ChannelName", "type": "string" }, "ContainerType": { + "markdownDescription": "The container type associated with the origin endpoint configuration.", + "title": "ContainerType", "type": "string" }, "Description": { + "markdownDescription": "The description associated with the origin endpoint.", + "title": "Description", "type": "string" }, "HlsManifests": { "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.HlsManifestConfiguration" }, + "markdownDescription": "The HLS manfiests associated with the origin endpoint configuration.", + "title": "HlsManifests", "type": "array" }, "LowLatencyHlsManifests": { "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.LowLatencyHlsManifestConfiguration" }, + "markdownDescription": "The low-latency HLS (LL-HLS) manifests associated with the origin endpoint.", + "title": "LowLatencyHlsManifests", "type": "array" }, "OriginEndpointName": { + "markdownDescription": "The name of the origin endpoint associated with the origin endpoint configuration.", + "title": "OriginEndpointName", "type": "string" }, "Segment": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Segment" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Segment", + "markdownDescription": "The segment associated with the origin endpoint.", + "title": "Segment" }, "StartoverWindowSeconds": { + "markdownDescription": "The size of the window (in seconds) to specify a window of the live stream that's available for on-demand viewing. Viewers can start-over or catch-up on content that falls within the window.", + "title": "StartoverWindowSeconds", "type": "number" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the origin endpoint.", + "title": "Tags", "type": "array" } }, @@ -147634,16 +148532,24 @@ "additionalProperties": false, "properties": { "ConstantInitializationVector": { + "markdownDescription": "A 128-bit, 16-byte hex value represented by a 32-character string, used in conjunction with the key for encrypting content. If you don't specify a value, then MediaPackage creates the constant initialization vector (IV).", + "title": "ConstantInitializationVector", "type": "string" }, "EncryptionMethod": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionMethod" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionMethod", + "markdownDescription": "The encryption method to use.", + "title": "EncryptionMethod" }, "KeyRotationIntervalSeconds": { + "markdownDescription": "The interval, in seconds, to rotate encryption keys for the origin endpoint.", + "title": "KeyRotationIntervalSeconds", "type": "number" }, "SpekeKeyProvider": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.SpekeKeyProvider" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.SpekeKeyProvider", + "markdownDescription": "The SPEKE key provider to use for encryption.", + "title": "SpekeKeyProvider" } }, "required": [ @@ -147656,9 +148562,13 @@ "additionalProperties": false, "properties": { "PresetSpeke20Audio": { + "markdownDescription": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "title": "PresetSpeke20Audio", "type": "string" }, "PresetSpeke20Video": { + "markdownDescription": "The SPEKE Version 2.0 preset video associated with the encryption contract configuration of the origin endpoint.", + "title": "PresetSpeke20Video", "type": "string" } }, @@ -147672,9 +148582,13 @@ "additionalProperties": false, "properties": { "CmafEncryptionMethod": { + "markdownDescription": "The encryption method to use.", + "title": "CmafEncryptionMethod", "type": "string" }, "TsEncryptionMethod": { + "markdownDescription": "The encryption method to use.", + "title": "TsEncryptionMethod", "type": "string" } }, @@ -147684,21 +148598,33 @@ "additionalProperties": false, "properties": { "ChildManifestName": { + "markdownDescription": "The name of the child manifest associated with the HLS manifest configuration.", + "title": "ChildManifestName", "type": "string" }, "ManifestName": { + "markdownDescription": "The name of the manifest associated with the HLS manifest configuration.", + "title": "ManifestName", "type": "string" }, "ManifestWindowSeconds": { + "markdownDescription": "The duration of the manifest window, in seconds, for the HLS manifest configuration.", + "title": "ManifestWindowSeconds", "type": "number" }, "ProgramDateTimeIntervalSeconds": { + "markdownDescription": "The `EXT-X-PROGRAM-DATE-TIME` interval, in seconds, associated with the HLS manifest configuration.", + "title": "ProgramDateTimeIntervalSeconds", "type": "number" }, "ScteHls": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls", + "markdownDescription": "THE SCTE-35 HLS configuration associated with the HLS manifest configuration.", + "title": "ScteHls" }, "Url": { + "markdownDescription": "The URL of the HLS manifest configuration.", + "title": "Url", "type": "string" } }, @@ -147711,21 +148637,33 @@ "additionalProperties": false, "properties": { "ChildManifestName": { + "markdownDescription": "The name of the child manifest associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "ChildManifestName", "type": "string" }, "ManifestName": { + "markdownDescription": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "title": "ManifestName", "type": "string" }, "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of the manifest's content.", + "title": "ManifestWindowSeconds", "type": "number" }, "ProgramDateTimeIntervalSeconds": { + "markdownDescription": "Inserts `EXT-X-PROGRAM-DATE-TIME` tags in the output manifest at the interval that you specify. If you don't enter an interval, `EXT-X-PROGRAM-DATE-TIME` tags aren't included in the manifest. The tags sync the stream to the wall clock so that viewers can seek to a specific time in the playback timeline on the player. `ID3Timed` metadata messages generate every 5 seconds whenever MediaPackage ingests the content.\n\nIrrespective of this parameter, if any `ID3Timed` metadata is in the HLS input, MediaPackage passes through that metadata to the HLS output.", + "title": "ProgramDateTimeIntervalSeconds", "type": "number" }, "ScteHls": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls", + "markdownDescription": "The SCTE-35 HLS configuration associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "ScteHls" }, "Url": { + "markdownDescription": "The URL of the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "Url", "type": "string" } }, @@ -147741,6 +148679,8 @@ "items": { "type": "string" }, + "markdownDescription": "The filter associated with the SCTE-35 configuration.", + "title": "ScteFilter", "type": "array" } }, @@ -147750,6 +148690,8 @@ "additionalProperties": false, "properties": { "AdMarkerHls": { + "markdownDescription": "The SCTE-35 HLS ad-marker configuration.", + "title": "AdMarkerHls", "type": "string" } }, @@ -147759,24 +148701,38 @@ "additionalProperties": false, "properties": { "Encryption": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Encryption" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Encryption", + "markdownDescription": "Whether to use encryption for the segment.", + "title": "Encryption" }, "IncludeIframeOnlyStreams": { + "markdownDescription": "Whether the segment includes I-frame-only streams.", + "title": "IncludeIframeOnlyStreams", "type": "boolean" }, "Scte": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Scte" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Scte", + "markdownDescription": "The SCTE-35 configuration associated with the segment.", + "title": "Scte" }, "SegmentDurationSeconds": { + "markdownDescription": "The duration of the segment, in seconds.", + "title": "SegmentDurationSeconds", "type": "number" }, "SegmentName": { + "markdownDescription": "The name of the segment associated with the origin endpoint.", + "title": "SegmentName", "type": "string" }, "TsIncludeDvbSubtitles": { + "markdownDescription": "Whether the segment includes DVB subtitles.", + "title": "TsIncludeDvbSubtitles", "type": "boolean" }, "TsUseAudioRenditionGroup": { + "markdownDescription": "Whether the segment is an audio rendition group.", + "title": "TsUseAudioRenditionGroup", "type": "boolean" } }, @@ -147789,18 +148745,28 @@ "items": { "type": "string" }, + "markdownDescription": "The DRM solution provider you're using to protect your content during distribution.", + "title": "DrmSystems", "type": "array" }, "EncryptionContractConfiguration": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionContractConfiguration" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionContractConfiguration", + "markdownDescription": "The encryption contract configuration associated with the SPEKE key provider.", + "title": "EncryptionContractConfiguration" }, "ResourceId": { + "markdownDescription": "The unique identifier for the content. The service sends this identifier to the key server to identify the current endpoint. How unique you make this identifier depends on how fine-grained you want access controls to be. The service does not permit you to use the same ID for two simultaneous encryption processes. The resource ID is also known as the content ID.\n\nThe following example shows a resource ID: `MovieNight20171126093045`", + "title": "ResourceId", "type": "string" }, "RoleArn": { + "markdownDescription": "The ARN for the IAM role granted by the key provider that provides access to the key provider API. This role must have a trust policy that allows MediaPackage to assume the role, and it must have a sufficient permissions policy to allow access to the specific key retrieval URL. Get this from your DRM solution provider.\n\nValid format: `arn:aws:iam::{accountID}:role/{name}` . The following example shows a role ARN: `arn:aws:iam::444455556666:role/SpekeAccess`", + "title": "RoleArn", "type": "string" }, "Url": { + "markdownDescription": "The URL of the SPEKE key provider.", + "title": "Url", "type": "string" } }, @@ -147849,15 +148815,23 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the origin endpoint policy.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The channel name associated with the origin endpoint policy.", + "title": "ChannelName", "type": "string" }, "OriginEndpointName": { + "markdownDescription": "The name of the origin endpoint associated with the origin endpoint policy.", + "title": "OriginEndpointName", "type": "string" }, "Policy": { + "markdownDescription": "The policy associated with the origin endpoint.", + "title": "Policy", "type": "object" } }, @@ -147947,7 +148921,7 @@ }, "MetricPolicy": { "$ref": "#/definitions/AWS::MediaStore::Container.MetricPolicy", - "markdownDescription": "", + "markdownDescription": "The metric policy that is associated with the container. A metric policy allows AWS Elemental MediaStore to send metrics to Amazon CloudWatch. In the policy, you must indicate whether you want MediaStore to send container-level metrics. You can also include rules to define groups of objects that you want MediaStore to send object-level metrics for.\n\nTo view examples of how to construct a metric policy for your use case, see [Example Metric Policies](https://docs.aws.amazon.com/mediastore/latest/ug/policies-metric-examples.html) .", "title": "MetricPolicy" }, "Policy": { @@ -148111,30 +149085,44 @@ "additionalProperties": false, "properties": { "ChannelName": { + "markdownDescription": "The name of the channel.", + "title": "ChannelName", "type": "string" }, "FillerSlate": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.SlateSource" + "$ref": "#/definitions/AWS::MediaTailor::Channel.SlateSource", + "markdownDescription": "The slate used to fill gaps between programs in the schedule. You must configure filler slate if your channel uses the `LINEAR` `PlaybackMode` . MediaTailor doesn't support filler slate for channels using the `LOOP` `PlaybackMode` .", + "title": "FillerSlate" }, "LogConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.LogConfigurationForChannel" + "$ref": "#/definitions/AWS::MediaTailor::Channel.LogConfigurationForChannel", + "markdownDescription": "The log configuration.", + "title": "LogConfiguration" }, "Outputs": { "items": { "$ref": "#/definitions/AWS::MediaTailor::Channel.RequestOutputItem" }, + "markdownDescription": "The channel's output properties.", + "title": "Outputs", "type": "array" }, "PlaybackMode": { + "markdownDescription": "The type of playback mode for this channel.\n\n`LINEAR` - Programs play back-to-back only once.\n\n`LOOP` - Programs play back-to-back in an endless loop. When the last program in the schedule plays, playback loops back to the first program in the schedule.", + "title": "PlaybackMode", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to assign to the channel. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" }, "Tier": { + "markdownDescription": "The tier for this channel. STANDARD tier channels can contain live programs.", + "title": "Tier", "type": "string" } }, @@ -148170,15 +149158,23 @@ "additionalProperties": false, "properties": { "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "title": "ManifestWindowSeconds", "type": "number" }, "MinBufferTimeSeconds": { + "markdownDescription": "Minimum amount of content (measured in seconds) that a player must keep available in the buffer. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "MinBufferTimeSeconds", "type": "number" }, "MinUpdatePeriodSeconds": { + "markdownDescription": "Minimum amount of time (in seconds) that the player should wait before requesting updates to the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "MinUpdatePeriodSeconds", "type": "number" }, "SuggestedPresentationDelaySeconds": { + "markdownDescription": "Amount of time (in seconds) that the player should be from the live point at the end of the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "SuggestedPresentationDelaySeconds", "type": "number" } }, @@ -148191,9 +149187,13 @@ "items": { "type": "string" }, + "markdownDescription": "Determines the type of SCTE 35 tags to use in ad markup. Specify `DATERANGE` to use `DATERANGE` tags (for live or VOD content). Specify `SCTE35_ENHANCED` to use `EXT-X-CUE-OUT` and `EXT-X-CUE-IN` tags (for VOD content only).", + "title": "AdMarkupType", "type": "array" }, "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "title": "ManifestWindowSeconds", "type": "number" } }, @@ -148206,6 +149206,8 @@ "items": { "type": "string" }, + "markdownDescription": "The log types.", + "title": "LogTypes", "type": "array" } }, @@ -148215,15 +149217,23 @@ "additionalProperties": false, "properties": { "DashPlaylistSettings": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.DashPlaylistSettings" + "$ref": "#/definitions/AWS::MediaTailor::Channel.DashPlaylistSettings", + "markdownDescription": "DASH manifest configuration parameters.", + "title": "DashPlaylistSettings" }, "HlsPlaylistSettings": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.HlsPlaylistSettings" + "$ref": "#/definitions/AWS::MediaTailor::Channel.HlsPlaylistSettings", + "markdownDescription": "HLS playlist configuration parameters.", + "title": "HlsPlaylistSettings" }, "ManifestName": { + "markdownDescription": "The name of the manifest for the channel. The name appears in the `PlaybackUrl` .", + "title": "ManifestName", "type": "string" }, "SourceGroup": { + "markdownDescription": "A string used to match which `HttpPackageConfiguration` is used for each `VodSource` .", + "title": "SourceGroup", "type": "string" } }, @@ -148237,9 +149247,13 @@ "additionalProperties": false, "properties": { "SourceLocationName": { + "markdownDescription": "The name of the source location where the slate VOD source is stored.", + "title": "SourceLocationName", "type": "string" }, "VodSourceName": { + "markdownDescription": "The slate VOD source name. The VOD source must already exist in a source location before it can be used for slate.", + "title": "VodSourceName", "type": "string" } }, @@ -148281,9 +149295,13 @@ "additionalProperties": false, "properties": { "ChannelName": { + "markdownDescription": "The name of the channel associated with this Channel Policy.", + "title": "ChannelName", "type": "string" }, "Policy": { + "markdownDescription": "The IAM policy for the channel. IAM policies are used to control access to your channel.", + "title": "Policy", "type": "object" } }, @@ -148353,18 +149371,26 @@ "items": { "$ref": "#/definitions/AWS::MediaTailor::LiveSource.HttpPackageConfiguration" }, + "markdownDescription": "The HTTP package configurations for the live source.", + "title": "HttpPackageConfigurations", "type": "array" }, "LiveSourceName": { + "markdownDescription": "The name that's used to refer to a live source.", + "title": "LiveSourceName", "type": "string" }, "SourceLocationName": { + "markdownDescription": "The name of the source location.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the live source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" } }, @@ -148400,12 +149426,18 @@ "additionalProperties": false, "properties": { "Path": { + "markdownDescription": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "title": "Path", "type": "string" }, "SourceGroup": { + "markdownDescription": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "title": "SourceGroup", "type": "string" }, "Type": { + "markdownDescription": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` .", + "title": "Type", "type": "string" } }, @@ -148452,23 +149484,23 @@ "additionalProperties": false, "properties": { "AdDecisionServerUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the ad decision server (ADS). This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing you can provide a static VAST URL. The maximum length is 25,000 characters.", "title": "AdDecisionServerUrl", "type": "string" }, "AvailSuppression": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.AvailSuppression", - "markdownDescription": "", + "markdownDescription": "The configuration for avail suppression, also known as ad suppression. For more information about ad suppression, see [Ad Suppression](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "title": "AvailSuppression" }, "Bumper": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.Bumper", - "markdownDescription": "", + "markdownDescription": "The configuration for bumpers. Bumpers are short audio or video clips that play at the start or before the end of an ad break. To learn more about bumpers, see [Bumpers](https://docs.aws.amazon.com/mediatailor/latest/ug/bumpers.html) .", "title": "Bumper" }, "CdnConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.CdnConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for using a content delivery network (CDN), like Amazon CloudFront, for content and ad segment management.", "title": "CdnConfiguration" }, "ConfigurationAliases": { @@ -148484,7 +149516,7 @@ }, "DashConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.DashConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for a DASH source.", "title": "DashConfiguration" }, "HlsConfiguration": { @@ -148494,26 +149526,26 @@ }, "LivePreRollConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.LivePreRollConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for pre-roll ad insertion.", "title": "LivePreRollConfiguration" }, "ManifestProcessingRules": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.ManifestProcessingRules", - "markdownDescription": "", + "markdownDescription": "The configuration for manifest processing rules. Manifest processing rules enable customization of the personalized manifests created by MediaTailor.", "title": "ManifestProcessingRules" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The identifier for the playback configuration.", "title": "Name", "type": "string" }, "PersonalizationThresholdSeconds": { - "markdownDescription": "", + "markdownDescription": "Defines the maximum duration of underfilled ad time (in seconds) allowed in an ad break. If the duration of underfilled ad time exceeds the personalization threshold, then the personalization of the ad break is abandoned and the underlying content is shown. This feature applies to *ad replacement* in live and VOD streams, rather than ad insertion, because it relies on an underlying content stream. For more information about ad break behavior, including ad replacement and insertion, see [Ad Behavior in AWS Elemental MediaTailor](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "title": "PersonalizationThresholdSeconds", "type": "number" }, "SlateAdUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for a video asset to transcode and use to fill in time that's not used by ads. AWS Elemental MediaTailor shows the slate to fill in gaps in media content. Configuring the slate is optional for non-VPAID playback configurations. For VPAID, the slate is required because MediaTailor provides it in the slots designated for dynamic ad content. The slate must be a high-quality asset that contains both audio and video.", "title": "SlateAdUrl", "type": "string" }, @@ -148521,17 +149553,17 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The tags to assign to the playback configuration. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", "title": "Tags", "type": "array" }, "TranscodeProfileName": { - "markdownDescription": "", + "markdownDescription": "The name that is used to associate this playback configuration with a custom transcode profile. This overrides the dynamic transcoding defaults of MediaTailor. Use this only if you have already set up custom profiles with the help of AWS Support.", "title": "TranscodeProfileName", "type": "string" }, "VideoContentSourceUrl": { - "markdownDescription": "", + "markdownDescription": "The URL prefix for the parent manifest for the stream, minus the asset ID. The maximum length is 512 characters.", "title": "VideoContentSourceUrl", "type": "string" } @@ -148568,7 +149600,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "", + "markdownDescription": "Enables ad marker passthrough for your configuration.", "title": "Enabled", "type": "boolean" } @@ -148579,12 +149611,12 @@ "additionalProperties": false, "properties": { "Mode": { - "markdownDescription": "", + "markdownDescription": "Sets the ad suppression mode. By default, ad suppression is off and all ad breaks are filled with ads or slate. When Mode is set to `BEHIND_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks on or behind the ad suppression Value time in the manifest lookback window. When Mode is set to `AFTER_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks that are within the live edge plus the avail suppression value.", "title": "Mode", "type": "string" }, "Value": { - "markdownDescription": "", + "markdownDescription": "A live edge offset time in HH:MM:SS. MediaTailor won't fill ad breaks on or behind this time in the manifest lookback window. If Value is set to 00:00:00, it is in sync with the live edge, and MediaTailor won't fill any ad breaks on or behind the live edge. If you set a Value time, MediaTailor won't fill any ad breaks on or behind this time in the manifest lookback window. For example, if you set 00:45:00, then MediaTailor will fill ad breaks that occur within 45 minutes behind the live edge, but won't fill ad breaks on or behind 45 minutes behind the live edge.", "title": "Value", "type": "string" } @@ -148595,12 +149627,12 @@ "additionalProperties": false, "properties": { "EndUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the end bumper asset.", "title": "EndUrl", "type": "string" }, "StartUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the start bumper asset.", "title": "StartUrl", "type": "string" } @@ -148611,12 +149643,12 @@ "additionalProperties": false, "properties": { "AdSegmentUrlPrefix": { - "markdownDescription": "", + "markdownDescription": "A non-default content delivery network (CDN) to serve ad segments. By default, AWS Elemental MediaTailor uses Amazon CloudFront with default cache settings as its CDN for ad segments. To set up an alternate CDN, create a rule in your CDN for the origin ads.mediatailor. ** .amazonaws.com. Then specify the rule's name in this `AdSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for ad segments.", "title": "AdSegmentUrlPrefix", "type": "string" }, "ContentSegmentUrlPrefix": { - "markdownDescription": "", + "markdownDescription": "A content delivery network (CDN) to cache content segments, so that content requests don\u2019t always have to go to the origin server. First, create a rule in your CDN for the content segment origin server. Then specify the rule's name in this `ContentSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for content segments.", "title": "ContentSegmentUrlPrefix", "type": "string" } @@ -148659,12 +149691,12 @@ "additionalProperties": false, "properties": { "AdDecisionServerUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the ad decision server (ADS) for pre-roll ads. This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing, you can provide a static VAST URL. The maximum length is 25,000 characters.", "title": "AdDecisionServerUrl", "type": "string" }, "MaxDurationSeconds": { - "markdownDescription": "", + "markdownDescription": "The maximum allowed duration for the pre-roll ad avail. AWS Elemental MediaTailor won't play pre-roll ads to exceed this duration, regardless of the total duration of ads that the ADS returns.", "title": "MaxDurationSeconds", "type": "number" } @@ -148676,7 +149708,7 @@ "properties": { "AdMarkerPassthrough": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.AdMarkerPassthrough", - "markdownDescription": "", + "markdownDescription": "For HLS, when set to `true` , MediaTailor passes through `EXT-X-CUE-IN` , `EXT-X-CUE-OUT` , and `EXT-X-SPLICEPOINT-SCTE35` ad markers from the origin manifest to the MediaTailor personalized manifest.\n\nNo logic is applied to these ad markers. For example, if `EXT-X-CUE-OUT` has a value of `60` , but no ads are filled for that ad break, MediaTailor will not set the value to `0` .", "title": "AdMarkerPassthrough" } }, @@ -148718,27 +149750,39 @@ "additionalProperties": false, "properties": { "AccessConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.AccessConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.AccessConfiguration", + "markdownDescription": "The access configuration for the source location.", + "title": "AccessConfiguration" }, "DefaultSegmentDeliveryConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.DefaultSegmentDeliveryConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.DefaultSegmentDeliveryConfiguration", + "markdownDescription": "The default segment delivery configuration.", + "title": "DefaultSegmentDeliveryConfiguration" }, "HttpConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.HttpConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.HttpConfiguration", + "markdownDescription": "The HTTP configuration for the source location.", + "title": "HttpConfiguration" }, "SegmentDeliveryConfigurations": { "items": { "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SegmentDeliveryConfiguration" }, + "markdownDescription": "The segment delivery configurations for the source location.", + "title": "SegmentDeliveryConfigurations", "type": "array" }, "SourceLocationName": { + "markdownDescription": "The name of the source location.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the source location. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" } }, @@ -148773,10 +149817,14 @@ "additionalProperties": false, "properties": { "AccessType": { + "markdownDescription": "The type of authentication used to access content from `HttpConfiguration::BaseUrl` on your source location. Accepted value: `S3_SIGV4` .\n\n`S3_SIGV4` - AWS Signature Version 4 authentication for Amazon S3 hosted virtual-style access. If your source location base URL is an Amazon S3 bucket, MediaTailor can use AWS Signature Version 4 (SigV4) authentication to access the bucket where your source content is stored. Your MediaTailor source location baseURL must follow the S3 virtual hosted-style request URL format. For example, https://bucket-name.s3.Region.amazonaws.com/key-name.\n\nBefore you can use `S3_SIGV4` , you must meet these requirements:\n\n\u2022 You must allow MediaTailor to access your S3 bucket by granting mediatailor.amazonaws.com principal access in IAM. For information about configuring access in IAM, see Access management in the IAM User Guide.\n\n\u2022 The mediatailor.amazonaws.com service principal must have permissions to read all top level manifests referenced by the VodSource packaging configurations.\n\n\u2022 The caller of the API must have s3:GetObject IAM permissions to read all top level manifests referenced by your MediaTailor VodSource packaging configurations.", + "title": "AccessType", "type": "string" }, "SecretsManagerAccessTokenConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SecretsManagerAccessTokenConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SecretsManagerAccessTokenConfiguration", + "markdownDescription": "AWS Secrets Manager access token configuration parameters.", + "title": "SecretsManagerAccessTokenConfiguration" } }, "type": "object" @@ -148785,6 +149833,8 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The hostname of the server that will be used to serve segments. This string must include the protocol, such as *https://* .", + "title": "BaseUrl", "type": "string" } }, @@ -148794,6 +149844,8 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The base URL for the source location host server. This string must include the protocol, such as *https://* .", + "title": "BaseUrl", "type": "string" } }, @@ -148806,12 +149858,18 @@ "additionalProperties": false, "properties": { "HeaderName": { + "markdownDescription": "The name of the HTTP header used to supply the access token in requests to the source location.", + "title": "HeaderName", "type": "string" }, "SecretArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the access token.", + "title": "SecretArn", "type": "string" }, "SecretStringKey": { + "markdownDescription": "The AWS Secrets Manager [SecretString](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html#SecretsManager-CreateSecret-request-SecretString.html) key associated with the access token. MediaTailor uses the key to look up SecretString key and value pair containing the access token.", + "title": "SecretStringKey", "type": "string" } }, @@ -148821,9 +149879,13 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The base URL of the host or path of the segment delivery server that you're using to serve segments. This is typically a content delivery network (CDN). The URL can be absolute or relative. To use an absolute URL include the protocol, such as `https://example.com/some/path` . To use a relative URL specify the relative path, such as `/some/path*` .", + "title": "BaseUrl", "type": "string" }, "Name": { + "markdownDescription": "A unique identifier used to distinguish between multiple segment delivery configurations in a source location.", + "title": "Name", "type": "string" } }, @@ -148868,18 +149930,26 @@ "items": { "$ref": "#/definitions/AWS::MediaTailor::VodSource.HttpPackageConfiguration" }, + "markdownDescription": "The HTTP package configurations for the VOD source.", + "title": "HttpPackageConfigurations", "type": "array" }, "SourceLocationName": { + "markdownDescription": "The name of the source location that the VOD source is associated with.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the VOD source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" }, "VodSourceName": { + "markdownDescription": "The name of the VOD source.", + "title": "VodSourceName", "type": "string" } }, @@ -148915,12 +149985,18 @@ "additionalProperties": false, "properties": { "Path": { + "markdownDescription": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "title": "Path", "type": "string" }, "SourceGroup": { + "markdownDescription": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "title": "SourceGroup", "type": "string" }, "Type": { + "markdownDescription": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` .", + "title": "Type", "type": "string" } }, @@ -149500,12 +150576,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The password(s) used for authentication", "title": "Passwords", "type": "array" }, "Type": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the user requires a password to authenticate. All newly-created users require a password.", "title": "Type", "type": "string" } @@ -149589,6 +150665,8 @@ "type": "string" }, "DBPort": { + "markdownDescription": "The port number on which the DB instances in the DB cluster accept connections.\n\nIf not specified, the default port used is `8182` .\n\n> The `Port` property will soon be deprecated. Please update existing templates to use the new `DBPort` property that has the same functionality.", + "title": "DBPort", "type": "number" }, "DBSubnetGroupName": { @@ -149731,12 +150809,12 @@ "additionalProperties": false, "properties": { "MaxCapacity": { - "markdownDescription": "", + "markdownDescription": "The maximum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 40, 40.5, 41, and so on.", "title": "MaxCapacity", "type": "number" }, "MinCapacity": { - "markdownDescription": "", + "markdownDescription": "The minimum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 8, 8.5, 9, and so on.", "title": "MinCapacity", "type": "number" } @@ -150526,7 +151604,7 @@ "additionalProperties": false, "properties": { "RuleOrder": { - "markdownDescription": "Indicates how to manage the order of stateful rule evaluation for the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", + "markdownDescription": "Indicates how to manage the order of stateful rule evaluation for the policy. `STRICT_ORDER` is the default and recommended option. With `STRICT_ORDER` , provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose `STRICT_ORDER` to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is `PASS` , followed by `DROP` , `REJECT` , and `ALERT` actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on your settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", "title": "RuleOrder", "type": "string" }, @@ -151110,7 +152188,7 @@ }, "StatefulRuleOptions": { "$ref": "#/definitions/AWS::NetworkFirewall::RuleGroup.StatefulRuleOptions", - "markdownDescription": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings.", + "markdownDescription": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings. Some limitations apply; for more information, see [Strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html) in the *AWS Network Firewall Developer Guide* .", "title": "StatefulRuleOptions" } }, @@ -151178,7 +152256,7 @@ "title": "RulesSourceList" }, "RulesString": { - "markdownDescription": "Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules. Suricata is an open-source network IPS that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.", + "markdownDescription": "Stateful inspection criteria, provided in Suricata compatible rules. Suricata is an open-source threat detection framework that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.\n\n> You can't use the `priority` keyword if the `RuleOrder` option in `StatefulRuleOptions` is set to `STRICT_ORDER` .", "title": "RulesString", "type": "string" }, @@ -151392,7 +152470,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::ConnectAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "Tags": { @@ -151510,7 +152588,7 @@ "properties": { "BgpOptions": { "$ref": "#/definitions/AWS::NetworkManager::ConnectPeer.BgpOptions", - "markdownDescription": "", + "markdownDescription": "Describes the BGP options.", "title": "BgpOptions" }, "ConnectAttachmentId": { @@ -151537,6 +152615,8 @@ "type": "string" }, "SubnetArn": { + "markdownDescription": "The subnet ARN of the Connect peer.", + "title": "SubnetArn", "type": "string" }, "Tags": { @@ -151906,7 +152986,7 @@ "properties": { "AWSLocation": { "$ref": "#/definitions/AWS::NetworkManager::Device.AWSLocation", - "markdownDescription": "", + "markdownDescription": "The AWS location of the device.", "title": "AWSLocation" }, "Description": { @@ -151988,12 +153068,12 @@ "additionalProperties": false, "properties": { "SubnetArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the subnet that the device is located in.", "title": "SubnetArn", "type": "string" }, "Zone": { - "markdownDescription": "", + "markdownDescription": "The Zone that the device is located in. Specify the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost.", "title": "Zone", "type": "string" } @@ -152057,6 +153137,8 @@ "additionalProperties": false, "properties": { "CreatedAt": { + "markdownDescription": "The date and time that the global network was created.", + "title": "CreatedAt", "type": "string" }, "Description": { @@ -152065,6 +153147,8 @@ "type": "string" }, "State": { + "markdownDescription": "The state of the global network.", + "title": "State", "type": "string" }, "Tags": { @@ -152443,7 +153527,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::SiteToSiteVpnAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "Tags": { @@ -152822,7 +153906,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::VpcAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "SubnetArns": { @@ -153041,7 +154125,7 @@ "additionalProperties": false, "properties": { "AutomaticTerminationMode": { - "markdownDescription": "", + "markdownDescription": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", "title": "AutomaticTerminationMode", "type": "string" }, @@ -153070,11 +154154,11 @@ }, "SessionBackup": { "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionBackup", - "markdownDescription": "", + "markdownDescription": "Information about the streaming session backup.", "title": "SessionBackup" }, "SessionPersistenceMode": { - "markdownDescription": "", + "markdownDescription": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", "title": "SessionPersistenceMode", "type": "string" }, @@ -153093,7 +154177,7 @@ }, "VolumeConfiguration": { "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.VolumeConfiguration", - "markdownDescription": "", + "markdownDescription": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` .", "title": "VolumeConfiguration" } }, @@ -153108,12 +154192,12 @@ "additionalProperties": false, "properties": { "MaxBackupsToRetain": { - "markdownDescription": "", + "markdownDescription": "The maximum number of backups that each streaming session created from this launch profile can have.", "title": "MaxBackupsToRetain", "type": "number" }, "Mode": { - "markdownDescription": "", + "markdownDescription": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` .", "title": "Mode", "type": "string" } @@ -153162,17 +154246,17 @@ "additionalProperties": false, "properties": { "Iops": { - "markdownDescription": "", + "markdownDescription": "The number of I/O operations per second for the root volume that is attached to streaming session.", "title": "Iops", "type": "number" }, "Size": { - "markdownDescription": "", + "markdownDescription": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.", "title": "Size", "type": "number" }, "Throughput": { - "markdownDescription": "", + "markdownDescription": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s.", "title": "Throughput", "type": "number" } @@ -153278,12 +154362,12 @@ "additionalProperties": false, "properties": { "KeyArn": { - "markdownDescription": "", + "markdownDescription": "The ARN for a KMS key that is used to encrypt studio data.", "title": "KeyArn", "type": "string" }, "KeyType": { - "markdownDescription": "", + "markdownDescription": "The type of KMS key that is used to encrypt studio data.", "title": "KeyType", "type": "string" } @@ -153815,7 +154899,7 @@ "additionalProperties": false, "properties": { "LogGroup": { - "markdownDescription": "", + "markdownDescription": "The name of the CloudWatch Logs group to send pipeline logs to. You can specify an existing log group or create a new one. For example, `/aws/OpenSearchService/IngestionService/my-pipeline` .", "title": "LogGroup", "type": "string" } @@ -153925,7 +155009,7 @@ "items": { "type": "string" }, - "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace` .", + "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application` .", "title": "ResourceTypes", "type": "array" }, @@ -154387,6 +155471,8 @@ "type": "number" }, "MaxGpus": { + "markdownDescription": "The maximum GPUs that can be used by a run group.", + "title": "MaxGpus", "type": "number" }, "MaxRuns": { @@ -154474,7 +155560,7 @@ "type": "string" }, "FallbackLocation": { - "markdownDescription": "", + "markdownDescription": "An S3 location that is used to store files that have failed a direct upload.", "title": "FallbackLocation", "type": "string" }, @@ -154708,6 +155794,8 @@ "additionalProperties": false, "properties": { "Accelerators": { + "markdownDescription": "", + "title": "Accelerators", "type": "string" }, "DefinitionUri": { @@ -154939,7 +156027,7 @@ "type": "array" }, "Type": { - "markdownDescription": "The type of collection. Possible values are `SEARCH` and `TIMESERIES` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) .", + "markdownDescription": "The type of collection. Possible values are `SEARCH` , `TIMESERIES` , and `VECTORSEARCH` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) .", "title": "Type", "type": "string" } @@ -156036,7 +157124,7 @@ "type": "string" }, "Secure": { - "markdownDescription": "(Optional) Whether the variable's value is returned by the [DescribeApps](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeApps) action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", + "markdownDescription": "(Optional) Whether the variable's value is returned by the `DescribeApps` action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", "title": "Secure", "type": "boolean" }, @@ -156218,7 +157306,7 @@ "additionalProperties": false, "properties": { "AgentVersion": { - "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.", + "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.", "title": "AgentVersion", "type": "string" }, @@ -156269,7 +157357,7 @@ "type": "string" }, "InstallUpdatesOnBoot": { - "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", + "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", "title": "InstallUpdatesOnBoot", "type": "boolean" }, @@ -156287,7 +157375,7 @@ "type": "array" }, "Os": { - "markdownDescription": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the [CreateInstance](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateInstance) action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", + "markdownDescription": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the `CreateInstance` action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", "title": "Os", "type": "string" }, @@ -156588,7 +157676,7 @@ "type": "boolean" }, "InstallUpdatesOnBoot": { - "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", + "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", "title": "InstallUpdatesOnBoot", "type": "boolean" }, @@ -156891,7 +157979,7 @@ "additionalProperties": false, "properties": { "AgentVersion": { - "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", + "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", "title": "AgentVersion", "type": "string" }, @@ -157586,7 +158674,7 @@ "type": "array" }, "RoleName": { - "markdownDescription": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Accessing and Administering the Member Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [Tutorial: Delegate Access Across AWS accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", + "markdownDescription": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Creating the OrganizationAccountAccessRole in an invited member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", "title": "RoleName", "type": "string" }, @@ -157662,7 +158750,7 @@ "additionalProperties": false, "properties": { "FeatureSet": { - "markdownDescription": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide.*\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` .", + "markdownDescription": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide* .\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` .", "title": "FeatureSet", "type": "string" } @@ -157981,22 +159069,30 @@ "additionalProperties": false, "properties": { "CertificateAuthorityArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the certificate authority being used.", + "title": "CertificateAuthorityArn", "type": "string" }, "DirectoryId": { + "markdownDescription": "The identifier of the Active Directory.", + "title": "DirectoryId", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a connector consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" }, "VpcInformation": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Connector.VpcInformation" + "$ref": "#/definitions/AWS::PCAConnectorAD::Connector.VpcInformation", + "markdownDescription": "Information of the VPC and security group(s) used with the connector.", + "title": "VpcInformation" } }, "required": [ @@ -158034,6 +159130,8 @@ "items": { "type": "string" }, + "markdownDescription": "The security groups used with the connector. You can use a maximum of 4 security groups with a connector.", + "title": "SecurityGroupIds", "type": "array" } }, @@ -158078,15 +159176,19 @@ "additionalProperties": false, "properties": { "DirectoryId": { + "markdownDescription": "The identifier of the Active Directory.", + "title": "DirectoryId", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a directory registration consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, @@ -158152,9 +159254,13 @@ "additionalProperties": false, "properties": { "ConnectorArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "title": "ConnectorArn", "type": "string" }, "DirectoryRegistrationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html) .", + "title": "DirectoryRegistrationArn", "type": "string" } }, @@ -158216,24 +159322,34 @@ "additionalProperties": false, "properties": { "ConnectorArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "title": "ConnectorArn", "type": "string" }, "Definition": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateDefinition" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateDefinition", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "Definition" }, "Name": { + "markdownDescription": "Name of the templates. Template names must be unique.", + "title": "Name", "type": "string" }, "ReenrollAllCertificateHolders": { + "markdownDescription": "This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.", + "title": "ReenrollAllCertificateHolders", "type": "boolean" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a template consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, @@ -158269,12 +159385,16 @@ "additionalProperties": false, "properties": { "Critical": { + "markdownDescription": "Marks the application policy extension as critical.", + "title": "Critical", "type": "boolean" }, "Policies": { "items": { "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicy" }, + "markdownDescription": "Application policies describe what the certificate can be used for.", + "title": "Policies", "type": "array" } }, @@ -158287,9 +159407,13 @@ "additionalProperties": false, "properties": { "PolicyObjectIdentifier": { + "markdownDescription": "The object identifier (OID) of an application policy.", + "title": "PolicyObjectIdentifier", "type": "string" }, "PolicyType": { + "markdownDescription": "The type of application policy", + "title": "PolicyType", "type": "string" } }, @@ -158299,10 +159423,14 @@ "additionalProperties": false, "properties": { "RenewalPeriod": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod", + "markdownDescription": "Renewal period is the period of time before certificate expiration when a new certificate will be requested.", + "title": "RenewalPeriod" }, "ValidityPeriod": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod", + "markdownDescription": "Information describing the end of the validity period of the certificate. This parameter sets the \u201cNot After\u201d date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.", + "title": "ValidityPeriod" } }, "required": [ @@ -158315,18 +159443,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, @@ -158336,18 +159474,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, @@ -158357,18 +159505,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, @@ -158378,10 +159536,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158393,10 +159555,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158408,10 +159574,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158423,9 +159593,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.", + "title": "MachineType", "type": "boolean" } }, @@ -158435,9 +159609,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users", + "title": "MachineType", "type": "boolean" } }, @@ -158447,9 +159625,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users", + "title": "MachineType", "type": "boolean" } }, @@ -158459,10 +159641,14 @@ "additionalProperties": false, "properties": { "Critical": { + "markdownDescription": "Sets the key usage extension to critical.", + "title": "Critical", "type": "boolean" }, "UsageFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageFlags" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageFlags", + "markdownDescription": "The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.", + "title": "UsageFlags" } }, "required": [ @@ -158474,18 +159660,28 @@ "additionalProperties": false, "properties": { "DataEncipherment": { + "markdownDescription": "DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.", + "title": "DataEncipherment", "type": "boolean" }, "DigitalSignature": { + "markdownDescription": "The digitalSignature is asserted when the subject public key is used for verifying digital signatures.", + "title": "DigitalSignature", "type": "boolean" }, "KeyAgreement": { + "markdownDescription": "KeyAgreement is asserted when the subject public key is used for key agreement.", + "title": "KeyAgreement", "type": "boolean" }, "KeyEncipherment": { + "markdownDescription": "KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.", + "title": "KeyEncipherment", "type": "boolean" }, "NonRepudiation": { + "markdownDescription": "NonRepudiation is asserted when the subject public key is used to verify digital signatures.", + "title": "NonRepudiation", "type": "boolean" } }, @@ -158495,9 +159691,13 @@ "additionalProperties": false, "properties": { "PropertyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsagePropertyFlags" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsagePropertyFlags", + "markdownDescription": "You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.", + "title": "PropertyFlags" }, "PropertyType": { + "markdownDescription": "You can specify all key usages using property type ALL. You can use property type or property flags but not both.", + "title": "PropertyType", "type": "string" } }, @@ -158507,12 +159707,18 @@ "additionalProperties": false, "properties": { "Decrypt": { + "markdownDescription": "Allows key for encryption and decryption.", + "title": "Decrypt", "type": "boolean" }, "KeyAgreement": { + "markdownDescription": "Allows key exchange without encryption.", + "title": "KeyAgreement", "type": "boolean" }, "Sign": { + "markdownDescription": "Allow key use for digital signature.", + "title": "Sign", "type": "boolean" } }, @@ -158525,12 +159731,18 @@ "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, @@ -158544,21 +159756,31 @@ "additionalProperties": false, "properties": { "Algorithm": { + "markdownDescription": "Defines the algorithm used to generate the private key.", + "title": "Algorithm", "type": "string" }, "CryptoProviders": { "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "KeyUsageProperty": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty", + "markdownDescription": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "title": "KeyUsageProperty" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, @@ -158574,21 +159796,31 @@ "additionalProperties": false, "properties": { "Algorithm": { + "markdownDescription": "Defines the algorithm used to generate the private key.", + "title": "Algorithm", "type": "string" }, "CryptoProviders": { "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "KeyUsageProperty": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty", + "markdownDescription": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "title": "KeyUsageProperty" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, @@ -158602,12 +159834,18 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Require user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" } }, @@ -158620,15 +159858,23 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "RequireAlternateSignatureAlgorithm": { + "markdownDescription": "Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "title": "RequireAlternateSignatureAlgorithm", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Requirer user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" } }, @@ -158641,21 +159887,33 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "RequireAlternateSignatureAlgorithm": { + "markdownDescription": "Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "title": "RequireAlternateSignatureAlgorithm", "type": "boolean" }, "RequireSameKeyRenewal": { + "markdownDescription": "Renew certificate using the same private key.", + "title": "RequireSameKeyRenewal", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Require user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" }, "UseLegacyProvider": { + "markdownDescription": "Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.", + "title": "UseLegacyProvider", "type": "boolean" } }, @@ -158668,33 +159926,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, @@ -158704,33 +159982,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, @@ -158740,33 +160038,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, @@ -158776,13 +160094,19 @@ "additionalProperties": false, "properties": { "TemplateV2": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV2", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV2" }, "TemplateV3": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV3", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV3" }, "TemplateV4": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV4", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV4" } }, "type": "object" @@ -158791,30 +160115,46 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV2", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV2", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV2", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV2", + "markdownDescription": "Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV2", + "markdownDescription": "Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV2", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, @@ -158833,33 +160173,51 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV3", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV3", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV3", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "HashAlgorithm": { + "markdownDescription": "Specifies the hash algorithm used to hash the private key.", + "title": "HashAlgorithm", "type": "string" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV3", + "markdownDescription": "Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV3", + "markdownDescription": "Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV3", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, @@ -158879,33 +160237,51 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV4", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV4", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV4", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "HashAlgorithm": { + "markdownDescription": "Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.", + "title": "HashAlgorithm", "type": "string" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV4", + "markdownDescription": "Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV4", + "markdownDescription": "Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV4", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, @@ -158924,9 +160300,13 @@ "additionalProperties": false, "properties": { "Period": { + "markdownDescription": "The numeric value for the validity period.", + "title": "Period", "type": "number" }, "PeriodType": { + "markdownDescription": "The unit of time. You can select hours, days, weeks, months, and years.", + "title": "PeriodType", "type": "string" } }, @@ -158972,15 +160352,23 @@ "additionalProperties": false, "properties": { "AccessRights": { - "$ref": "#/definitions/AWS::PCAConnectorAD::TemplateGroupAccessControlEntry.AccessRights" + "$ref": "#/definitions/AWS::PCAConnectorAD::TemplateGroupAccessControlEntry.AccessRights", + "markdownDescription": "Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template.", + "title": "AccessRights" }, "GroupDisplayName": { + "markdownDescription": "Name of the Active Directory group. This name does not need to match the group name in Active Directory.", + "title": "GroupDisplayName", "type": "string" }, "GroupSecurityIdentifier": { + "markdownDescription": "Security identifier (SID) of the group object from Active Directory. The SID starts with \"S-\".", + "title": "GroupSecurityIdentifier", "type": "string" }, "TemplateArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html) .", + "title": "TemplateArn", "type": "string" } }, @@ -159015,9 +160403,13 @@ "additionalProperties": false, "properties": { "AutoEnroll": { + "markdownDescription": "Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment", + "title": "AutoEnroll", "type": "string" }, "Enroll": { + "markdownDescription": "Allow or deny an Active Directory group from enrolling certificates issued against a template.", + "title": "Enroll", "type": "string" } }, @@ -159193,7 +160585,7 @@ }, "StorageLocation": { "$ref": "#/definitions/AWS::Panorama::Package.StorageLocation", - "markdownDescription": "", + "markdownDescription": "A storage location.", "title": "StorageLocation" }, "Tags": { @@ -159235,27 +160627,27 @@ "additionalProperties": false, "properties": { "BinaryPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's binary prefix.", "title": "BinaryPrefixLocation", "type": "string" }, "Bucket": { - "markdownDescription": "", + "markdownDescription": "The location's bucket.", "title": "Bucket", "type": "string" }, "GeneratedPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's generated prefix.", "title": "GeneratedPrefixLocation", "type": "string" }, "ManifestPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's manifest prefix.", "title": "ManifestPrefixLocation", "type": "string" }, "RepoPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's repo prefix.", "title": "RepoPrefixLocation", "type": "string" } @@ -159398,7 +160790,7 @@ }, "DatasetImportJob": { "$ref": "#/definitions/AWS::Personalize::Dataset.DatasetImportJob", - "markdownDescription": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset.", + "markdownDescription": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset. If you specify a dataset import job as part of a dataset, all dataset import job fields are required.", "title": "DatasetImportJob" }, "DatasetType": { @@ -159450,7 +160842,7 @@ "additionalProperties": false, "properties": { "DataLocation": { - "markdownDescription": "", + "markdownDescription": "The path to the Amazon S3 bucket where the data that you want to upload to your dataset is stored. For example:\n\n`s3://bucket-name/folder-name/`", "title": "DataLocation", "type": "string" } @@ -159539,7 +160931,7 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The ARN of the IAM role that has permissions to create the dataset group.", + "markdownDescription": "The ARN of the AWS Identity and Access Management (IAM) role that has permissions to access the AWS Key Management Service (KMS) key. Supplying an IAM role is only valid when also specifying a KMS key.", "title": "RoleArn", "type": "string" } @@ -159753,7 +161145,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.CategoricalHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of a categorical hyperparameter.", "title": "CategoricalHyperParameterRanges", "type": "array" }, @@ -159761,7 +161153,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.ContinuousHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of a continuous hyperparameter.", "title": "ContinuousHyperParameterRanges", "type": "array" }, @@ -159769,7 +161161,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.IntegerHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of an integer-valued hyperparameter.", "title": "IntegerHyperParameterRanges", "type": "array" } @@ -159780,7 +161172,7 @@ "additionalProperties": false, "properties": { "MetricName": { - "markdownDescription": "", + "markdownDescription": "The metric to optimize.", "title": "MetricName", "type": "string" }, @@ -159788,7 +161180,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The list of candidate recipes.", "title": "RecipeList", "type": "array" } @@ -159799,7 +161191,7 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" }, @@ -159807,7 +161199,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of the categories for the hyperparameter.", "title": "Values", "type": "array" } @@ -159818,17 +161210,17 @@ "additionalProperties": false, "properties": { "MaxValue": { - "markdownDescription": "", + "markdownDescription": "The maximum allowable value for the hyperparameter.", "title": "MaxValue", "type": "number" }, "MinValue": { - "markdownDescription": "", + "markdownDescription": "The minimum allowable value for the hyperparameter.", "title": "MinValue", "type": "number" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" } @@ -159840,17 +161232,17 @@ "properties": { "AlgorithmHyperParameterRanges": { "$ref": "#/definitions/AWS::Personalize::Solution.AlgorithmHyperParameterRanges", - "markdownDescription": "", + "markdownDescription": "The hyperparameters and their allowable ranges.", "title": "AlgorithmHyperParameterRanges" }, "HpoObjective": { "$ref": "#/definitions/AWS::Personalize::Solution.HpoObjective", - "markdownDescription": "", + "markdownDescription": "The metric to optimize during HPO.\n\n> Amazon Personalize doesn't support configuring the `hpoObjective` at this time.", "title": "HpoObjective" }, "HpoResourceConfig": { "$ref": "#/definitions/AWS::Personalize::Solution.HpoResourceConfig", - "markdownDescription": "", + "markdownDescription": "Describes the resource configuration for HPO.", "title": "HpoResourceConfig" } }, @@ -159860,17 +161252,17 @@ "additionalProperties": false, "properties": { "MetricName": { - "markdownDescription": "", + "markdownDescription": "The name of the metric.", "title": "MetricName", "type": "string" }, "MetricRegex": { - "markdownDescription": "", + "markdownDescription": "A regular expression for finding the metric in the training job logs.", "title": "MetricRegex", "type": "string" }, "Type": { - "markdownDescription": "", + "markdownDescription": "The type of the metric. Valid values are `Maximize` and `Minimize` .", "title": "Type", "type": "string" } @@ -159881,12 +161273,12 @@ "additionalProperties": false, "properties": { "MaxNumberOfTrainingJobs": { - "markdownDescription": "", + "markdownDescription": "The maximum number of training jobs when you create a solution version. The maximum value for `maxNumberOfTrainingJobs` is `40` .", "title": "MaxNumberOfTrainingJobs", "type": "string" }, "MaxParallelTrainingJobs": { - "markdownDescription": "", + "markdownDescription": "The maximum number of parallel training jobs when you create a solution version. The maximum value for `maxParallelTrainingJobs` is `10` .", "title": "MaxParallelTrainingJobs", "type": "string" } @@ -159897,17 +161289,17 @@ "additionalProperties": false, "properties": { "MaxValue": { - "markdownDescription": "", + "markdownDescription": "The maximum allowable value for the hyperparameter.", "title": "MaxValue", "type": "number" }, "MinValue": { - "markdownDescription": "", + "markdownDescription": "The minimum allowable value for the hyperparameter.", "title": "MinValue", "type": "number" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" } @@ -159919,7 +161311,7 @@ "properties": { "AlgorithmHyperParameters": { "additionalProperties": true, - "markdownDescription": "Lists the hyperparameter names and ranges.", + "markdownDescription": "Lists the algorithm hyperparameters and their values.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -160587,7 +161979,7 @@ "title": "CampaignHook" }, "CloudWatchMetricsEnabled": { - "markdownDescription": "Specifies whether to enable application-related alarms in Amazon CloudWatch.", + "markdownDescription": "", "title": "CloudWatchMetricsEnabled", "type": "boolean" }, @@ -160859,7 +162251,7 @@ }, "MessageConfiguration": { "$ref": "#/definitions/AWS::Pinpoint::Campaign.MessageConfiguration", - "markdownDescription": "The message configuration settings for the campaign.", + "markdownDescription": "The message configuration settings for the treatment.", "title": "MessageConfiguration" }, "Name": { @@ -160874,7 +162266,7 @@ }, "Schedule": { "$ref": "#/definitions/AWS::Pinpoint::Campaign.Schedule", - "markdownDescription": "The schedule settings for the campaign.", + "markdownDescription": "The schedule settings for the treatment.", "title": "Schedule" }, "SegmentId": { @@ -160898,12 +162290,12 @@ "title": "TemplateConfiguration" }, "TreatmentDescription": { - "markdownDescription": "A custom description of the default treatment for the campaign.", + "markdownDescription": "A custom description of the treatment.", "title": "TreatmentDescription", "type": "string" }, "TreatmentName": { - "markdownDescription": "A custom name of the default treatment for the campaign, if the campaign has multiple treatments. A *treatment* is a variation of a campaign that's used for A/B testing.", + "markdownDescription": "A custom name for the treatment.", "title": "TreatmentName", "type": "string" } @@ -160941,16 +162333,12 @@ "additionalProperties": false, "properties": { "AttributeType": { - "markdownDescription": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "title": "AttributeType", "type": "string" }, "Values": { "items": { "type": "string" }, - "markdownDescription": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values.", - "title": "Values", "type": "array" } }, @@ -161422,13 +162810,9 @@ "additionalProperties": false, "properties": { "ComparisonOperator": { - "markdownDescription": "The operator to use when comparing metric values. Valid values are: `GREATER_THAN` , `LESS_THAN` , `GREATER_THAN_OR_EQUAL` , `LESS_THAN_OR_EQUAL` , and `EQUAL` .", - "title": "ComparisonOperator", "type": "string" }, "Value": { - "markdownDescription": "The value to compare.", - "title": "Value", "type": "number" } }, @@ -162289,7 +163673,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the message template.", + "markdownDescription": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", "title": "TemplateName", "type": "string" } @@ -162557,7 +163941,7 @@ }, "Dimensions": { "$ref": "#/definitions/AWS::Pinpoint::Segment.SegmentDimensions", - "markdownDescription": "The criteria that define the dimensions for the segment.", + "markdownDescription": "An array that defines the dimensions for the segment.", "title": "Dimensions" }, "Name": { @@ -162607,16 +163991,12 @@ "additionalProperties": false, "properties": { "AttributeType": { - "markdownDescription": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "title": "AttributeType", "type": "string" }, "Values": { "items": { "type": "string" }, - "markdownDescription": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values.", - "title": "Values", "type": "array" } }, @@ -162926,7 +164306,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the message template.", + "markdownDescription": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", "title": "TemplateName", "type": "string" } @@ -163891,7 +165271,7 @@ "additionalProperties": false, "properties": { "Arn": { - "markdownDescription": "The ARN of the Amazon SQS queue specified as the target for the dead-letter queue.", + "markdownDescription": "The ARN of the specified target for the dead-letter queue.\n\nFor Amazon Kinesis stream and Amazon DynamoDB stream sources, specify either an Amazon SNS topic or Amazon SQS queue ARN.", "title": "Arn", "type": "string" } @@ -164414,7 +165794,7 @@ }, "SelfManagedKafkaParameters": { "$ref": "#/definitions/AWS::Pipes::Pipe.PipeSourceSelfManagedKafkaParameters", - "markdownDescription": "The parameters for using a self-managed Apache Kafka stream as a source.", + "markdownDescription": "The parameters for using a stream as a source.", "title": "SelfManagedKafkaParameters" }, "SqsQueueParameters": { @@ -165080,12 +166460,12 @@ "additionalProperties": false, "properties": { "CodebuildRoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of an IAM service role in the environment account. AWS Proton uses this role to provision infrastructure resources using CodeBuild-based provisioning in the associated environment account.", + "markdownDescription": "The Amazon Resource Name (ARN) of an service role in the environment account. uses this role to provision infrastructure resources using CodeBuild-based provisioning in the associated environment account.", "title": "CodebuildRoleArn", "type": "string" }, "ComponentRoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the IAM service role that AWS Proton uses when provisioning directly defined components in the associated environment account. It determines the scope of infrastructure that a component can provision in the account.\n\nThe environment account connection must have a `componentRoleArn` to allow directly defined components to be associated with any environments running in the account.\n\nFor more information about components, see [AWS Proton components](https://docs.aws.amazon.com/proton/latest/userguide/ag-components.html) in the *AWS Proton User Guide* .", + "markdownDescription": "The Amazon Resource Name (ARN) of the service role that uses when provisioning directly defined components in the associated environment account. It determines the scope of infrastructure that a component can provision in the account.\n\nThe environment account connection must have a `componentRoleArn` to allow directly defined components to be associated with any environments running in the account.", "title": "ComponentRoleArn", "type": "string" }, @@ -165113,7 +166493,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An optional list of metadata items that you can associate with the AWS Proton environment account connection. A tag is a key-value pair.\n\nFor more information, see [AWS Proton resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *AWS Proton User Guide* .", + "markdownDescription": "An optional list of metadata items that you can associate with the environment account connection. A tag is a key-value pair.\n\nFor more information, see [resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *User Guide* .", "title": "Tags", "type": "array" } @@ -165204,7 +166584,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An optional list of metadata items that you can associate with the AWS Proton environment template. A tag is a key-value pair.\n\nFor more information, see [AWS Proton resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *AWS Proton User Guide* .", + "markdownDescription": "An optional list of metadata items that you can associate with the environment template. A tag is a key-value pair.\n\nFor more information, see [resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *User Guide* .", "title": "Tags", "type": "array" } @@ -165624,7 +167004,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" } }, "required": [ @@ -165659,7 +167041,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Analysis.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", @@ -165917,9 +167301,13 @@ "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -166888,6 +168276,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -166897,7 +168287,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ColumnIdentifier", @@ -167606,12 +168998,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -168056,6 +169454,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -168065,7 +169465,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Analysis.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", @@ -168332,7 +169734,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -168662,7 +170066,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ListControlSelectAllOptions", @@ -169325,6 +170731,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -169457,6 +170865,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { @@ -171236,10 +172646,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -171248,10 +172662,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" @@ -171274,10 +172692,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIPrimaryValueConditionalFormatting", @@ -171377,7 +172799,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TrendArrowOptions", @@ -171385,7 +172809,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" @@ -171435,15 +172861,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -171506,7 +172940,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -171515,6 +172951,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -171966,7 +173404,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ListControlSearchOptions", @@ -173622,6 +175062,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { @@ -173645,9 +175087,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -173683,9 +175129,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -173821,6 +175271,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -174162,7 +175614,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, @@ -174172,6 +175624,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -174298,7 +175752,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -174436,6 +175892,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -175023,9 +176481,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -175247,7 +176709,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -175261,9 +176725,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -175288,10 +176756,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -175464,6 +176936,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { @@ -175795,18 +177269,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -175905,6 +177381,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -175985,6 +177463,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -176053,7 +177533,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TextControlPlaceholderOptions", @@ -176104,7 +177586,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TextControlPlaceholderOptions", @@ -176185,12 +177669,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Analysis.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -176198,7 +177684,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -176517,6 +178003,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, @@ -176526,10 +178014,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -176560,6 +178052,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -176795,6 +178289,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -177521,7 +179017,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" }, "VersionDescription": { "markdownDescription": "A description for the first version of the dashboard being created.", @@ -177572,7 +179070,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", @@ -177710,9 +179210,13 @@ "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -178681,6 +180185,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -178690,7 +180196,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColumnIdentifier", @@ -179399,12 +180907,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -180106,6 +181620,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -180115,7 +181631,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", @@ -180415,7 +181933,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -180745,7 +182265,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ListControlSelectAllOptions", @@ -181441,6 +182963,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -181573,6 +183097,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { @@ -183352,10 +184878,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -183364,10 +184894,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" @@ -183390,10 +184924,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIPrimaryValueConditionalFormatting", @@ -183493,7 +185031,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TrendArrowOptions", @@ -183501,7 +185041,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" @@ -183551,15 +185093,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -183622,7 +185172,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -183631,6 +185183,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -184082,7 +185636,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ListControlSearchOptions", @@ -185738,6 +187294,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { @@ -185761,9 +187319,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -185799,9 +187361,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -185937,6 +187503,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -186278,7 +187846,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, @@ -186288,6 +187856,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -186414,7 +187984,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -186552,6 +188124,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -187139,9 +188713,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -187385,7 +188963,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -187399,9 +188979,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -187426,10 +189010,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -187602,6 +189190,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { @@ -187933,18 +189523,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -188043,6 +189635,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -188123,6 +189717,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -188191,7 +189787,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TextControlPlaceholderOptions", @@ -188242,7 +189840,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TextControlPlaceholderOptions", @@ -188323,12 +189923,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -188336,7 +189938,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -188655,6 +190257,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, @@ -188664,10 +190268,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -188698,6 +190306,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -188933,6 +190543,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -189652,7 +191264,7 @@ }, "DataSetRefreshProperties": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DataSetRefreshProperties", - "markdownDescription": "", + "markdownDescription": "The refresh properties of a dataset.", "title": "DataSetRefreshProperties" }, "DataSetUsageConfiguration": { @@ -189664,7 +191276,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DatasetParameter" }, - "markdownDescription": "", + "markdownDescription": "The parameters that are declared in a dataset.", "title": "DatasetParameters", "type": "array" }, @@ -189960,22 +191572,22 @@ "properties": { "DateTimeDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DateTimeDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A date time parameter that is created in the dataset.", "title": "DateTimeDatasetParameter" }, "DecimalDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DecimalDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A decimal parameter that is created in the dataset.", "title": "DecimalDatasetParameter" }, "IntegerDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.IntegerDatasetParameter", - "markdownDescription": "", + "markdownDescription": "An integer parameter that is created in the dataset.", "title": "IntegerDatasetParameter" }, "StringDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.StringDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A string parameter that is created in the dataset.", "title": "StringDatasetParameter" } }, @@ -189986,26 +191598,26 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DateTimeDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given date time parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the parameter that is created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the date time parameter that is created in the dataset.", "title": "Name", "type": "string" }, "TimeGranularity": { - "markdownDescription": "", + "markdownDescription": "The time granularity of the date time parameter.", "title": "TimeGranularity", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190036,21 +191648,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DecimalDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given decimal parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the decimal parameter created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the decimal parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190069,7 +191681,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given decimal parameter.", "title": "StaticValues", "type": "array" } @@ -190189,21 +191801,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.IntegerDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given integer parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the integer parameter created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the integer parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190222,7 +191834,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given integer parameter.", "title": "StaticValues", "type": "array" } @@ -190367,7 +191979,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given decimal parameter.", "title": "DecimalStaticValues", "type": "array" }, @@ -190375,7 +191987,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given integer parameter.", "title": "IntegerStaticValues", "type": "array" }, @@ -190383,7 +191995,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given string parameter.", "title": "StringStaticValues", "type": "array" } @@ -190425,7 +192037,7 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "", + "markdownDescription": "The name of the parameter to be overridden with different values.", "title": "ParameterName", "type": "string" } @@ -190488,7 +192100,7 @@ "additionalProperties": false, "properties": { "Catalog": { - "markdownDescription": "", + "markdownDescription": "The catalog associated with a table.", "title": "Catalog", "type": "string" }, @@ -190605,12 +192217,12 @@ "additionalProperties": false, "properties": { "Status": { - "markdownDescription": "", + "markdownDescription": "The status of row-level security tags. If enabled, the status is `ENABLED` . If disabled, the status is `DISABLED` .", "title": "Status", "type": "string" }, "TagRuleConfigurations": { - "markdownDescription": "", + "markdownDescription": "The configuration of tags on a dataset to set row-level security.", "title": "TagRuleConfigurations", "type": "object" }, @@ -190618,7 +192230,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::DataSet.RowLevelPermissionTagRule" }, - "markdownDescription": "", + "markdownDescription": "A set of rules associated with row-level security, such as the tag names and columns that they are assigned to.", "title": "TagRules", "type": "array" } @@ -190632,22 +192244,22 @@ "additionalProperties": false, "properties": { "ColumnName": { - "markdownDescription": "", + "markdownDescription": "The column name that a tag key is assigned to.", "title": "ColumnName", "type": "string" }, "MatchAllValue": { - "markdownDescription": "", + "markdownDescription": "A string that you want to use to filter by all the values in a column in the dataset and don\u2019t want to list the values one by one. For example, you can use an asterisk as your match all value.", "title": "MatchAllValue", "type": "string" }, "TagKey": { - "markdownDescription": "", + "markdownDescription": "The unique key for a tag.", "title": "TagKey", "type": "string" }, "TagMultiValueDelimiter": { - "markdownDescription": "", + "markdownDescription": "A string that you want to use to delimit the values when you pass the values at run time. For example, you can delimit the values with a comma.", "title": "TagMultiValueDelimiter", "type": "string" } @@ -190691,21 +192303,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.StringDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given string dataset parameter type. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the string parameter that is created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the string parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190724,7 +192336,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given string parameter.", "title": "StaticValues", "type": "array" } @@ -191818,7 +193430,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Template.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Template.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" }, "VersionDescription": { "markdownDescription": "A description of the current template version being created. This API operation creates the first version of the template. Every time `UpdateTemplate` is called, a new version is created. Each version of the template maintains a description of the version in the `VersionDescription` field.", @@ -191857,7 +193471,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Template.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Template.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", @@ -191995,9 +193611,13 @@ "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -192966,6 +194586,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -192975,7 +194597,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Template.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Template.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Template.ColumnIdentifier", @@ -193735,12 +195359,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -194185,6 +195815,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -194194,7 +195826,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Template.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Template.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", @@ -194456,7 +196090,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -194763,7 +196399,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.ListControlSelectAllOptions", @@ -195426,6 +197064,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -195558,6 +197198,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { @@ -197314,10 +198956,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -197326,10 +198972,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" @@ -197352,10 +199002,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Template.KPIPrimaryValueConditionalFormatting", @@ -197455,7 +199109,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Template.TrendArrowOptions", @@ -197463,7 +199119,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" @@ -197513,15 +199171,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -197584,7 +199250,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -197593,6 +199261,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -198044,7 +199714,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.ListControlSearchOptions", @@ -199662,6 +201334,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { @@ -199685,9 +201359,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -199723,9 +201401,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -199861,6 +201543,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -200202,7 +201886,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, @@ -200212,6 +201896,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -200338,7 +202024,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -200476,6 +202164,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -201063,9 +202753,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -201287,7 +202981,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -201301,9 +202997,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -201328,10 +203028,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -201481,6 +203185,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { @@ -201812,18 +203518,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -201922,6 +203630,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -202002,6 +203712,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -202269,7 +203981,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.TextControlPlaceholderOptions", @@ -202320,7 +204034,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.TextControlPlaceholderOptions", @@ -202401,12 +204117,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Template.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Template.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -202414,7 +204132,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -202733,6 +204451,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, @@ -202742,10 +204462,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -202776,6 +204500,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -203011,6 +204737,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -203799,7 +205527,7 @@ "additionalProperties": false, "properties": { "FontFamily": { - "markdownDescription": "", + "markdownDescription": "Determines the font family settings.", "title": "FontFamily", "type": "string" } @@ -203997,7 +205725,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Theme.Font" }, - "markdownDescription": "", + "markdownDescription": "Determines the list of font families.", "title": "FontFamilies", "type": "array" } @@ -204630,6 +206358,8 @@ "type": "boolean" }, "NonAdditive": { + "markdownDescription": "The non additive for the table style target.", + "title": "NonAdditive", "type": "boolean" }, "NotAllowedAggregations": { @@ -204708,7 +206438,7 @@ "additionalProperties": false, "properties": { "Aggregation": { - "markdownDescription": "The type of aggregation that is performed on the column data when it's queried. Valid values for this structure are `SUM` , `MAX` , `MIN` , `COUNT` , `DISTINCT_COUNT` , and `AVERAGE` .", + "markdownDescription": "The type of aggregation that is performed on the column data when it's queried.", "title": "Aggregation", "type": "string" }, @@ -204777,6 +206507,8 @@ "type": "boolean" }, "NonAdditive": { + "markdownDescription": "The non additive value for the column.", + "title": "NonAdditive", "type": "boolean" }, "NotAllowedAggregations": { @@ -205323,6 +207055,8 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "Sources", "type": "array" }, "Tags": { @@ -205642,7 +207376,7 @@ "type": "number" }, "KmsKeyId": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nIf you create a read replica of an encrypted DB cluster in another AWS Region, make sure to set `KmsKeyId` to a KMS key identifier that is valid in the destination AWS Region. This KMS key is used to encrypt the read replica in that AWS Region.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "title": "KmsKeyId", "type": "string" }, @@ -205722,7 +207456,7 @@ "type": "string" }, "RestoreToTime": { - "markdownDescription": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "markdownDescription": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nThis property must be used with `SourceDBClusterIdentifier` property. The resulting cluster will have the identifier that matches the value of the `DBclusterIdentifier` property.\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "title": "RestoreToTime", "type": "string" }, @@ -205762,7 +207496,7 @@ "type": "boolean" }, "StorageType": { - "markdownDescription": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`", + "markdownDescription": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`\n\n> When you create an Aurora DB cluster with the storage type set to `aurora-iopt1` , the storage type is returned in the response. The storage type isn't returned when you set it to `aurora` .", "title": "StorageType", "type": "string" }, @@ -205876,7 +207610,7 @@ "additionalProperties": false, "properties": { "AutoPause": { - "markdownDescription": "A value that indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", + "markdownDescription": "Indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", "title": "AutoPause", "type": "boolean" }, @@ -206075,6 +207809,8 @@ "type": "boolean" }, "AutomaticBackupReplicationRegion": { + "markdownDescription": "", + "title": "AutomaticBackupReplicationRegion", "type": "string" }, "AvailabilityZone": { @@ -206181,15 +207917,21 @@ "type": "string" }, "DomainAuthSecretArn": { + "markdownDescription": "The ARN for the Secrets Manager secret with the credentials for the user joining the domain.\n\nExample: `arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456`", + "title": "DomainAuthSecretArn", "type": "string" }, "DomainDnsIps": { "items": { "type": "string" }, + "markdownDescription": "The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers.\n\nConstraints:\n\n- Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list.\n\nExample: `123.124.125.126,234.235.236.237`", + "title": "DomainDnsIps", "type": "array" }, "DomainFqdn": { + "markdownDescription": "The fully qualified domain name (FQDN) of an Active Directory domain.\n\nConstraints:\n\n- Can't be longer than 64 characters.\n\nExample: `mymanagedADtest.mymanagedAD.mydomain`", + "title": "DomainFqdn", "type": "string" }, "DomainIAMRoleName": { @@ -206198,13 +207940,15 @@ "type": "string" }, "DomainOu": { + "markdownDescription": "The Active Directory organizational unit for your DB instance to join.\n\nConstraints:\n\n- Must be in the distinguished name format.\n- Can't be longer than 64 characters.\n\nExample: `OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain`", + "title": "DomainOu", "type": "string" }, "EnableCloudwatchLogsExports": { "items": { "type": "string" }, - "markdownDescription": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", + "markdownDescription": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace` , `oemagent`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", "title": "EnableCloudwatchLogsExports", "type": "array" }, @@ -206352,7 +208096,7 @@ "type": "string" }, "RestoreTime": { - "markdownDescription": "The date and time to restore from.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n\nExample: `2009-09-07T23:45:00Z`", + "markdownDescription": "The date and time to restore from.\n\nConstraints:\n\n- Must be a time in Universal Coordinated Time (UTC) format.\n- Must be before the latest restorable time for the DB instance.\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled.\n\nExample: `2009-09-07T23:45:00Z`", "title": "RestoreTime", "type": "string" }, @@ -206362,7 +208106,7 @@ "type": "string" }, "SourceDBInstanceAutomatedBackupsArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:useast-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", + "markdownDescription": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:us-east-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", "title": "SourceDBInstanceAutomatedBackupsArn", "type": "string" }, @@ -206382,7 +208126,7 @@ "type": "string" }, "StorageEncrypted": { - "markdownDescription": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", + "markdownDescription": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", "title": "StorageEncrypted", "type": "boolean" }, @@ -206415,7 +208159,7 @@ "type": "boolean" }, "UseLatestRestorableTime": { - "markdownDescription": "A value that indicates whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints: Can't be specified if the `RestoreTime` parameter is provided.", + "markdownDescription": "Specifies whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints:\n\n- Can't be specified if the `RestoreTime` parameter is provided.", "title": "UseLatestRestorableTime", "type": "boolean" }, @@ -206679,7 +208423,7 @@ "type": "string" }, "DebugLogging": { - "markdownDescription": "Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", + "markdownDescription": "Specifies whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", "title": "DebugLogging", "type": "boolean" }, @@ -206694,7 +208438,7 @@ "type": "number" }, "RequireTLS": { - "markdownDescription": "A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", + "markdownDescription": "Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", "title": "RequireTLS", "type": "boolean" }, @@ -207022,7 +208766,7 @@ "additionalProperties": false, "properties": { "ConnectionBorrowTimeout": { - "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: 120\n\nConstraints: between 1 and 3600, or 0 representing unlimited", + "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. For an unlimited wait time, specify `0` .\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", "title": "ConnectionBorrowTimeout", "type": "number" }, @@ -207032,12 +208776,12 @@ "type": "string" }, "MaxConnectionsPercent": { - "markdownDescription": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: 10 for RDS for Microsoft SQL Server, and 100 for all other engines\n\nConstraints: Must be between 1 and 100.", + "markdownDescription": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: `10` for RDS for Microsoft SQL Server, and `100` for all other engines\n\nConstraints:\n\n- Must be between 1 and 100.", "title": "MaxConnectionsPercent", "type": "number" }, "MaxIdleConnectionsPercent": { - "markdownDescription": "Controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is 5, and for all other engines, the default is 50.\n\nConstraints: Must be between 0 and the value of `MaxConnectionsPercent` .", + "markdownDescription": "A value that controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is `5` , and for all other engines, the default is `50` .\n\nConstraints:\n\n- Must be between 0 and the value of `MaxConnectionsPercent` .", "title": "MaxIdleConnectionsPercent", "type": "number" }, @@ -207379,7 +209123,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "A value that indicates whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", + "markdownDescription": "Specifies whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", "title": "Enabled", "type": "boolean" }, @@ -208148,7 +209892,7 @@ "type": "number" }, "MasterUserPassword": { - "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", + "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nYou can't use `MasterUserPassword` if `ManageMasterPassword` is `true` .\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", "title": "MasterUserPassword", "type": "string" }, @@ -210657,12 +212401,12 @@ "type": "string" }, "AppTemplateBody": { - "markdownDescription": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template provided in the *Examples* section.\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nThe name of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nThe name of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. \n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", + "markdownDescription": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template in [Sample appTemplateBody template](https://docs.aws.amazon.com//resilience-hub/latest/APIReference/API_PutDraftAppVersionTemplate.html#API_PutDraftAppVersionTemplate_Examples) .\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nIdentifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nName of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nName of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. \n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", "title": "AppTemplateBody", "type": "string" }, "Description": { - "markdownDescription": "The optional description for an app.", + "markdownDescription": "Optional description for an application.", "title": "Description", "type": "string" }, @@ -210670,15 +212414,19 @@ "items": { "$ref": "#/definitions/AWS::ResilienceHub::App.EventSubscription" }, + "markdownDescription": "The list of events you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* and *Scheduled assessment failure* events.", + "title": "EventSubscriptions", "type": "array" }, "Name": { - "markdownDescription": "The name for the application.", + "markdownDescription": "Name for the application.", "title": "Name", "type": "string" }, "PermissionModel": { - "$ref": "#/definitions/AWS::ResilienceHub::App.PermissionModel" + "$ref": "#/definitions/AWS::ResilienceHub::App.PermissionModel", + "markdownDescription": "Defines the roles and credentials that AWS Resilience Hub would use while creating the application, importing its resources, and running an assessment.", + "title": "PermissionModel" }, "ResiliencyPolicyArn": { "markdownDescription": "The Amazon Resource Name (ARN) of the resiliency policy.", @@ -210689,13 +212437,13 @@ "items": { "$ref": "#/definitions/AWS::ResilienceHub::App.ResourceMapping" }, - "markdownDescription": "An array of ResourceMapping objects.", + "markdownDescription": "An array of `ResourceMapping` objects.", "title": "ResourceMappings", "type": "array" }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "markdownDescription": "", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -210737,12 +212485,18 @@ "additionalProperties": false, "properties": { "EventType": { + "markdownDescription": "The type of event you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* ( `DriftDetected` ) and *Scheduled assessment failure* ( `ScheduledAssessmentFailure` ) events.", + "title": "EventType", "type": "string" }, "Name": { + "markdownDescription": "Unique name to identify an event subscription.", + "title": "Name", "type": "string" }, "SnsTopicArn": { + "markdownDescription": "Amazon Resource Name (ARN) of the Amazon Simple Notification Service topic. The format for this ARN is: `arn:partition:sns:region:account:topic-name` .", + "title": "SnsTopicArn", "type": "string" } }, @@ -210759,12 +212513,18 @@ "items": { "type": "string" }, + "markdownDescription": "Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.\n\n> - These ARNs are required only when your resources are in other accounts and you have different role name in these accounts. Else, the invoker role name will be used in the other accounts.\n> - These roles must have a trust policy with `iam:AssumeRole` permission to the invoker role in the primary account.", + "title": "CrossAccountRoleArns", "type": "array" }, "InvokerRoleName": { + "markdownDescription": "Existing AWS IAM role name in the primary AWS account that will be assumed by AWS Resilience Hub Service Principle to obtain a read-only access to your application resources while running an assessment.\n\n> You must have `iam:passRole` permission for this role while creating or updating the application.", + "title": "InvokerRoleName", "type": "string" }, "Type": { + "markdownDescription": "Defines how AWS Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your AWS account, or by using the credentials of the current IAM user.", + "title": "Type", "type": "string" } }, @@ -210777,17 +212537,17 @@ "additionalProperties": false, "properties": { "AwsAccountId": { - "markdownDescription": "The AWS account that owns the physical resource.", + "markdownDescription": "The account that owns the physical resource.", "title": "AwsAccountId", "type": "string" }, "AwsRegion": { - "markdownDescription": "The AWS Region that the physical resource is located in.", + "markdownDescription": "The that the physical resource is located in.", "title": "AwsRegion", "type": "string" }, "Identifier": { - "markdownDescription": "The identifier of the physical resource.", + "markdownDescription": "Identifier of the physical resource.", "title": "Identifier", "type": "string" }, @@ -210812,22 +212572,22 @@ "type": "string" }, "LogicalStackName": { - "markdownDescription": "The name of the CloudFormation stack this resource is mapped to.", + "markdownDescription": "The name of the AWS CloudFormation stack this resource is mapped to.", "title": "LogicalStackName", "type": "string" }, "MappingType": { - "markdownDescription": "Specifies the type of resource mapping.\n\nValid Values: CfnStack | Resource | AppRegistryApp | ResourceGroup | Terraform\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a CloudFormation stack. The name of the CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to a resource group. The name of the resource group is contained in the `resourceGroupName` property.", + "markdownDescription": "Specifies the type of resource mapping.\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a AWS CloudFormation stack. The name of the AWS CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to AWS Resource Groups . The name of the resource group is contained in the `resourceGroupName` property.", "title": "MappingType", "type": "string" }, "PhysicalResourceId": { "$ref": "#/definitions/AWS::ResilienceHub::App.PhysicalResourceId", - "markdownDescription": "The identifier of this resource.", + "markdownDescription": "Identifier of the physical resource.", "title": "PhysicalResourceId" }, "ResourceName": { - "markdownDescription": "The name of the resource this resource is mapped to.", + "markdownDescription": "Name of the resource that the resource is mapped to.", "title": "ResourceName", "type": "string" }, @@ -210906,7 +212666,7 @@ }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "markdownDescription": "", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -210953,12 +212713,12 @@ "additionalProperties": false, "properties": { "RpoInSecs": { - "markdownDescription": "The Recovery Point Objective (RPO), in seconds.", + "markdownDescription": "Recovery Point Objective (RPO) in seconds.", "title": "RpoInSecs", "type": "number" }, "RtoInSecs": { - "markdownDescription": "The Recovery Time Objective (RTO), in seconds.", + "markdownDescription": "Recovery Time Objective (RTO) in seconds.", "title": "RtoInSecs", "type": "number" } @@ -212124,17 +213884,17 @@ "additionalProperties": false, "properties": { "CrlData": { - "markdownDescription": "The x509 v3 specified certificate revocation list (CRL).", + "markdownDescription": "", "title": "CrlData", "type": "string" }, "Enabled": { - "markdownDescription": "Specifies whether the certificate revocation list (CRL) is enabled.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" }, "Name": { - "markdownDescription": "The name of the certificate revocation list (CRL).", + "markdownDescription": "", "title": "Name", "type": "string" }, @@ -212142,7 +213902,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A list of tags to attach to the certificate revocation list (CRL).", + "markdownDescription": "", "title": "Tags", "type": "array" }, @@ -212215,12 +213975,12 @@ "additionalProperties": false, "properties": { "DurationSeconds": { - "markdownDescription": "Sets the maximum number of seconds that vended temporary credentials through [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html) will be valid for, between 900 and 3600.", + "markdownDescription": "The number of seconds vended session credentials will be valid for", "title": "DurationSeconds", "type": "number" }, "Enabled": { - "markdownDescription": "Indicates whether the profile is enabled.", + "markdownDescription": "The enabled status of the resource.", "title": "Enabled", "type": "boolean" }, @@ -212228,17 +213988,17 @@ "items": { "type": "string" }, - "markdownDescription": "A list of managed policy ARNs that apply to the vended session credentials.", + "markdownDescription": "A list of managed policy ARNs. Managed policies identified by this list will be applied to the vended session credentials.", "title": "ManagedPolicyArns", "type": "array" }, "Name": { - "markdownDescription": "The name of the profile.", + "markdownDescription": "The customer specified name of the resource.", "title": "Name", "type": "string" }, "RequireInstanceProperties": { - "markdownDescription": "Specifies whether instance properties are required in temporary credential requests with this profile.", + "markdownDescription": "Specifies whether instance properties are required in CreateSession requests with this profile.", "title": "RequireInstanceProperties", "type": "boolean" }, @@ -212246,12 +214006,12 @@ "items": { "type": "string" }, - "markdownDescription": "A list of IAM role ARNs. During `CreateSession` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.", + "markdownDescription": "A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.", "title": "RoleArns", "type": "array" }, "SessionPolicy": { - "markdownDescription": "A session policy that applies to the trust boundary of the vended session credentials.", + "markdownDescription": "A session policy that will applied to the trust boundary of the vended session credentials.", "title": "SessionPolicy", "type": "string" }, @@ -212259,7 +214019,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags to attach to the profile.", + "markdownDescription": "A list of Tags.", "title": "Tags", "type": "array" } @@ -212340,6 +214100,8 @@ "items": { "$ref": "#/definitions/AWS::RolesAnywhere::TrustAnchor.NotificationSetting" }, + "markdownDescription": "A list of notification settings to be associated to the trust anchor.", + "title": "NotificationSettings", "type": "array" }, "Source": { @@ -212387,15 +214149,23 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge , and AWS Health Dashboard to notify for an event.\n\n> In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.", + "title": "Channel", "type": "string" }, "Enabled": { + "markdownDescription": "Indicates whether the notification setting is enabled.", + "title": "Enabled", "type": "boolean" }, "Event": { + "markdownDescription": "The event to which this notification setting is applied.", + "title": "Event", "type": "string" }, "Threshold": { + "markdownDescription": "The number of days before a notification event. This value is required for a notification setting that is enabled.", + "title": "Threshold", "type": "number" } }, @@ -212410,11 +214180,11 @@ "properties": { "SourceData": { "$ref": "#/definitions/AWS::RolesAnywhere::TrustAnchor.SourceData", - "markdownDescription": "The data field of the trust anchor depending on its type.", + "markdownDescription": "A union object representing the data field of the TrustAnchor depending on its type", "title": "SourceData" }, "SourceType": { - "markdownDescription": "The type of the TrustAnchor.\n\n> `AWS_ACM_PCA` is not an allowed value in your region.", + "markdownDescription": "The type of the TrustAnchor.", "title": "SourceType", "type": "string" } @@ -212777,7 +214547,7 @@ "type": "string" }, "RoutingControlArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) for the Route 53 Application Recovery Controller routing control.\n\nFor more information about Route 53 Application Recovery Controller, see [Route 53 Application Recovery Controller Developer Guide.](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route-53-recovery.html) .", "title": "RoutingControlArn", "type": "string" }, @@ -213137,7 +214907,7 @@ "type": "boolean" }, "Name": { - "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "title": "Name", "type": "string" }, @@ -213444,7 +215214,7 @@ "type": "string" }, "HostedZoneId": { - "markdownDescription": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", + "markdownDescription": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .\n\nDo not provide the `HostedZoneId` if it is already defined in `AWS::Route53::RecordSetGroup` . The creation fails if `HostedZoneId` is defined in both.", "title": "HostedZoneId", "type": "string" }, @@ -213459,7 +215229,7 @@ "type": "boolean" }, "Name": { - "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "title": "Name", "type": "string" }, @@ -213547,7 +215317,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the cluster.", "title": "Tags", "type": "array" } @@ -213643,7 +215413,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the control panel.", "title": "Tags", "type": "array" } @@ -213792,7 +215562,7 @@ "title": "AssertionRule" }, "ControlPanelArn": { - "markdownDescription": "The Amazon Resource Name (ARN) for the control panel.", + "markdownDescription": "The Amazon Resource Name (ARN) of the control panel.", "title": "ControlPanelArn", "type": "string" }, @@ -213815,7 +215585,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the safety rule.", "title": "Tags", "type": "array" } @@ -214697,21 +216467,31 @@ "additionalProperties": false, "properties": { "InstanceCount": { + "markdownDescription": "Amazon EC2 instance count for the Resolver on the Outpost.", + "title": "InstanceCount", "type": "number" }, "Name": { + "markdownDescription": "Name of the Resolver.", + "title": "Name", "type": "string" }, "OutpostArn": { + "markdownDescription": "The ARN (Amazon Resource Name) for the Outpost.", + "title": "OutpostArn", "type": "string" }, "PreferredInstanceType": { + "markdownDescription": "The Amazon EC2 instance type. If you specify this, you must also specify a value for the `OutpostArn` .", + "title": "PreferredInstanceType", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "A key value pair that helps you identify a Route\u00a053 Resolver .", + "title": "Tags", "type": "array" } }, @@ -214933,12 +216713,12 @@ "type": "string" }, "OutpostArn": { - "markdownDescription": "", + "markdownDescription": "The ARN (Amazon Resource Name) for the Outpost.", "title": "OutpostArn", "type": "string" }, "PreferredInstanceType": { - "markdownDescription": "", + "markdownDescription": "The Amazon EC2 instance type.", "title": "PreferredInstanceType", "type": "string" }, @@ -215527,7 +217307,7 @@ "title": "AccelerateConfiguration" }, "AccessControl": { - "markdownDescription": "A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nBe aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.", + "markdownDescription": "> This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide* . \n\nA canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nS3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon.\n\nThe majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html) . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide* .", "title": "AccessControl", "type": "string" }, @@ -215886,7 +217666,7 @@ "type": "string" }, "Format": { - "markdownDescription": "Specifies the file format used when exporting data to Amazon S3.", + "markdownDescription": "Specifies the file format used when exporting data to Amazon S3.\n\n*Allowed values* : `CSV` | `ORC` | `Parquet`", "title": "Format", "type": "string" }, @@ -218070,7 +219850,7 @@ "additionalProperties": false, "properties": { "VpcId": { - "markdownDescription": "The ID of the VPC configuration.", + "markdownDescription": "", "title": "VpcId", "type": "string" } @@ -218123,7 +219903,7 @@ "title": "LifecycleConfiguration" }, "OutpostId": { - "markdownDescription": "The ID of the Outpost of the specified bucket.", + "markdownDescription": "", "title": "OutpostId", "type": "string" }, @@ -218281,7 +220061,7 @@ "title": "Filter" }, "Id": { - "markdownDescription": "The unique identifier for the lifecycle rule. The value can't be longer than 255 characters.", + "markdownDescription": "", "title": "Id", "type": "string" }, @@ -218416,21 +220196,21 @@ }, "FailedReason": { "$ref": "#/definitions/AWS::S3Outposts::Endpoint.FailedReason", - "markdownDescription": "", + "markdownDescription": "The failure reason, if any, for a create or delete endpoint operation.", "title": "FailedReason" }, "OutpostId": { - "markdownDescription": "The ID of the Outpost.", + "markdownDescription": "", "title": "OutpostId", "type": "string" }, "SecurityGroupId": { - "markdownDescription": "The ID of the security group to use with the endpoint.", + "markdownDescription": "The ID of the security group used for the endpoint.", "title": "SecurityGroupId", "type": "string" }, "SubnetId": { - "markdownDescription": "The ID of the subnet.", + "markdownDescription": "The ID of the subnet used for the endpoint.", "title": "SubnetId", "type": "string" } @@ -218467,12 +220247,12 @@ "additionalProperties": false, "properties": { "ErrorCode": { - "markdownDescription": "", + "markdownDescription": "The failure code, if any, for a create or delete endpoint operation.", "title": "ErrorCode", "type": "string" }, "Message": { - "markdownDescription": "", + "markdownDescription": "Additional error details describing the endpoint failure and recommended action.", "title": "Message", "type": "string" } @@ -220121,6 +221901,8 @@ "additionalProperties": false, "properties": { "ArchivePolicy": { + "markdownDescription": "The archive policy determines the number of days Amazon SNS retains messages. You can set a retention period from 1 to 365 days.", + "title": "ArchivePolicy", "type": "object" }, "ContentBasedDeduplication": { @@ -220175,7 +221957,7 @@ "type": "string" }, "TracingConfig": { - "markdownDescription": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to `Active` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.", + "markdownDescription": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to `Active` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.", "title": "TracingConfig", "type": "string" } @@ -220258,9 +222040,13 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "A policy document that contains permissions to add to the specified Amazon SNS topic.", + "title": "PolicyDocument", "type": "object" }, "TopicArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the topic to which you want to add the policy.", + "title": "TopicArn", "type": "string" } }, @@ -220475,7 +222261,7 @@ "type": "object" }, "SqsManagedSseEnabled": { - "markdownDescription": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ).", + "markdownDescription": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ). When `SqsManagedSseEnabled` is not defined, `SSE-SQS` encryption is enabled by default.", "title": "SqsManagedSseEnabled", "type": "boolean" }, @@ -220551,9 +222337,13 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see [Using custom policies with the Amazon SQS access policy language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon SQS Developer Guide* .", + "title": "PolicyDocument", "type": "object" }, "Queue": { + "markdownDescription": "The URLs of the queues to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)` resource.", + "title": "Queue", "type": "string" } }, @@ -220754,8 +222544,6 @@ "title": "OutputLocation" }, "Parameters": { - "markdownDescription": "The parameters for the runtime configuration of the document.", - "title": "Parameters", "type": "object" }, "ScheduleExpression": { @@ -220782,7 +222570,7 @@ "type": "array" }, "WaitForSuccessTimeoutSeconds": { - "markdownDescription": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.", + "markdownDescription": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.\n\n> When you specify a value for the `WaitForSuccessTimeoutSeconds` , [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) for your AWS CloudFormation stack\u2019s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don\u2019t include `WaitForSuccessTimeoutSeconds` in your template.", "title": "WaitForSuccessTimeoutSeconds", "type": "number" } @@ -220922,7 +222710,7 @@ "type": "string" }, "DocumentType": { - "markdownDescription": "The type of document to create.\n\n*Allowed Values* : `ApplicationConfigurationSchema` | `Automation` | `Automation.ChangeTemplate` | `Command` | `DeploymentStrategy` | `Package` | `Policy` | `Session`", + "markdownDescription": "The type of document to create.", "title": "DocumentType", "type": "string" }, @@ -222071,8 +223859,6 @@ "type": "string" }, "SyncName": { - "markdownDescription": "A name for the resource data sync.", - "title": "SyncName", "type": "string" }, "SyncSource": { @@ -223805,7 +225591,7 @@ "type": "string" }, "AppType": { - "markdownDescription": "The type of app.\n\n*Allowed Values* : `JupyterServer | KernelGateway | RSessionGateway | RStudioServerPro | TensorBoard | Canvas`", + "markdownDescription": "The type of app.", "title": "AppType", "type": "string" }, @@ -224257,30 +226043,32 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::DataQualityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } @@ -224386,7 +226174,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -224422,7 +226210,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::DataQualityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -224463,6 +226251,8 @@ "type": "string" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { @@ -224471,7 +226261,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -224516,7 +226306,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -224912,7 +226702,7 @@ }, "DefaultSpaceSettings": { "$ref": "#/definitions/AWS::SageMaker::Domain.DefaultSpaceSettings", - "markdownDescription": "", + "markdownDescription": "A collection of settings that apply to spaces created in the Domain.", "title": "DefaultSpaceSettings" }, "DefaultUserSettings": { @@ -225443,7 +227233,9 @@ "title": "BlueGreenUpdatePolicy" }, "RollingUpdatePolicy": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.RollingUpdatePolicy" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.RollingUpdatePolicy", + "markdownDescription": "Specifies a rolling deployment strategy for updating a SageMaker endpoint.", + "title": "RollingUpdatePolicy" } }, "type": "object" @@ -225452,15 +227244,23 @@ "additionalProperties": false, "properties": { "MaximumBatchSize": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize", + "markdownDescription": "Batch size for each rolling step to provision capacity and turn on traffic on the new endpoint fleet, and terminate capacity on the old endpoint fleet. Value must be between 5% to 50% of the variant's total instance count.", + "title": "MaximumBatchSize" }, "MaximumExecutionTimeoutInSeconds": { + "markdownDescription": "The time limit for the total deployment. Exceeding this limit causes a timeout.", + "title": "MaximumExecutionTimeoutInSeconds", "type": "number" }, "RollbackMaximumBatchSize": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize", + "markdownDescription": "Batch size for rollback to the old endpoint fleet. Each rolling step to provision capacity and turn on traffic on the old endpoint fleet, and terminate capacity on the new endpoint fleet. If this field is absent, the default value will be set to 100% of total capacity which means to bring up the whole capacity of the old fleet at once during rollback.", + "title": "RollbackMaximumBatchSize" }, "WaitIntervalInSeconds": { + "markdownDescription": "The length of the baking period, during which SageMaker monitors alarms for each batch on the new fleet.", + "title": "WaitIntervalInSeconds", "type": "number" } }, @@ -225562,7 +227362,7 @@ }, "ExplainerConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ExplainerConfig", - "markdownDescription": "", + "markdownDescription": "A parameter to activate explainers.", "title": "ExplainerConfig" }, "KmsKeyId": { @@ -225663,7 +227463,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The Amazon SNS topics where you want the inference response to be included.\n\n> The inference response is included only if the response size is less than or equal to 128 KB.", "title": "IncludeInferenceResponseIn", "type": "array" }, @@ -225689,7 +227489,7 @@ "title": "NotificationConfig" }, "S3FailurePath": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location to upload failure inference responses to.", "title": "S3FailurePath", "type": "string" }, @@ -225741,18 +227541,18 @@ "additionalProperties": false, "properties": { "EnableExplanations": { - "markdownDescription": "", + "markdownDescription": "A JMESPath boolean expression used to filter which records to explain. Explanations are activated by default. See [`EnableExplanations`](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-enable) for additional information.", "title": "EnableExplanations", "type": "string" }, "InferenceConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyInferenceConfig", - "markdownDescription": "", + "markdownDescription": "The inference configuration parameter for the model container.", "title": "InferenceConfig" }, "ShapConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyShapConfig", - "markdownDescription": "", + "markdownDescription": "The configuration for SHAP analysis.", "title": "ShapConfig" } }, @@ -225775,7 +227575,7 @@ "additionalProperties": false, "properties": { "ContentTemplate": { - "markdownDescription": "", + "markdownDescription": "A template string used to format a JSON record into an acceptable model container input. For example, a `ContentTemplate` string `'{\"myfeatures\":$features}'` will format a list of features `[1,2,3]` into the record string `'{\"myfeatures\":[1,2,3]}'` . Required only when the model container input is in JSON Lines format.", "title": "ContentTemplate", "type": "string" }, @@ -225783,7 +227583,7 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyHeader" }, - "markdownDescription": "", + "markdownDescription": "The names of the features. If provided, these are included in the endpoint response payload to help readability of the `InvokeEndpoint` output. See the [Response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", "title": "FeatureHeaders", "type": "array" }, @@ -225791,17 +227591,17 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyFeatureType" }, - "markdownDescription": "", + "markdownDescription": "A list of data types of the features (optional). Applicable only to NLP explainability. If provided, `FeatureTypes` must have at least one `'text'` string (for example, `['text']` ). If `FeatureTypes` is not provided, the explainer infers the feature types based on the baseline data. The feature types are included in the endpoint response payload. For additional information see the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", "title": "FeatureTypes", "type": "array" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "Provides the JMESPath expression to extract the features from a model container input in JSON Lines format. For example, if `FeaturesAttribute` is the JMESPath expression `'myfeatures'` , it extracts a list of features `[1,2,3]` from request data `'{\"myfeatures\":[1,2,3]}'` .", "title": "FeaturesAttribute", "type": "string" }, "LabelAttribute": { - "markdownDescription": "", + "markdownDescription": "A JMESPath expression used to locate the list of label headers in the model container output.\n\n*Example* : If the model container output of a batch request is `'{\"labels\":[\"cat\",\"dog\",\"fish\"],\"probability\":[0.6,0.3,0.1]}'` , then set `LabelAttribute` to `'labels'` to extract the list of label headers `[\"cat\",\"dog\",\"fish\"]`", "title": "LabelAttribute", "type": "string" }, @@ -225809,32 +227609,32 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyHeader" }, - "markdownDescription": "", + "markdownDescription": "For multiclass classification problems, the label headers are the names of the classes. Otherwise, the label header is the name of the predicted label. These are used to help readability for the output of the `InvokeEndpoint` API. See the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information. If there are no label headers in the model container output, provide them manually using this parameter.", "title": "LabelHeaders", "type": "array" }, "LabelIndex": { - "markdownDescription": "", + "markdownDescription": "A zero-based index used to extract a label header or list of label headers from model container output in CSV format.\n\n*Example for a multiclass model:* If the model container output consists of label headers followed by probabilities: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `LabelIndex` to `0` to select the label headers `['cat','dog','fish']` .", "title": "LabelIndex", "type": "number" }, "MaxPayloadInMB": { - "markdownDescription": "", + "markdownDescription": "The maximum payload size (MB) allowed of a request from the explainer to the model container. Defaults to `6` MB.", "title": "MaxPayloadInMB", "type": "number" }, "MaxRecordCount": { - "markdownDescription": "", + "markdownDescription": "The maximum number of records in a request that the model container can process when querying the model container for the predictions of a [synthetic dataset](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-synthetic) . A record is a unit of input data that inference can be made on, for example, a single line in CSV data. If `MaxRecordCount` is `1` , the model container expects one record per request. A value of 2 or greater means that the model expects batch requests, which can reduce overhead and speed up the inferencing process. If this parameter is not provided, the explainer will tune the record count per request according to the model container's capacity at runtime.", "title": "MaxRecordCount", "type": "number" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "A JMESPath expression used to extract the probability (or score) from the model container output if the model container is in JSON Lines format.\n\n*Example* : If the model container output of a single request is `'{\"predicted_label\":1,\"probability\":0.6}'` , then set `ProbabilityAttribute` to `'probability'` .", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityIndex": { - "markdownDescription": "", + "markdownDescription": "A zero-based index used to extract a probability value (score) or list from model container output in CSV format. If this value is not provided, the entire model container output will be treated as a probability value (score) or list.\n\n*Example for a single class model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'1,0.6'` , set `ProbabilityIndex` to `1` to select the probability value `0.6` .\n\n*Example for a multiclass model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `ProbabilityIndex` to `1` to select the probability values `[0.1,0.6,0.3]` .", "title": "ProbabilityIndex", "type": "number" } @@ -225845,17 +227645,17 @@ "additionalProperties": false, "properties": { "MimeType": { - "markdownDescription": "", + "markdownDescription": "The MIME type of the baseline data. Choose from `'text/csv'` or `'application/jsonlines'` . Defaults to `'text/csv'` .", "title": "MimeType", "type": "string" }, "ShapBaseline": { - "markdownDescription": "", + "markdownDescription": "The inline SHAP baseline data in string format. `ShapBaseline` can have one or multiple records to be used as the baseline dataset. The format of the SHAP baseline file should be the same format as the training dataset. For example, if the training dataset is in CSV format and each record contains four features, and all features are numerical, then the format of the baseline data should also share these characteristics. For natural language processing (NLP) of text columns, the baseline value should be the value used to replace the unit of text specified by the `Granularity` of the `TextConfig` parameter. The size limit for `ShapBasline` is 4 KB. Use the `ShapBaselineUri` parameter if you want to provide more than 4 KB of baseline data.", "title": "ShapBaseline", "type": "string" }, "ShapBaselineUri": { - "markdownDescription": "", + "markdownDescription": "The uniform resource identifier (URI) of the S3 bucket where the SHAP baseline file is stored. The format of the SHAP baseline file should be the same format as the format of the training dataset. For example, if the training dataset is in CSV format, and each record in the training dataset has four features, and all features are numerical, then the baseline file should also have this same format. Each record should contain only the features. If you are using a virtual private cloud (VPC), the `ShapBaselineUri` should be accessible to the VPC. For more information about setting up endpoints with Amazon Virtual Private Cloud, see [Give SageMaker access to Resources in your Amazon Virtual Private Cloud](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .", "title": "ShapBaselineUri", "type": "string" } @@ -225866,27 +227666,27 @@ "additionalProperties": false, "properties": { "NumberOfSamples": { - "markdownDescription": "", + "markdownDescription": "The number of samples to be used for analysis by the Kernal SHAP algorithm.\n\n> The number of samples determines the size of the synthetic dataset, which has an impact on latency of explainability requests. For more information, see the *Synthetic data* of [Configure and create an endpoint](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html) .", "title": "NumberOfSamples", "type": "number" }, "Seed": { - "markdownDescription": "", + "markdownDescription": "The starting value used to initialize the random number generator in the explainer. Provide a value for this parameter to obtain a deterministic SHAP result.", "title": "Seed", "type": "number" }, "ShapBaselineConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyShapBaselineConfig", - "markdownDescription": "", + "markdownDescription": "The configuration for the SHAP baseline of the Kernal SHAP algorithm.", "title": "ShapBaselineConfig" }, "TextConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyTextConfig", - "markdownDescription": "", + "markdownDescription": "A parameter that indicates if text features are treated as text and explanations are provided for individual units of text. Required for natural language processing (NLP) explainability only.", "title": "TextConfig" }, "UseLogit": { - "markdownDescription": "", + "markdownDescription": "A Boolean toggle to indicate if you want to use the logit function (true) or log-odds units (false) for model predictions. Defaults to false.", "title": "UseLogit", "type": "boolean" } @@ -225900,12 +227700,12 @@ "additionalProperties": false, "properties": { "Granularity": { - "markdownDescription": "", + "markdownDescription": "The unit of granularity for the analysis of text features. For example, if the unit is `'token'` , then each token (like a word in English) of the text is treated as a feature. SHAP values are computed for each unit/feature.", "title": "Granularity", "type": "string" }, "Language": { - "markdownDescription": "", + "markdownDescription": "Specifies the language of the text features in [ISO 639-1](https://docs.aws.amazon.com/ https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) or [ISO 639-3](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_639-3) code of a supported language.\n\n> For a mix of multiple languages, use code `'xx'` .", "title": "Language", "type": "string" } @@ -225965,7 +227765,7 @@ "properties": { "ClarifyExplainerConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyExplainerConfig", - "markdownDescription": "", + "markdownDescription": "A member of `ExplainerConfig` that contains configuration parameters for the SageMaker Clarify explainer.", "title": "ClarifyExplainerConfig" } }, @@ -225980,12 +227780,12 @@ "type": "string" }, "ContainerStartupHealthCheckTimeoutInSeconds": { - "markdownDescription": "", + "markdownDescription": "The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", "title": "ContainerStartupHealthCheckTimeoutInSeconds", "type": "number" }, "EnableSSMAccess": { - "markdownDescription": "", + "markdownDescription": "You can use this parameter to turn on native AWS Systems Manager (SSM) access for a production variant behind an endpoint. By default, SSM access is disabled for all production variants behind an endpoint. You can turn on or turn off SSM access for a production variant behind an existing endpoint by creating a new endpoint configuration and calling `UpdateEndpoint` .", "title": "EnableSSMAccess", "type": "boolean" }, @@ -226005,7 +227805,7 @@ "type": "string" }, "ModelDataDownloadTimeoutInSeconds": { - "markdownDescription": "", + "markdownDescription": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant.", "title": "ModelDataDownloadTimeoutInSeconds", "type": "number" }, @@ -226025,7 +227825,7 @@ "type": "string" }, "VolumeSizeInGB": { - "markdownDescription": "", + "markdownDescription": "The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Currently only Amazon EBS gp2 storage volumes are supported.", "title": "VolumeSizeInGB", "type": "number" } @@ -226243,7 +228043,7 @@ "title": "S3StorageConfig" }, "TableFormat": { - "markdownDescription": "", + "markdownDescription": "Format for the offline store table. Supported formats are Glue (Default) and [Apache Iceberg](https://docs.aws.amazon.com/https://iceberg.apache.org/) .", "title": "TableFormat", "type": "string" } @@ -226335,7 +228135,7 @@ "additionalProperties": false, "properties": { "ImageDescription": { - "markdownDescription": "The description of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 512.\n\n*Pattern* : `.*`", + "markdownDescription": "The description of the image.", "title": "ImageDescription", "type": "string" }, @@ -226426,20 +228226,26 @@ "additionalProperties": false, "properties": { "Alias": { + "markdownDescription": "", + "title": "Alias", "type": "string" }, "Aliases": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "Aliases", "type": "array" }, "BaseImage": { - "markdownDescription": "The container image that the SageMaker image version is based on.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 255.\n\n*Pattern* : `.*`", + "markdownDescription": "The container image that the SageMaker image version is based on.", "title": "BaseImage", "type": "string" }, "Horovod": { + "markdownDescription": "", + "title": "Horovod", "type": "boolean" }, "ImageName": { @@ -226448,21 +228254,33 @@ "type": "string" }, "JobType": { + "markdownDescription": "", + "title": "JobType", "type": "string" }, "MLFramework": { + "markdownDescription": "", + "title": "MLFramework", "type": "string" }, "Processor": { + "markdownDescription": "", + "title": "Processor", "type": "string" }, "ProgrammingLang": { + "markdownDescription": "", + "title": "ProgrammingLang", "type": "string" }, "ReleaseNotes": { + "markdownDescription": "", + "title": "ReleaseNotes", "type": "string" }, "VendorGuidance": { + "markdownDescription": "", + "title": "VendorGuidance", "type": "string" } }, @@ -226637,7 +228455,7 @@ "items": { "type": "string" }, - "markdownDescription": "The list of all content type headers that SageMaker will treat as CSV and capture accordingly.", + "markdownDescription": "The list of all content type headers that Amazon SageMaker will treat as CSV and capture accordingly.", "title": "CsvContentTypes", "type": "array" }, @@ -227196,57 +229014,57 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelBiasJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "EndTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "EndTimeOffset", "type": "string" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "The attributes of the input data that are the input features.", "title": "FeaturesAttribute", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityThresholdAttribute": { - "markdownDescription": "", + "markdownDescription": "The threshold for the class probability to be evaluated as a positive result.", "title": "ProbabilityThresholdAttribute", "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" }, "StartTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "StartTimeOffset", "type": "string" } @@ -227371,7 +229189,7 @@ "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -227455,7 +229273,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelBiasJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -227506,7 +229324,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -227935,7 +229753,7 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::ModelCard.Container" }, - "markdownDescription": "", + "markdownDescription": "The Amazon ECR registry path of the Docker image that contains the inference code.", "title": "Containers", "type": "array" } @@ -227980,39 +229798,27 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "The names of the metrics.", - "title": "Name", "type": "string" }, "Notes": { - "markdownDescription": "Any notes to add to the metric.", - "title": "Notes", "type": "string" }, "Type": { - "markdownDescription": "You must specify one of the following data types:\n\n- Bar Chart `bar_char`\n- Boolean `boolean`\n- Linear Graph `linear_graph`\n- Matrix `matrix`\n- Number `number`\n- String `string`", - "title": "Type", "type": "string" }, "Value": { - "markdownDescription": "The datatype of the metric. The metric's *value* must be compatible with the metric's *type* .", - "title": "Value", "type": "object" }, "XAxisName": { "items": { "type": "string" }, - "markdownDescription": "The name of the x axis.", - "title": "XAxisName", "type": "array" }, "YAxisName": { "items": { "type": "string" }, - "markdownDescription": "The name of the y axis.", - "title": "YAxisName", "type": "array" } }, @@ -228221,12 +230027,12 @@ "additionalProperties": false, "properties": { "AlgorithmName": { - "markdownDescription": "", + "markdownDescription": "The name of an algorithm that was used to create the model package. The algorithm must be either an algorithm resource in your SageMaker account or an algorithm in AWS Marketplace that you are subscribed to.", "title": "AlgorithmName", "type": "string" }, "ModelDataUrl": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single `gzip` compressed tar archive ( `.tar.gz` suffix).\n\n> The model artifacts must be in an S3 bucket that is in the same AWS region as the algorithm.", "title": "ModelDataUrl", "type": "string" } @@ -228521,42 +230327,42 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelExplainabilityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "The attributes of the input data that are the input features.", "title": "FeaturesAttribute", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } @@ -228671,7 +230477,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -228702,7 +230508,7 @@ "additionalProperties": false, "properties": { "ConfigUri": { - "markdownDescription": "JSON formatted S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", + "markdownDescription": "JSON formatted Amazon S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", "title": "ConfigUri", "type": "string" }, @@ -228750,7 +230556,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelExplainabilityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -228779,7 +230585,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -229040,6 +230846,8 @@ "type": "string" }, "SkipModelValidation": { + "markdownDescription": "Indicates if you want to skip model validation.", + "title": "SkipModelValidation", "type": "string" }, "SourceAlgorithmSpecification": { @@ -230033,52 +231841,52 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelQualityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "EndTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "EndTimeOffset", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityThresholdAttribute": { - "markdownDescription": "", + "markdownDescription": "The threshold for the class probability to be evaluated as a positive result.", "title": "ProbabilityThresholdAttribute", "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" }, "StartTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "StartTimeOffset", "type": "string" } @@ -230198,7 +232006,7 @@ "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -230276,7 +232084,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -230308,7 +232116,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelQualityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -230359,7 +232167,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -230598,30 +232406,32 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } @@ -230716,6 +232526,8 @@ "type": "string" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { @@ -230724,7 +232536,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -230781,7 +232593,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -230849,7 +232661,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -230894,7 +232706,7 @@ }, "MonitoringOutputConfig": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.MonitoringOutputConfig", - "markdownDescription": "The array of outputs from the monitoring job to be uploaded to Amazon Simple Storage Service (Amazon S3).", + "markdownDescription": "The array of outputs from the monitoring job to be uploaded to Amazon S3.", "title": "MonitoringOutputConfig" }, "MonitoringResources": { @@ -230945,7 +232757,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -231053,13 +232865,17 @@ "additionalProperties": false, "properties": { "DataAnalysisEndTime": { + "markdownDescription": "Sets the end time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to end the window one hour before the start of each monitoring job, you would specify: `\"-PT1H\"` .\n\nThe end time that you specify must not follow the start time that you specify by more than 24 hours. You specify the start time with the `DataAnalysisStartTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "title": "DataAnalysisEndTime", "type": "string" }, "DataAnalysisStartTime": { + "markdownDescription": "Sets the start time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to monitor the five hours of data in your dataset that precede the start of each monitoring job, you would specify: `\"-PT5H\"` .\n\nThe start time that you specify must not precede the end time that you specify by more than 24 hours. You specify the end time with the `DataAnalysisEndTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "title": "DataAnalysisStartTime", "type": "string" }, "ScheduleExpression": { - "markdownDescription": "A cron expression that describes details about the monitoring schedule.\n\nCurrently the only supported cron expressions are:\n\n- If you want to set the job to start every hour, please use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day.", + "markdownDescription": "A cron expression that describes details about the monitoring schedule.\n\nThe supported cron expressions are:\n\n- If you want to set the job to start every hour, use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n- If you want to run the job one time, immediately, use the following keyword:\n\n`NOW`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day. \n\nYou can also specify the keyword `NOW` to run the monitoring job immediately, one time, without recurring.", "title": "ScheduleExpression", "type": "string" } @@ -231416,7 +233232,7 @@ "properties": { "ParallelismConfiguration": { "$ref": "#/definitions/AWS::SageMaker::Pipeline.ParallelismConfiguration", - "markdownDescription": "", + "markdownDescription": "The parallelism configuration applied to the pipeline.", "title": "ParallelismConfiguration" }, "PipelineDefinition": { @@ -231499,13 +233315,13 @@ "additionalProperties": false, "properties": { "PipelineDefinitionBody": { - "markdownDescription": "", + "markdownDescription": "The [JSON pipeline definition](https://docs.aws.amazon.com/https://aws-sagemaker-mlops.github.io/sagemaker-model-building-pipeline-definition-JSON-schema/) of the pipeline.", "title": "PipelineDefinitionBody", "type": "string" }, "PipelineDefinitionS3Location": { "$ref": "#/definitions/AWS::SageMaker::Pipeline.S3Location", - "markdownDescription": "", + "markdownDescription": "The location of the pipeline definition stored in Amazon S3. If specified, SageMaker retrieves the pipeline definition from this location.", "title": "PipelineDefinitionS3Location" } }, @@ -231515,22 +233331,22 @@ "additionalProperties": false, "properties": { "Bucket": { - "markdownDescription": "", + "markdownDescription": "The name of the S3 bucket.", "title": "Bucket", "type": "string" }, "ETag": { - "markdownDescription": "", + "markdownDescription": "A file checksum of the pipeline definition file.", "title": "ETag", "type": "string" }, "Key": { - "markdownDescription": "", + "markdownDescription": "The object key (or key name) which uniquely identifies the object in an S3 bucket.", "title": "Key", "type": "string" }, "Version": { - "markdownDescription": "", + "markdownDescription": "The version ID of the pipeline definition file. If not specified, Amazon SageMaker will retrieve the latest version.", "title": "Version", "type": "string" } @@ -231588,7 +233404,7 @@ }, "ServiceCatalogProvisionedProductDetails": { "$ref": "#/definitions/AWS::SageMaker::Project.ServiceCatalogProvisionedProductDetails", - "markdownDescription": "", + "markdownDescription": "Details of a provisioned service catalog product. For information about service catalog, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "title": "ServiceCatalogProvisionedProductDetails" }, "ServiceCatalogProvisioningDetails": { @@ -232594,7 +234410,7 @@ "type": "number" }, "Mode": { - "markdownDescription": "Determines whether the schedule is invoked within a flexible time window.\n\n*Allowed Values* : `OFF` | `FLEXIBLE`", + "markdownDescription": "Determines whether the schedule is invoked within a flexible time window. You must use quotation marks when you specify this value in your JSON or YAML template.\n\n*Allowed Values* : `\"OFF\"` | `\"FLEXIBLE\"`", "title": "Mode", "type": "string" } @@ -233395,13 +235211,13 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.AutomationRulesAction" }, - "markdownDescription": "One or more actions to update finding fields if a finding matches the defined criteria of the rule.", + "markdownDescription": "One or more actions to update finding fields if a finding matches the conditions specified in `Criteria` .", "title": "Actions", "type": "array" }, "Criteria": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.AutomationRulesFindingFilters", - "markdownDescription": "A set of [AWS Security Finding Format](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.", + "markdownDescription": "A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding.", "title": "Criteria" }, "Description": { @@ -233410,7 +235226,7 @@ "type": "string" }, "IsTerminal": { - "markdownDescription": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to `true` for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. The default value of this field is `false` .", + "markdownDescription": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.", "title": "IsTerminal", "type": "boolean" }, @@ -233553,7 +235369,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The AWS account ID in which a finding was generated.", + "markdownDescription": "The AWS account ID in which a finding was generated.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "AwsAccountId", "type": "array" }, @@ -233561,7 +235377,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .", + "markdownDescription": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "CompanyName", "type": "array" }, @@ -233569,7 +235385,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.", + "markdownDescription": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceAssociatedStandardsId", "type": "array" }, @@ -233577,7 +235393,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The security control ID for which a finding was generated. Security control IDs are the same across standards.", + "markdownDescription": "The security control ID for which a finding was generated. Security control IDs are the same across standards.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceSecurityControlId", "type": "array" }, @@ -233585,7 +235401,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The result of a security check. This field is only used for findings generated from controls.", + "markdownDescription": "The result of a security check. This field is only used for findings generated from controls.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceStatus", "type": "array" }, @@ -233593,7 +235409,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.NumberFilter" }, - "markdownDescription": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .", + "markdownDescription": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Confidence", "type": "array" }, @@ -233601,7 +235417,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "CreatedAt", "type": "array" }, @@ -233609,7 +235425,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.NumberFilter" }, - "markdownDescription": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .", + "markdownDescription": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Criticality", "type": "array" }, @@ -233617,7 +235433,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's description.", + "markdownDescription": "A finding's description.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Description", "type": "array" }, @@ -233625,7 +235441,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "FirstObservedAt", "type": "array" }, @@ -233633,7 +235449,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The identifier for the solution-specific component that generated a finding.", + "markdownDescription": "The identifier for the solution-specific component that generated a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "GeneratorId", "type": "array" }, @@ -233641,7 +235457,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The product-specific identifier for a finding.", + "markdownDescription": "The product-specific identifier for a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Id", "type": "array" }, @@ -233649,7 +235465,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "LastObservedAt", "type": "array" }, @@ -233657,7 +235473,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The text of a user-defined note that's added to a finding.", + "markdownDescription": "The text of a user-defined note that's added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteText", "type": "array" }, @@ -233665,7 +235481,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteUpdatedAt", "type": "array" }, @@ -233673,7 +235489,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The principal that created a note.", + "markdownDescription": "The principal that created a note.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteUpdatedBy", "type": "array" }, @@ -233681,7 +235497,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.", + "markdownDescription": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ProductArn", "type": "array" }, @@ -233689,7 +235505,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.", + "markdownDescription": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ProductName", "type": "array" }, @@ -233697,7 +235513,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the current state of a finding.", + "markdownDescription": "Provides the current state of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RecordState", "type": "array" }, @@ -233705,7 +235521,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The product-generated identifier for a related finding.", + "markdownDescription": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RelatedFindingsId", "type": "array" }, @@ -233713,7 +235529,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The ARN for the product that generated a related finding.", + "markdownDescription": "The ARN for the product that generated a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RelatedFindingsProductArn", "type": "array" }, @@ -233721,7 +235537,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "Custom fields and values about the resource that a finding pertains to.", + "markdownDescription": "Custom fields and values about the resource that a finding pertains to.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceDetailsOther", "type": "array" }, @@ -233729,7 +235545,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.", + "markdownDescription": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "ResourceId", "type": "array" }, @@ -233737,7 +235553,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.", + "markdownDescription": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourcePartition", "type": "array" }, @@ -233745,7 +235561,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The AWS Region where the resource that a finding pertains to is located.", + "markdownDescription": "The AWS Region where the resource that a finding pertains to is located.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceRegion", "type": "array" }, @@ -233753,7 +235569,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "A list of AWS tags associated with a resource at the time the finding was processed.", + "markdownDescription": "A list of AWS tags associated with a resource at the time the finding was processed.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceTags", "type": "array" }, @@ -233761,7 +235577,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's title.", + "markdownDescription": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "ResourceType", "type": "array" }, @@ -233769,7 +235585,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The severity value of the finding.", + "markdownDescription": "The severity value of the finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "SeverityLabel", "type": "array" }, @@ -233777,7 +235593,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides a URL that links to a page about the current finding in the finding product.", + "markdownDescription": "Provides a URL that links to a page about the current finding in the finding product.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "SourceUrl", "type": "array" }, @@ -233785,7 +235601,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's title.", + "markdownDescription": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "Title", "type": "array" }, @@ -233793,7 +235609,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .", + "markdownDescription": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Type", "type": "array" }, @@ -233801,7 +235617,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "UpdatedAt", "type": "array" }, @@ -233809,7 +235625,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "A list of user-defined name and value string pairs added to a finding.", + "markdownDescription": "A list of user-defined name and value string pairs added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "UserDefinedFields", "type": "array" }, @@ -233817,7 +235633,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the veracity of a finding.", + "markdownDescription": "Provides the veracity of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "VerificationState", "type": "array" }, @@ -233825,7 +235641,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides information about the status of the investigation into a finding.", + "markdownDescription": "Provides information about the status of the investigation into a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "WorkflowStatus", "type": "array" } @@ -233877,7 +235693,7 @@ "additionalProperties": false, "properties": { "Comparison": { - "markdownDescription": "The condition to apply to the key value when querying for findings with a map filter.\n\nTo search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the tag `Department` .\n\nTo search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that do not have the value `Finance` for the tag `Department` .\n\n`EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\n`NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nYou cannot have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field.", + "markdownDescription": "The condition to apply to the key value when filtering Security Hub findings with a map filter.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag.\n\n`CONTAINS` and `EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security` , `Finance` , or both values.\n\nTo search for values that don't have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don\u2019t have the value `Finance` for the `Department` tag.\n\n`NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values.\n\n`CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can\u2019t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error.\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "title": "Comparison", "type": "string" }, @@ -233887,7 +235703,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there is no match.", + "markdownDescription": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there's no match.", "title": "Value", "type": "string" } @@ -233944,7 +235760,7 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "The product-generated identifier for a related finding.", + "markdownDescription": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Id", "type": "object" }, @@ -233985,12 +235801,12 @@ "additionalProperties": false, "properties": { "Comparison": { - "markdownDescription": "The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that exactly match the filter value, use `EQUALS` .\n\nFor example, the filter `ResourceType EQUALS AwsEc2SecurityGroup` only matches findings that have a resource type of `AwsEc2SecurityGroup` .\n- To search for values that start with the filter value, use `PREFIX` .\n\nFor example, the filter `ResourceType PREFIX AwsIam` matches findings that have a resource type that starts with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all match.\n\n`EQUALS` and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\nTo search for values that do not contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that do not exactly match the filter value, use `NOT_EQUALS` .\n\nFor example, the filter `ResourceType NOT_EQUALS AwsIamPolicy` matches findings that have a resource type other than `AwsIamPolicy` .\n- To search for values that do not start with the filter value, use `PREFIX_NOT_EQUALS` .\n\nFor example, the filter `ResourceType PREFIX_NOT_EQUALS AwsIam` matches findings that have a resource type that does not start with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all be excluded from the results.\n\n`NOT_EQUALS` and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nFor filters on the same field, you cannot provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filter, Security Hub first identifies findings that have resource types that start with either `AwsIAM` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`", + "markdownDescription": "The condition to apply to a string value when filtering Security Hub findings.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` .\n- To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn't match.\n\n`CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title.\n\nTo search for values that don\u2019t have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` .\n- To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` .\n\n`NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "title": "Comparison", "type": "string" }, "Value": { - "markdownDescription": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter text, then there is no match.", + "markdownDescription": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there's no match.", "title": "Value", "type": "string" } @@ -234132,7 +235948,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::Standard.StandardsControl" }, - "markdownDescription": "Specifies which controls are to be disabled in a standard.", + "markdownDescription": "Specifies which controls are to be disabled in a standard.\n\n*Maximum* : `100`", "title": "DisabledStandardsControls", "type": "array" }, @@ -234460,7 +236276,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `MARKETPLACE_AMI` - AWS Marketplace AMI\n- `MARKETPLACE_CAR` - AWS Marketplace Clusters and AWS Resources\n- `TERRAFORM_OPEN_SOURCE` - Terraform open source configuration file", + "markdownDescription": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `TERRAFORM_OPEN_SOURCE` - Terraform Open Source configuration file\n- `TERRAFORM_CLOUD` - Terraform Cloud configuration file\n- `EXTERNAL` - External configuration file", "title": "Type", "type": "string" } @@ -235100,7 +236916,7 @@ "type": "string" }, "PrincipalType": { - "markdownDescription": "The principal type. The supported value is `IAM` .\n\n*Allowed Values* : `IAM`", + "markdownDescription": "The principal type. The supported values are `IAM` and `IAM_PATTERN` .", "title": "PrincipalType", "type": "string" } @@ -236295,8 +238111,6 @@ "type": "object" }, "InstanceId": { - "markdownDescription": "An identifier that you want to associate with the instance. Note the following:\n\n- If the service that's specified by `ServiceId` includes settings for an `SRV` record, the value of `InstanceId` is automatically included as part of the value for the `SRV` record. For more information, see [DnsRecord > Type](https://docs.aws.amazon.com/cloud-map/latest/api/API_DnsRecord.html#cloudmap-Type-DnsRecord-Type) .\n- You can use this value to update an existing instance.\n- To register a new instance, you must specify a value that's unique among instances that you register by using the same service.\n- If you specify an existing `InstanceId` and `ServiceId` , AWS Cloud Map updates the existing DNS records, if any. If there's also an existing health check, AWS Cloud Map deletes the old health check and creates a new one.\n\n> The health check isn't deleted immediately, so it will still appear for a while if you submit a `ListHealthChecks` request, for example.\n\n> Do not include sensitive information in `InstanceId` if the namespace is discoverable by public DNS queries and any `Type` member of `DnsRecord` for the service contains `SRV` because the `InstanceId` is discoverable by public DNS queries.", - "title": "InstanceId", "type": "string" }, "ServiceId": { @@ -236969,7 +238783,7 @@ "properties": { "ApplicationLayerAutomaticResponseConfiguration": { "$ref": "#/definitions/AWS::Shield::Protection.ApplicationLayerAutomaticResponseConfiguration", - "markdownDescription": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.", + "markdownDescription": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.\n\nIf you use AWS CloudFormation to manage the web ACLs that you use with Shield Advanced automatic mitigation, see the guidance for the `AWS::WAFv2::WebACL` resource.\n\nhello!", "title": "ApplicationLayerAutomaticResponseConfiguration" }, "HealthCheckArns": { @@ -237818,7 +239632,7 @@ "properties": { "DeploymentPreference": { "$ref": "#/definitions/AWS::StepFunctions::StateMachineAlias.DeploymentPreference", - "markdownDescription": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "markdownDescription": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "title": "DeploymentPreference" }, "Description": { @@ -237889,7 +239703,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "markdownDescription": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "title": "Type", "type": "string" } @@ -239281,7 +241095,9 @@ "title": "RetentionProperties" }, "Schema": { - "$ref": "#/definitions/AWS::Timestream::Table.Schema" + "$ref": "#/definitions/AWS::Timestream::Table.Schema", + "markdownDescription": "The schema of the table.", + "title": "Schema" }, "TableName": { "markdownDescription": "The name of the Timestream table.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", @@ -239357,12 +241173,18 @@ "additionalProperties": false, "properties": { "EnforcementInRecord": { + "markdownDescription": "The level of enforcement for the specification of a dimension key in ingested records. Options are REQUIRED (dimension key must be specified) and OPTIONAL (dimension key does not have to be specified).", + "title": "EnforcementInRecord", "type": "string" }, "Name": { + "markdownDescription": "The name of the attribute used for a dimension key.", + "title": "Name", "type": "string" }, "Type": { + "markdownDescription": "The type of the partition key. Options are DIMENSION (dimension key) and MEASURE (measure key).", + "title": "Type", "type": "string" } }, @@ -239424,6 +241246,8 @@ "items": { "$ref": "#/definitions/AWS::Timestream::Table.PartitionKey" }, + "markdownDescription": "A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed.", + "title": "CompositePartitionKey", "type": "array" } }, @@ -239465,7 +241289,7 @@ "additionalProperties": false, "properties": { "AccessRole": { - "markdownDescription": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "markdownDescription": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "title": "AccessRole", "type": "string" }, @@ -239680,13 +241504,13 @@ "additionalProperties": false, "properties": { "AccessRole": { - "markdownDescription": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "markdownDescription": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "title": "AccessRole", "type": "string" }, "As2Config": { "$ref": "#/definitions/AWS::Transfer::Connector.As2Config", - "markdownDescription": "A structure that contains the parameters for a connector object.", + "markdownDescription": "A structure that contains the parameters for an AS2 connector object.", "title": "As2Config" }, "LoggingRole": { @@ -239695,7 +241519,9 @@ "type": "string" }, "SftpConfig": { - "$ref": "#/definitions/AWS::Transfer::Connector.SftpConfig" + "$ref": "#/definitions/AWS::Transfer::Connector.SftpConfig", + "markdownDescription": "A structure that contains the parameters for an SFTP connector object.", + "title": "SftpConfig" }, "Tags": { "items": { @@ -239706,7 +241532,7 @@ "type": "array" }, "Url": { - "markdownDescription": "The URL of the partner's AS2 endpoint.", + "markdownDescription": "The URL of the partner's AS2 or SFTP endpoint.", "title": "Url", "type": "string" } @@ -239742,6 +241568,8 @@ "additionalProperties": false, "properties": { "BasicAuthSecretId": { + "markdownDescription": "Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager .\n\nThe default value for this parameter is `null` , which indicates that Basic authentication is not enabled for the connector.\n\nIf the connector should use Basic authentication, the secret needs to be in the following format:\n\n`{ \"Username\": \"user-name\", \"Password\": \"user-password\" }`\n\nReplace `user-name` and `user-password` with the credentials for the actual user that is being authenticated.\n\nNote the following:\n\n- You are storing these credentials in Secrets Manager, *not passing them directly* into this API.\n- If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you.\n\nIf you have previously enabled Basic authentication for a connector, you can disable it by using the `UpdateConnector` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:\n\n`update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=\"\"'`", + "title": "BasicAuthSecretId", "type": "string" }, "Compression": { @@ -239794,9 +241622,13 @@ "items": { "type": "string" }, + "markdownDescription": "The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the `ssh-keyscan` command against the SFTP server to retrieve the necessary key.\n\nThe three standard SSH public key format elements are `` , `` , and an optional `` , with spaces between each element. Specify only the `` and `` : do not enter the `` portion of the key.\n\nFor the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.\n\n- For RSA keys, the `` string is `ssh-rsa` .\n- For ECDSA keys, the `` string is either `ecdsa-sha2-nistp256` , `ecdsa-sha2-nistp384` , or `ecdsa-sha2-nistp521` , depending on the size of the key you generated.", + "title": "TrustedHostKeys", "type": "array" }, "UserSecretId": { + "markdownDescription": "The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.", + "title": "UserSecretId", "type": "string" } }, @@ -239942,7 +241774,7 @@ "title": "EndpointDetails" }, "EndpointType": { - "markdownDescription": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.", + "markdownDescription": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.\n\n> After May 19, 2021, you won't be able to create a server using `EndpointType=VPC_ENDPOINT` in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with `EndpointType=VPC_ENDPOINT` in your AWS account on or before May 19, 2021, you will not be affected. After this date, use `EndpointType` = `VPC` .\n> \n> For more information, see [Discontinuing the use of VPC_ENDPOINT](https://docs.aws.amazon.com//transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint) .\n> \n> It is recommended that you use `VPC` as the `EndpointType` . With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with `EndpointType` set to `VPC_ENDPOINT` .", "title": "EndpointType", "type": "string" }, @@ -240226,7 +242058,7 @@ "additionalProperties": false, "properties": { "HomeDirectory": { - "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .", + "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", "title": "HomeDirectory", "type": "string" }, @@ -240234,12 +242066,12 @@ "items": { "$ref": "#/definitions/AWS::Transfer::User.HomeDirectoryMapEntry" }, - "markdownDescription": "Logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the \" `Entry` \" and \" `Target` \" pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your IAM role provides access to paths in `Target` . The following is an example.\n\n`'[ { \"Entry\": \"/\", \"Target\": \"/bucket3/customized-reports/\" } ]'`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set `Entry` to '/' and set `Target` to the HomeDirectory parameter value.\n\n> If the target of a logical directory entry does not exist in Amazon S3, the entry will be ignored. As a workaround, you can use the Amazon S3 API to create 0 byte objects as place holders for your directory. If using the CLI, use the `s3api` call instead of `s3` so you can use the put-object operation. For example, you use the following: `AWS s3api put-object --bucket bucketname --key path/to/folder/` . Make sure that the end of the key name ends in a '/' for it to be considered a folder.", + "markdownDescription": "Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the `Entry` and `Target` pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in `Target` . This value can be set only when `HomeDirectoryType` is set to *LOGICAL* .\n\nThe following is an `Entry` and `Target` pair example.\n\n`[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\" `chroot` \"). To do this, you can set `Entry` to `/` and set `Target` to the value the user should see for their home directory when they log in.\n\nThe following is an `Entry` and `Target` pair example for `chroot` .\n\n`[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`", "title": "HomeDirectoryMappings", "type": "array" }, "HomeDirectoryType": { - "markdownDescription": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.", + "markdownDescription": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.\n\n> If `HomeDirectoryType` is `LOGICAL` , you must provide mappings, using the `HomeDirectoryMappings` parameter. If, on the other hand, `HomeDirectoryType` is `PATH` , you provide an absolute path using the `HomeDirectory` parameter. You cannot have both `HomeDirectory` and `HomeDirectoryMappings` in your template.", "title": "HomeDirectoryType", "type": "string" }, @@ -240732,16 +242564,16 @@ "properties": { "Configuration": { "$ref": "#/definitions/AWS::VerifiedPermissions::IdentitySource.IdentitySourceConfiguration", - "markdownDescription": "Contains configuration information used when creating or updating an identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` .", + "markdownDescription": "Contains configuration information used when creating a new .\n\n> At this time, the only valid member of this structure is a user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` . \n\nThis data type is used as a request parameter for the [CreateIdentitySource](https://docs.aws.amazon.com/API_CreateIdentitySource.html) operation.", "title": "Configuration" }, "PolicyStoreId": { - "markdownDescription": "Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.", + "markdownDescription": "Specifies the ID of the in which you want to store this . Only policies and requests made using this can reference identities from the identity provider configured in the new .", "title": "PolicyStoreId", "type": "string" }, "PrincipalEntityType": { - "markdownDescription": "Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.", + "markdownDescription": "Specifies the namespace and data type of the principals generated for identities authenticated by the new .", "title": "PrincipalEntityType", "type": "string" } @@ -240779,7 +242611,7 @@ "items": { "type": "string" }, - "markdownDescription": "The unique application client IDs that are associated with the specified Amazon Cognito user pool.\n\nExample: `\"ClientIds\": [\"&ExampleCogClientId;\"]`", + "markdownDescription": "The unique application client IDs that are associated with the specified user pool.\n\nExample: `\"ClientIds\": [\"&ExampleCogClientId;\"]`", "title": "ClientIds", "type": "array" }, @@ -240825,7 +242657,7 @@ "type": "string" }, "OpenIdIssuer": { - "markdownDescription": "A string that identifies the type of OIDC service represented by this identity source.\n\nAt this time, the only valid value is `cognito` .", + "markdownDescription": "A string that identifies the type of OIDC service represented by this .\n\nAt this time, the only valid value is `cognito` .", "title": "OpenIdIssuer", "type": "string" }, @@ -240878,7 +242710,7 @@ "title": "Definition" }, "PolicyStoreId": { - "markdownDescription": "Specifies the `PolicyStoreId` of the policy store you want to store the policy in.", + "markdownDescription": "Specifies the `PolicyStoreId` of the you want to store the policy in.", "title": "PolicyStoreId", "type": "string" } @@ -240934,12 +242766,12 @@ "properties": { "Static": { "$ref": "#/definitions/AWS::VerifiedPermissions::Policy.StaticPolicyDefinition", - "markdownDescription": "A structure that describes a static policy. An static policy doesn't use a template or allow placeholders for entities.", + "markdownDescription": "A structure that describes . An doesn't use a template or allow placeholders for entities.", "title": "Static" }, "TemplateLinked": { "$ref": "#/definitions/AWS::VerifiedPermissions::Policy.TemplateLinkedPolicyDefinition", - "markdownDescription": "A structure that describes a policy that was instantiated from a template. The template can specify placeholders for `principal` and `resource` . When you use [CreatePolicy](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicy.html) to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy.", + "markdownDescription": "A structure that describes a policy that was instantiated from a template. The template can specify placeholders for `principal` and `resource` . When you use [CreatePolicy](https://docs.aws.amazon.com/API_CreatePolicy.html) to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy.", "title": "TemplateLinked" } }, @@ -240949,12 +242781,12 @@ "additionalProperties": false, "properties": { "Description": { - "markdownDescription": "The description of the static policy.", + "markdownDescription": "The description of the .", "title": "Description", "type": "string" }, "Statement": { - "markdownDescription": "The policy content of the static policy, written in the Cedar policy language.", + "markdownDescription": "The policy content of the , written in the .", "title": "Statement", "type": "string" } @@ -240974,12 +242806,12 @@ }, "Principal": { "$ref": "#/definitions/AWS::VerifiedPermissions::Policy.EntityIdentifier", - "markdownDescription": "The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the `?principal` placeholder in the policy template when it evaluates an authorization request.", + "markdownDescription": "The principal associated with this . substitutes this principal for the `?principal` placeholder in the when it evaluates an authorization request.", "title": "Principal" }, "Resource": { "$ref": "#/definitions/AWS::VerifiedPermissions::Policy.EntityIdentifier", - "markdownDescription": "The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the `?resource` placeholder in the policy template when it evaluates an authorization request.", + "markdownDescription": "The resource associated with this . substitutes this resource for the `?resource` placeholder in the when it evaluates an authorization request.", "title": "Resource" } }, @@ -241030,7 +242862,7 @@ }, "ValidationSettings": { "$ref": "#/definitions/AWS::VerifiedPermissions::PolicyStore.ValidationSettings", - "markdownDescription": "Specifies the validation setting for this policy store.\n\nCurrently, the only valid and required value is `Mode` .\n\n> We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) . Then, when you have a schema defined, use [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) again to turn validation back on.", + "markdownDescription": "Specifies the validation setting for this .\n\nCurrently, the only valid and required value is `Mode` .\n\n> We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and rejects the policy. You can turn off validation by using the [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) . Then, when you have a schema defined, use [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) again to turn validation back on.", "title": "ValidationSettings" } }, @@ -241064,7 +242896,7 @@ "additionalProperties": false, "properties": { "CedarJson": { - "markdownDescription": "A JSON string representation of the schema supported by applications that use this policy store. For more information, see [Policy store schema](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/schema.html) in the *Amazon Verified Permissions User Guide* .", + "markdownDescription": "A JSON string representation of the schema supported by applications that use this . For more information, see [Policy store schema](https://docs.aws.amazon.com/schema.html) in the ** .", "title": "CedarJson", "type": "string" } @@ -241131,7 +242963,7 @@ "type": "string" }, "Statement": { - "markdownDescription": "Specifies the content that you want to use for the new policy template, written in the Cedar policy language.", + "markdownDescription": "Specifies the content that you want to use for the new , written in the policy language.", "title": "Statement", "type": "string" } @@ -241452,7 +243284,7 @@ "properties": { "DefaultAction": { "$ref": "#/definitions/AWS::VpcLattice::Listener.DefaultAction", - "markdownDescription": "The action for the default rule. Each listener has a default rule. Each rule consists of a priority, one or more actions, and one or more conditions. The default rule is the rule that's used if no other rules match. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "markdownDescription": "The action for the default rule. Each listener has a default rule. The default rule is used if no other rules match.", "title": "DefaultAction" }, "Name": { @@ -241461,12 +243293,12 @@ "type": "string" }, "Port": { - "markdownDescription": "The listener port. You can specify a value from `1` to `65535` . For HTTP, the default is `80` . For HTTPS, the default is `443` .", + "markdownDescription": "The listener port. You can specify a value from 1 to 65535. For HTTP, the default is 80. For HTTPS, the default is 443.", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The listener protocol HTTP or HTTPS.", + "markdownDescription": "The listener protocol.", "title": "Protocol", "type": "string" }, @@ -241516,7 +243348,7 @@ "properties": { "FixedResponse": { "$ref": "#/definitions/AWS::VpcLattice::Listener.FixedResponse", - "markdownDescription": "Information about an action that returns a custom HTTP response.", + "markdownDescription": "Describes an action that returns a custom HTTP response.", "title": "FixedResponse" }, "Forward": { @@ -241548,7 +243380,7 @@ "items": { "$ref": "#/definitions/AWS::VpcLattice::Listener.WeightedTargetGroup" }, - "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.", + "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group.", "title": "TargetGroups", "type": "array" } @@ -241567,7 +243399,7 @@ "type": "string" }, "Weight": { - "markdownDescription": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", + "markdownDescription": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", "title": "Weight", "type": "number" } @@ -241687,7 +243519,7 @@ "properties": { "Action": { "$ref": "#/definitions/AWS::VpcLattice::Rule.Action", - "markdownDescription": "Describes the action for a rule. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "markdownDescription": "Describes the action for a rule.", "title": "Action" }, "ListenerIdentifier": { @@ -241757,7 +243589,7 @@ "properties": { "FixedResponse": { "$ref": "#/definitions/AWS::VpcLattice::Rule.FixedResponse", - "markdownDescription": "Describes the rule action that returns a custom HTTP response.", + "markdownDescription": "The fixed response action. The rule returns a custom HTTP response.", "title": "FixedResponse" }, "Forward": { @@ -241789,7 +243621,7 @@ "items": { "$ref": "#/definitions/AWS::VpcLattice::Rule.WeightedTargetGroup" }, - "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.", + "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group.", "title": "TargetGroups", "type": "array" } @@ -241803,7 +243635,7 @@ "additionalProperties": false, "properties": { "CaseSensitive": { - "markdownDescription": "Indicates whether the match is case sensitive. Defaults to false.", + "markdownDescription": "Indicates whether the match is case sensitive.", "title": "CaseSensitive", "type": "boolean" }, @@ -241828,17 +243660,17 @@ "additionalProperties": false, "properties": { "Contains": { - "markdownDescription": "Specifies a contains type match.", + "markdownDescription": "A contains type match.", "title": "Contains", "type": "string" }, "Exact": { - "markdownDescription": "Specifies an exact type match.", + "markdownDescription": "An exact type match.", "title": "Exact", "type": "string" }, "Prefix": { - "markdownDescription": "Specifies a prefix type match. Matches the value with the prefix.", + "markdownDescription": "A prefix type match. Matches the value with the prefix.", "title": "Prefix", "type": "string" } @@ -241887,7 +243719,7 @@ "additionalProperties": false, "properties": { "CaseSensitive": { - "markdownDescription": "Indicates whether the match is case sensitive. Defaults to false.", + "markdownDescription": "Indicates whether the match is case sensitive.", "title": "CaseSensitive", "type": "boolean" }, @@ -241927,7 +243759,7 @@ "type": "string" }, "Weight": { - "markdownDescription": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", + "markdownDescription": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", "title": "Weight", "type": "number" } @@ -241989,7 +243821,7 @@ }, "DnsEntry": { "$ref": "#/definitions/AWS::VpcLattice::Service.DnsEntry", - "markdownDescription": "", + "markdownDescription": "The DNS information of the service.", "title": "DnsEntry" }, "Name": { @@ -242157,7 +243989,7 @@ "properties": { "DnsEntry": { "$ref": "#/definitions/AWS::VpcLattice::ServiceNetworkServiceAssociation.DnsEntry", - "markdownDescription": "", + "markdownDescription": "The DNS information of the service.", "title": "DnsEntry" }, "ServiceIdentifier": { @@ -242338,7 +244170,7 @@ "properties": { "Config": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.TargetGroupConfig", - "markdownDescription": "The target group configuration. If `type` is set to `LAMBDA` , this parameter doesn't apply.", + "markdownDescription": "The target group configuration.", "title": "Config" }, "Name": { @@ -242419,7 +244251,7 @@ }, "Matcher": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.Matcher", - "markdownDescription": "The codes to use when checking for a successful response from a target. These are called *Success codes* in the console.", + "markdownDescription": "The codes to use when checking for a successful response from a target.", "title": "Matcher" }, "Path": { @@ -242468,12 +244300,12 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "The ID of the target. If the target type of the target group is `INSTANCE` , this is an instance ID. If the target type is `IP` , this is an IP address. If the target type is `LAMBDA` , this is the ARN of the Lambda function. If the target type is `ALB` , this is the ARN of the Application Load Balancer.", + "markdownDescription": "The ID of the target. If the target group type is `INSTANCE` , this is an instance ID. If the target group type is `IP` , this is an IP address. If the target group type is `LAMBDA` , this is the ARN of a Lambda function. If the target group type is `ALB` , this is the ARN of an Application Load Balancer.", "title": "Id", "type": "string" }, "Port": { - "markdownDescription": "The port on which the target is listening. For HTTP, the default is `80` . For HTTPS, the default is `443` .", + "markdownDescription": "The port on which the target is listening. For HTTP, the default is 80. For HTTPS, the default is 443.", "title": "Port", "type": "number" } @@ -242488,34 +244320,36 @@ "properties": { "HealthCheck": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.HealthCheckConfig", - "markdownDescription": "The health check configuration.", + "markdownDescription": "The health check configuration. Not supported if the target group type is `LAMBDA` or `ALB` .", "title": "HealthCheck" }, "IpAddressType": { - "markdownDescription": "The type of IP address used for the target group. The possible values are `ipv4` and `ipv6` . This is an optional parameter. If not specified, the IP address type defaults to `ipv4` .", + "markdownDescription": "The type of IP address used for the target group. Supported only if the target group type is `IP` . The default is `IPV4` .", "title": "IpAddressType", "type": "string" }, "LambdaEventStructureVersion": { + "markdownDescription": "The version of the event structure that your Lambda function receives. Supported only if the target group type is `LAMBDA` . The default is `V1` .", + "title": "LambdaEventStructureVersion", "type": "string" }, "Port": { - "markdownDescription": "The port on which the targets are listening. For HTTP, the default is `80` . For HTTPS, the default is `443`", + "markdownDescription": "The port on which the targets are listening. For HTTP, the default is 80. For HTTPS, the default is 443. Not supported if the target group type is `LAMBDA` .", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The protocol to use for routing traffic to the targets. Default is the protocol of a target group.", + "markdownDescription": "The protocol to use for routing traffic to the targets. The default is the protocol of the target group. Not supported if the target group type is `LAMBDA` .", "title": "Protocol", "type": "string" }, "ProtocolVersion": { - "markdownDescription": "The protocol version. Default value is `HTTP1` .", + "markdownDescription": "The protocol version. The default is `HTTP1` . Not supported if the target group type is `LAMBDA` .", "title": "ProtocolVersion", "type": "string" }, "VpcIdentifier": { - "markdownDescription": "The ID of the VPC.", + "markdownDescription": "The ID of the VPC. Not supported if the target group type is `LAMBDA` .", "title": "VpcIdentifier", "type": "string" } @@ -244551,7 +246385,7 @@ "items": { "type": "string" }, - "markdownDescription": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", + "markdownDescription": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want AWS WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- For requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- For requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- For requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- For requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", "title": "Addresses", "type": "array" }, @@ -244805,7 +246639,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" } @@ -245155,7 +246989,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -245281,7 +247115,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -245363,7 +247197,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.CustomHTTPHeader" }, - "markdownDescription": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", + "markdownDescription": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "title": "ResponseHeaders", "type": "array" } @@ -245403,7 +247237,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { @@ -245418,7 +247252,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { @@ -245524,7 +247358,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -245614,12 +247448,12 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -245729,7 +247563,7 @@ "additionalProperties": false, "properties": { "AggregateKeyType": { - "markdownDescription": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "markdownDescription": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", "title": "AggregateKeyType", "type": "string" }, @@ -245737,6 +247571,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateBasedStatementCustomKey" }, + "markdownDescription": "Specifies the aggregate keys to use in a rate-base rule.", + "title": "CustomKeys", "type": "array" }, "ForwardedIPConfig": { @@ -245745,13 +247581,13 @@ "title": "ForwardedIPConfig" }, "Limit": { - "markdownDescription": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", + "markdownDescription": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", "title": "Limit", "type": "number" }, "ScopeDownStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Statement", - "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", + "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "title": "ScopeDownStatement" } }, @@ -245765,31 +247601,49 @@ "additionalProperties": false, "properties": { "Cookie": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitCookie" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitCookie", + "markdownDescription": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "title": "Cookie" }, "ForwardedIP": { + "markdownDescription": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "title": "ForwardedIP", "type": "object" }, "HTTPMethod": { + "markdownDescription": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "title": "HTTPMethod", "type": "object" }, "Header": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitHeader" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitHeader", + "markdownDescription": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "title": "Header" }, "IP": { + "markdownDescription": "Use the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "title": "IP", "type": "object" }, "LabelNamespace": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitLabelNamespace" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitLabelNamespace", + "markdownDescription": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "title": "LabelNamespace" }, "QueryArgument": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryArgument" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryArgument", + "markdownDescription": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "title": "QueryArgument" }, "QueryString": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryString" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryString", + "markdownDescription": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "title": "QueryString" }, "UriPath": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitUriPath" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitUriPath", + "markdownDescription": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.", + "title": "UriPath" } }, "type": "object" @@ -245798,12 +247652,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the cookie to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245817,12 +247675,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the header to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245836,6 +247698,8 @@ "additionalProperties": false, "properties": { "Namespace": { + "markdownDescription": "The namespace to use for aggregation.", + "title": "Namespace", "type": "string" } }, @@ -245848,12 +247712,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the query argument to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245870,6 +247738,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245885,6 +247755,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245970,7 +247842,7 @@ "title": "ChallengeConfig" }, "Name": { - "markdownDescription": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "markdownDescription": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "title": "Name", "type": "string" }, @@ -245994,7 +247866,7 @@ }, "VisibilityConfig": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.VisibilityConfig", - "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.", + "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name.", "title": "VisibilityConfig" } }, @@ -246168,7 +248040,7 @@ }, "RateBasedStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateBasedStatement", - "markdownDescription": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "markdownDescription": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "title": "RateBasedStatement" }, "RegexMatchStatement": { @@ -246183,7 +248055,7 @@ }, "SizeConstraintStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.SizeConstraintStatement", - "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "title": "SizeConstraintStatement" }, "SqliMatchStatement": { @@ -246208,7 +248080,7 @@ "type": "number" }, "Type": { - "markdownDescription": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.", + "markdownDescription": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* .", "title": "Type", "type": "string" } @@ -246305,7 +248177,7 @@ "properties": { "AssociationConfig": { "$ref": "#/definitions/AWS::WAFv2::WebACL.AssociationConfig", - "markdownDescription": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "markdownDescription": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "title": "AssociationConfig" }, "CaptchaConfig": { @@ -246348,7 +248220,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Rule" }, - "markdownDescription": "The rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", + "markdownDescription": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", "title": "Rules", "type": "array" }, @@ -246411,19 +248283,29 @@ "additionalProperties": false, "properties": { "CreationPath": { + "markdownDescription": "The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept `POST` requests.\n\nFor example, for the URL `https://example.com/web/newaccount` , you would provide the path `/web/newaccount` . Account creation page paths that start with the path that you provide are considered a match. For example `/web/newaccount` matches the account creation paths `/web/newaccount` , `/web/newaccount/` , `/web/newaccountPage` , and `/web/newaccount/thisPage` , but doesn't match the path `/home/web/newaccount` or `/website/newaccount` .", + "title": "CreationPath", "type": "string" }, "EnableRegexInPath": { + "markdownDescription": "Allow the use of regular expressions in the registration page path and the account creation path.", + "title": "EnableRegexInPath", "type": "boolean" }, "RegistrationPagePath": { + "markdownDescription": "The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users.\n\n> This page must accept `GET` text/html requests. \n\nFor example, for the URL `https://example.com/web/registration` , you would provide the path `/web/registration` . Registration page paths that start with the path that you provide are considered a match. For example `/web/registration` matches the registration paths `/web/registration` , `/web/registration/` , `/web/registrationPage` , and `/web/registration/thisPage` , but doesn't match the path `/home/web/registration` or `/website/registration` .", + "title": "RegistrationPagePath", "type": "string" }, "RequestInspection": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestInspectionACFP" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestInspectionACFP", + "markdownDescription": "The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.", + "title": "RequestInspection" }, "ResponseInspection": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection" + "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection", + "markdownDescription": "The criteria for inspecting responses to account creation requests, used by the ACFP rule group to track account creation success rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ACFP rule group evaluates the responses that your protected resources send back to client account creation attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many successful account creation attempts in a short amount of time.", + "title": "ResponseInspection" } }, "required": [ @@ -246437,10 +248319,12 @@ "additionalProperties": false, "properties": { "EnableRegexInPath": { + "markdownDescription": "Allow the use of regular expressions in the login page path.", + "title": "EnableRegexInPath", "type": "boolean" }, "LoginPath": { - "markdownDescription": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", + "markdownDescription": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` . Login paths that start with the path that you provide are considered a match. For example `/web/login` matches the login paths `/web/login` , `/web/login/` , `/web/loginPage` , and `/web/login/thisPage` , but doesn't match the login path `/home/web/login` or `/website/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", "title": "LoginPath", "type": "string" }, @@ -246451,7 +248335,7 @@ }, "ResponseInspection": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection", - "markdownDescription": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.", + "markdownDescription": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time.", "title": "ResponseInspection" } }, @@ -246464,10 +248348,12 @@ "additionalProperties": false, "properties": { "EnableMachineLearning": { + "markdownDescription": "Applies only to the targeted inspection level.\n\nDetermines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules `TGT_ML_CoordinatedActivityLow` and `TGT_ML_CoordinatedActivityMedium` , which\ninspect for anomalous behavior that might indicate distributed, coordinated bot activity.\n\nFor more information about this choice, see the listing for these rules in the table at [Bot Control rules listing](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules) in the *AWS WAF Developer Guide* .\n\nDefault: `TRUE`", + "title": "EnableMachineLearning", "type": "boolean" }, "InspectionLevel": { - "markdownDescription": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) .", + "markdownDescription": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) in the *AWS WAF Developer Guide* .", "title": "InspectionLevel", "type": "string" } @@ -246510,7 +248396,7 @@ "properties": { "RequestBody": { "additionalProperties": false, - "markdownDescription": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "markdownDescription": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestBodyAssociatedResourceTypeConfig" @@ -246537,7 +248423,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -246610,7 +248496,7 @@ "properties": { "CustomRequestHandling": { "$ref": "#/definitions/AWS::WAFv2::WebACL.CustomRequestHandling", - "markdownDescription": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", + "markdownDescription": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "title": "CustomRequestHandling" } }, @@ -246663,7 +248549,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -246745,7 +248631,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.CustomHTTPHeader" }, - "markdownDescription": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", + "markdownDescription": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "title": "ResponseHeaders", "type": "array" } @@ -246809,7 +248695,7 @@ "additionalProperties": false, "properties": { "Identifier": { - "markdownDescription": "The name of the username or password field, used in the `ManagedRuleGroupConfig` settings.\n\nWhen the `PayloadType` is `JSON` , the identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .", + "markdownDescription": "The name of the field.\n\nWhen the `PayloadType` in the request inspection is `JSON` , this identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .\n\nFor more information, see the descriptions for each field type in the request inspection properties.", "title": "Identifier", "type": "string" } @@ -246829,7 +248715,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { @@ -246844,7 +248730,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::WebACL.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { @@ -246950,7 +248836,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -247040,12 +248926,12 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -247113,7 +248999,9 @@ "additionalProperties": false, "properties": { "AWSManagedRulesACFPRuleSet": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesACFPRuleSet" + "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesACFPRuleSet", + "markdownDescription": "Additional configuration for using the account creation fraud prevention (ACFP) managed rule group, `AWSManagedRulesACFPRuleSet` . Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests.\n\nFor information about using the ACFP managed rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-acfp.html) and [AWS WAF Fraud Control account creation fraud prevention (ACFP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-acfp.html) in the *AWS WAF Developer Guide* .", + "title": "AWSManagedRulesACFPRuleSet" }, "AWSManagedRulesATPRuleSet": { "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesATPRuleSet", @@ -247132,17 +249020,17 @@ }, "PasswordField": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "PasswordField" }, "PayloadType": { - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "PayloadType", "type": "string" }, "UsernameField": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "UsernameField" } }, @@ -247163,7 +249051,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupConfig" }, - "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nUse the `AWSManagedRulesATPRuleSet` configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.\n\nUse the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "title": "ManagedRuleGroupConfigs", "type": "array" }, @@ -247253,7 +249141,7 @@ "additionalProperties": false, "properties": { "AggregateKeyType": { - "markdownDescription": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "markdownDescription": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", "title": "AggregateKeyType", "type": "string" }, @@ -247261,6 +249149,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RateBasedStatementCustomKey" }, + "markdownDescription": "Specifies the aggregate keys to use in a rate-base rule.", + "title": "CustomKeys", "type": "array" }, "ForwardedIPConfig": { @@ -247269,13 +249159,13 @@ "title": "ForwardedIPConfig" }, "Limit": { - "markdownDescription": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", + "markdownDescription": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", "title": "Limit", "type": "number" }, "ScopeDownStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Statement", - "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", + "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "title": "ScopeDownStatement" } }, @@ -247289,31 +249179,49 @@ "additionalProperties": false, "properties": { "Cookie": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitCookie" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitCookie", + "markdownDescription": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "title": "Cookie" }, "ForwardedIP": { + "markdownDescription": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "title": "ForwardedIP", "type": "object" }, "HTTPMethod": { + "markdownDescription": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "title": "HTTPMethod", "type": "object" }, "Header": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitHeader" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitHeader", + "markdownDescription": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "title": "Header" }, "IP": { + "markdownDescription": "Use the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "title": "IP", "type": "object" }, "LabelNamespace": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitLabelNamespace" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitLabelNamespace", + "markdownDescription": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "title": "LabelNamespace" }, "QueryArgument": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryArgument" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryArgument", + "markdownDescription": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "title": "QueryArgument" }, "QueryString": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryString" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryString", + "markdownDescription": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "title": "QueryString" }, "UriPath": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitUriPath" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitUriPath", + "markdownDescription": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.", + "title": "UriPath" } }, "type": "object" @@ -247322,12 +249230,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the cookie to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247341,12 +249253,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the header to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247360,6 +249276,8 @@ "additionalProperties": false, "properties": { "Namespace": { + "markdownDescription": "The namespace to use for aggregation.", + "title": "Namespace", "type": "string" } }, @@ -247372,12 +249290,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the query argument to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247394,6 +249316,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247409,6 +249333,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247479,7 +249405,7 @@ "additionalProperties": false, "properties": { "DefaultSizeInspectionLimit": { - "markdownDescription": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 kilobytes)`", + "markdownDescription": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 bytes)`", "title": "DefaultSizeInspectionLimit", "type": "string" } @@ -247522,25 +249448,37 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" }, + "markdownDescription": "The names of the fields in the request payload that contain your customer's primary physical address.\n\nOrder the address fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the address fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryaddressline1\": \"THE_ADDRESS1\", \"primaryaddressline2\": \"THE_ADDRESS2\", \"primaryaddressline3\": \"THE_ADDRESS3\" } }` , the address field idenfiers are `/form/primaryaddressline1` , `/form/primaryaddressline2` , and `/form/primaryaddressline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` , the address fields identifiers are `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` .", + "title": "AddressFields", "type": "array" }, "EmailField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's email.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"email\": \"THE_EMAIL\" } }` , the email field specification is `/form/email` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `email1` , the email field specification is `email1` .", + "title": "EmailField" }, "PasswordField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's password.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"password\": \"THE_PASSWORD\" } }` , the password field specification is `/form/password` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `password1` , the password field specification is `password1` .", + "title": "PasswordField" }, "PayloadType": { + "markdownDescription": "The payload type for your account creation endpoint, either JSON or form encoded.", + "title": "PayloadType", "type": "string" }, "PhoneNumberFields": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" }, + "markdownDescription": "The names of the fields in the request payload that contain your customer's primary phone number.\n\nOrder the phone number fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the phone number fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryphoneline1\": \"THE_PHONE1\", \"primaryphoneline2\": \"THE_PHONE2\", \"primaryphoneline3\": \"THE_PHONE3\" } }` , the phone number field identifiers are `/form/primaryphoneline1` , `/form/primaryphoneline2` , and `/form/primaryphoneline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` , the phone number field identifiers are `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` .", + "title": "PhoneNumberFields", "type": "array" }, "UsernameField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's username.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"username\": \"THE_USERNAME\" } }` , the username field specification is `/form/username` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `username1` , the username field specification is `username1`", + "title": "UsernameField" } }, "required": [ @@ -247553,22 +249491,22 @@ "properties": { "BodyContains": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionBodyContains", - "markdownDescription": "Configures inspection of the response body. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", + "markdownDescription": "Configures inspection of the response body for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", "title": "BodyContains" }, "Header": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionHeader", - "markdownDescription": "Configures inspection of the response header.", + "markdownDescription": "Configures inspection of the response header for success and failure indicators.", "title": "Header" }, "Json": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionJson", - "markdownDescription": "Configures inspection of the response JSON. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", + "markdownDescription": "Configures inspection of the response JSON for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", "title": "Json" }, "StatusCode": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionStatusCode", - "markdownDescription": "Configures inspection of the response status code.", + "markdownDescription": "Configures inspection of the response status code for success and failure indicators.", "title": "StatusCode" } }, @@ -247581,7 +249519,7 @@ "items": { "type": "string" }, - "markdownDescription": "Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Login failed\" ]`", + "markdownDescription": "Strings in the body of the response that indicate a failed login or account creation attempt. To be counted as a failure, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Request failed\" ]`", "title": "FailureStrings", "type": "array" }, @@ -247589,7 +249527,7 @@ "items": { "type": "string" }, - "markdownDescription": "Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"SuccessStrings\": [ \"Login successful\", \"Welcome to our site!\" ]`", + "markdownDescription": "Strings in the body of the response that indicate a successful login or account creation attempt. To be counted as a success, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON examples: `\"SuccessStrings\": [ \"Login successful\" ]` and `\"SuccessStrings\": [ \"Account creation successful\", \"Welcome to our site!\" ]`", "title": "SuccessStrings", "type": "array" } @@ -247607,12 +249545,12 @@ "items": { "type": "string" }, - "markdownDescription": "Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]`", + "markdownDescription": "Values in the response header with the specified name that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]` and `\"FailureValues\": [ \"AccountCreationFailed\" ]`", "title": "FailureValues", "type": "array" }, "Name": { - "markdownDescription": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"LoginResult\" ]`", + "markdownDescription": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"RequestResult\" ]`", "title": "Name", "type": "string" }, @@ -247620,7 +249558,7 @@ "items": { "type": "string" }, - "markdownDescription": "Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]`", + "markdownDescription": "Values in the response header with the specified name that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]` and `\"SuccessValues\": [ \"AccountCreated\", \"Successful account creation\" ]`", "title": "SuccessValues", "type": "array" } @@ -247639,12 +249577,12 @@ "items": { "type": "string" }, - "markdownDescription": "Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", + "markdownDescription": "Values for the specified identifier in the response JSON that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", "title": "FailureValues", "type": "array" }, "Identifier": { - "markdownDescription": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON example: `\"Identifier\": [ \"/login/success\" ]`", + "markdownDescription": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON examples: `\"Identifier\": [ \"/login/success\" ]` and `\"Identifier\": [ \"/sign-up/success\" ]`", "title": "Identifier", "type": "string" }, @@ -247652,7 +249590,7 @@ "items": { "type": "string" }, - "markdownDescription": "Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`", + "markdownDescription": "Values for the specified identifier in the response JSON that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`", "title": "SuccessValues", "type": "array" } @@ -247671,7 +249609,7 @@ "items": { "type": "number" }, - "markdownDescription": "Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", + "markdownDescription": "Status codes in the response that indicate a failed login or account creation attempt. To be counted as a failure, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", "title": "FailureCodes", "type": "array" }, @@ -247679,7 +249617,7 @@ "items": { "type": "number" }, - "markdownDescription": "Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`", + "markdownDescription": "Status codes in the response that indicate a successful login or account creation attempt. To be counted as a success, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`", "title": "SuccessCodes", "type": "array" } @@ -247709,7 +249647,7 @@ "title": "ChallengeConfig" }, "Name": { - "markdownDescription": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "markdownDescription": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "title": "Name", "type": "string" }, @@ -247738,7 +249676,7 @@ }, "VisibilityConfig": { "$ref": "#/definitions/AWS::WAFv2::WebACL.VisibilityConfig", - "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.", + "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name.", "title": "VisibilityConfig" } }, @@ -247952,7 +249890,7 @@ }, "ManagedRuleGroupStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupStatement", - "markdownDescription": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement.\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.", + "markdownDescription": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call `ListAvailableManagedRuleGroups` .\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.\n\n> You are charged additional fees when you use the AWS WAF Bot Control managed rule group `AWSManagedRulesBotControlRuleSet` , the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group `AWSManagedRulesATPRuleSet` , or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group `AWSManagedRulesACFPRuleSet` . For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "title": "ManagedRuleGroupStatement" }, "NotStatement": { @@ -247967,7 +249905,7 @@ }, "RateBasedStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RateBasedStatement", - "markdownDescription": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "markdownDescription": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "title": "RateBasedStatement" }, "RegexMatchStatement": { @@ -247982,12 +249920,12 @@ }, "RuleGroupReferenceStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RuleGroupReferenceStatement", - "markdownDescription": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You can only use a rule group reference statement at the top level inside a web ACL.", + "markdownDescription": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.", "title": "RuleGroupReferenceStatement" }, "SizeConstraintStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.SizeConstraintStatement", - "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "title": "SizeConstraintStatement" }, "SqliMatchStatement": { @@ -248012,7 +249950,7 @@ "type": "number" }, "Type": { - "markdownDescription": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.", + "markdownDescription": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* .", "title": "Type", "type": "string" } @@ -248192,7 +250130,7 @@ }, "ServerSideEncryptionConfiguration": { "$ref": "#/definitions/AWS::Wisdom::Assistant.ServerSideEncryptionConfiguration", - "markdownDescription": "The KMS key used for encryption.", + "markdownDescription": "The configuration information for the customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) .", "title": "ServerSideEncryptionConfiguration" }, "Tags": { @@ -248240,7 +250178,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "The customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "title": "KmsKeyId", "type": "string" } @@ -248405,7 +250343,7 @@ }, "ServerSideEncryptionConfiguration": { "$ref": "#/definitions/AWS::Wisdom::KnowledgeBase.ServerSideEncryptionConfiguration", - "markdownDescription": "The KMS key used for encryption.", + "markdownDescription": "This customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "title": "ServerSideEncryptionConfiguration" }, "SourceConfiguration": { @@ -248453,7 +250391,7 @@ "additionalProperties": false, "properties": { "AppIntegrationArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .", + "markdownDescription": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .\n- For [Amazon S3](https://docs.aws.amazon.com/https://aws.amazon.com/s3/) , the ObjectConfiguration and FileConfiguration of your AppIntegrations DataIntegration must be null. The `SourceURI` of your DataIntegration must use the following format: `s3://your_s3_bucket_name` .\n\n> The bucket policy of the corresponding S3 bucket must allow the AWS principal `app-integrations.amazonaws.com` to perform `s3:ListBucket` , `s3:GetObject` , and `s3:GetBucketLocation` against the bucket.", "title": "AppIntegrationArn", "type": "string" }, @@ -248486,7 +250424,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "The customer managed key used for encryption.\n\nThis customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom.\n\nFor more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) .", "title": "KmsKeyId", "type": "string" } @@ -248586,22 +250524,22 @@ "additionalProperties": false, "properties": { "AssociatedAccountId": { - "markdownDescription": "", + "markdownDescription": "The identifier of the AWS account that associated the connection alias with a directory.", "title": "AssociatedAccountId", "type": "string" }, "AssociationStatus": { - "markdownDescription": "", + "markdownDescription": "The association status of the connection alias.", "title": "AssociationStatus", "type": "string" }, "ConnectionIdentifier": { - "markdownDescription": "", + "markdownDescription": "The identifier of the connection alias association. You use the connection identifier in the DNS TXT record when you're configuring your DNS routing policies.", "title": "ConnectionIdentifier", "type": "string" }, "ResourceId": { - "markdownDescription": "", + "markdownDescription": "The identifier of the directory associated with a connection alias.", "title": "ResourceId", "type": "string" } @@ -248783,23 +250721,31 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "Additional encryption context of the browser settings.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "BrowserPolicy": { + "markdownDescription": "A JSON string containing Chrome Enterprise policies that will be applied to all streaming sessions.", + "title": "BrowserPolicy", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "The custom managed key of the browser settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the browser settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -248862,20 +250808,28 @@ "properties": { "IdentityProviderDetails": { "additionalProperties": true, + "markdownDescription": "The identity provider details. The following list describes the provider detail keys for each identity provider type.\n\n- For Google and Login with Amazon:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- For Facebook:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- `api_version`\n- For Sign in with Apple:\n\n- `client_id`\n- `team_id`\n- `key_id`\n- `private_key`\n- `authorize_scopes`\n- For OIDC providers:\n\n- `client_id`\n- `client_secret`\n- `attributes_request_method`\n- `oidc_issuer`\n- `authorize_scopes`\n- `authorize_url` *if not available from discovery URL specified by oidc_issuer key*\n- `token_url` *if not available from discovery URL specified by oidc_issuer key*\n- `attributes_url` *if not available from discovery URL specified by oidc_issuer key*\n- `jwks_uri` *if not available from discovery URL specified by oidc_issuer key*\n- For SAML providers:\n\n- `MetadataFile` OR `MetadataURL`\n- `IDPSignout` *optional*", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "IdentityProviderDetails", "type": "object" }, "IdentityProviderName": { + "markdownDescription": "The identity provider name.", + "title": "IdentityProviderName", "type": "string" }, "IdentityProviderType": { + "markdownDescription": "The identity provider type.", + "title": "IdentityProviderType", "type": "string" }, "PortalArn": { + "markdownDescription": "The ARN of the identity provider.", + "title": "PortalArn", "type": "string" } }, @@ -248944,32 +250898,44 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "Additional encryption context of the IP access settings.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "CustomerManagedKey": { + "markdownDescription": "The custom managed key of the IP access settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "Description": { + "markdownDescription": "The description of the IP access settings.", + "title": "Description", "type": "string" }, "DisplayName": { + "markdownDescription": "The display name of the IP access settings.", + "title": "DisplayName", "type": "string" }, "IpRules": { "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::IpAccessSettings.IpRule" }, + "markdownDescription": "The IP rules of the IP access settings.", + "title": "IpRules", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the browser settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -249003,9 +250969,13 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the IP rule.", + "title": "Description", "type": "string" }, "IpRange": { + "markdownDescription": "The IP range of the IP rule. This can either be a single IP address or a range using CIDR notation.", + "title": "IpRange", "type": "string" } }, @@ -249053,21 +251023,29 @@ "items": { "type": "string" }, + "markdownDescription": "One or more security groups used to control access from streaming instances to your VPC.\n\n*Pattern* : `^[\\w+\\-]+$`", + "title": "SecurityGroupIds", "type": "array" }, "SubnetIds": { "items": { "type": "string" }, + "markdownDescription": "The subnets in which network interfaces are created to connect streaming instances to your VPC. At least two of these subnets must be in different availability zones.\n\n*Pattern* : `^subnet-([0-9a-f]{8}|[0-9a-f]{17})$`", + "title": "SubnetIds", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the network settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "VpcId": { + "markdownDescription": "The VPC that streaming instances will connect to.\n\n*Pattern* : `^vpc-[0-9a-z]*$`", + "title": "VpcId", "type": "string" } }, @@ -249136,44 +251114,66 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "The additional encryption context of the portal.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "AuthenticationType": { + "markdownDescription": "The type of authentication integration points used when signing into the web portal. Defaults to `Standard` .\n\n`Standard` web portals are authenticated directly through your identity provider (IdP). User and group access to your web portal is controlled through your IdP. You need to include an IdP resource in your template to integrate your IdP with your web portal. Completing the configuration for your IdP requires exchanging WorkSpaces Web\u2019s SP metadata with your IdP\u2019s IdP metadata. If your IdP requires the SP metadata first before returning the IdP metadata, you should follow these steps:\n\n1. Create and deploy a CloudFormation template with a `Standard` portal with no `IdentityProvider` resource.\n\n2. Retrieve the SP metadata using `Fn:GetAtt` , the WorkSpaces Web console, or by the calling the `GetPortalServiceProviderMetadata` API.\n\n3. Submit the data to your IdP.\n\n4. Add an `IdentityProvider` resource to your CloudFormation template.\n\n`IAM Identity Center` web portals are authenticated through AWS IAM Identity Center . They provide additional features, such as IdP-initiated authentication. Identity sources (including external identity provider integration) and other identity provider information must be configured in IAM Identity Center . User and group assignment must be done through the WorkSpaces Web console. These cannot be configured in CloudFormation.", + "title": "AuthenticationType", "type": "string" }, "BrowserSettingsArn": { + "markdownDescription": "The ARN of the browser settings that is associated with this web portal.", + "title": "BrowserSettingsArn", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "The customer managed key of the web portal.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "DisplayName": { + "markdownDescription": "The name of the web portal.", + "title": "DisplayName", "type": "string" }, "IpAccessSettingsArn": { + "markdownDescription": "The ARN of the IP access settings that is associated with the web portal.", + "title": "IpAccessSettingsArn", "type": "string" }, "NetworkSettingsArn": { + "markdownDescription": "The ARN of the network settings that is associated with the web portal.", + "title": "NetworkSettingsArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the web portal. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "TrustStoreArn": { + "markdownDescription": "The ARN of the trust store that is associated with the web portal.", + "title": "TrustStoreArn", "type": "string" }, "UserAccessLoggingSettingsArn": { + "markdownDescription": "The ARN of the user access logging settings that is associated with the web portal.", + "title": "UserAccessLoggingSettingsArn", "type": "string" }, "UserSettingsArn": { + "markdownDescription": "The ARN of the user settings that is associated with the web portal.", + "title": "UserSettingsArn", "type": "string" } }, @@ -249238,12 +251238,16 @@ "items": { "type": "string" }, + "markdownDescription": "A list of CA certificates to be added to the trust store.", + "title": "CertificateList", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the trust store. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -249309,12 +251313,16 @@ "additionalProperties": false, "properties": { "KinesisStreamArn": { + "markdownDescription": "The ARN of the Kinesis stream.", + "title": "KinesisStreamArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the user access logging settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -249381,44 +251389,66 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "CookieSynchronizationConfiguration": { - "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSynchronizationConfiguration" + "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSynchronizationConfiguration", + "markdownDescription": "The configuration that specifies which cookies should be synchronized from the end user's local browser to the remote browser.", + "title": "CookieSynchronizationConfiguration" }, "CopyAllowed": { + "markdownDescription": "Specifies whether the user can copy text from the streaming session to the local device.", + "title": "CopyAllowed", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "", + "title": "CustomerManagedKey", "type": "string" }, "DisconnectTimeoutInMinutes": { + "markdownDescription": "The amount of time that a streaming session remains active after users disconnect.", + "title": "DisconnectTimeoutInMinutes", "type": "number" }, "DownloadAllowed": { + "markdownDescription": "Specifies whether the user can download files from the streaming session to the local device.", + "title": "DownloadAllowed", "type": "string" }, "IdleDisconnectTimeoutInMinutes": { + "markdownDescription": "The amount of time that users can be idle (inactive) before they are disconnected from their streaming session and the disconnect timeout interval begins.", + "title": "IdleDisconnectTimeoutInMinutes", "type": "number" }, "PasteAllowed": { + "markdownDescription": "Specifies whether the user can paste text from the local device to the streaming session.", + "title": "PasteAllowed", "type": "string" }, "PrintAllowed": { + "markdownDescription": "Specifies whether the user can print to the local device.", + "title": "PrintAllowed", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the user settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "UploadAllowed": { + "markdownDescription": "Specifies whether the user can upload files from the local device to the streaming session.", + "title": "UploadAllowed", "type": "string" } }, @@ -249456,12 +251486,18 @@ "additionalProperties": false, "properties": { "Domain": { + "markdownDescription": "The domain of the cookie.", + "title": "Domain", "type": "string" }, "Name": { + "markdownDescription": "The name of the cookie.", + "title": "Name", "type": "string" }, "Path": { + "markdownDescription": "The path of the cookie.", + "title": "Path", "type": "string" } }, @@ -249477,12 +251513,16 @@ "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSpecification" }, + "markdownDescription": "The list of cookie specifications that are allowed to be synchronized to the remote browser.", + "title": "Allowlist", "type": "array" }, "Blocklist": { "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSpecification" }, + "markdownDescription": "The list of cookie specifications that are blocked from being synchronized to the remote browser.", + "title": "Blocklist", "type": "array" } }, diff --git a/schema_source/cloudformation-docs.json b/schema_source/cloudformation-docs.json index b924e4c16..32a66718d 100644 --- a/schema_source/cloudformation-docs.json +++ b/schema_source/cloudformation-docs.json @@ -182,6 +182,10 @@ "Surname": "Family name.", "Title": "A personal title such as Mr." }, + "AWS::ACMPCA::CertificateAuthority Tag": { + "Key": "Key (name) of the tag.", + "Value": "Value of the tag." + }, "AWS::ACMPCA::CertificateAuthorityActivation": { "Certificate": "The Base64 PEM-encoded certificate authority certificate.", "CertificateAuthorityArn": "The Amazon Resource Name (ARN) of your private CA.", @@ -200,6 +204,10 @@ "Tags": "A list of key and value pairs for the workspace resources.", "Workspace": "The ARN of the workspace that contains this rule groups namespace." }, + "AWS::APS::RuleGroupsNamespace Tag": { + "Key": "", + "Value": "" + }, "AWS::APS::Workspace": { "AlertManagerDefinition": "The alert manager definition for the workspace, as a string. For more information, see [Alert manager and templating](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-alert-manager.html) .", "Alias": "An alias that you assign to this workspace to help you identify it. It does not need to be unique.\n\nThe alias can be as many as 100 characters and can include any type of characters. Amazon Managed Service for Prometheus automatically strips any blank spaces from the beginning and end of the alias that you specify.", @@ -209,6 +217,10 @@ "AWS::APS::Workspace LoggingConfiguration": { "LogGroupArn": "The Amazon Resource Name (ARN) of the CloudWatch log group the logs are emitted to." }, + "AWS::APS::Workspace Tag": { + "Key": "", + "Value": "" + }, "AWS::AccessAnalyzer::Analyzer": { "AnalyzerName": "The name of the analyzer.", "ArchiveRules": "Specifies the archive rules to add for the analyzer.", @@ -226,11 +238,17 @@ "Neq": "A \"not equal\" condition to match for the rule.", "Property": "The property used to define the criteria in the filter for the rule." }, + "AWS::AccessAnalyzer::Analyzer Tag": { + "Key": "", + "Value": "" + }, "AWS::AmazonMQ::Broker": { "AuthenticationStrategy": "Optional. The authentication strategy used to secure the broker. The default is `SIMPLE` .", "AutoMinorVersionUpgrade": "Enables automatic upgrades to new minor versions for brokers, as new broker engine versions are released and supported by Amazon MQ. Automatic upgrades occur during the scheduled maintenance window of the broker or after a manual broker reboot.", "BrokerName": "The name of the broker. This value must be unique in your AWS account , 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain white spaces, brackets, wildcard characters, or special characters.\n\n> Do not add personally identifiable information (PII) or other confidential or sensitive information in broker names. Broker names are accessible to other AWS services, including C CloudWatch Logs . Broker names are not intended to be used for private or sensitive data.", "Configuration": "A list of information about the configuration. Does not apply to RabbitMQ brokers.", + "DataReplicationMode": "Defines whether this broker is a part of a data replication pair.", + "DataReplicationPrimaryBrokerArn": "The Amazon Resource Name (ARN) of the primary broker that is used to replicate data from in a data replication pair, and is applied to the replica broker. Must be set when dataReplicationMode is set to CRDR.", "DeploymentMode": "The deployment mode of the broker. Available values:\n\n- `SINGLE_INSTANCE`\n- `ACTIVE_STANDBY_MULTI_AZ`\n- `CLUSTER_MULTI_AZ`", "EncryptionOptions": "Encryption options for the broker. Does not apply to RabbitMQ brokers.", "EngineType": "The type of broker engine. Currently, Amazon MQ supports `ACTIVEMQ` and `RABBITMQ` .", @@ -352,8 +370,13 @@ "Name": "The environment variable name.\n\n*Length Constraints:* Maximum length of 255.\n\n*Pattern:* (?s).*", "Value": "The environment variable value.\n\n*Length Constraints:* Maximum length of 5500.\n\n*Pattern:* (?s).*" }, + "AWS::Amplify::App Tag": { + "Key": "Specifies the key for the tag.", + "Value": "Specifies the value for the tag." + }, "AWS::Amplify::Branch": { - "AppId": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+", + "AppId": "The unique ID for an Amplify app.", + "Backend": "The backend environment for an Amplify app.", "BasicAuthConfig": "The basic authorization credentials for a branch of an Amplify app. You must base64-encode the authorization credentials and provide them in the format `user:password` .", "BranchName": "The name for the branch.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 255.\n\n*Pattern:* (?s).+", "BuildSpec": "The build specification (build spec) for the branch.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 25000.\n\n*Pattern:* (?s).+", @@ -367,6 +390,9 @@ "Stage": "Describes the current stage for the branch.\n\n*Valid Values:* PRODUCTION | BETA | DEVELOPMENT | EXPERIMENTAL | PULL_REQUEST", "Tags": "The tag for the branch." }, + "AWS::Amplify::Branch Backend": { + "StackArn": "The Amazon Resource Name (ARN) for the AWS CloudFormation stack." + }, "AWS::Amplify::Branch BasicAuthConfig": { "EnableBasicAuth": "Enables basic authorization for the branch.", "Password": "The password for basic authorization.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 255.", @@ -376,6 +402,10 @@ "Name": "The environment variable name.\n\n*Length Constraints:* Maximum length of 255.\n\n*Pattern:* (?s).*", "Value": "The environment variable value.\n\n*Length Constraints:* Maximum length of 5500.\n\n*Pattern:* (?s).*" }, + "AWS::Amplify::Branch Tag": { + "Key": "Specifies the key for the tag.", + "Value": "Specifies the value for the tag." + }, "AWS::Amplify::Domain": { "AppId": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+", "AutoSubDomainCreationPatterns": "Sets the branch patterns for automatic subdomain creation.", @@ -633,6 +663,10 @@ "RestApiId": "The string identifier of the associated RestApi.", "StageName": "The stage name associated with the stage key." }, + "AWS::ApiGateway::ApiKey Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::Authorizer": { "AuthType": "Optional customer-defined field, used in OpenAPI imports and exports without functional impact.", "AuthorizerCredentials": "Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer. To specify an IAM role for API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.", @@ -648,7 +682,6 @@ "AWS::ApiGateway::BasePathMapping": { "BasePath": "The base path name that callers of the API must provide as part of the URL after the domain name.", "DomainName": "The domain name of the BasePathMapping resource to be described.", - "Id": "", "RestApiId": "The string identifier of the associated RestApi.", "Stage": "The name of the associated stage." }, @@ -656,6 +689,10 @@ "Description": "The description of the client certificate.", "Tags": "The collection of tags. Each tag element is associated with a given resource." }, + "AWS::ApiGateway::ClientCertificate Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::Deployment": { "DeploymentCanarySettings": "The input configuration for a canary deployment.", "Description": "The description for the Deployment resource to create.", @@ -681,7 +718,7 @@ "CacheDataEncrypted": "Specifies whether the cached responses are encrypted.", "CacheTtlInSeconds": "Specifies the time to live (TTL), in seconds, for cached responses. The higher the TTL, the longer the response will be cached.", "CachingEnabled": "Specifies whether responses should be cached and returned for requests. A cache cluster must be enabled on the stage for responses to be cached.", - "DataTraceEnabled": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "DataTraceEnabled": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "HttpMethod": "The HTTP method.", "LoggingLevel": "Specifies the logging level for this method, which affects the log entries pushed to Amazon CloudWatch Logs. Valid values are `OFF` , `ERROR` , and `INFO` . Choose `ERROR` to write only error-level entries to CloudWatch Logs, or choose `INFO` to include all `ERROR` events as well as extra informational events.", "MetricsEnabled": "Specifies whether Amazon CloudWatch metrics are enabled for this method.", @@ -710,6 +747,10 @@ "TracingEnabled": "Specifies whether active tracing with X-ray is enabled for this stage.\n\nFor more information, see [Trace API Gateway API Execution with AWS X-Ray](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-xray.html) in the *API Gateway Developer Guide* .", "Variables": "A map that defines the stage variables. Variable names must consist of alphanumeric characters, and the values must match the following regular expression: `[A-Za-z0-9-._~:/?#&=,]+` ." }, + "AWS::ApiGateway::Deployment Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::DocumentationPart": { "Location": "The location of the targeted API entity of the to-be-created documentation part.", "Properties": "The new documentation content map of the targeted API entity. Enclosed key-value pairs are API-specific, but only OpenAPI-compliant key-value pairs can be exported and, hence, published.", @@ -744,6 +785,10 @@ "TruststoreUri": "An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example `s3://bucket-name/key-name` . The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version. To update the truststore, you must have permissions to access the S3 object.", "TruststoreVersion": "The version of the S3 object that contains your truststore. To specify a version, you must have versioning enabled for the S3 bucket." }, + "AWS::ApiGateway::DomainName Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::GatewayResponse": { "ResponseParameters": "Response parameters (paths, query strings and headers) of the GatewayResponse as a string-to-string map of key-value pairs.", "ResponseTemplates": "Response templates of the GatewayResponse as a string-to-string map of key-value pairs.", @@ -839,6 +884,10 @@ "Key": "The file name of the OpenAPI file (Amazon S3 object name).", "Version": "For versioning-enabled buckets, a specific version of the OpenAPI file." }, + "AWS::ApiGateway::RestApi Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::Stage": { "AccessLogSetting": "Access log settings, including the access log format and access log destination ARN.", "CacheClusterEnabled": "Specifies whether a cache cluster is enabled for the stage.", @@ -869,7 +918,7 @@ "CacheDataEncrypted": "Specifies whether the cached responses are encrypted.", "CacheTtlInSeconds": "Specifies the time to live (TTL), in seconds, for cached responses. The higher the TTL, the longer the response will be cached.", "CachingEnabled": "Specifies whether responses should be cached and returned for requests. A cache cluster must be enabled on the stage for responses to be cached.", - "DataTraceEnabled": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "DataTraceEnabled": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "HttpMethod": "The HTTP method. To apply settings to multiple resources and methods, specify an asterisk ( `*` ) for the `HttpMethod` and `/*` for the `ResourcePath` . This parameter is required when you specify a `MethodSetting` .", "LoggingLevel": "Specifies the logging level for this method, which affects the log entries pushed to Amazon CloudWatch Logs. Valid values are `OFF` , `ERROR` , and `INFO` . Choose `ERROR` to write only error-level entries to CloudWatch Logs, or choose `INFO` to include all `ERROR` events as well as extra informational events.", "MetricsEnabled": "Specifies whether Amazon CloudWatch metrics are enabled for this method.", @@ -877,6 +926,10 @@ "ThrottlingBurstLimit": "Specifies the throttling burst limit.", "ThrottlingRateLimit": "Specifies the throttling rate limit." }, + "AWS::ApiGateway::Stage Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::UsagePlan": { "ApiStages": "The associated API stages of a usage plan.", "Description": "The description of a usage plan.", @@ -895,6 +948,10 @@ "Offset": "The number of requests subtracted from the given limit in the initial time period.", "Period": "The time period in which the limit applies. Valid values are \"DAY\", \"WEEK\" or \"MONTH\"." }, + "AWS::ApiGateway::UsagePlan Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGateway::UsagePlan ThrottleSettings": { "BurstLimit": "The API target request burst rate limit. This allows more requests through for a period of time than the target rate limit.", "RateLimit": "The API target request rate limit." @@ -910,6 +967,10 @@ "Tags": "An array of arbitrary tags (key-value pairs) to associate with the VPC link.", "TargetArns": "The ARN of the network load balancer of the VPC targeted by the VPC link. The network load balancer must be owned by the same AWS account of the API owner." }, + "AWS::ApiGateway::VpcLink Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::ApiGatewayV2::Api": { "ApiKeySelectionExpression": "An API key selection expression. Supported only for WebSocket APIs. See [API Key Selection Expressions](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-selection-expressions.html#apigateway-websocket-api-apikey-selection-expressions) .", "BasePath": "Specifies how to interpret the base path of the API during import. Valid values are `ignore` , `prepend` , and `split` . The default value is `ignore` . To learn more, see [Set the OpenAPI basePath Property](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-import-api-basePath.html) . Supported only for HTTP APIs.", @@ -1140,6 +1201,7 @@ "AWS::AppConfig::ConfigurationProfile": { "ApplicationId": "The application ID.", "Description": "A description of the configuration profile.", + "KmsKeyIdentifier": "", "LocationUri": "A URI to locate the configuration. You can specify the following:\n\n- For the AWS AppConfig hosted configuration store and for feature flags, specify `hosted` .\n- For an AWS Systems Manager Parameter Store parameter, specify either the parameter name in the format `ssm-parameter://` or the ARN.\n- For an AWS CodePipeline pipeline, specify the URI in the following format: `codepipeline` ://.\n- For an AWS Secrets Manager secret, specify the URI in the following format: `secretsmanager` ://.\n- For an Amazon S3 object, specify the URI in the following format: `s3:///` . Here is an example: `s3://my-bucket/my-app/us-east-1/my-config.json`\n- For an SSM document, specify either the document name in the format `ssm-document://` or the Amazon Resource Name (ARN).", "Name": "A name for the configuration profile.", "RetrievalRoleArn": "The ARN of an IAM role with permission to access the configuration at the specified `LocationUri` .\n\n> A retrieval role ARN is not required for configurations stored in the AWS AppConfig hosted configuration store. It is required for all other sources that store your configuration.", @@ -1162,7 +1224,7 @@ "DeploymentStrategyId": "The deployment strategy ID.", "Description": "A description of the deployment.", "EnvironmentId": "The environment ID.", - "KmsKeyIdentifier": "The AWS KMS key identifier (key ID, key alias, or key ARN). AWS AppConfig uses this ID to encrypt the configuration data using a customer managed key.", + "KmsKeyIdentifier": "The AWS Key Management Service key identifier (key ID, key alias, or key ARN) provided when the resource was created or updated.", "Tags": "Metadata to assign to the deployment. Tags help organize and categorize your AWS AppConfig resources. Each tag consists of a key and an optional value, both of which you define." }, "AWS::AppConfig::Deployment Tags": { @@ -1206,10 +1268,20 @@ "Parameters": "The parameters accepted by the extension. You specify parameter values when you associate the extension to an AWS AppConfig resource by using the `CreateExtensionAssociation` API action. For AWS Lambda extension actions, these parameters are included in the Lambda request object.", "Tags": "Adds one or more tags for the specified extension. Tags are metadata that help you categorize resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define." }, + "AWS::AppConfig::Extension Action": { + "Description": "Information about the action.", + "Name": "The action name.", + "RoleArn": "An Amazon Resource Name (ARN) for an AWS Identity and Access Management assume role.", + "Uri": "The extension URI associated to the action point in the extension definition. The URI can be an Amazon Resource Name (ARN) for one of the following: an AWS Lambda function, an Amazon Simple Queue Service queue, an Amazon Simple Notification Service topic, or the Amazon EventBridge default event bus." + }, "AWS::AppConfig::Extension Parameter": { "Description": "Information about the parameter.", "Required": "A parameter value must be specified in the extension association." }, + "AWS::AppConfig::Extension Tag": { + "Key": "", + "Value": "" + }, "AWS::AppConfig::ExtensionAssociation": { "ExtensionIdentifier": "The name, the ID, or the Amazon Resource Name (ARN) of the extension.", "ExtensionVersionNumber": "The version number of the extension. If not specified, AWS AppConfig uses the maximum version of the extension.", @@ -1217,6 +1289,10 @@ "ResourceIdentifier": "The ARN of an application, configuration profile, or environment.", "Tags": "Adds one or more tags for the specified extension association. Tags are metadata that help you categorize resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define." }, + "AWS::AppConfig::ExtensionAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::AppConfig::HostedConfigurationVersion": { "ApplicationId": "The application ID.", "ConfigurationProfileId": "The configuration profile ID.", @@ -1274,7 +1350,7 @@ "GoogleAnalytics": "The connector-specific credentials required when using Google Analytics.", "InforNexus": "The connector-specific credentials required when using Infor Nexus.", "Marketo": "The connector-specific credentials required when using Marketo.", - "Pardot": "", + "Pardot": "The connector-specific credentials required when using Salesforce Pardot.", "Redshift": "The connector-specific credentials required when using Amazon Redshift.", "SAPOData": "The connector-specific profile credentials required when using SAPOData.", "Salesforce": "The connector-specific credentials required when using Salesforce.", @@ -1292,7 +1368,7 @@ "Dynatrace": "The connector-specific properties required by Dynatrace.", "InforNexus": "The connector-specific properties required by Infor Nexus.", "Marketo": "The connector-specific properties required by Marketo.", - "Pardot": "", + "Pardot": "The connector-specific properties required by Salesforce Pardot.", "Redshift": "The connector-specific properties required by Amazon Redshift.", "SAPOData": "The connector-specific profile properties required when using SAPOData.", "Salesforce": "The connector-specific properties required by Salesforce.", @@ -1380,15 +1456,15 @@ "TokenUrl": "The token url required to fetch access/refresh tokens using authorization code and also to refresh expired access token using refresh token." }, "AWS::AppFlow::ConnectorProfile PardotConnectorProfileCredentials": { - "AccessToken": "", - "ClientCredentialsArn": "", + "AccessToken": "The credentials used to access protected Salesforce Pardot resources.", + "ClientCredentialsArn": "The secret manager ARN, which contains the client ID and client secret of the connected app.", "ConnectorOAuthRequest": "", - "RefreshToken": "" + "RefreshToken": "The credentials used to acquire new access tokens." }, "AWS::AppFlow::ConnectorProfile PardotConnectorProfileProperties": { - "BusinessUnitId": "", - "InstanceUrl": "", - "IsSandboxEnvironment": "" + "BusinessUnitId": "The business unit id of Salesforce Pardot instance.", + "InstanceUrl": "The location of the Salesforce Pardot resource.", + "IsSandboxEnvironment": "Indicates whether the connector profile applies to a sandbox or production environment." }, "AWS::AppFlow::ConnectorProfile RedshiftConnectorProfileCredentials": { "Password": "The password that corresponds to the user name.", @@ -1397,13 +1473,13 @@ "AWS::AppFlow::ConnectorProfile RedshiftConnectorProfileProperties": { "BucketName": "A name for the associated Amazon S3 bucket.", "BucketPrefix": "The object key for the destination bucket in which Amazon AppFlow places the files.", - "ClusterIdentifier": "", - "DataApiRoleArn": "", - "DatabaseName": "", + "ClusterIdentifier": "The unique ID that's assigned to an Amazon Redshift cluster.", + "DataApiRoleArn": "The Amazon Resource Name (ARN) of an IAM role that permits Amazon AppFlow to access your Amazon Redshift database through the Data API. For more information, and for the polices that you attach to this role, see [Allow Amazon AppFlow to access Amazon Redshift databases with the Data API](https://docs.aws.amazon.com/appflow/latest/userguide/security_iam_service-role-policies.html#access-redshift) .", + "DatabaseName": "The name of an Amazon Redshift database.", "DatabaseUrl": "The JDBC URL of the Amazon Redshift cluster.", - "IsRedshiftServerless": "", + "IsRedshiftServerless": "Indicates whether the connector profile defines a connection to an Amazon Redshift Serverless data warehouse.", "RoleArn": "The Amazon Resource Name (ARN) of IAM role that grants Amazon Redshift read-only access to Amazon S3. For more information, and for the polices that you attach to this role, see [Allow Amazon Redshift to access your Amazon AppFlow data in Amazon S3](https://docs.aws.amazon.com/appflow/latest/userguide/security_iam_service-role-policies.html#redshift-access-s3) .", - "WorkgroupName": "" + "WorkgroupName": "The name of an Amazon Redshift workgroup." }, "AWS::AppFlow::ConnectorProfile SAPODataConnectorProfileCredentials": { "BasicAuthCredentials": "The SAPOData basic authentication credentials.", @@ -1423,16 +1499,17 @@ "AccessToken": "The credentials used to access protected Salesforce resources.", "ClientCredentialsArn": "The secret manager ARN, which contains the client ID and client secret of the connected app.", "ConnectorOAuthRequest": "Used by select connectors for which the OAuth workflow is supported, such as Salesforce, Google Analytics, Marketo, Zendesk, and Slack.", - "JwtToken": "", - "OAuth2GrantType": "", + "JwtToken": "A JSON web token (JWT) that authorizes Amazon AppFlow to access your Salesforce records.", + "OAuth2GrantType": "Specifies the OAuth 2.0 grant type that Amazon AppFlow uses when it requests an access token from Salesforce. Amazon AppFlow requires an access token each time it attempts to access your Salesforce records.\n\nYou can specify one of the following values:\n\n- **AUTHORIZATION_CODE** - Amazon AppFlow passes an authorization code when it requests the access token from Salesforce. Amazon AppFlow receives the authorization code from Salesforce after you log in to your Salesforce account and authorize Amazon AppFlow to access your records.\n- **CLIENT_CREDENTIALS** - Amazon AppFlow passes client credentials (a client ID and client secret) when it requests the access token from Salesforce. You provide these credentials to Amazon AppFlow when you define the connection to your Salesforce account.\n- **JWT_BEARER** - Amazon AppFlow passes a JSON web token (JWT) when it requests the access token from Salesforce. You provide the JWT to Amazon AppFlow when you define the connection to your Salesforce account. When you use this grant type, you don't need to log in to your Salesforce account to authorize Amazon AppFlow to access your records.", "RefreshToken": "The credentials used to acquire new access tokens." }, "AWS::AppFlow::ConnectorProfile SalesforceConnectorProfileProperties": { "InstanceUrl": "The location of the Salesforce resource.", "isSandboxEnvironment": "Indicates whether the connector profile applies to a sandbox or production environment.", - "usePrivateLinkForMetadataAndAuthorization": "" + "usePrivateLinkForMetadataAndAuthorization": "If the connection mode for the connector profile is private, this parameter sets whether Amazon AppFlow uses the private network to send metadata and authorization calls to Salesforce. Amazon AppFlow sends private calls through AWS PrivateLink . These calls travel through AWS infrastructure without being exposed to the public internet.\n\nSet either of the following values:\n\n- **true** - Amazon AppFlow sends all calls to Salesforce over the private network.\n\nThese private calls are:\n\n- Calls to get metadata about your Salesforce records. This metadata describes your Salesforce objects and their fields.\n- Calls to get or refresh access tokens that allow Amazon AppFlow to access your Salesforce records.\n- Calls to transfer your Salesforce records as part of a flow run.\n- **false** - The default value. Amazon AppFlow sends some calls to Salesforce privately and other calls over the public internet.\n\nThe public calls are:\n\n- Calls to get metadata about your Salesforce records.\n- Calls to get or refresh access tokens.\n\nThe private calls are:\n\n- Calls to transfer your Salesforce records as part of a flow run." }, "AWS::AppFlow::ConnectorProfile ServiceNowConnectorProfileCredentials": { + "OAuth2Credentials": "", "Password": "The password that corresponds to the user name.", "Username": "The name of the user." }, @@ -1489,7 +1566,7 @@ "FlowName": "The specified name of the flow. Spaces are not allowed. Use underscores (_) or hyphens (-) only.", "FlowStatus": "Sets the status of the flow. You can specify one of the following values:\n\n- **Active** - The flow runs based on the trigger settings that you defined. Active scheduled flows run as scheduled, and active event-triggered flows run when the specified change event occurs. However, active on-demand flows run only when you manually start them by using Amazon AppFlow.\n- **Suspended** - You can use this option to deactivate an active flow. Scheduled and event-triggered flows will cease to run until you reactive them. This value only affects scheduled and event-triggered flows. It has no effect for on-demand flows.\n\nIf you omit the FlowStatus parameter, Amazon AppFlow creates the flow with a default status. The default status for on-demand flows is Active. The default status for scheduled and event-triggered flows is Draft, which means they\u2019re not yet active.", "KMSArn": "The ARN (Amazon Resource Name) of the Key Management Service (KMS) key you provide for encryption. This is required if you do not want to use the Amazon AppFlow-managed KMS key. If you don't provide anything here, Amazon AppFlow uses the Amazon AppFlow-managed KMS key.", - "MetadataCatalogConfig": "", + "MetadataCatalogConfig": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data. When Amazon AppFlow catalogs your data, it stores metadata in a data catalog.", "SourceFlowConfig": "Contains information about the configuration of the source connector used in the flow.", "Tags": "The tags used to organize, track, or control access for your flow.", "Tasks": "A list of tasks that Amazon AppFlow performs while transferring the data in the flow run.", @@ -1497,7 +1574,7 @@ }, "AWS::AppFlow::Flow AggregationConfig": { "AggregationType": "Specifies whether Amazon AppFlow aggregates the flow records into a single file, or leave them unaggregated.", - "TargetFileSize": "" + "TargetFileSize": "The desired file size, in MB, for each output file that Amazon AppFlow writes to the flow destination. For each file, Amazon AppFlow attempts to achieve the size that you specify. The actual file sizes might differ from this target based on the number and size of the records that each file contains." }, "AWS::AppFlow::Flow AmplitudeSourceProperties": { "Object": "The object specified in the Amplitude flow source." @@ -1510,7 +1587,7 @@ "GoogleAnalytics": "The operation to be performed on the provided Google Analytics source fields.", "InforNexus": "The operation to be performed on the provided Infor Nexus source fields.", "Marketo": "The operation to be performed on the provided Marketo source fields.", - "Pardot": "", + "Pardot": "The operation to be performed on the provided Salesforce Pardot source fields.", "S3": "The operation to be performed on the provided Amazon S3 source fields.", "SAPOData": "The operation to be performed on the provided SAPOData source fields.", "Salesforce": "The operation to be performed on the provided Salesforce source fields.", @@ -1530,12 +1607,12 @@ }, "AWS::AppFlow::Flow CustomConnectorSourceProperties": { "CustomProperties": "Custom properties that are required to use the custom connector as a source.", - "DataTransferApi": "", + "DataTransferApi": "The API of the connector application that Amazon AppFlow uses to transfer your data.", "EntityName": "The entity specified in the custom connector as a source in the flow." }, "AWS::AppFlow::Flow DataTransferApi": { - "Name": "", - "Type": "" + "Name": "The name of the connector application API.", + "Type": "You can specify one of the following types:\n\n- **AUTOMATIC** - The default. Optimizes a flow for datasets that fluctuate in size from small to large. For each flow run, Amazon AppFlow chooses to use the SYNC or ASYNC API type based on the amount of data that the run transfers.\n- **SYNC** - A synchronous API. This type of API optimizes a flow for small to medium-sized datasets.\n- **ASYNC** - An asynchronous API. This type of API optimizes a flow for large datasets." }, "AWS::AppFlow::Flow DatadogSourceProperties": { "Object": "The object specified in the Datadog flow source." @@ -1556,7 +1633,7 @@ "AWS::AppFlow::Flow DestinationFlowConfig": { "ApiVersion": "The API version that the destination connector uses.", "ConnectorProfileName": "The name of the connector profile. This name must be unique for each connector profile in the AWS account .", - "ConnectorType": "The type of destination connector, such as Sales force, Amazon S3, and so on.\n\n*Allowed Values* : `EventBridge | Redshift | S3 | Salesforce | Snowflake`", + "ConnectorType": "The type of destination connector, such as Sales force, Amazon S3, and so on.", "DestinationConnectorProperties": "This stores the information that is required to query a particular connector." }, "AWS::AppFlow::Flow DynatraceSourceProperties": { @@ -1596,13 +1673,13 @@ "Object": "The object specified in the Marketo flow source." }, "AWS::AppFlow::Flow MetadataCatalogConfig": { - "GlueDataCatalog": "" + "GlueDataCatalog": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data with the AWS Glue Data Catalog ." }, "AWS::AppFlow::Flow PardotSourceProperties": { - "Object": "" + "Object": "The object specified in the Salesforce Pardot flow source." }, "AWS::AppFlow::Flow PrefixConfig": { - "PathPrefixHierarchy": "", + "PathPrefixHierarchy": "Specifies whether the destination file path includes either or both of the following elements:\n\n- **EXECUTION_ID** - The ID that Amazon AppFlow assigns to the flow run.\n- **SCHEMA_VERSION** - The version number of your data schema. Amazon AppFlow assigns this version number. The version number increases by one when you change any of the following settings in your flow configuration:\n\n- Source-to-destination field mappings\n- Field data types\n- Partition keys", "PrefixFormat": "Determines the level of granularity for the date and time that's included in the prefix.", "PrefixType": "Determines the format of the prefix, and whether it applies to the file name, file path, or both." }, @@ -1624,7 +1701,7 @@ "AggregationConfig": "The aggregation settings that you can use to customize the output format of your flow data.", "FileType": "Indicates the file type that Amazon AppFlow places in the Amazon S3 bucket.", "PrefixConfig": "Determines the prefix that Amazon AppFlow applies to the folder name in the Amazon S3 bucket. You can name folders according to the flow frequency and date.", - "PreserveSourceDataTyping": "" + "PreserveSourceDataTyping": "If your file output format is Parquet, use this parameter to set whether Amazon AppFlow preserves the data types in your source data when it writes the output to Amazon S3.\n\n- `true` : Amazon AppFlow preserves the data types when it writes to Amazon S3. For example, an integer or `1` in your source data is still an integer in your output.\n- `false` : Amazon AppFlow converts all of the source data into strings when it writes to Amazon S3. For example, an integer of `1` in your source data becomes the string `\"1\"` in the output." }, "AWS::AppFlow::Flow S3SourceProperties": { "BucketName": "The Amazon S3 bucket name where the source files are stored.", @@ -1638,8 +1715,16 @@ "SuccessResponseHandlingConfig": "Determines how Amazon AppFlow handles the success response that it gets from the connector after placing data.\n\nFor example, this setting would determine where to write the response from a destination connector upon a successful insert operation.", "WriteOperationType": "The possible write operations in the destination connector. When this value is not provided, this defaults to the `INSERT` operation." }, + "AWS::AppFlow::Flow SAPODataPaginationConfig": { + "maxPageSize": "" + }, + "AWS::AppFlow::Flow SAPODataParallelismConfig": { + "maxParallelism": "" + }, "AWS::AppFlow::Flow SAPODataSourceProperties": { - "ObjectPath": "The object path specified in the SAPOData flow source." + "ObjectPath": "The object path specified in the SAPOData flow source.", + "paginationConfig": "", + "parallelismConfig": "" }, "AWS::AppFlow::Flow SalesforceDestinationProperties": { "DataTransferApi": "Specifies which Salesforce API is used by Amazon AppFlow when your flow transfers data to Salesforce.\n\n- **AUTOMATIC** - The default. Amazon AppFlow selects which API to use based on the number of records that your flow transfers to Salesforce. If your flow transfers fewer than 1,000 records, Amazon AppFlow uses Salesforce REST API. If your flow transfers 1,000 records or more, Amazon AppFlow uses Salesforce Bulk API 2.0.\n\nEach of these Salesforce APIs structures data differently. If Amazon AppFlow selects the API automatically, be aware that, for recurring flows, the data output might vary from one flow run to the next. For example, if a flow runs daily, it might use REST API on one day to transfer 900 records, and it might use Bulk API 2.0 on the next day to transfer 1,100 records. For each of these flow runs, the respective Salesforce API formats the data differently. Some of the differences include how dates are formatted and null values are represented. Also, Bulk API 2.0 doesn't transfer Salesforce compound fields.\n\nBy choosing this option, you optimize flow performance for both small and large data transfers, but the tradeoff is inconsistent formatting in the output.\n- **BULKV2** - Amazon AppFlow uses only Salesforce Bulk API 2.0. This API runs asynchronous data transfers, and it's optimal for large sets of data. By choosing this option, you ensure that your flow writes consistent output, but you optimize performance only for large data transfers.\n\nNote that Bulk API 2.0 does not transfer Salesforce compound fields.\n- **REST_SYNC** - Amazon AppFlow uses only Salesforce REST API. By choosing this option, you ensure that your flow writes consistent output, but you decrease performance for large data transfers that are better suited for Bulk API 2.0. In some cases, if your flow attempts to transfer a vary large set of data, it might fail with a timed out error.", @@ -1657,7 +1742,7 @@ "AWS::AppFlow::Flow ScheduledTriggerProperties": { "DataPullMode": "Specifies whether a scheduled flow has an incremental data transfer or a complete data transfer for each flow run.", "FirstExecutionFrom": "Specifies the date range for the records to import from the connector in the first flow run.", - "FlowErrorDeactivationThreshold": "", + "FlowErrorDeactivationThreshold": "Defines how many times a scheduled flow fails consecutively before Amazon AppFlow deactivates it.", "ScheduleEndTime": "The time at which the scheduled flow ends. The time is formatted as a timestamp that follows the ISO 8601 standard, such as `2022-04-27T13:00:00-07:00` .", "ScheduleExpression": "The scheduling expression that determines the rate at which the schedule will run, for example `rate(5minutes)` .", "ScheduleOffset": "Specifies the optional offset that is added to the time interval for a schedule-triggered flow.", @@ -1687,7 +1772,7 @@ "GoogleAnalytics": "Specifies the information that is required for querying Google Analytics.", "InforNexus": "Specifies the information that is required for querying Infor Nexus.", "Marketo": "Specifies the information that is required for querying Marketo.", - "Pardot": "", + "Pardot": "Specifies the information that is required for querying Salesforce Pardot.", "S3": "Specifies the information that is required for querying Amazon S3.", "SAPOData": "The properties that are applied when using SAPOData as a flow source.", "Salesforce": "Specifies the information that is required for querying Salesforce.", @@ -1709,6 +1794,10 @@ "BucketName": "The name of the Amazon S3 bucket.", "BucketPrefix": "The Amazon S3 bucket prefix." }, + "AWS::AppFlow::Flow Tag": { + "Key": "", + "Value": "" + }, "AWS::AppFlow::Flow Task": { "ConnectorOperator": "The operation to be performed on the provided source fields.", "DestinationField": "A field in a destination connector, or a field value against which Amazon AppFlow validates a source field.", @@ -1717,7 +1806,7 @@ "TaskType": "Specifies the particular task implementation that Amazon AppFlow performs.\n\n*Allowed values* : `Arithmetic` | `Filter` | `Map` | `Map_all` | `Mask` | `Merge` | `Truncate` | `Validate`" }, "AWS::AppFlow::Flow TaskPropertiesObject": { - "Key": "The task property key.\n\n*Allowed Values* : `VALUE | VALUES | DATA_TYPE | UPPER_BOUND | LOWER_BOUND | SOURCE_DATA_TYPE | DESTINATION_DATA_TYPE | VALIDATION_ACTION | MASK_VALUE | MASK_LENGTH | TRUNCATE_LENGTH | MATH_OPERATION_FIELDS_ORDER | CONCAT_FORMAT | SUBFIELD_CATEGORY_MAP` | `EXCLUDE_SOURCE_FIELDS_LIST`", + "Key": "The task property key.", "Value": "The task property value." }, "AWS::AppFlow::Flow TrendmicroSourceProperties": { @@ -1772,6 +1861,10 @@ "Object": "The name of the object to pull from the data source.", "ScheduleExpression": "How often the data should be pulled from data source." }, + "AWS::AppIntegrations::DataIntegration Tag": { + "Key": "", + "Value": "" + }, "AWS::AppIntegrations::EventIntegration": { "Description": "The event integration description.", "EventBridgeBus": "The Amazon EventBridge bus for the event integration.", @@ -1782,6 +1875,10 @@ "AWS::AppIntegrations::EventIntegration EventFilter": { "Source": "The source of the events." }, + "AWS::AppIntegrations::EventIntegration Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::GatewayRoute": { "GatewayRouteName": "The name of the gateway route.", "MeshName": "The name of the service mesh that the resource resides in.", @@ -1895,6 +1992,10 @@ "Match": "The query parameter to match on.", "Name": "A name for the query parameter that will be matched on." }, + "AWS::AppMesh::GatewayRoute Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::Mesh": { "MeshName": "The name to use for the service mesh.", "Spec": "The service mesh specification to apply.", @@ -1910,6 +2011,10 @@ "EgressFilter": "The egress filter rules for the service mesh.", "ServiceDiscovery": "" }, + "AWS::AppMesh::Mesh Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::Route": { "MeshName": "The name of the service mesh to create the route in.", "MeshOwner": "The AWS IAM account ID of the service mesh owner. If the account ID is not your own, then the account that you specify must share the mesh with your account before you can create the resource in the service mesh. For more information about mesh sharing, see [Working with shared meshes](https://docs.aws.amazon.com/app-mesh/latest/userguide/sharing.html) .", @@ -2022,6 +2127,10 @@ "Priority": "The priority for the route. Routes are matched based on the specified value, where 0 is the highest priority.", "TcpRoute": "An object that represents the specification of a TCP route." }, + "AWS::AppMesh::Route Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::Route TcpRoute": { "Action": "The action to take if a match is determined.", "Match": "An object that represents the criteria for determining a request match.", @@ -2062,6 +2171,10 @@ "AWS::AppMesh::VirtualGateway SubjectAlternativeNames": { "Match": "An object that represents the criteria for determining a SANs match." }, + "AWS::AppMesh::VirtualGateway Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::VirtualGateway VirtualGatewayAccessLog": { "File": "The file object to send virtual gateway access logs to." }, @@ -2315,6 +2428,10 @@ "AWS::AppMesh::VirtualNode SubjectAlternativeNames": { "Match": "An object that represents the criteria for determining a SANs match." }, + "AWS::AppMesh::VirtualNode Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::VirtualNode TcpTimeout": { "Idle": "An object that represents an idle timeout. An idle timeout bounds the amount of time that a connection may be idle. The default value is none." }, @@ -2377,6 +2494,10 @@ "Port": "The port used for the port mapping.", "Protocol": "The protocol used for the port mapping. Specify one protocol." }, + "AWS::AppMesh::VirtualRouter Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::VirtualRouter VirtualRouterListener": { "PortMapping": "The port mapping information for the listener." }, @@ -2390,6 +2511,10 @@ "Tags": "Optional metadata that you can apply to the virtual service to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.", "VirtualServiceName": "The name to use for the virtual service." }, + "AWS::AppMesh::VirtualService Tag": { + "Key": "", + "Value": "" + }, "AWS::AppMesh::VirtualService VirtualNodeServiceProvider": { "VirtualNodeName": "The name of the virtual node that is acting as a service provider." }, @@ -2410,11 +2535,19 @@ "MinSize": "The minimum number of instances that App Runner provisions for a service. The service always has at least `MinSize` provisioned instances. Some of them actively serve traffic. The rest of them (provisioned and inactive instances) are a cost-effective compute capacity reserve and are ready to be quickly activated. You pay for memory usage of all the provisioned instances. You pay for CPU usage of only the active subset.\n\nApp Runner temporarily doubles the number of provisioned instances during deployments, to maintain the same capacity for both old and new code.", "Tags": "A list of metadata items that you can associate with your auto scaling configuration resource. A tag is a key-value pair." }, + "AWS::AppRunner::AutoScalingConfiguration Tag": { + "Key": "The key of the tag assigned to the `AutoScalingConfiguration` resource of the App Runner service.", + "Value": "The value of the tag assigned to the `AutoScalingConfiguration` resource of the App Runner service." + }, "AWS::AppRunner::ObservabilityConfiguration": { "ObservabilityConfigurationName": "A name for the observability configuration. When you use it for the first time in an AWS Region , App Runner creates revision number `1` of this name. When you use the same name in subsequent calls, App Runner creates incremental revisions of the configuration.\n\n> The name `DefaultConfiguration` is reserved. You can't use it to create a new observability configuration, and you can't create a revision of it.\n> \n> When you want to use your own observability configuration for your App Runner service, *create a configuration with a different name* , and then provide it when you create or update your service. \n\nIf you don't specify a name, AWS CloudFormation generates a name for your observability configuration.", "Tags": "A list of metadata items that you can associate with your observability configuration resource. A tag is a key-value pair.", "TraceConfiguration": "The configuration of the tracing feature within this observability configuration. If you don't specify it, App Runner doesn't enable tracing." }, + "AWS::AppRunner::ObservabilityConfiguration Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppRunner::ObservabilityConfiguration TraceConfiguration": { "Vendor": "The implementation provider chosen for tracing App Runner services." }, @@ -2448,7 +2581,8 @@ "AWS::AppRunner::Service CodeRepository": { "CodeConfiguration": "Configuration for building and running the service from a source code repository.\n\n> `CodeConfiguration` is required only for `CreateService` request.", "RepositoryUrl": "The location of the repository that contains the source code.", - "SourceCodeVersion": "The version that should be used within the source code repository." + "SourceCodeVersion": "The version that should be used within the source code repository.", + "SourceDirectory": "The path of the directory that stores source code and configuration files. The build and start commands also execute from here. The path is absolute from root and, if not specified, defaults to the repository root." }, "AWS::AppRunner::Service EgressConfiguration": { "EgressType": "The type of egress configuration.\n\nSet to `DEFAULT` for access to resources hosted on public networks.\n\nSet to `VPC` to associate your service to a custom VPC specified by `VpcConnectorArn` .", @@ -2506,12 +2640,20 @@ "CodeRepository": "The description of a source code repository.\n\nYou must provide either this member or `ImageRepository` (but not both).", "ImageRepository": "The description of a source image repository.\n\nYou must provide either this member or `CodeRepository` (but not both)." }, + "AWS::AppRunner::Service Tag": { + "Key": "The key of the tag assigned to an App Runner service.", + "Value": "The value of the tag assigned to an App Runner service." + }, "AWS::AppRunner::VpcConnector": { "SecurityGroups": "A list of IDs of security groups that App Runner should use for access to AWS resources under the specified subnets. If not specified, App Runner uses the default security group of the Amazon VPC. The default security group allows all outbound traffic.", "Subnets": "A list of IDs of subnets that App Runner should use when it associates your service with a custom Amazon VPC. Specify IDs of subnets of a single Amazon VPC. App Runner determines the Amazon VPC from the subnets you specify.\n\n> App Runner currently only provides support for IPv4.", "Tags": "A list of metadata items that you can associate with your VPC connector resource. A tag is a key-value pair.", "VpcConnectorName": "A name for the VPC connector.\n\nIf you don't specify a name, AWS CloudFormation generates a name for your VPC connector." }, + "AWS::AppRunner::VpcConnector Tag": { + "Key": "The key of the tag assigned to the `VpcConnector` resource of the App Runner service.", + "Value": "The value of the tag assigned to the `VpcConnector` resource of the App Runner service." + }, "AWS::AppRunner::VpcIngressConnection": { "IngressVpcConfiguration": "Specifications for the customer\u2019s Amazon VPC and the related AWS PrivateLink VPC endpoint that are used to create the VPC Ingress Connection resource.", "ServiceArn": "The Amazon Resource Name (ARN) for this App Runner service that is used to create the VPC Ingress Connection resource.", @@ -2522,12 +2664,16 @@ "VpcEndpointId": "The ID of the VPC endpoint that your App Runner service connects to.", "VpcId": "The ID of the VPC that is used for the VPC endpoint." }, + "AWS::AppRunner::VpcIngressConnection Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag assigned to `VpcIngressConnection` resource of the App Runner service." + }, "AWS::AppStream::AppBlock": { "Description": "The description of the app block.", "DisplayName": "The display name of the app block.", "Name": "The name of the app block.\n\n*Pattern* : `^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,100}$`", "PackagingType": "The packaging type of the app block.", - "PostSetupScriptDetails": "The post setup script details of the app block.\n\nThis only applies to app blocks with PackagingType `APPSTREAM2` .", + "PostSetupScriptDetails": "The post setup script details of the app block.", "SetupScriptDetails": "The setup script details of the app block.", "SourceS3Location": "The source S3 location of the app block.", "Tags": "The tags of the app block." @@ -2542,23 +2688,34 @@ "ScriptS3Location": "The S3 object location of the script.", "TimeoutInSeconds": "The run timeout, in seconds, for the script." }, + "AWS::AppStream::AppBlock Tag": { + "TagItems": "The items of the tag." + }, + "AWS::AppStream::AppBlock TagItems": { + "TagKey": "The key of the tag.", + "TagValue": "The value of the tag." + }, "AWS::AppStream::AppBlockBuilder": { - "AccessEndpoints": "", - "AppBlockArns": "", + "AccessEndpoints": "The access endpoints of the app block builder.", + "AppBlockArns": "The ARN of the app block.\n\n*Maximum* : `1`", "Description": "The description of the app block builder.", "DisplayName": "The display name of the app block builder.", "EnableDefaultInternetAccess": "Indicates whether default internet access is enabled for the app block builder.", "IamRoleArn": "The ARN of the IAM role that is applied to the app block builder.", "InstanceType": "The instance type of the app block builder.", "Name": "The name of the app block builder.", - "Platform": "The platform of the app block builder.\n\n`WINDOWS_SERVER_2019` is the only valid value.", - "Tags": "", + "Platform": "The platform of the app block builder.\n\n*Allowed values* : `WINDOWS_SERVER_2019`", + "Tags": "The tags of the app block builder.", "VpcConfig": "The VPC configuration for the app block builder." }, "AWS::AppStream::AppBlockBuilder AccessEndpoint": { "EndpointType": "The type of interface endpoint.", "VpceId": "The identifier (ID) of the VPC in which the interface endpoint is used." }, + "AWS::AppStream::AppBlockBuilder Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppStream::AppBlockBuilder VpcConfig": { "SecurityGroupIds": "The identifiers of the security groups for the fleet or image builder.", "SubnetIds": "The identifiers of the subnets to which a network interface is attached from the fleet instance or image builder instance. Fleet instances use one or more subnets. Image builder instances use one subnet." @@ -2581,6 +2738,13 @@ "S3Bucket": "The S3 bucket of the S3 object.", "S3Key": "The S3 key of the S3 object." }, + "AWS::AppStream::Application Tag": { + "TagItems": "The items of the tag." + }, + "AWS::AppStream::Application TagItems": { + "TagKey": "The key of the tag.", + "TagValue": "The value of the tag." + }, "AWS::AppStream::ApplicationEntitlementAssociation": { "ApplicationIdentifier": "The identifier of the application.", "EntitlementName": "The name of the entitlement.", @@ -2629,9 +2793,10 @@ "ImageName": "The name of the image used to create the fleet.", "InstanceType": "The instance type to use when launching fleet instances. The following instance types are available for non-Elastic fleets:\n\n- stream.standard.small\n- stream.standard.medium\n- stream.standard.large\n- stream.compute.large\n- stream.compute.xlarge\n- stream.compute.2xlarge\n- stream.compute.4xlarge\n- stream.compute.8xlarge\n- stream.memory.large\n- stream.memory.xlarge\n- stream.memory.2xlarge\n- stream.memory.4xlarge\n- stream.memory.8xlarge\n- stream.memory.z1d.large\n- stream.memory.z1d.xlarge\n- stream.memory.z1d.2xlarge\n- stream.memory.z1d.3xlarge\n- stream.memory.z1d.6xlarge\n- stream.memory.z1d.12xlarge\n- stream.graphics-design.large\n- stream.graphics-design.xlarge\n- stream.graphics-design.2xlarge\n- stream.graphics-design.4xlarge\n- stream.graphics-desktop.2xlarge\n- stream.graphics.g4dn.xlarge\n- stream.graphics.g4dn.2xlarge\n- stream.graphics.g4dn.4xlarge\n- stream.graphics.g4dn.8xlarge\n- stream.graphics.g4dn.12xlarge\n- stream.graphics.g4dn.16xlarge\n- stream.graphics-pro.4xlarge\n- stream.graphics-pro.8xlarge\n- stream.graphics-pro.16xlarge\n\nThe following instance types are available for Elastic fleets:\n\n- stream.standard.small\n- stream.standard.medium", "MaxConcurrentSessions": "The maximum number of concurrent sessions that can be run on an Elastic fleet. This setting is required for Elastic fleets, but is not used for other fleet types.", - "MaxUserDurationInSeconds": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 360000.", + "MaxSessionsPerInstance": "The maximum number of user sessions on an instance. This only applies to multi-session fleets.", + "MaxUserDurationInSeconds": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 432000.", "Name": "A unique name for the fleet.", - "Platform": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.\n\n*Allowed Values* : `WINDOWS_SERVER_2019` | `AMAZON_LINUX2`", + "Platform": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.", "SessionScriptS3Location": "The S3 location of the session scripts configuration zip file. This only applies to Elastic fleets.", "StreamView": "The AppStream 2.0 view that is displayed to your users when they stream from the fleet. When `APP` is specified, only the windows of applications opened by users display. When `DESKTOP` is specified, the standard desktop that is provided by the operating system displays.\n\nThe default value is `APP` .", "Tags": "An array of key-value pairs.", @@ -2639,7 +2804,8 @@ "VpcConfig": "The VPC configuration for the fleet. This is required for Elastic fleets, but not required for other fleet types." }, "AWS::AppStream::Fleet ComputeCapacity": { - "DesiredInstances": "The desired number of streaming instances." + "DesiredInstances": "The desired number of streaming instances.", + "DesiredSessions": "The desired number of user sessions for a multi-session fleet. This is not allowed for single-session fleets.\n\nWhen you create a fleet, you must set either the DesiredSessions or DesiredInstances attribute, based on the type of fleet you create. You can\u2019t define both attributes or leave both attributes blank." }, "AWS::AppStream::Fleet DomainJoinInfo": { "DirectoryName": "The fully qualified name of the directory (for example, corp.example.com).", @@ -2649,6 +2815,10 @@ "S3Bucket": "The S3 bucket of the S3 object.", "S3Key": "The S3 key of the S3 object." }, + "AWS::AppStream::Fleet Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppStream::Fleet VpcConfig": { "SecurityGroupIds": "The identifiers of the security groups for the fleet.", "SubnetIds": "The identifiers of the subnets to which a network interface is attached from the fleet instance. Fleet instances can use one or two subnets." @@ -2676,6 +2846,10 @@ "DirectoryName": "The fully qualified name of the directory (for example, corp.example.com).", "OrganizationalUnitDistinguishedName": "The distinguished name of the organizational unit for computer accounts." }, + "AWS::AppStream::ImageBuilder Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppStream::ImageBuilder VpcConfig": { "SecurityGroupIds": "The identifiers of the security groups for the image builder.", "SubnetIds": "The identifier of the subnet to which a network interface is attached from the image builder instance. An image builder instance can use one subnet." @@ -2712,6 +2886,10 @@ "AWS::AppStream::Stack StreamingExperienceSettings": { "PreferredProtocol": "The preferred protocol that you want to use while streaming your application." }, + "AWS::AppStream::Stack Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::AppStream::Stack UserSetting": { "Action": "The action that is enabled or disabled.", "Permission": "Indicates whether the action is enabled or disabled." @@ -2743,7 +2921,6 @@ }, "AWS::AppSync::ApiKey": { "ApiId": "Unique AWS AppSync GraphQL API ID for this API key.", - "ApiKeyId": "The API key ID.", "Description": "Unique description of your API key.", "Expires": "The time after which the API key expires. The date is represented as seconds since the epoch, rounded down to the nearest hour." }, @@ -2832,7 +3009,7 @@ "RequestMappingTemplateS3Location": "Describes a Sync configuration for a resolver.\n\nContains information on which Conflict Detection, as well as Resolution strategy, should be performed when the resolver is invoked.", "ResponseMappingTemplate": "The `Function` response mapping template.", "ResponseMappingTemplateS3Location": "The location of a response mapping template in an Amazon S3 bucket. Use this if you want to provision with a template file in Amazon S3 rather than embedding it in your CloudFormation template.", - "Runtime": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "Runtime": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "SyncConfig": "Describes a Sync configuration for a resolver.\n\nSpecifies which Conflict Detection strategy and Resolution strategy to use when the resolver is invoked." }, "AWS::AppSync::FunctionConfiguration AppSyncRuntime": { @@ -2889,6 +3066,10 @@ "IatTTL": "The number of milliseconds that a token is valid after it's issued to a user.", "Issuer": "The issuer for the OIDC configuration. The issuer returned by discovery must exactly match the value of `iss` in the ID token." }, + "AWS::AppSync::GraphQLApi Tag": { + "Key": "", + "Value": "" + }, "AWS::AppSync::GraphQLApi UserPoolConfig": { "AppIdClientRegex": "A regular expression for validating the incoming Amazon Cognito user pool app client ID. If this value isn't set, no filtering is applied.", "AwsRegion": "The AWS Region in which the user pool was created.", @@ -2914,7 +3095,7 @@ "RequestMappingTemplateS3Location": "The location of a request mapping template in an Amazon S3 bucket. Use this if you want to provision with a template file in Amazon S3 rather than embedding it in your CloudFormation template.", "ResponseMappingTemplate": "The response mapping template.", "ResponseMappingTemplateS3Location": "The location of a response mapping template in an Amazon S3 bucket. Use this if you want to provision with a template file in Amazon S3 rather than embedding it in your CloudFormation template.", - "Runtime": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "Runtime": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "SyncConfig": "The `SyncConfig` for a resolver attached to a versioned data source.", "TypeName": "The GraphQL type that invokes this resolver." }, @@ -3005,7 +3186,7 @@ }, "AWS::ApplicationAutoScaling::ScalingPolicy StepScalingPolicyConfiguration": { "AdjustmentType": "Specifies whether the `ScalingAdjustment` value in the `StepAdjustment` property is an absolute number or a percentage of the current capacity.", - "Cooldown": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", + "Cooldown": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/step-scaling-policy-overview.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", "MetricAggregationType": "The aggregation type for the CloudWatch metrics. Valid values are `Minimum` , `Maximum` , and `Average` . If the aggregation type is null, the value is treated as `Average` .", "MinAdjustmentMagnitude": "The minimum value to scale by when the adjustment type is `PercentChangeInCapacity` . For example, suppose that you create a step scaling policy to scale out an Amazon ECS service by 25 percent and you specify a `MinAdjustmentMagnitude` of 2. If the service has 4 tasks and the scaling policy is performed, 25 percent of 4 is 1. However, because you specified a `MinAdjustmentMagnitude` of 2, Application Auto Scaling scales out the service by 2 tasks.", "StepAdjustments": "A set of adjustments that enable you to scale based on the size of the alarm breach.\n\nAt least one step adjustment is required if you are adding a new step scaling policy configuration." @@ -3014,8 +3195,8 @@ "CustomizedMetricSpecification": "A customized metric. You can specify either a predefined metric or a customized metric.", "DisableScaleIn": "Indicates whether scale in by the target tracking scaling policy is disabled. If the value is `true` , scale in is disabled and the target tracking scaling policy won't remove capacity from the scalable target. Otherwise, scale in is enabled and the target tracking scaling policy can remove capacity from the scalable target. The default value is `false` .", "PredefinedMetricSpecification": "A predefined metric. You can specify either a predefined metric or a customized metric.", - "ScaleInCooldown": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", - "ScaleOutCooldown": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "ScaleInCooldown": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "ScaleOutCooldown": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "TargetValue": "The target value for the metric. Although this property accepts numbers of type Double, it won't accept values that are either too small or too large. Values must be in the range of -2^360 to 2^360. The value must be a valid number based on the choice of metric. For example, if the metric is CPU utilization, then the target value is a percent value that represents how much of the CPU can be used before scaling out." }, "AWS::ApplicationInsights::Application": { @@ -3102,6 +3283,10 @@ "SubComponentConfigurationDetails": "The configuration settings of the sub-components.", "SubComponentType": "The sub-component type." }, + "AWS::ApplicationInsights::Application Tag": { + "Key": "One part of a key-value pair that defines a tag. The maximum length of a tag key is 128 characters. The minimum length is 1 character.", + "Value": "The optional part of a key-value pair that defines a tag. The maximum length of a tag value is 256 characters. The minimum length is 0 characters. If you don't want an application to have a specific tag value, don't specify a value for this parameter." + }, "AWS::ApplicationInsights::Application WindowsEvent": { "EventLevels": "The levels of event to log. You must specify each level to log. Possible values include `INFORMATION` , `WARNING` , `ERROR` , `CRITICAL` , and `VERBOSE` . This field is required for each type of Windows Event to log.", "EventName": "The type of Windows Events to log, equivalent to the Windows Event log channel name. For example, System, Security, CustomEventName, and so on. This field is required for each type of Windows event to log.", @@ -3120,13 +3305,21 @@ "AWS::Athena::CapacityReservation CapacityAssignmentConfiguration": { "CapacityAssignments": "The list of assignments that make up the capacity assignment configuration." }, + "AWS::Athena::CapacityReservation Tag": { + "Key": "A tag key. The tag key length is from 1 to 128 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag keys are case-sensitive and must be unique per resource.", + "Value": "A tag value. The tag value length is from 0 to 256 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag values are case-sensitive." + }, "AWS::Athena::DataCatalog": { "Description": "A description of the data catalog.", "Name": "The name of the data catalog. The catalog name must be unique for the AWS account and can use a maximum of 128 alphanumeric, underscore, at sign, or hyphen characters.", - "Parameters": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.\n- Queries that specify a GLUE data catalog other than the default `AwsDataCatalog` must be run on Athena engine version 2.\n- In Regions where Athena engine version 2 is not available, creating new GLUE data catalogs results in an `INVALID_INPUT` error.", + "Parameters": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.", "Tags": "The tags (key-value pairs) to associate with this resource.", "Type": "The type of data catalog: `LAMBDA` for a federated catalog, `GLUE` for AWS Glue Catalog, or `HIVE` for an external hive metastore." }, + "AWS::Athena::DataCatalog Tag": { + "Key": "A tag key. The tag key length is from 1 to 128 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag keys are case-sensitive and must be unique per resource.", + "Value": "A tag value. The tag value length is from 0 to 256 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag values are case-sensitive." + }, "AWS::Athena::NamedQuery": { "Database": "The database to which the query belongs.", "Description": "The query description.", @@ -3152,7 +3345,7 @@ "S3AclOption": "The Amazon S3 canned ACL that Athena should specify when storing query results. Currently the only supported canned ACL is `BUCKET_OWNER_FULL_CONTROL` . If a query runs in a workgroup and the workgroup overrides client-side settings, then the Amazon S3 canned ACL specified in the workgroup's settings is used for all queries that run in the workgroup. For more information about Amazon S3 canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* ." }, "AWS::Athena::WorkGroup CustomerContentEncryptionConfiguration": { - "KmsKey": "The KMS key that is used to encrypt the user's data stores in Athena." + "KmsKey": "The customer managed KMS key that is used to encrypt the user's data stores in Athena." }, "AWS::Athena::WorkGroup EncryptionConfiguration": { "EncryptionOption": "Indicates whether Amazon S3 server-side encryption with Amazon S3-managed keys ( `SSE_S3` ), server-side encryption with KMS-managed keys ( `SSE_KMS` ), or client-side encryption with KMS-managed keys ( `CSE_KMS` ) is used.\n\nIf a query runs in a workgroup and the workgroup overrides client-side settings, then the workgroup's setting for encryption is used. It specifies whether query results must be encrypted, for all queries that run in this workgroup.", @@ -3168,6 +3361,20 @@ "ExpectedBucketOwner": "The account ID that you expect to be the owner of the Amazon S3 bucket specified by `ResultConfiguration:OutputLocation` . If set, Athena uses the value for `ExpectedBucketOwner` when it makes Amazon S3 calls to your specified output location. If the `ExpectedBucketOwner` account ID does not match the actual owner of the Amazon S3 bucket, the call fails with a permissions error.\n\nThis is a client-side setting. If workgroup settings override client-side settings, then the query uses the `ExpectedBucketOwner` setting that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See `EnforceWorkGroupConfiguration` .", "OutputLocation": "The location in Amazon S3 where your query results are stored, such as `s3://path/to/query/bucket/` . To run a query, you must specify the query results location using either a client-side setting for individual queries or a location specified by the workgroup. If workgroup settings override client-side settings, then the query uses the location specified for the workgroup. If no query location is set, Athena issues an error. For more information, see [Working with Query Results, Output Files, and Query History](https://docs.aws.amazon.com/athena/latest/ug/querying.html) and `EnforceWorkGroupConfiguration` ." }, + "AWS::Athena::WorkGroup ResultConfigurationUpdates": { + "AclConfiguration": "The ACL configuration for the query results.", + "EncryptionConfiguration": "The encryption configuration for the query results.", + "ExpectedBucketOwner": "The AWS account ID that you expect to be the owner of the Amazon S3 bucket specified by `ResultConfiguration$OutputLocation` . If set, Athena uses the value for `ExpectedBucketOwner` when it makes Amazon S3 calls to your specified output location. If the `ExpectedBucketOwner` AWS account ID does not match the actual owner of the Amazon S3 bucket, the call fails with a permissions error.\n\nIf workgroup settings override client-side settings, then the query uses the `ExpectedBucketOwner` setting that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See `WorkGroupConfiguration$EnforceWorkGroupConfiguration` and [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", + "OutputLocation": "The location in Amazon S3 where your query results are stored, such as `s3://path/to/query/bucket/` . For more information, see [Query Results](https://docs.aws.amazon.com/athena/latest/ug/querying.html) If workgroup settings override client-side settings, then the query uses the location for the query results and the encryption configuration that are specified for the workgroup. The \"workgroup settings override\" is specified in EnforceWorkGroupConfiguration (true/false) in the WorkGroupConfiguration. See `EnforceWorkGroupConfiguration` .", + "RemoveAclConfiguration": "If set to `true` , indicates that the previously-specified ACL configuration for queries in this workgroup should be ignored and set to null. If set to `false` or not set, and a value is present in the `AclConfiguration` of `ResultConfigurationUpdates` , the `AclConfiguration` in the workgroup's `ResultConfiguration` is updated with the new value. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", + "RemoveEncryptionConfiguration": "If set to \"true\", indicates that the previously-specified encryption configuration (also known as the client-side setting) for queries in this workgroup should be ignored and set to null. If set to \"false\" or not set, and a value is present in the EncryptionConfiguration in ResultConfigurationUpdates (the client-side setting), the EncryptionConfiguration in the workgroup's ResultConfiguration will be updated with the new value. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", + "RemoveExpectedBucketOwner": "If set to \"true\", removes the AWS account ID previously specified for `ResultConfiguration$ExpectedBucketOwner` . If set to \"false\" or not set, and a value is present in the `ExpectedBucketOwner` in `ResultConfigurationUpdates` (the client-side setting), the `ExpectedBucketOwner` in the workgroup's `ResultConfiguration` is updated with the new value. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) .", + "RemoveOutputLocation": "If set to \"true\", indicates that the previously-specified query results location (also known as a client-side setting) for queries in this workgroup should be ignored and set to null. If set to \"false\" or not set, and a value is present in the OutputLocation in ResultConfigurationUpdates (the client-side setting), the OutputLocation in the workgroup's ResultConfiguration will be updated with the new value. For more information, see [Workgroup Settings Override Client-Side Settings](https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html) ." + }, + "AWS::Athena::WorkGroup Tag": { + "Key": "A tag key. The tag key length is from 1 to 128 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag keys are case-sensitive and must be unique per resource.", + "Value": "A tag value. The tag value length is from 0 to 256 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag values are case-sensitive." + }, "AWS::Athena::WorkGroup WorkGroupConfiguration": { "AdditionalConfiguration": "Specifies a user defined JSON string that is passed to the session engine.", "BytesScannedCutoffPerQuery": "The upper limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan. No default is defined.\n\n> This property currently supports integer types. Support for long values is planned.", @@ -3188,7 +3395,7 @@ "Name": "The name of the assessment.", "Roles": "The roles that are associated with the assessment.", "Scope": "The wrapper of AWS accounts and services that are in scope for the assessment.", - "Status": "The overall status of the assessment.\n\nWhen you create a new assessment, the initial `Status` value is always `ACTIVE` . When you create an assessment, even if you specify the value as `INACTIVE` , the value overrides to `ACTIVE` .\n\nAfter you create an assessment, you can change the value of the `Status` property at any time. For example, when you want to stop collecting evidence for your assessment, you can change the assessment status to `INACTIVE` .", + "Status": "The overall status of the assessment.", "Tags": "The tags that are associated with the assessment." }, "AWS::AuditManager::Assessment AWSAccount": { @@ -3208,7 +3415,7 @@ "AssessmentName": "The name of the assessment that's associated with the delegation.", "Comment": "The comment that's related to the delegation.", "ControlSetId": "The identifier for the control set that's associated with the delegation.", - "CreatedBy": "The user or role that created the delegation.\n\n*Minimum* : `1`\n\n*Maximum* : `100`\n\n*Pattern* : `^[a-zA-Z0-9-_()\\\\[\\\\]\\\\s]+$`", + "CreatedBy": "The user or role that created the delegation.", "CreationTime": "Specifies when the delegation was created.", "Id": "The unique identifier for the delegation.", "LastUpdated": "Specifies when the delegation was last updated.", @@ -3224,6 +3431,10 @@ "AwsAccounts": "The AWS accounts that are included in the scope of the assessment.", "AwsServices": "The AWS services that are included in the scope of the assessment." }, + "AWS::AuditManager::Assessment Tag": { + "Key": "", + "Value": "" + }, "AWS::AutoScaling::AutoScalingGroup": { "AutoScalingGroupName": "The name of the Auto Scaling group. This name must be unique per Region per account.\n\nThe name can contain any ASCII character 33 to 126 including most punctuation characters, digits, and upper and lowercased letters.\n\n> You cannot use a colon (:) in the name.", "AvailabilityZones": "A list of Availability Zones where instances in the Auto Scaling group can be created. Used for launching into the default VPC subnet in each Availability Zone when not using the `VPCZoneIdentifier` property, or for attaching a network interface when an existing network interface ID is specified in a launch template.", @@ -3312,7 +3523,7 @@ "AWS::AutoScaling::AutoScalingGroup LaunchTemplateSpecification": { "LaunchTemplateId": "The ID of the launch template.\n\nYou must specify the `LaunchTemplateID` or the `LaunchTemplateName` , but not both.", "LaunchTemplateName": "The name of the launch template.\n\nYou must specify the `LaunchTemplateName` or the `LaunchTemplateID` , but not both.", - "Version": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html#aws-properties-as-group--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource." + "Version": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-autoscaling-autoscalinggroup.html#aws-resource-autoscaling-autoscalinggroup--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource." }, "AWS::AutoScaling::AutoScalingGroup LifecycleHookSpecification": { "DefaultResult": "The action the Auto Scaling group takes when the lifecycle hook timeout elapses or if an unexpected failure occurs. The default value is `ABANDON` .\n\nValid values: `CONTINUE` | `ABANDON`", @@ -3564,7 +3775,7 @@ }, "AWS::AutoScalingPlans::ScalingPlan ScalingInstruction": { "CustomizedLoadMetricSpecification": "The customized load metric to use for predictive scaling. This property or a *PredefinedLoadMetricSpecification* is required when configuring predictive scaling, and cannot be used otherwise.", - "DisableDynamicScaling": "Controls whether dynamic scaling by AWS Auto Scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", + "DisableDynamicScaling": "Controls whether dynamic scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", "MaxCapacity": "The maximum capacity of the resource. The exception to this upper limit is if you specify a non-default setting for *PredictiveScalingMaxCapacityBehavior* .", "MinCapacity": "The minimum capacity of the resource.", "PredefinedLoadMetricSpecification": "The predefined load metric to use for predictive scaling. This property or a *CustomizedLoadMetricSpecification* is required when configuring predictive scaling, and cannot be used otherwise.", @@ -3573,7 +3784,7 @@ "PredictiveScalingMode": "The predictive scaling mode. The default value is `ForecastAndScale` . Otherwise, AWS Auto Scaling forecasts capacity but does not apply any scheduled scaling actions based on the capacity forecast.", "ResourceId": "The ID of the resource. This string consists of the resource type and unique identifier.\n\n- Auto Scaling group - The resource type is `autoScalingGroup` and the unique identifier is the name of the Auto Scaling group. Example: `autoScalingGroup/my-asg` .\n- ECS service - The resource type is `service` and the unique identifier is the cluster name and service name. Example: `service/default/sample-webapp` .\n- Spot Fleet request - The resource type is `spot-fleet-request` and the unique identifier is the Spot Fleet request ID. Example: `spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE` .\n- DynamoDB table - The resource type is `table` and the unique identifier is the resource ID. Example: `table/my-table` .\n- DynamoDB global secondary index - The resource type is `index` and the unique identifier is the resource ID. Example: `table/my-table/index/my-table-index` .\n- Aurora DB cluster - The resource type is `cluster` and the unique identifier is the cluster name. Example: `cluster:my-db-cluster` .", "ScalableDimension": "The scalable dimension associated with the resource.\n\n- `autoscaling:autoScalingGroup:DesiredCapacity` - The desired capacity of an Auto Scaling group.\n- `ecs:service:DesiredCount` - The desired task count of an ECS service.\n- `ec2:spot-fleet-request:TargetCapacity` - The target capacity of a Spot Fleet request.\n- `dynamodb:table:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB table.\n- `dynamodb:table:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB table.\n- `dynamodb:index:ReadCapacityUnits` - The provisioned read capacity for a DynamoDB global secondary index.\n- `dynamodb:index:WriteCapacityUnits` - The provisioned write capacity for a DynamoDB global secondary index.\n- `rds:cluster:ReadReplicaCount` - The count of Aurora Replicas in an Aurora DB cluster. Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.", - "ScalingPolicyUpdateBehavior": "Controls whether your scaling policies that are external to AWS Auto Scaling are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", + "ScalingPolicyUpdateBehavior": "Controls whether a resource's externally created scaling policies are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", "ScheduledActionBufferTime": "The amount of time, in seconds, to buffer the run time of scheduled scaling actions when scaling out. For example, if the forecast says to add capacity at 10:00 AM, and the buffer time is 5 minutes, then the run time of the corresponding scheduled scaling action will be 9:55 AM. The intention is to give resources time to be provisioned. For example, it can take a few minutes to launch an EC2 instance. The actual amount of time required depends on several factors, such as the size of the instance and whether there are startup scripts to complete.\n\nThe value must be less than the forecast interval duration of 3600 seconds (60 minutes). The default is 300 seconds.\n\nValid only when configuring predictive scaling.", "ServiceNamespace": "The namespace of the AWS service.", "TargetTrackingConfigurations": "The target tracking configurations (up to 10). Each of these structures must specify a unique scaling metric and a target value for the metric." @@ -3612,6 +3823,7 @@ "RecoveryPointTags": "To help organize your resources, you can assign your own metadata to the resources that you create. Each tag is a key-value pair.", "RuleName": "A display name for a backup rule.", "ScheduleExpression": "A CRON expression specifying when AWS Backup initiates a backup job.", + "ScheduleExpressionTimezone": "", "StartWindowMinutes": "An optional value that specifies a period of time in minutes after a backup is scheduled before a job is canceled if it doesn't start successfully.\n\nIf this value is included, it must be at least 60 minutes to avoid errors.", "TargetBackupVault": "The name of a logical container where backups are stored. Backup vaults are identified by names that are unique to the account used to create them and the AWS Region where they are created. They consist of letters, numbers, and hyphens." }, @@ -3685,7 +3897,11 @@ "AWS::Backup::Framework FrameworkControl": { "ControlInputParameters": "A list of `ParameterName` and `ParameterValue` pairs.", "ControlName": "The name of a control. This name is between 1 and 256 characters.", - "ControlScope": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans. For more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)" + "ControlScope": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans." + }, + "AWS::Backup::Framework Tag": { + "Key": "", + "Value": "" }, "AWS::Backup::ReportPlan": { "ReportDeliveryChannel": "Contains information about where and how to deliver your reports, specifically your Amazon S3 bucket name, S3 key prefix, and the formats of your reports.", @@ -3706,6 +3922,10 @@ "Regions": "These are the Regions to be included in the report.", "ReportTemplate": "Identifies the report template for the report. Reports are built using a report template. The report templates are:\n\n`RESOURCE_COMPLIANCE_REPORT | CONTROL_COMPLIANCE_REPORT | BACKUP_JOB_REPORT | COPY_JOB_REPORT | RESTORE_JOB_REPORT`" }, + "AWS::Backup::ReportPlan Tag": { + "Key": "", + "Value": "" + }, "AWS::BackupGateway::Hypervisor": { "Host": "The server host of the hypervisor. This can be either an IP address or a fully-qualified domain name (FQDN).", "KmsKeyArn": "The Amazon Resource Name (ARN) of the AWS Key Management Service used to encrypt the hypervisor.", @@ -3715,6 +3935,10 @@ "Tags": "The tags of the hypervisor configuration to import.", "Username": "The username for the hypervisor." }, + "AWS::BackupGateway::Hypervisor Tag": { + "Key": "The key part of a tag's key-value pair. The key can't start with `aws:` .", + "Value": "The value part of a tag's key-value pair." + }, "AWS::Batch::ComputeEnvironment": { "ComputeEnvironmentName": "The name for your compute environment. It can be up to 128 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), and underscores (_).", "ComputeResources": "The ComputeResources property type specifies details of the compute resources managed by the compute environment. This parameter is required for managed compute environments. For more information, see [Compute Environments](https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html) in the ** .", @@ -3728,16 +3952,16 @@ "UpdatePolicy": "Specifies the infrastructure update policy for the compute environment. For more information about infrastructure updates, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* ." }, "AWS::Batch::ComputeEnvironment ComputeResources": { - "AllocationStrategy": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n\nWith both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", + "AllocationStrategy": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n- **SPOT_PRICE_CAPACITY_OPTIMIZED** - The price and capacity optimized allocation strategy looks at both price and capacity to select the Spot Instance pools that are the least likely to be interrupted and have the lowest possible price. This allocation strategy is only available for Spot Instance compute resources.\n\n> We recommend that you use `SPOT_PRICE_CAPACITY_OPTIMIZED` rather than `SPOT_CAPACITY_OPTIMIZED` in most instances.\n\nWith `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` , and `SPOT_PRICE_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "BidPercentage": "The maximum percentage that a Spot Instance price can be when compared with the On-Demand price for that instance type before instances are launched. For example, if your maximum percentage is 20%, the Spot price must be less than 20% of the current On-Demand price for that Amazon EC2 instance. You always pay the lowest (market) price and never more than your maximum percentage. For most use cases, we recommend leaving this field empty.\n\nWhen updating a compute environment, changing the bid percentage requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "DesiredvCpus": "The desired number of vCPUS in the compute environment. AWS Batch modifies this value between the minimum and maximum values based on job queue demand.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it. > AWS Batch doesn't support changing the desired number of vCPUs of an existing compute environment. Don't specify this parameter for compute environments using Amazon EKS clusters. > When you update the `desiredvCpus` setting, the value must be between the `minvCpus` and `maxvCpus` values.\n> \n> Additionally, the updated `desiredvCpus` value must be greater than or equal to the current `desiredvCpus` value. For more information, see [Troubleshooting AWS Batch](https://docs.aws.amazon.com/batch/latest/userguide/troubleshooting.html#error-desired-vcpus-update) in the *AWS Batch User Guide* .", "Ec2Configuration": "Provides information used to select Amazon Machine Images (AMIs) for EC2 instances in the compute environment. If `Ec2Configuration` isn't specified, the default is `ECS_AL2` .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . To remove the EC2 configuration and any custom AMI ID specified in `imageIdOverride` , set this value to an empty string.\n\nOne or two values can be provided.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "Ec2KeyPair": "The Amazon EC2 key pair that's used for instances launched in the compute environment. You can use this key pair to log in to your instances with SSH. To remove the Amazon EC2 key pair, set this value to an empty string.\n\nWhen updating a compute environment, changing the EC2 key pair requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "ImageId": "The Amazon Machine Image (AMI) ID used for instances launched in the compute environment. This parameter is overridden by the `imageIdOverride` member of the `Ec2Configuration` structure. To remove the custom AMI ID and use the default AMI ID, set this value to an empty string.\n\nWhen updating a compute environment, changing the AMI ID requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it. > The AMI that you choose for a compute environment must match the architecture of the instance types that you intend to use for that compute environment. For example, if your compute environment uses A1 instance types, the compute resource AMI that you choose must support ARM instances. Amazon ECS vends both x86 and ARM versions of the Amazon ECS-optimized Amazon Linux 2 AMI. For more information, see [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#ecs-optimized-ami-linux-variants.html) in the *Amazon Elastic Container Service Developer Guide* .", - "InstanceRole": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", + "InstanceRole": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. Required for Amazon EC2 instances. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "InstanceTypes": "The instances types that can be launched. You can specify instance families to launch any instance type within those families (for example, `c5` or `p3` ), or you can specify specific sizes within a family (such as `c5.8xlarge` ). You can also choose `optimal` to select instance types (from the C4, M4, and R4 instance families) that match the demand of your job queues.\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it. > When you create a compute environment, the instance types that you select for the compute environment must share the same architecture. For example, you can't mix x86 and ARM instances in the same compute environment. > Currently, `optimal` uses instance types from the C4, M4, and R4 instance families. In Regions that don't have instance types from those instance families, instance types from the C5, M5, and R5 instance families are used.", "LaunchTemplate": "The launch template to use for your compute resources. Any other compute resource parameters that you specify in a [CreateComputeEnvironment](https://docs.aws.amazon.com/batch/latest/APIReference/API_CreateComputeEnvironment.html) API operation override the same parameters in the launch template. You must specify either the launch template ID or launch template name in the request, but not both. For more information, see [Launch Template Support](https://docs.aws.amazon.com/batch/latest/userguide/launch-templates.html) in the ** . Removing the launch template from a compute environment will not remove the AMI specified in the launch template. In order to update the AMI specified in a launch template, the `updateToLatestImageVersion` parameter must be set to `true` .\n\nWhen updating a compute environment, changing the launch template requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the ** .\n\n> This parameter isn't applicable to jobs running on Fargate resources, and shouldn't be specified.", - "MaxvCpus": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance. That is, no more than a single instance from among those specified in your compute environment.", + "MaxvCpus": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` and `SPOT_PRICE_CAPACITY_OPTIMIZED` (recommended) strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "MinvCpus": "The minimum number of vCPUs that an environment should maintain (even if the compute environment is `DISABLED` ).\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "PlacementGroup": "The Amazon EC2 placement group to associate with your compute resources. If you intend to submit multi-node parallel jobs to your compute environment, you should consider creating a cluster placement group and associate it with your compute resources. This keeps your multi-node parallel job on a logical grouping of instances within a single Availability Zone with high network flow potential. For more information, see [Placement groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide for Linux Instances* .\n\nWhen updating a compute environment, changing the placement group requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "SecurityGroupIds": "The Amazon EC2 security groups that are associated with instances launched in the compute environment. This parameter is required for Fargate compute resources, where it can contain up to 5 security groups. For Fargate compute resources, providing an empty list is handled as if this parameter wasn't specified and no change is made. For EC2 compute resources, providing an empty list removes the security groups from the compute resource.\n\nWhen updating a compute environment, changing the EC2 security groups requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .", @@ -3750,7 +3974,7 @@ "AWS::Batch::ComputeEnvironment Ec2ConfigurationObject": { "ImageIdOverride": "The AMI ID used for instances launched in the compute environment that match the image type. This setting overrides the `imageId` set in the `computeResource` object.\n\n> The AMI that you choose for a compute environment must match the architecture of the instance types that you intend to use for that compute environment. For example, if your compute environment uses A1 instance types, the compute resource AMI that you choose must support ARM instances. Amazon ECS vends both x86 and ARM versions of the Amazon ECS-optimized Amazon Linux 2 AMI. For more information, see [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#ecs-optimized-ami-linux-variants.html) in the *Amazon Elastic Container Service Developer Guide* .", "ImageKubernetesVersion": "The Kubernetes version for the compute environment. If you don't specify a value, the latest version that AWS Batch supports is used.", - "ImageType": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types." + "ImageType": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL2023** - [Amazon Linux 2023](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) : AWS Batch supports Amazon Linux 2023.\n\n> Amazon Linux 2023 does not support `A1` instances.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types." }, "AWS::Batch::ComputeEnvironment EksConfiguration": { "EksClusterArn": "The Amazon Resource Name (ARN) of the Amazon EKS cluster. An example is `arn: *aws* :eks: *us-east-1* : *123456789012* :cluster/ *ClusterForBatch*` .", @@ -3789,7 +4013,7 @@ "EphemeralStorage": "The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate .", "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For jobs that run on Fargate resources, you must provide an execution role. For more information, see [AWS Batch execution IAM role](https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html) in the *AWS Batch User Guide* .", "FargatePlatformConfiguration": "The platform configuration for jobs that are running on Fargate resources. Jobs that are running on EC2 resources must not specify this parameter.", - "Image": "The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", + "Image": "Required. The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", "InstanceType": "The instance type to use for a multi-node parallel job. All node groups in a multi-node parallel job must use the same instance type.\n\n> This parameter isn't applicable to single-node container jobs or jobs that run on Fargate resources, and shouldn't be provided.", "JobRoleArn": "The Amazon Resource Name (ARN) of the IAM role that the container can assume for AWS permissions. For more information, see [IAM roles for tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide* .", "LinuxParameters": "Linux-specific modifications that are applied to the container, such as details for device mappings.", @@ -3800,6 +4024,7 @@ "Privileged": "When this parameter is true, the container is given elevated permissions on the host container instance (similar to the `root` user). This parameter maps to `Privileged` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--privileged` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . The default value is false.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided, or specified as false.", "ReadonlyRootFilesystem": "When this parameter is true, the container is given read-only access to its root file system. This parameter maps to `ReadonlyRootfs` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--read-only` option to `docker run` .", "ResourceRequirements": "The type and amount of resources to assign to a container. The supported resources include `GPU` , `MEMORY` , and `VCPU` .", + "RuntimePlatform": "An object that represents the compute environment architecture for AWS Batch jobs on Fargate.", "Secrets": "The secrets for the container. For more information, see [Specifying sensitive data](https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html) in the *AWS Batch User Guide* .", "Ulimits": "A list of `ulimits` to set in the container. This parameter maps to `Ulimits` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--ulimit` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources and shouldn't be provided.", "User": "The user name to use inside the container. This parameter maps to `User` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `--user` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .", @@ -3826,7 +4051,7 @@ "ImagePullPolicy": "The image pull policy for the container. Supported values are `Always` , `IfNotPresent` , and `Never` . This parameter defaults to `IfNotPresent` . However, if the `:latest` tag is specified, it defaults to `Always` . For more information, see [Updating images](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/containers/images/#updating-images) in the *Kubernetes documentation* .", "Name": "The name of the container. If the name isn't specified, the default name \" `Default` \" is used. Each container in a pod must have a unique name.", "Resources": "The type and amount of resources to assign to a container. The supported resources include `memory` , `cpu` , and `nvidia.com/gpu` . For more information, see [Resource management for pods and containers](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) in the *Kubernetes documentation* .", - "SecurityContext": "", + "SecurityContext": "The security context for a job. For more information, see [Configure a security context for a pod or container](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) in the *Kubernetes documentation* .", "VolumeMounts": "The volume mounts for the container. AWS Batch supports `emptyDir` , `hostPath` , and `secret` volume types. For more information about volumes and volume mounts in Kubernetes, see [Volumes](https://docs.aws.amazon.com/https://kubernetes.io/docs/concepts/storage/volumes/) in the *Kubernetes documentation* ." }, "AWS::Batch::JobDefinition EksContainerEnvironmentVariable": { @@ -3934,6 +4159,10 @@ "Attempts": "The number of times to move a job to the `RUNNABLE` status. You can specify between 1 and 10 attempts. If the value of `attempts` is greater than one, the job is retried on failure the same number of attempts as the value.", "EvaluateOnExit": "Array of up to 5 objects that specify the conditions where jobs are retried or failed. If this parameter is specified, then the `attempts` parameter must also be specified. If none of the listed conditions match, then the job is retried." }, + "AWS::Batch::JobDefinition RuntimePlatform": { + "CpuArchitecture": "The vCPU architecture. The default value is `X86_64` . Valid values are `X86_64` and `ARM64` .\n\n> This parameter must be set to `X86_64` for Windows containers. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "OperatingSystemFamily": "The operating system for the compute environment. Valid values are: `LINUX` (default), `WINDOWS_SERVER_2019_CORE` , `WINDOWS_SERVER_2019_FULL` , `WINDOWS_SERVER_2022_CORE` , and `WINDOWS_SERVER_2022_FULL` .\n\n> The following parameters can\u2019t be set for Windows containers: `linuxParameters` , `privileged` , `user` , `ulimits` , `readonlyRootFilesystem` , and `efsVolumeConfiguration` . > The AWS Batch Scheduler checks the compute environments that are attached to the job queue before registering a task definition with Fargate. In this scenario, the job queue is where the job is submitted. If the job requires a Windows container and the first compute environment is `LINUX` , the compute environment is skipped and the next compute environment is checked until a Windows-based compute environment is found. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue." + }, "AWS::Batch::JobDefinition Secret": { "Name": "The name of the secret.", "ValueFrom": "The secret to expose to the container. The supported values are either the full Amazon Resource Name (ARN) of the AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter Store.\n\n> If the AWS Systems Manager Parameter Store parameter exists in the same Region as the job you're launching, then you can use either the full Amazon Resource Name (ARN) or name of the parameter. If the parameter exists in a different Region, then the full ARN must be specified." @@ -3948,7 +4177,7 @@ }, "AWS::Batch::JobDefinition Ulimit": { "HardLimit": "The hard limit for the `ulimit` type.", - "Name": "The `type` of the `ulimit` .", + "Name": "The `type` of the `ulimit` . Valid values are: `core` | `cpu` | `data` | `fsize` | `locks` | `memlock` | `msgqueue` | `nice` | `nofile` | `nproc` | `rss` | `rtprio` | `rttime` | `sigpending` | `stack` .", "SoftLimit": "The soft limit for the `ulimit` type." }, "AWS::Batch::JobDefinition Volumes": { @@ -3986,19 +4215,24 @@ "WeightFactor": "The weight factor for the fair share identifier. The default value is 1.0. A lower value has a higher priority for compute resources. For example, jobs that use a share identifier with a weight factor of 0.125 (1/8) get 8 times the compute resources of jobs that use a share identifier with a weight factor of 1.\n\nThe smallest supported value is 0.0001, and the largest supported value is 999.9999." }, "AWS::BillingConductor::BillingGroup": { - "AccountGrouping": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated family.", + "AccountGrouping": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated billing family.", "ComputationPreference": "The preferences and settings that will be used to compute the AWS charges for a billing group.", "Description": "The description of the billing group.", "Name": "The billing group's name.", "PrimaryAccountId": "The account ID that serves as the main account in a billing group.", - "Tags": "" + "Tags": "A map that contains tag keys and tag values that are attached to a billing group." }, "AWS::BillingConductor::BillingGroup AccountGrouping": { + "AutoAssociate": "Specifies if this billing group will automatically associate newly added AWS accounts that join your consolidated billing family.", "LinkedAccountIds": "The account IDs that make up the billing group. Account IDs must be a part of the consolidated billing family, and not associated with another billing group." }, "AWS::BillingConductor::BillingGroup ComputationPreference": { "PricingPlanArn": "The Amazon Resource Name (ARN) of the pricing plan used to compute the AWS charges for a billing group." }, + "AWS::BillingConductor::BillingGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::BillingConductor::CustomLineItem": { "BillingGroupArn": "The Amazon Resource Name (ARN) that references the billing group where the custom line item applies to.", "BillingPeriodRange": "A time range for which the custom line item is effective.", @@ -4013,6 +4247,7 @@ }, "AWS::BillingConductor::CustomLineItem CustomLineItemChargeDetails": { "Flat": "A `CustomLineItemFlatChargeDetails` that describes the charge details of a flat custom line item.", + "LineItemFilters": "A representation of the line item filter.", "Percentage": "A `CustomLineItemPercentageChargeDetails` that describes the charge details of a percentage custom line item.", "Type": "The type of the custom line item that indicates whether the charge is a fee or credit." }, @@ -4023,12 +4258,25 @@ "ChildAssociatedResources": "A list of resource ARNs to associate to the percentage custom line item.", "PercentageValue": "The custom line item's percentage value. This will be multiplied against the combined value of its associated resources to determine its charge value." }, + "AWS::BillingConductor::CustomLineItem LineItemFilter": { + "Attribute": "The attribute of the line item filter. This specifies what attribute that you can filter on.", + "MatchOption": "The match criteria of the line item filter. This parameter specifies whether not to include the resource value from the billing group total cost.", + "Values": "The values of the line item filter. This specifies the values to filter on. Currently, you can only exclude Savings Plan discounts." + }, + "AWS::BillingConductor::CustomLineItem Tag": { + "Key": "", + "Value": "" + }, "AWS::BillingConductor::PricingPlan": { "Description": "The pricing plan description.", "Name": "The name of a pricing plan.", "PricingRuleArns": "The `PricingRuleArns` that are associated with the Pricing Plan.", "Tags": "A map that contains tag keys and tag values that are attached to a pricing plan." }, + "AWS::BillingConductor::PricingPlan Tag": { + "Key": "", + "Value": "" + }, "AWS::BillingConductor::PricingRule": { "BillingEntity": "The seller of services provided by AWS , their affiliates, or third-party providers selling services via AWS Marketplace .", "Description": "The pricing rule description.", @@ -4045,8 +4293,12 @@ "AWS::BillingConductor::PricingRule FreeTier": { "Activated": "Activate or deactivate AWS Free Tier." }, + "AWS::BillingConductor::PricingRule Tag": { + "Key": "", + "Value": "" + }, "AWS::BillingConductor::PricingRule Tiering": { - "FreeTier": "" + "FreeTier": "The possible AWS Free Tier configurations." }, "AWS::Budgets::Budget": { "Budget": "The budget object that you want to create.", @@ -4061,7 +4313,7 @@ "BudgetLimit": "The total amount of cost, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage that you want to track with your budget.\n\n`BudgetLimit` is required for cost or usage budgets, but optional for RI or Savings Plans utilization or coverage budgets. RI and Savings Plans utilization or coverage budgets default to `100` . This is the only valid value for RI or Savings Plans utilization or coverage budgets. You can't use `BudgetLimit` with `PlannedBudgetLimits` for `CreateBudget` and `UpdateBudget` actions.", "BudgetName": "The name of a budget. The value must be unique within an account. `BudgetName` can't include `:` and `\\` characters. If you don't include value for `BudgetName` in the template, Billing and Cost Management assigns your budget a randomly generated name.", "BudgetType": "Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.", - "CostFilters": "The cost filters, such as `Region` , `Service` , `member account` , `Tag` , or `Cost Category` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", + "CostFilters": "The cost filters, such as `Region` , `Service` , `LinkedAccount` , `Tag` , or `CostCategory` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", "CostTypes": "The types of costs that are included in this `COST` budget.\n\n`USAGE` , `RI_UTILIZATION` , `RI_COVERAGE` , `SAVINGS_PLANS_UTILIZATION` , and `SAVINGS_PLANS_COVERAGE` budgets do not have `CostTypes` .", "PlannedBudgetLimits": "A map containing multiple `BudgetLimit` , including current or future limits.\n\n`PlannedBudgetLimits` is available for cost or usage budget and supports both monthly and quarterly `TimeUnit` .\n\nFor monthly budgets, provide 12 months of `PlannedBudgetLimits` values. This must start from the current month and include the next 11 months. The `key` is the start of the month, `UTC` in epoch seconds.\n\nFor quarterly budgets, provide four quarters of `PlannedBudgetLimits` value entries in standard calendar quarter increments. This must start from the current quarter and include the next three quarters. The `key` is the start of the quarter, `UTC` in epoch seconds.\n\nIf the planned budget expires before 12 months for monthly or four quarters for quarterly, provide the `PlannedBudgetLimits` values only for the remaining periods.\n\nIf the budget begins at a date in the future, provide `PlannedBudgetLimits` values from the start date of the budget.\n\nAfter all of the `BudgetLimit` values in `PlannedBudgetLimits` are used, the budget continues to use the last limit as the `BudgetLimit` . At that point, the planned budget provides the same experience as a fixed budget.\n\n`DescribeBudget` and `DescribeBudgets` response along with `PlannedBudgetLimits` also contain `BudgetLimit` representing the current month or quarter limit present in `PlannedBudgetLimits` . This only applies to budgets that are created with `PlannedBudgetLimits` . Budgets that are created without `PlannedBudgetLimits` only contain `BudgetLimit` . They don't contain `PlannedBudgetLimits` .", "TimePeriod": "The period of time that is covered by a budget. The period has a start date and an end date. The start date must come before the end date. There are no restrictions on the end date.\n\nThe start date for a budget. If you created your budget and didn't specify a start date, the start date defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example, if you create your budget on January 24, 2019, choose `MONTHLY` , and don't set a start date, the start date defaults to `01/01/19 00:00 UTC` . The defaults are the same for the AWS Billing and Cost Management console and the API.\n\nYou can change your start date with the `UpdateBudget` operation.\n\nAfter the end date, AWS deletes the budget and all associated notifications and subscribers.", @@ -4095,7 +4347,7 @@ }, "AWS::Budgets::Budget Spend": { "Amount": "The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.", - "Unit": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as USD or GBP." + "Unit": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold." }, "AWS::Budgets::Budget Subscriber": { "Address": "The address that AWS sends budget notifications to, either an SNS topic or an email.\n\nWhen you create a subscriber, the value of `Address` can't contain line breaks.", @@ -4202,6 +4454,10 @@ "RegionList": "Specifies the AWS Regions that the keyspace is replicated in. You must specify at least two and up to six Regions, including the Region that the keyspace is being created in.", "ReplicationStrategy": "The options are:\n\n- `SINGLE_REGION` (optional)\n- `MULTI_REGION`\n\nIf no value is specified, the default is `SINGLE_REGION` . If `MULTI_REGION` is specified, `RegionList` is required." }, + "AWS::Cassandra::Keyspace Tag": { + "Key": "The key of the tag. Tag keys are case sensitive. Each Amazon Keyspaces resource can only have up to one tag with the same key. If you try to add an existing tag (same key), the existing tag value will be updated to the new value.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::Cassandra::Table": { "BillingMode": "The billing mode for the table, which determines how you'll be charged for reads and writes:\n\n- *On-demand mode* (default) - You pay based on the actual reads and writes your application performs.\n- *Provisioned mode* - Lets you specify the number of reads and writes per second that you need for your application.\n\nIf you don't specify a value for this property, then the table will use on-demand mode.", "ClientSideTimestampsEnabled": "Enables client-side timestamps for the table. By default, the setting is disabled. You can enable client-side timestamps with the following option:\n\n- `status: \"enabled\"`\n\nAfter client-side timestamps are enabled for a table, you can't disable this setting.", @@ -4235,6 +4491,10 @@ "ReadCapacityUnits": "The amount of read capacity that's provisioned for the table. For more information, see [Read/write capacity mode](https://docs.aws.amazon.com/keyspaces/latest/devguide/ReadWriteCapacityMode.html) in the *Amazon Keyspaces Developer Guide* .", "WriteCapacityUnits": "The amount of write capacity that's provisioned for the table. For more information, see [Read/write capacity mode](https://docs.aws.amazon.com/keyspaces/latest/devguide/ReadWriteCapacityMode.html) in the *Amazon Keyspaces Developer Guide* ." }, + "AWS::Cassandra::Table Tag": { + "Key": "The key of the tag. Tag keys are case sensitive. Each Amazon Keyspaces resource can only have up to one tag with the same key. If you try to add an existing tag (same key), the existing tag value will be updated to the new value.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::CertificateManager::Account": { "ExpiryEventsConfiguration": "Object containing expiration events options associated with an AWS account . For more information, see [ExpiryEventsConfiguration](https://docs.aws.amazon.com/acm/latest/APIReference/API_ExpiryEventsConfiguration.html) in the API reference." }, @@ -4246,6 +4506,7 @@ "CertificateTransparencyLoggingPreference": "You can opt out of certificate transparency logging by specifying the `DISABLED` option. Opt in by specifying `ENABLED` .\n\nIf you do not specify a certificate transparency logging preference on a new CloudFormation template, or if you remove the logging preference from an existing template, this is the same as explicitly enabling the preference.\n\nChanging the certificate transparency logging preference will update the existing resource by calling `UpdateCertificateOptions` on the certificate. This action will not create a new resource.", "DomainName": "The fully qualified domain name (FQDN), such as www.example.com, with which you want to secure an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. For example, `*.example.com` protects `www.example.com` , `site.example.com` , and `images.example.com.`", "DomainValidationOptions": "Domain information that domain name registrars use to verify your identity.\n\n> In order for a AWS::CertificateManager::Certificate to be provisioned and validated in CloudFormation automatically, the `DomainName` property needs to be identical to one of the `DomainName` property supplied in DomainValidationOptions, if the ValidationMethod is **DNS**. Failing to keep them like-for-like will result in failure to create the domain validation records in Route53.", + "KeyAlgorithm": "Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see [Key algorithms](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms) .\n\n> Algorithms supported for an ACM certificate request include:\n> \n> - `RSA_2048`\n> - `EC_prime256v1`\n> - `EC_secp384r1`\n> \n> Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. \n\nDefault: RSA_2048", "SubjectAlternativeNames": "Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, you can add www.example.net to a certificate for which the `DomainName` field is www.example.com if users can reach your site by using either name.", "Tags": "Key-value pairs that can identify the certificate.", "ValidationMethod": "The method you want to use to validate that you own or control the domain associated with a public certificate. You can [validate with DNS](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html) or [validate with email](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html) . We recommend that you use DNS validation.\n\nIf not specified, this property defaults to email validation." @@ -4255,6 +4516,10 @@ "HostedZoneId": "The `HostedZoneId` option, which is available if you are using Route 53 as your domain registrar, causes ACM to add your CNAME to the domain record. Your list of `DomainValidationOptions` must contain one and only one of the domain-validation options, and the `HostedZoneId` can be used only when `DNS` is specified as your validation method.\n\nUse the Route 53 `ListHostedZones` API to discover IDs for available hosted zones.\n\nThis option is required for publicly trusted certificates.\n\n> The `ListHostedZones` API returns IDs in the format \"/hostedzone/Z111111QQQQQQQ\", but CloudFormation requires the IDs to be in the format \"Z111111QQQQQQQ\". \n\nWhen you change your `DomainValidationOptions` , a new resource is created.", "ValidationDomain": "The domain name to which you want ACM to send validation emails. This domain name is the suffix of the email addresses that you want ACM to use. This must be the same as the `DomainName` value or a superdomain of the `DomainName` value. For example, if you request a certificate for `testing.example.com` , you can specify `example.com` as this value. In that case, ACM sends domain validation emails to the following five addresses:\n\n- admin@example.com\n- administrator@example.com\n- hostmaster@example.com\n- postmaster@example.com\n- webmaster@example.com" }, + "AWS::CertificateManager::Certificate Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::Chatbot::MicrosoftTeamsChannelConfiguration": { "ConfigurationName": "The name of the configuration.", "GuardrailPolicies": "The list of IAM policy ARNs that are applied as channel guardrails. The AWS managed 'AdministratorAccess' policy is applied as a default if this is not set.", @@ -4262,7 +4527,7 @@ "LoggingLevel": "Specifies the logging level for this configuration. This property affects the log entries pushed to Amazon CloudWatch Logs.\n\nLogging levels include `ERROR` , `INFO` , or `NONE` .", "SnsTopicArns": "The ARNs of the SNS topics that deliver notifications to AWS Chatbot .", "TeamId": "The ID of the Microsoft Team authorized with AWS Chatbot .\n\nTo get the team ID, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console. Then you can copy and paste the team ID from the console. For more details, see steps 1-4 in [Get started with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .", - "TeamsChannelId": "The ID of the Microsoft Teams channel.\n\nTo get the channel ID, open Microsoft Teams, right click on the channel name in the left pane, then choose Copy. An example of the channel ID syntax is: `19%3ab6ef35dc342d56ba5654e6fc6d25a071%40thread.tacv2` .", + "TeamsChannelId": "", "TeamsTenantId": "The ID of the Microsoft Teams tenant.\n\nTo get the tenant ID, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console. Then you can copy and paste the tenant ID from the console. For more details, see steps 1-4 in [Get started with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .", "UserRoleRequired": "Enables use of a user role requirement in your chat configuration." }, @@ -4276,9 +4541,33 @@ "SnsTopicArns": "The ARNs of the SNS topics that deliver notifications to AWS Chatbot .", "UserRoleRequired": "Enables use of a user role requirement in your chat configuration." }, + "AWS::CleanRooms::AnalysisTemplate": { + "AnalysisParameters": "The parameters of the analysis template.", + "Description": "The description of the analysis template.", + "Format": "The format of the analysis template.", + "MembershipIdentifier": "The identifier for a membership resource.", + "Name": "The name of the analysis template.", + "Source": "The source of the analysis template.", + "Tags": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource." + }, + "AWS::CleanRooms::AnalysisTemplate AnalysisParameter": { + "DefaultValue": "Optional. The default value that is applied in the analysis template. The member who can query can override this value in the query editor.", + "Name": "The name of the parameter. The name must use only alphanumeric, underscore (_), or hyphen (-) characters but cannot start or end with a hyphen.", + "Type": "The type of parameter." + }, + "AWS::CleanRooms::AnalysisTemplate AnalysisSchema": { + "ReferencedTables": "The tables referenced in the analysis schema." + }, + "AWS::CleanRooms::AnalysisTemplate AnalysisSource": { + "Text": "The query text." + }, + "AWS::CleanRooms::AnalysisTemplate Tag": { + "Key": "", + "Value": "" + }, "AWS::CleanRooms::Collaboration": { "CreatorDisplayName": "A display name of the collaboration creator.", - "CreatorMemberAbilities": "The abilities granted to the collaboration creator.", + "CreatorMemberAbilities": "The abilities granted to the collaboration creator.\n\n*Allowed values* `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", "DataEncryptionMetadata": "The settings for client-side encryption for cryptographic computing.", "Description": "A description of the collaboration provided by the collaboration owner.", "Members": "A list of initial members, not including the creator. This list is immutable.", @@ -4293,10 +4582,14 @@ "PreserveNulls": "Indicates whether NULL values are to be copied as NULL to encrypted tables (true) or cryptographically processed (false)." }, "AWS::CleanRooms::Collaboration MemberSpecification": { - "AccountId": "The identifier used to reference members of the collaboration. Currently only supports AWS account ID.", + "AccountId": "The identifier used to reference members of the collaboration. Currently only supports ID.", "DisplayName": "The member's display name.", "MemberAbilities": "The abilities granted to the collaboration member.\n\n*Allowed Values* : `CAN_QUERY` | `CAN_RECEIVE_RESULTS`" }, + "AWS::CleanRooms::Collaboration Tag": { + "Key": "", + "Value": "" + }, "AWS::CleanRooms::ConfiguredTable": { "AllowedColumns": "The columns within the underlying AWS Glue table that can be utilized within collaborations.", "AnalysisMethod": "The analysis method for the configured table. The only valid value is currently `DIRECT_QUERY`.", @@ -4317,7 +4610,7 @@ }, "AWS::CleanRooms::ConfiguredTable AnalysisRule": { "Policy": "A policy that describes the associated data usage limitations.", - "Type": "The type of analysis rule. Valid values are `AGGREGATION` and `LIST`." + "Type": "The type of analysis rule." }, "AWS::CleanRooms::ConfiguredTable AnalysisRuleAggregation": { "AggregateColumns": "The columns that query runners are allowed to use in aggregation queries.", @@ -4328,8 +4621,12 @@ "OutputConstraints": "Columns that must meet a specific threshold value (after an aggregation function is applied to it) for each output row to be returned.", "ScalarFunctions": "Set of scalar functions that are allowed to be used on dimension columns and the output of aggregation of metrics." }, + "AWS::CleanRooms::ConfiguredTable AnalysisRuleCustom": { + "AllowedAnalyses": "The analysis templates that are allowed by the custom analysis rule.", + "AllowedAnalysisProviders": "The accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` ." + }, "AWS::CleanRooms::ConfiguredTable AnalysisRuleList": { - "AllowedJoinOperators": "Which logical operators (if any) are to be used in an INNER JOIN match condition. Default is `AND` .", + "AllowedJoinOperators": "The logical operators (if any) that are to be used in an INNER JOIN match condition. Default is `AND` .", "JoinColumns": "Columns that can be used to join a configured table with the table of the member who can query and other members' configured tables.", "ListColumns": "Columns that can be listed in the output." }, @@ -4338,6 +4635,7 @@ }, "AWS::CleanRooms::ConfiguredTable ConfiguredTableAnalysisRulePolicyV1": { "Aggregation": "Analysis rule type that enables only aggregation queries on a configured table.", + "Custom": "Analysis rule type that enables custom SQL queries on a configured table.", "List": "Analysis rule type that enables only list queries on a configured table." }, "AWS::CleanRooms::ConfiguredTable GlueTableReference": { @@ -4347,6 +4645,10 @@ "AWS::CleanRooms::ConfiguredTable TableReference": { "Glue": "If present, a reference to the AWS Glue table referred to by this table reference." }, + "AWS::CleanRooms::ConfiguredTable Tag": { + "Key": "", + "Value": "" + }, "AWS::CleanRooms::ConfiguredTableAssociation": { "ConfiguredTableIdentifier": "A unique identifier for the configured table to be associated to. Currently accepts a configured table ID.", "Description": "A description of the configured table association.", @@ -4355,16 +4657,37 @@ "RoleArn": "The service will assume this role to access catalog metadata and query the table.", "Tags": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource." }, + "AWS::CleanRooms::ConfiguredTableAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::CleanRooms::Membership": { "CollaborationIdentifier": "The unique ID for the associated collaboration.", + "DefaultResultConfiguration": "The default protected query result configuration as specified by the member who can receive results.", "QueryLogStatus": "An indicator as to whether query logging has been enabled or disabled for the collaboration.", "Tags": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource." }, + "AWS::CleanRooms::Membership MembershipProtectedQueryOutputConfiguration": { + "S3": "Required configuration for a protected query with an `S3` output type." + }, + "AWS::CleanRooms::Membership MembershipProtectedQueryResultConfiguration": { + "OutputConfiguration": "Configuration for protected query results.", + "RoleArn": "The unique ARN for an IAM role that is used by to write protected query results to the result location, given by the member who can receive results." + }, + "AWS::CleanRooms::Membership ProtectedQueryS3OutputConfiguration": { + "Bucket": "The S3 bucket to unload the protected query results.", + "KeyPrefix": "The S3 prefix to unload the protected query results.", + "ResultFormat": "Intended file format of the result." + }, + "AWS::CleanRooms::Membership Tag": { + "Key": "", + "Value": "" + }, "AWS::Cloud9::EnvironmentEC2": { "AutomaticStopTimeMinutes": "The number of minutes until the running instance is shut down after the environment was last used.", "ConnectionType": "The connection type used for connecting to an Amazon EC2 environment. Valid values are `CONNECT_SSH` (default) and `CONNECT_SSM` (connected through AWS Systems Manager ).", "Description": "The description of the environment to create.", - "ImageId": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nThe default AMI is used if the parameter isn't explicitly assigned a value in the request.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`", + "ImageId": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nFrom November 20, 2023, you will be required to include the `imageId` parameter for the `CreateEnvironmentEC2` action. This change will be reflected across all direct methods of communicating with the API, such as AWS SDK, AWS CLI and AWS CloudFormation. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nFrom January 22, 2024, Amazon Linux (AL1) will be removed from the list of available image IDs for Cloud9. This is necessary as AL1 will reach the end of maintenance support in December 2023, and as a result will no longer receive security updates. We recommend using Amazon Linux 2 as the new AMI to create your environment as it is fully supported. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nSince Ubuntu 18.04 has ended standard support as of May 31, 2023, we recommend you choose Ubuntu 22.04.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `ubuntu-22.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64`", "InstanceType": "The type of instance to connect to the environment (for example, `t2.micro` ).", "Name": "The name of the environment.", "OwnerArn": "The Amazon Resource Name (ARN) of the environment owner. This ARN can be the ARN of any AWS Identity and Access Management principal. If this value is not specified, the ARN defaults to this environment's creator.", @@ -4376,6 +4699,10 @@ "PathComponent": "The path within the development environment's default file system location to clone the AWS CodeCommit repository into. For example, `/REPOSITORY_NAME` would clone the repository into the `/home/USER_NAME/environment/REPOSITORY_NAME` directory in the environment.", "RepositoryUrl": "The clone URL of the AWS CodeCommit repository to be cloned. For example, for an AWS CodeCommit repository this might be `https://git-codecommit.us-east-2.amazonaws.com/v1/repos/REPOSITORY_NAME` ." }, + "AWS::Cloud9::EnvironmentEC2 Tag": { + "Key": "The *name* part of a tag.", + "Value": "The *value* part of a tag." + }, "AWS::CloudFormation::CustomResource": { "ServiceToken": "> Only one property is defined by AWS for a custom resource: `ServiceToken` . All other properties are defined by the service provider. \n\nThe service token that was given to the template developer by the service provider to access the service, such as an Amazon SNS topic ARN or Lambda function ARN. The service token must be from the same Region in which you are creating the stack.\n\nUpdates aren't supported." }, @@ -4443,12 +4770,40 @@ "LogRoleArn": "The ARN of the role that CloudFormation should assume when sending log entries to CloudWatch logs." }, "AWS::CloudFormation::Stack": { + "Capabilities": "In some cases, you must explicitly acknowledge that your stack template contains certain capabilities in order for AWS CloudFormation to create the stack.\n\n- `CAPABILITY_IAM` and `CAPABILITY_NAMED_IAM`\n\nSome stack templates might include resources that can affect permissions in your AWS account ; for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge this by specifying one of these capabilities.\n\nThe following IAM resources require you to specify either the `CAPABILITY_IAM` or `CAPABILITY_NAMED_IAM` capability.\n\n- If you have IAM resources, you can specify either capability.\n- If you have IAM resources with custom names, you *must* specify `CAPABILITY_NAMED_IAM` .\n- If you don't specify either of these capabilities, AWS CloudFormation returns an `InsufficientCapabilities` error.\n\nIf your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.\n\n- [`AWS::IAM::AccessKey`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html)\n- [`AWS::IAM::Group`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html)\n- [`AWS::IAM::InstanceProfile`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html)\n- [`AWS::IAM::Policy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html)\n- [`AWS::IAM::Role`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)\n- [`AWS::IAM::User`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html)\n- [`AWS::IAM::UserToGroupAddition`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html)\n\nFor more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#capabilities) .\n- `CAPABILITY_AUTO_EXPAND`\n\nSome template contain macros. Macros perform custom processing on templates; this can include simple actions like find-and-replace operations, all the way to extensive transformations of entire templates. Because of this, users typically create a change set from the processed template, so that they can review the changes resulting from the macros before actually creating the stack. If your stack template contains one or more macros, and you choose to create a stack directly from the processed template, without first reviewing the resulting changes in a change set, you must acknowledge this capability. This includes the [AWS::Include](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/create-reusable-transform-function-snippets-and-add-to-your-template-with-aws-include-transform.html) and [AWS::Serverless](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-aws-serverless.html) transforms, which are macros hosted by AWS CloudFormation .\n\nIf you want to create a stack from a stack template that contains macros *and* nested stacks, you must create the stack directly from the template using this capability.\n\n> You should only create stacks directly from a stack template that contains macros if you know what processing the macro performs.\n> \n> Each macro relies on an underlying Lambda service function for processing stack templates. Be aware that the Lambda function owner can update the function operation without AWS CloudFormation being notified. \n\nFor more information, see [Using AWS CloudFormation macros to perform custom processing on templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) .", + "ChangeSetId": "The unique ID of the change set.", + "CreationTime": "The time at which the stack was created.", + "Description": "A user-defined description associated with the stack.", + "DisableRollback": "Set to `true` to disable rollback of the stack if stack creation failed. You can specify either `DisableRollback` or `OnFailure` , but not both.\n\nDefault: `false`", + "EnableTerminationProtection": "Whether to enable termination protection on the specified stack. If a user attempts to delete a stack with termination protection enabled, the operation fails and the stack remains unchanged. For more information, see [Protecting a Stack From Being Deleted](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html) in the *AWS CloudFormation User Guide* . Termination protection is deactivated on stacks by default.\n\nFor [nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) , termination protection is set on the root stack and can't be changed directly on the nested stack.", + "LastUpdateTime": "The time the stack was last updated. This field will only be returned if the stack has been updated at least once.", "NotificationARNs": "The Amazon Simple Notification Service (Amazon SNS) topic ARNs to publish stack related events. You can find your Amazon SNS topic ARNs using the Amazon SNS console or your Command Line Interface (CLI).", + "Outputs": "A list of output structures.", "Parameters": "The set value pairs that represent the parameters passed to CloudFormation when this nested stack is created. Each parameter has a name corresponding to a parameter defined in the embedded template and a value representing the value that you want to set for the parameter.\n\n> If you use the `Ref` function to pass a parameter value to a nested stack, comma-delimited list parameters must be of type `String` . In other words, you can't pass values that are of type `CommaDelimitedList` to nested stacks. \n\nConditional. Required if the nested stack requires input parameters.\n\nWhether an update causes interruptions depends on the resources that are being updated. An update never causes a nested stack to be replaced.", + "ParentId": "For nested stacks--stacks created as resources for another stack--the stack ID of the direct parent of this stack. For the first level of nested stacks, the root stack is also the parent stack.\n\nFor more information, see [Working with Nested Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .", + "RoleARN": "The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that AWS CloudFormation assumes to create the stack. AWS CloudFormation uses the role's credentials to make calls on your behalf. AWS CloudFormation always uses this role for all future operations on the stack. Provided that users have permission to operate on the stack, AWS CloudFormation uses this role even if the users don't have permission to pass it. Ensure that the role grants least privilege.\n\nIf you don't specify a value, AWS CloudFormation uses the role that was previously associated with the stack. If no role is available, AWS CloudFormation uses a temporary session that's generated from your user credentials.", + "RootId": "For nested stacks--stacks created as resources for another stack--the stack ID of the top-level stack to which the nested stack ultimately belongs.\n\nFor more information, see [Working with Nested Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* .", + "StackId": "Unique identifier of the stack.", + "StackName": "The name that's associated with the stack. The name must be unique in the Region in which you are creating the stack.\n\n> A stack name can contain only alphanumeric characters (case sensitive) and hyphens. It must start with an alphabetical character and can't be longer than 128 characters.", + "StackPolicyBody": "Structure containing the stack policy body. For more information, go to [Prevent Updates to Stack Resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html) in the *AWS CloudFormation User Guide* . You can specify either the `StackPolicyBody` or the `StackPolicyURL` parameter, but not both.", + "StackPolicyURL": "Location of a file containing the stack policy. The URL must point to a policy (maximum size: 16 KB) located in an S3 bucket in the same Region as the stack. You can specify either the `StackPolicyBody` or the `StackPolicyURL` parameter, but not both.", + "StackStatus": "Current status of the stack.", + "StackStatusReason": "Success/failure message associated with the stack status.", "Tags": "Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to the resources created in the stack. A maximum number of 50 tags can be specified.", + "TemplateBody": "Structure containing the template body with a minimum length of 1 byte and a maximum length of 51,200 bytes. For more information, go to [Template anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.\n\nConditional: You must specify either the `TemplateBody` or the `TemplateURL` parameter, but not both.", "TemplateURL": "Location of file containing the template body. The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket. For more information, see [Template anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) .\n\nWhether an update causes interruptions depends on the resources that are being updated. An update never causes a nested stack to be replaced.", "TimeoutInMinutes": "The length of time, in minutes, that CloudFormation waits for the nested stack to reach the `CREATE_COMPLETE` state. The default is no timeout. When CloudFormation detects that the nested stack has reached the `CREATE_COMPLETE` state, it marks the nested stack resource as `CREATE_COMPLETE` in the parent stack and resumes creating the parent stack. If the timeout period expires before the nested stack reaches `CREATE_COMPLETE` , CloudFormation marks the nested stack as failed and rolls back both the nested stack and parent stack.\n\nUpdates aren't supported." }, + "AWS::CloudFormation::Stack Output": { + "Description": "User defined description associated with the output.", + "ExportName": "The name of the export associated with the output.", + "OutputKey": "The key associated with the output.", + "OutputValue": "The value associated with the output." + }, + "AWS::CloudFormation::Stack Tag": { + "Key": "*Required* . A string used to identify this tag. You can specify a maximum of 128 characters for a tag key. Tags owned by Amazon Web Services ( AWS ) have the reserved prefix: `aws:` .", + "Value": "*Required* . A string containing the value for this tag. You can specify a maximum of 256 characters for a tag value." + }, "AWS::CloudFormation::StackSet": { "AdministrationRoleARN": "The Amazon Resource Number (ARN) of the IAM role to use to create this stack set. Specify an IAM role only if you are using customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account.\n\nUse customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account. For more information, see [Prerequisites: Granting Permissions for Stack Set Operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) in the *AWS CloudFormation User Guide* .\n\n*Minimum* : `20`\n\n*Maximum* : `2048`", "AutoDeployment": "[ `Service-managed` permissions] Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU).", @@ -4461,10 +4816,10 @@ "Parameters": "The input parameters for the stack set template.", "PermissionModel": "Describes how the IAM roles required for stack set operations are created.\n\n- With `SELF_MANAGED` permissions, you must create the administrator and execution roles required to deploy to target accounts. For more information, see [Grant Self-Managed Stack Set Permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html) .\n- With `SERVICE_MANAGED` permissions, StackSets automatically creates the IAM roles required to deploy to accounts managed by AWS Organizations .", "StackInstancesGroup": "A group of stack instances with parameters in some specific accounts and Regions.", - "StackSetName": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n*Maximum* : `128`\n\n*Pattern* : `^[a-zA-Z][a-zA-Z0-9-]{0,127}$`\n\n> The `StackSetName` property is required.", - "Tags": "The key-value pairs to associate with this stack set and the stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the stacks. A maximum number of 50 tags can be specified.", - "TemplateBody": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.\n\n*Minimum* : `1`\n\n*Maximum* : `51200`", - "TemplateURL": "Location of file containing the template body. The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both.\n\n*Minimum* : `1`\n\n*Maximum* : `1024`" + "StackSetName": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n> The `StackSetName` property is required.", + "Tags": "Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.\n\nIf you don't specify this parameter, AWS CloudFormation doesn't modify the stack's tags. If you specify an empty value, AWS CloudFormation removes all associated tags.", + "TemplateBody": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.", + "TemplateURL": "Location of file containing the template body. The URL must point to a template that's located in an Amazon S3 bucket or a Systems Manager document. For more information, go to [Template Anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.\n\nConditional: You must specify only one of the following parameters: `TemplateBody` , `TemplateURL` ." }, "AWS::CloudFormation::StackSet AutoDeployment": { "Enabled": "If set to `true` , StackSets automatically deploys additional stack instances to AWS Organizations accounts that are added to a target organization or organizational unit (OU) in the specified Regions. If an account is removed from a target organization or OU, StackSets deletes stack instances from the account in the specified Regions.", @@ -4473,6 +4828,7 @@ "AWS::CloudFormation::StackSet DeploymentTargets": { "AccountFilterType": "Limit deployment targets to individual accounts or include additional accounts with provided OUs.\n\nThe following is a list of possible values for the `AccountFilterType` operation.\n\n- `INTERSECTION` : StackSets deploys to the accounts specified in `Accounts` parameter.\n- `DIFFERENCE` : StackSets excludes the accounts specified in `Accounts` parameter. This enables user to avoid certain accounts within an OU such as suspended accounts.\n- `UNION` : StackSets includes additional accounts deployment targets.\n\nThis is the default value if `AccountFilterType` is not provided. This enables user to update an entire OU and individual accounts from a different OU in one request, which used to be two separate requests.\n- `NONE` : Deploys to all the accounts in specified organizational units (OU).", "Accounts": "The names of one or more AWS accounts for which you want to deploy stack set updates.\n\n*Pattern* : `^[0-9]{12}$`", + "AccountsUrl": "Returns the value of the `AccountsUrl` property.", "OrganizationalUnitIds": "The organization root ID or organizational unit (OU) IDs to which StackSets deploys.\n\n*Pattern* : `^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})$`" }, "AWS::CloudFormation::StackSet ManagedExecution": { @@ -4495,6 +4851,10 @@ "ParameterOverrides": "A list of stack set parameters whose values you want to override in the selected stack instances.", "Regions": "The names of one or more Regions where you want to create stack instances using the specified AWS accounts ." }, + "AWS::CloudFormation::StackSet Tag": { + "Key": "*Required* . A string used to identify this tag. You can specify a maximum of 128 characters for a tag key. Tags owned by Amazon Web Services ( AWS ) have the reserved prefix: `aws:` .", + "Value": "*Required* . A string containing the value for this tag. You can specify a maximum of 256 characters for a tag value." + }, "AWS::CloudFormation::TypeActivation": { "AutoUpdate": "Whether to automatically update the extension in this account and Region when a new *minor* version is published by the extension publisher. Major versions released by the publisher must be manually updated.\n\nThe default is `true` .", "ExecutionRoleArn": "The name of the IAM execution role to use to activate the extension.", @@ -4558,8 +4918,11 @@ }, "AWS::CloudFront::ContinuousDeploymentPolicy ContinuousDeploymentPolicyConfig": { "Enabled": "A Boolean that indicates whether this continuous deployment policy is enabled (in effect). When this value is `true` , this policy is enabled and in effect. When this value is `false` , this policy is not enabled and has no effect.", + "SingleHeaderPolicyConfig": "This configuration determines which HTTP requests are sent to the staging distribution. If the HTTP request contains a header and value that matches what you specify here, the request is sent to the staging distribution. Otherwise the request is sent to the primary distribution.", + "SingleWeightPolicyConfig": "This configuration determines the percentage of HTTP requests that are sent to the staging distribution.", "StagingDistributionDnsNames": "The CloudFront domain name of the staging distribution. For example: `d111111abcdef8.cloudfront.net` .", - "TrafficConfig": "Contains the parameters for routing production traffic from your primary to staging distributions." + "TrafficConfig": "Contains the parameters for routing production traffic from your primary to staging distributions.", + "Type": "The type of traffic configuration." }, "AWS::CloudFront::ContinuousDeploymentPolicy SessionStickinessConfig": { "IdleTTL": "The amount of time after which you want sessions to cease if no requests are received. Allowed values are 300\u20133600 seconds (5\u201360 minutes).", @@ -4569,10 +4932,18 @@ "Header": "The request header name that you want CloudFront to send to your staging distribution. The header must contain the prefix `aws-cf-cd-` .", "Value": "The request header value." }, + "AWS::CloudFront::ContinuousDeploymentPolicy SingleHeaderPolicyConfig": { + "Header": "", + "Value": "" + }, "AWS::CloudFront::ContinuousDeploymentPolicy SingleWeightConfig": { "SessionStickinessConfig": "Session stickiness provides the ability to define multiple requests from a single viewer as a single session. This prevents the potentially inconsistent experience of sending some of a given user's requests to your staging distribution, while others are sent to your primary distribution. Define the session duration using TTL values.", "Weight": "The percentage of traffic to send to a staging distribution, expressed as a decimal number between 0 and .15." }, + "AWS::CloudFront::ContinuousDeploymentPolicy SingleWeightPolicyConfig": { + "SessionStickinessConfig": "", + "Weight": "" + }, "AWS::CloudFront::ContinuousDeploymentPolicy TrafficConfig": { "SingleHeaderConfig": "Determines which HTTP requests are sent to the staging distribution.", "SingleWeightConfig": "Contains the percentage of traffic to send to the staging distribution.", @@ -4750,9 +5121,13 @@ "Items": "The items (status codes) for an origin group.", "Quantity": "The number of status codes." }, + "AWS::CloudFront::Distribution Tag": { + "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .", + "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ." + }, "AWS::CloudFront::Distribution ViewerCertificate": { "AcmCertificateArn": "> In CloudFormation, this field name is `AcmCertificateArn` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) , provide the Amazon Resource Name (ARN) of the ACM certificate. CloudFront only supports ACM certificates in the US East (N. Virginia) Region ( `us-east-1` ).\n\nIf you specify an ACM certificate ARN, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod` . (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)", - "CloudFrontDefaultCertificate": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), set this field to `false` and specify values for the following fields:\n\n- `ACMCertificateArn` or `IAMCertificateId` (specify a value for one, not both)\n\nIn CloudFormation, these field names are `AcmCertificateArn` and `IamCertificateId` . Note the different capitalization.\n- `MinimumProtocolVersion`\n- `SSLSupportMethod` (In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization.)", + "CloudFrontDefaultCertificate": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), omit this field and specify values for the following fields:\n\n- `AcmCertificateArn` or `IamCertificateId` (specify a value for one, not both)\n- `MinimumProtocolVersion`\n- `SslSupportMethod`", "IamCertificateId": "> In CloudFormation, this field name is `IamCertificateId` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) , provide the ID of the IAM certificate.\n\nIf you specify an IAM certificate ID, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod` . (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)", "MinimumProtocolVersion": "If the distribution uses `Aliases` (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. The security policy determines two settings:\n\n- The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers.\n- The ciphers that CloudFront can use to encrypt the content that it returns to viewers.\n\nFor more information, see [Security Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy) and [Supported Protocols and Ciphers Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) in the *Amazon CloudFront Developer Guide* .\n\n> On the CloudFront console, this setting is called *Security Policy* . \n\nWhen you're using SNI only (you set `SSLSupportMethod` to `sni-only` ), you must specify `TLSv1` or higher. (In CloudFormation, the field name is `SslSupportMethod` . Note the different capitalization.)\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` (you set `CloudFrontDefaultCertificate` to `true` ), CloudFront automatically sets the security policy to `TLSv1` regardless of the value that you set here.", "SslSupportMethod": "> In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization. \n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.\n\n- `sni-only` \u2013 The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Server_Name_Indication) . This is recommended. Most browsers and clients support SNI.\n- `vip` \u2013 The distribution accepts HTTPS connections from all viewers including those that don't support SNI. This is not recommended, and results in additional monthly charges from CloudFront.\n- `static-ip` - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [AWS Support Center](https://docs.aws.amazon.com/support/home) .\n\nIf the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , don't set a value for this field." @@ -4952,6 +5327,10 @@ "S3Origin": "A complex type that contains information about the Amazon S3 bucket from which you want CloudFront to get your media files for distribution.", "TrustedSigners": "A complex type that specifies any AWS accounts that you want to permit to create signed URLs for private content. If you want the distribution to use signed URLs, include this element; if you want the distribution to use public URLs, remove this element. For more information, see [Serving Private Content through CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) in the *Amazon CloudFront Developer Guide* ." }, + "AWS::CloudFront::StreamingDistribution Tag": { + "Key": "A string that contains `Tag` key.\n\nThe string length should be between 1 and 128 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` .", + "Value": "A string that contains an optional `Tag` value.\n\nThe string length should be between 0 and 256 characters. Valid characters include `a-z` , `A-Z` , `0-9` , space, and the special characters `_ - . : / = + @` ." + }, "AWS::CloudFront::StreamingDistribution TrustedSigners": { "AwsAccountNumbers": "An AWS account number that contains active CloudFront key pairs that CloudFront can use to verify the signatures of signed URLs and signed cookies. If the AWS account that owns the key pairs is the same account that owns the CloudFront distribution, the value of this field is `self` .", "Enabled": "This field is `true` if any of the AWS accounts in the list are configured as trusted signers. If not, this field is `false` ." @@ -4966,6 +5345,10 @@ "Location": "For channels used for a CloudTrail Lake integration, the location is the ARN of an event data store that receives events from a channel. For service-linked channels, the location is the name of the AWS service.", "Type": "The type of destination for events arriving from a channel. For channels used for a CloudTrail Lake integration, the value is `EventDataStore` . For service-linked channels, the value is `AWS_SERVICE` ." }, + "AWS::CloudTrail::Channel Tag": { + "Key": "The key in a key-value pair. The key must be must be no longer than 128 Unicode characters. The key must be unique for the resource to which it applies.", + "Value": "The value in a key-value pair of a tag. The value must be no longer than 256 Unicode characters." + }, "AWS::CloudTrail::EventDataStore": { "AdvancedEventSelectors": "The advanced event selectors to use to select the events for the data store. You can configure up to five advanced event selectors for each event data store.\n\nFor more information about how to use advanced event selectors to log CloudTrail events, see [Log events by using advanced event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-advanced) in the CloudTrail User Guide.\n\nFor more information about how to use advanced event selectors to include AWS Config configuration items in your event data store, see [Create an event data store for AWS Config configuration items](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html#lake-cli-create-eds-config) in the CloudTrail User Guide.\n\nFor more information about how to use advanced event selectors to include non- AWS events in your event data store, see [Create an integration to log events from outside AWS](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html#lake-cli-create-integration) in the CloudTrail User Guide.", "IngestionEnabled": "Specifies whether the event data store should start ingesting live events. The default is true.", @@ -4984,27 +5367,31 @@ "AWS::CloudTrail::EventDataStore AdvancedFieldSelector": { "EndsWith": "An operator that includes events that match the last few characters of the event record field specified as the value of `Field` .", "Equals": "An operator that includes events that match the exact value of the event record field specified as the value of `Field` . This is the only valid operator that you can use with the `readOnly` , `eventCategory` , and `resources.type` fields.", - "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "NotEndsWith": "An operator that excludes events that match the last few characters of the event record field specified as the value of `Field` .", "NotEquals": "An operator that excludes events that match the exact value of the event record field specified as the value of `Field` .", "NotStartsWith": "An operator that excludes events that match the first few characters of the event record field specified as the value of `Field` .", "StartsWith": "An operator that includes events that match the first few characters of the event record field specified as the value of `Field` ." }, + "AWS::CloudTrail::EventDataStore Tag": { + "Key": "The key in a key-value pair. The key must be must be no longer than 128 Unicode characters. The key must be unique for the resource to which it applies.", + "Value": "The value in a key-value pair of a tag. The value must be no longer than 256 Unicode characters." + }, "AWS::CloudTrail::ResourcePolicy": { "ResourceArn": "The Amazon Resource Name (ARN) of the CloudTrail channel attached to the resource-based policy. The following is the format of a resource ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/MyChannel` .", "ResourcePolicy": "A JSON-formatted string for an AWS resource-based policy.\n\nThe following are requirements for the resource policy:\n\n- Contains only one action: cloudtrail-data:PutAuditEvents\n- Contains at least one statement. The policy can have a maximum of 20 statements.\n- Each statement contains at least one principal. A statement can have a maximum of 50 principals." }, "AWS::CloudTrail::Trail": { "AdvancedEventSelectors": "Specifies the settings for advanced event selectors. You can add advanced event selectors, and conditions for your advanced event selectors, up to a maximum of 500 values for all conditions and selectors on a trail. You can use either `AdvancedEventSelectors` or `EventSelectors` , but not both. If you apply `AdvancedEventSelectors` to a trail, any existing `EventSelectors` are overwritten. For more information about advanced event selectors, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .", - "CloudWatchLogsLogGroupArn": "Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. You must use a log group that exists in your account.\n\nNot required unless you specify `CloudWatchLogsRoleArn` .", + "CloudWatchLogsLogGroupArn": "Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. You must use a log group that exists in your account.\n\nNot required unless you specify `CloudWatchLogsRoleArn` .\n\n> Only the management account can configure a CloudWatch Logs log group for an organization trail.", "CloudWatchLogsRoleArn": "Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group. You must use a role that exists in your account.", "EnableLogFileValidation": "Specifies whether log file validation is enabled. The default is false.\n\n> When you disable log file integrity validation, the chain of digest files is broken after one hour. CloudTrail does not create digest files for log files that were delivered during a period in which log file integrity validation was disabled. For example, if you enable log file integrity validation at noon on January 1, disable it at noon on January 2, and re-enable it at noon on January 10, digest files will not be created for the log files delivered from noon on January 2 to noon on January 10. The same applies whenever you stop CloudTrail logging or delete a trail.", - "EventSelectors": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nFor more information about how to configure event selectors, see [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#aws-resource-cloudtrail-trail--examples) and [Configuring event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-additional-cli-commands.html#configuring-event-selector-examples) in the *AWS CloudTrail User Guide* .", + "EventSelectors": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nYou cannot apply both event selectors and advanced event selectors to a trail.", "IncludeGlobalServiceEvents": "Specifies whether the trail is publishing events from global services such as IAM to the log files.", "InsightSelectors": "A JSON string that contains the insight types you want to log on a trail. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.", "IsLogging": "Whether the CloudTrail trail is currently logging AWS API calls.", "IsMultiRegionTrail": "Specifies whether the trail applies only to the current Region or to all Regions. The default is false. If the trail exists only in the current Region and this value is set to true, shadow trails (replications of the trail) will be created in the other Regions. If the trail exists in all Regions and this value is set to false, the trail will remain in the Region where it was created, and its shadow trails in other Regions will be deleted. As a best practice, consider using trails that log events in all Regions.", - "IsOrganizationTrail": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account or delegated administrator account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.", + "IsOrganizationTrail": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.\n\n> Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.", "KMSKeyId": "Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail. The value can be an alias name prefixed by \"alias/\", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.\n\nCloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nExamples:\n\n- alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName\n- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012\n- 12345678-1234-1234-1234-123456789012", "S3BucketName": "Specifies the name of the Amazon S3 bucket designated for publishing log files. See [Amazon S3 Bucket Naming Requirements](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_naming_policy.html) .", "S3KeyPrefix": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. For more information, see [Finding Your CloudTrail Log Files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html) . The maximum length is 200 characters.", @@ -5019,18 +5406,18 @@ "AWS::CloudTrail::Trail AdvancedFieldSelector": { "EndsWith": "An operator that includes events that match the last few characters of the event record field specified as the value of `Field` .", "Equals": "An operator that includes events that match the exact value of the event record field specified as the value of `Field` . This is the only valid operator that you can use with the `readOnly` , `eventCategory` , and `resources.type` fields.", - "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "Field": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "NotEndsWith": "An operator that excludes events that match the last few characters of the event record field specified as the value of `Field` .", "NotEquals": "An operator that excludes events that match the exact value of the event record field specified as the value of `Field` .", "NotStartsWith": "An operator that excludes events that match the first few characters of the event record field specified as the value of `Field` .", "StartsWith": "An operator that includes events that match the first few characters of the event record field specified as the value of `Field` ." }, "AWS::CloudTrail::Trail DataResource": { - "Type": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::S3::Object`\n- `AWS::Lambda::Function`\n- `AWS::DynamoDB::Table`", + "Type": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n\nThe following resource types are also available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) .\n\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`", "Values": "An array of Amazon Resource Name (ARN) strings or partial ARN strings for the specified objects.\n\n- To log data events for all objects in all S3 buckets in your AWS account , specify the prefix as `arn:aws:s3` .\n\n> This also enables logging of data event activity performed by any user or role in your AWS account , even if that activity is performed on a bucket that belongs to another AWS account .\n- To log data events for all objects in an S3 bucket, specify the bucket and an empty object prefix such as `arn:aws:s3:::bucket-1/` . The trail logs data events for all objects in this S3 bucket.\n- To log data events for specific objects, specify the S3 bucket and object prefix such as `arn:aws:s3:::bucket-1/example-images` . The trail logs data events for objects in this S3 bucket that match the prefix.\n- To log data events for all Lambda functions in your AWS account , specify the prefix as `arn:aws:lambda` .\n\n> This also enables logging of `Invoke` activity performed by any user or role in your AWS account , even if that activity is performed on a function that belongs to another AWS account .\n- To log data events for a specific Lambda function, specify the function ARN.\n\n> Lambda function ARNs are exact. For example, if you specify a function ARN *arn:aws:lambda:us-west-2:111111111111:function:helloworld* , data events will only be logged for *arn:aws:lambda:us-west-2:111111111111:function:helloworld* . They will not be logged for *arn:aws:lambda:us-west-2:111111111111:function:helloworld2* .\n- To log data events for all DynamoDB tables in your AWS account , specify the prefix as `arn:aws:dynamodb` ." }, "AWS::CloudTrail::Trail EventSelector": { - "DataResources": "In AWS CloudFormation , CloudTrail supports data event logging for Amazon S3 objects, Amazon DynamoDB tables, and AWS Lambda functions. Currently, advanced event selectors for data events are not supported in AWS CloudFormation templates. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", + "DataResources": "CloudTrail supports data event logging for Amazon S3 objects, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Data Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", "ExcludeManagementEventSources": "An optional list of service event sources from which you do not want management events to be logged on your trail. In this release, the list can be empty (disables the filter), or it can filter out AWS Key Management Service or Amazon RDS Data API events by containing `kms.amazonaws.com` or `rdsdata.amazonaws.com` . By default, `ExcludeManagementEventSources` is empty, and AWS KMS and Amazon RDS Data API events are logged to your trail. You can exclude management event sources only in Regions that support the event source.", "IncludeManagementEvents": "Specify if you want your event selector to include management events for your trail.\n\nFor more information, see [Management Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide* .\n\nBy default, the value is `true` .\n\nThe first copy of management events is free. You are charged for additional copies of management events that you are logging on any subsequent trail in the same Region. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://docs.aws.amazon.com/cloudtrail/pricing/) .", "ReadWriteType": "Specify if you want your trail to log read-only events, write-only events, or all. For example, the EC2 `GetConsoleOutput` is a read-only API operation and `RunInstances` is a write-only API operation.\n\nBy default, the value is `All` ." @@ -5038,6 +5425,10 @@ "AWS::CloudTrail::Trail InsightSelector": { "InsightType": "The type of Insights events to log on a trail. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.\n\nThe `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.\n\nThe `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful." }, + "AWS::CloudTrail::Trail Tag": { + "Key": "The key in a key-value pair. The key must be must be no longer than 128 Unicode characters. The key must be unique for the resource to which it applies.", + "Value": "The value in a key-value pair of a tag. The value must be no longer than 256 Unicode characters." + }, "AWS::CloudWatch::Alarm": { "ActionsEnabled": "Indicates whether actions should be executed during any changes to the alarm state. The default is TRUE.", "AlarmActions": "The list of actions to execute when this alarm transitions into an ALARM state from any other state. Specify each action as an Amazon Resource Name (ARN). For more information about creating alarms and the actions that you can specify, see [PutMetricAlarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricAlarm.html) in the *Amazon CloudWatch API Reference* .", @@ -5107,7 +5498,6 @@ "MetricName": "The name of the metric. This is a required field.", "Namespace": "The namespace of the metric." }, - "AWS::CloudWatch::AnomalyDetector MetricDataQueries": {}, "AWS::CloudWatch::AnomalyDetector MetricDataQuery": { "AccountId": "The ID of the account where the metrics are located.\n\nIf you are performing a `GetMetricData` operation in a monitoring account, use this to specify which account to retrieve this metric from.\n\nIf you are performing a `PutMetricAlarm` operation, use this to specify which account contains the metric that the alarm is watching.", "Expression": "This field can contain either a Metrics Insights query, or a metric math expression to be performed on the returned data. For more information about Metrics Insights queries, see [Metrics Insights query components and syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-querylanguage) in the *Amazon CloudWatch User Guide* .\n\nA math expression can use the `Id` of the other metrics or queries to refer to those metrics, and can also use the `Id` of other expressions to use the result of those expressions. For more information about metric math expressions, see [Metric Math Syntax and Functions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html#metric-math-syntax) in the *Amazon CloudWatch User Guide* .\n\nWithin each MetricDataQuery object, you must specify either `Expression` or `MetricStat` but not both.", @@ -5158,7 +5548,6 @@ "RuleState": "The current state of the rule. Valid values are `ENABLED` and `DISABLED` .", "Tags": "A list of key-value pairs to associate with the Contributor Insights rule. You can associate as many as 50 tags with a rule.\n\nTags can help you organize and categorize your resources. For more information, see [Tagging Your Amazon CloudWatch Resources](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Tagging.html) .\n\nTo be able to associate tags with a rule, you must have the `cloudwatch:TagResource` permission in addition to the `cloudwatch:PutInsightRule` permission." }, - "AWS::CloudWatch::InsightRule Tags": {}, "AWS::CloudWatch::MetricStream": { "ExcludeFilters": "If you specify this parameter, the stream sends metrics from all metric namespaces except for the namespaces that you specify here. You cannot specify both `IncludeFilters` and `ExcludeFilters` in the same metric stream.\n\nWhen you modify the `IncludeFilters` or `ExcludeFilters` of an existing metric stream in any way, the metric stream is effectively restarted, so after such a change you will get only the datapoints that have a timestamp after the time of the update.", "FirehoseArn": "The ARN of the Amazon Kinesis Firehose delivery stream to use for this metric stream. This Amazon Kinesis Firehose delivery stream must already exist and must be in the same account as the metric stream.", @@ -5167,7 +5556,7 @@ "Name": "If you are creating a new metric stream, this is the name for the new stream. The name must be different than the names of other metric streams in this account and Region.\n\nIf you are updating a metric stream, specify the name of that stream here.", "OutputFormat": "The output format for the stream. Valid values are `json` and `opentelemetry0.7` For more information about metric stream output formats, see [Metric streams output formats](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html) .\n\nThis parameter is required.", "RoleArn": "The ARN of an IAM role that this metric stream will use to access Amazon Kinesis Firehose resources. This IAM role must already exist and must be in the same account as the metric stream. This IAM role must include the `firehose:PutRecord` and `firehose:PutRecordBatch` permissions.", - "StatisticsConfigurations": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", + "StatisticsConfigurations": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", "Tags": "An array of key-value pairs to apply to the metric stream.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::CloudWatch::MetricStream MetricStreamFilter": { @@ -5182,22 +5571,32 @@ "MetricName": "The name of the metric.", "Namespace": "The namespace of the metric." }, + "AWS::CloudWatch::MetricStream Tag": { + "Key": "A string that you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::CodeArtifact::Domain": { "DomainName": "A string that specifies the name of the requested domain.", - "EncryptionKey": "The key used to encrypt the domain.", "PermissionsPolicyDocument": "The document that defines the resource policy that is set on a domain.", "Tags": "A list of tags to be applied to the domain." }, + "AWS::CodeArtifact::Domain Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::CodeArtifact::Repository": { "Description": "A text description of the repository.", "DomainName": "The name of the domain that contains the repository.", - "DomainOwner": "The 12-digit account number of the AWS account that owns the domain that contains the repository. It does not include dashes or spaces.", "ExternalConnections": "An array of external connections associated with the repository.", "PermissionsPolicyDocument": "The document that defines the resource policy that is set on a repository.", "RepositoryName": "The name of an upstream repository.", "Tags": "A list of tags to be applied to the repository.", "Upstreams": "A list of upstream repositories to associate with the repository. The order of the upstream repositories in the list determines their priority order when AWS CodeArtifact looks for a requested package version. For more information, see [Working with upstream repositories](https://docs.aws.amazon.com/codeartifact/latest/ug/repos-upstream.html) ." }, + "AWS::CodeArtifact::Repository Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::CodeBuild::Project": { "Artifacts": "`Artifacts` is a property of the [AWS::CodeBuild::Project](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html) resource that specifies output settings for artifacts generated by an AWS CodeBuild build.", "BadgeEnabled": "Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge. For more information, see [Build Badges Sample](https://docs.aws.amazon.com/codebuild/latest/userguide/sample-build-badges.html) in the *AWS CodeBuild User Guide* .\n\n> Including build badges with your project is currently not supported if the source type is CodePipeline. If you specify `CODEPIPELINE` for the `Source` property, do not specify the `BadgeEnabled` property.", @@ -5256,14 +5655,13 @@ "ImagePullCredentialsType": "The type of credentials AWS CodeBuild uses to pull images in your build. There are two valid values:\n\n- `CODEBUILD` specifies that AWS CodeBuild uses its own credentials. This requires that you modify your ECR repository policy to trust AWS CodeBuild service principal.\n- `SERVICE_ROLE` specifies that AWS CodeBuild uses your build project's service role.\n\nWhen you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials.", "PrivilegedMode": "Enables running the Docker daemon inside a Docker container. Set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails. The default setting is `false` .\n\nYou can initialize the Docker daemon during the install phase of your build by adding one of the following sets of commands to the install phase of your buildspec file:\n\nIf the operating system's base image is Ubuntu Linux:\n\n`- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 --storage-driver=overlay&`\n\n`- timeout 15 sh -c \"until docker info; do echo .; sleep 1; done\"`\n\nIf the operating system's base image is Alpine Linux and the previous command does not work, add the `-t` argument to `timeout` :\n\n`- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 --storage-driver=overlay&`\n\n`- timeout -t 15 sh -c \"until docker info; do echo .; sleep 1; done\"`", "RegistryCredential": "`RegistryCredential` is a property of the [AWS::CodeBuild::Project Environment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html#cfn-codebuild-project-environment) property that specifies information about credentials that provide access to a private Docker registry. When this is set:\n\n- `imagePullCredentialsType` must be set to `SERVICE_ROLE` .\n- images cannot be curated or an Amazon ECR image.", - "Type": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* ." + "Type": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hyderabad), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), and Europe (London).\n\n- The environment types `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* ." }, "AWS::CodeBuild::Project EnvironmentVariable": { "Name": "The name or key of the environment variable.", "Type": "The type of environment variable. Valid values include:\n\n- `PARAMETER_STORE` : An environment variable stored in Systems Manager Parameter Store. For environment variables of this type, specify the name of the parameter as the `value` of the EnvironmentVariable. The parameter value will be substituted for the name at runtime. You can also define Parameter Store environment variables in the buildspec. To learn how to do so, see [env/parameter-store](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec.env.parameter-store) in the *AWS CodeBuild User Guide* .\n- `PLAINTEXT` : An environment variable in plain text format. This is the default value.\n- `SECRETS_MANAGER` : An environment variable stored in AWS Secrets Manager . For environment variables of this type, specify the name of the secret as the `value` of the EnvironmentVariable. The secret value will be substituted for the name at runtime. You can also define AWS Secrets Manager environment variables in the buildspec. To learn how to do so, see [env/secrets-manager](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec.env.secrets-manager) in the *AWS CodeBuild User Guide* .", - "Value": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs and secret access keys. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` ." + "Value": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` ." }, - "AWS::CodeBuild::Project FilterGroup": {}, "AWS::CodeBuild::Project GitSubmodulesConfig": { "FetchSubmodules": "Set to true to fetch Git submodules for your AWS CodeBuild build project." }, @@ -5324,6 +5722,10 @@ "Resource": "The resource value that applies to the specified authorization type.\n\n> This data type is used by the AWS CodeBuild console only.", "Type": "The authorization type to use. The only valid value is `OAUTH` , which represents the OAuth authorization type.\n\n> This data type is used by the AWS CodeBuild console only." }, + "AWS::CodeBuild::Project Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeBuild::Project VpcConfig": { "SecurityGroupIds": "A list of one or more security groups IDs in your Amazon VPC. The maximum count is 5.", "Subnets": "A list of one or more subnet IDs in your Amazon VPC. The maximum count is 16.", @@ -5353,6 +5755,10 @@ "Packaging": "The type of build output artifact to create. Valid values include:\n\n- `NONE` : CodeBuild creates the raw data in the output bucket. This is the default if packaging is not specified.\n- `ZIP` : CodeBuild creates a ZIP file with the raw data in the output bucket.", "Path": "The path to the exported report's raw data results." }, + "AWS::CodeBuild::ReportGroup Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeBuild::SourceCredential": { "AuthType": "The type of authentication used by the credentials. Valid options are OAUTH, BASIC_AUTH, or PERSONAL_ACCESS_TOKEN.", "ServerType": "The type of source provider. The valid options are GITHUB, GITHUB_ENTERPRISE, or BITBUCKET.", @@ -5382,11 +5788,19 @@ "Key": "The key to use for accessing the Amazon S3 bucket. Changes to this property are ignored after initial resource creation. For more information, see [Creating object key names](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html) and [Uploading objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/upload-objects.html) in the Amazon S3 User Guide.", "ObjectVersion": "The object version of the ZIP file, if versioning is enabled for the Amazon S3 bucket. Changes to this property are ignored after initial resource creation." }, + "AWS::CodeCommit::Repository Tag": { + "Key": "", + "Value": "" + }, "AWS::CodeDeploy::Application": { "ApplicationName": "A name for the application. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the application name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> Updates to `ApplicationName` are not supported.", "ComputePlatform": "The compute platform that CodeDeploy deploys the application to.", "Tags": "The metadata that you apply to CodeDeploy applications to help you organize and categorize them. Each tag consists of a key and an optional value, both of which you define." }, + "AWS::CodeDeploy::Application Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeDeploy::DeploymentConfig": { "ComputePlatform": "The destination platform type for the deployment ( `Lambda` , `Server` , or `ECS` ).", "DeploymentConfigName": "A name for the deployment configuration. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the deployment configuration name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", @@ -5426,9 +5840,9 @@ "LoadBalancerInfo": "Information about the load balancer to use in a deployment. For more information, see [Integrating CodeDeploy with Elastic Load Balancing](https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-elastic-load-balancing.html) in the *AWS CodeDeploy User Guide* .", "OnPremisesInstanceTagFilters": "The on-premises instance tags already applied to on-premises instances that you want to include in the deployment group. CodeDeploy includes all on-premises instances identified by any of the tags you specify in this deployment group. To register on-premises instances with CodeDeploy , see [Working with On-Premises Instances for CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/instances-on-premises.html) in the *AWS CodeDeploy User Guide* . Duplicates are not allowed.\n\nYou can specify `OnPremisesInstanceTagFilters` or `OnPremisesInstanceTagSet` , but not both.", "OnPremisesTagSet": "Information about groups of tags applied to on-premises instances. The deployment group includes only on-premises instances identified by all the tag groups.\n\nYou can specify `OnPremisesInstanceTagFilters` or `OnPremisesInstanceTagSet` , but not both.", - "OutdatedInstancesStrategy": "", + "OutdatedInstancesStrategy": "Indicates what happens when new Amazon EC2 instances are launched mid-deployment and do not receive the deployed application revision.\n\nIf this option is set to `UPDATE` or is unspecified, CodeDeploy initiates one or more 'auto-update outdated instances' deployments to apply the deployed application revision to the new Amazon EC2 instances.\n\nIf this option is set to `IGNORE` , CodeDeploy does not initiate a deployment to update the new Amazon EC2 instances. This may result in instances having different revisions.", "ServiceRoleArn": "A service role Amazon Resource Name (ARN) that grants CodeDeploy permission to make calls to AWS services on your behalf. For more information, see [Create a Service Role for AWS CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-service-role.html) in the *AWS CodeDeploy User Guide* .\n\n> In some cases, you might need to add a dependency on the service role's policy. For more information, see IAM role policy in [DependsOn Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) .", - "Tags": "", + "Tags": "The metadata that you apply to CodeDeploy deployment groups to help you organize and categorize them. Each tag consists of a key and an optional value, both of which you define.", "TriggerConfigurations": "Information about triggers associated with the deployment group. Duplicates are not allowed" }, "AWS::CodeDeploy::DeploymentGroup Alarm": { @@ -5491,9 +5905,9 @@ "Action": "The method used to add instances to a replacement environment.\n\n- `DISCOVER_EXISTING` : Use instances that already exist or will be created manually.\n- `COPY_AUTO_SCALING_GROUP` : Use settings from a specified Auto Scaling group to define and create instances in a new Auto Scaling group." }, "AWS::CodeDeploy::DeploymentGroup LoadBalancerInfo": { - "ElbInfoList": "An array that contains information about the load balancer to use for load balancing in a deployment. In Elastic Load Balancing, load balancers are used with Classic Load Balancers.\n\n> Adding more than one load balancer to the array is not supported.", - "TargetGroupInfoList": "An array that contains information about the target group to use for load balancing in a deployment. In Elastic Load Balancing , target groups are used with Application Load Balancers .\n\n> Adding more than one target group to the array is not supported.", - "TargetGroupPairInfoList": "" + "ElbInfoList": "An array that contains information about the load balancers to use for load balancing in a deployment. If you're using Classic Load Balancers, specify those load balancers in this array.\n\n> You can add up to 10 load balancers to the array. > If you're using Application Load Balancers or Network Load Balancers, use the `targetGroupInfoList` array instead of this one.", + "TargetGroupInfoList": "An array that contains information about the target groups to use for load balancing in a deployment. If you're using Application Load Balancers and Network Load Balancers, specify their associated target groups in this array.\n\n> You can add up to 10 target groups to the array. > If you're using Classic Load Balancers, use the `elbInfoList` array instead of this one.", + "TargetGroupPairInfoList": "The target group pair information. This is an array of `TargeGroupPairInfo` objects with a maximum size of one." }, "AWS::CodeDeploy::DeploymentGroup OnPremisesTagSet": { "OnPremisesTagSetList": "A list that contains other lists of on-premises instance tag groups. For an instance to be included in the deployment group, it must be identified by all of the tag groups in the list.\n\nDuplicates are not allowed." @@ -5513,6 +5927,10 @@ "Key": "The name of the Amazon S3 object that represents the bundled artifacts for the application revision.", "Version": "A specific version of the Amazon S3 object that represents the bundled artifacts for the application revision.\n\nIf the version is not specified, the system uses the most recent version by default." }, + "AWS::CodeDeploy::DeploymentGroup Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeDeploy::DeploymentGroup TagFilter": { "Key": "The on-premises instance tag filter key.", "Type": "The on-premises instance tag filter type:\n\n- KEY_ONLY: Key only.\n- VALUE_ONLY: Value only.\n- KEY_AND_VALUE: Key and value.", @@ -5522,12 +5940,12 @@ "Name": "For blue/green deployments, the name of the target group that instances in the original environment are deregistered from, and instances in the replacement environment registered with. For in-place deployments, the name of the target group that instances are deregistered from, so they are not serving traffic during a deployment, and then re-registered with after the deployment completes. No duplicates allowed.\n\n> AWS CloudFormation supports blue/green deployments on AWS Lambda compute platforms only. \n\nThis value cannot exceed 32 characters, so you should use the `Name` property of the target group, or the `TargetGroupName` attribute with the `Fn::GetAtt` intrinsic function, as shown in the following example. Don't use the group's Amazon Resource Name (ARN) or `TargetGroupFullName` attribute." }, "AWS::CodeDeploy::DeploymentGroup TargetGroupPairInfo": { - "ProdTrafficRoute": "", - "TargetGroups": "", - "TestTrafficRoute": "" + "ProdTrafficRoute": "The path used by a load balancer to route production traffic when an Amazon ECS deployment is complete.", + "TargetGroups": "One pair of target groups. One is associated with the original task set. The second is associated with the task set that serves traffic after the deployment is complete.", + "TestTrafficRoute": "An optional path used by a load balancer to route test traffic after an Amazon ECS deployment. Validation can occur while test traffic is served during a deployment." }, "AWS::CodeDeploy::DeploymentGroup TrafficRoute": { - "ListenerArns": "" + "ListenerArns": "The Amazon Resource Name (ARN) of one listener. The listener identifies the route between a target group and a load balancer. This is an array of strings with a maximum size of one." }, "AWS::CodeDeploy::DeploymentGroup TriggerConfig": { "TriggerEvents": "The event type or types that trigger notifications.", @@ -5548,6 +5966,10 @@ "channelId": "The channel ID.", "channelUri": "The channel URI." }, + "AWS::CodeGuruProfiler::ProfilingGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::CodeGuruReviewer::RepositoryAssociation": { "BucketName": "The name of the bucket. This is required for your S3Bucket repository. The name must start with the prefix `codeguru-reviewer-*` .", "ConnectionArn": "The Amazon Resource Name (ARN) of an AWS CodeStar Connections connection. Its format is `arn:aws:codestar-connections:region-id:aws-account_id:connection/connection-id` . For more information, see [Connection](https://docs.aws.amazon.com/codestar-connections/latest/APIReference/API_Connection.html) in the *AWS CodeStar Connections API Reference* .\n\n`ConnectionArn` must be specified for Bitbucket and GitHub Enterprise Server repositories. It has no effect if it is specified for an AWS CodeCommit repository.", @@ -5556,6 +5978,10 @@ "Tags": "An array of key-value pairs used to tag an associated repository. A tag is a custom attribute label with two parts:\n\n- A *tag key* (for example, `CostCenter` , `Environment` , `Project` , or `Secret` ). Tag keys are case sensitive.\n- An optional field known as a *tag value* (for example, `111122223333` , `Production` , or a team name). Omitting the tag value is the same as using an empty string. Like tag keys, tag values are case sensitive.", "Type": "The type of repository that contains the source code to be reviewed. The valid values are:\n\n- `CodeCommit`\n- `Bitbucket`\n- `GitHubEnterpriseServer`\n- `S3Bucket`" }, + "AWS::CodeGuruReviewer::RepositoryAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::CodePipeline::CustomActionType": { "Category": "The category of the custom action, such as a build action or a test action.", "ConfigurationProperties": "The configuration properties for the custom action.\n\n> You can refer to a name in the configuration properties of the custom action within the URL templates by following the format of {Config:name}, as long as the configuration property is both required and not secret. For more information, see [Create a Custom Action for a Pipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-create-custom-action.html) .", @@ -5585,6 +6011,10 @@ "RevisionUrlTemplate": "The URL returned to the CodePipeline console that contains a link to the page where customers can update or change the configuration of the external action.", "ThirdPartyConfigurationUrl": "The URL of a sign-up page where users can sign up for an external service and perform initial configuration of the action provided by that service." }, + "AWS::CodePipeline::CustomActionType Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodePipeline::Pipeline": { "ArtifactStore": "The S3 bucket where artifacts for the pipeline are stored.\n\n> You must include either `artifactStore` or `artifactStores` in your pipeline, but you cannot use both. If you create a cross-region action in your pipeline, you must use `artifactStores` .", "ArtifactStores": "A mapping of `artifactStore` objects and their corresponding AWS Regions. There must be an artifact store for the pipeline Region and for each cross-region action in the pipeline.\n\n> You must include either `artifactStore` or `artifactStores` in your pipeline, but you cannot use both. If you create a cross-region action in your pipeline, you must use `artifactStores` .", @@ -5644,6 +6074,10 @@ "Reason": "The reason given to the user that a stage is disabled, such as waiting for manual approval or manual tests. This message is displayed in the pipeline console UI.", "StageName": "The name of the stage where you want to disable the inbound or outbound transition of artifacts." }, + "AWS::CodePipeline::Pipeline Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodePipeline::Webhook": { "Authentication": "Supported options are GITHUB_HMAC, IP, and UNAUTHENTICATED.\n\n- For information about the authentication scheme implemented by GITHUB_HMAC, see [Securing your webhooks](https://docs.aws.amazon.com/https://developer.github.com/webhooks/securing/) on the GitHub Developer website.\n- IP rejects webhooks trigger requests unless they originate from an IP address in the IP range whitelisted in the authentication configuration.\n- UNAUTHENTICATED accepts all webhook trigger requests regardless of origin.", "AuthenticationConfiguration": "Properties that configure the authentication applied to incoming webhook trigger requests. The required properties depend on the authentication type. For GITHUB_HMAC, only the `SecretToken` property must be set. For IP, only the `AllowedIPRange` property must be set to a valid CIDR range. For UNAUTHENTICATED, no properties can be set.", @@ -5686,6 +6120,10 @@ "ProviderType": "The name of the external provider where your third-party code repository is configured.", "Tags": "Specifies the tags applied to the resource." }, + "AWS::CodeStarConnections::Connection Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::CodeStarNotifications::NotificationRule": { "CreatedBy": "", "DetailType": "The level of detail to include in the notifications for this resource. `BASIC` will include only the contents of the event as it would appear in Amazon CloudWatch. `FULL` will include any supplemental information provided by AWS CodeStar Notifications and/or the service for the resource for which the notification is created.", @@ -5755,6 +6193,18 @@ "AWS::Cognito::IdentityPoolRoleAttachment RulesConfigurationType": { "Rules": "The rules. You can specify up to 25 rules per identity provider." }, + "AWS::Cognito::LogDeliveryConfiguration": { + "LogConfigurations": "The detailed activity logging destination of a user pool.", + "UserPoolId": "The ID of the user pool where you configured detailed activity logging." + }, + "AWS::Cognito::LogDeliveryConfiguration CloudWatchLogsConfiguration": { + "LogGroupArn": "The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool.\n\nTo send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with `/aws/vendedlogs` . For more information, see [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) ." + }, + "AWS::Cognito::LogDeliveryConfiguration LogConfiguration": { + "CloudWatchLogsConfiguration": "The CloudWatch logging destination of a user pool detailed activity logging configuration.", + "EventSource": "The source of events that your user pool sends for detailed activity logging.", + "LogLevel": "The `errorlevel` selection of logs that a user pool sends for detailed activity logging." + }, "AWS::Cognito::UserPool": { "AccountRecoverySetting": "Use this setting to define which verified available method a user can use to recover their password when they call `ForgotPassword` . It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.", "AdminCreateUserConfig": "The configuration for creating a new user profile.", @@ -5774,7 +6224,7 @@ "SmsConfiguration": "The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .", "SmsVerificationMessage": "This parameter is no longer used. See [VerificationMessageTemplateType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html) .", "UserAttributeUpdateSettings": "The settings for updates to user attributes. These settings include the property `AttributesRequireVerificationBeforeUpdate` ,\na user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For\nmore information, see [Verifying updates to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates) .", - "UserPoolAddOns": "Enables advanced security risk detection. Set the key `AdvancedSecurityMode` to the value \"AUDIT\".", + "UserPoolAddOns": "User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .\n\nFor more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) .", "UserPoolName": "A string used to name the user pool.", "UserPoolTags": "The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.", "UsernameAttributes": "Determines whether email addresses or phone numbers can be specified as user names when a user signs up. Possible values: `phone_number` or `email` .\n\nThis user pool property cannot be updated.", @@ -5806,7 +6256,7 @@ "EmailSendingAccount": "Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration. Specify one of the following values:\n\n- **COGNITO_DEFAULT** - When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration.\n\nTo look up the email delivery limit for the default option, see [Limits](https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html) in the *Amazon Cognito Developer Guide* .\n\nThe default FROM address is `no-reply@verificationemail.com` . To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for the `SourceArn` parameter.\n- **DEVELOPER** - When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account .\n\nIf you use this option, provide the ARN of an Amazon SES verified email address for the `SourceArn` parameter.\n\nBefore Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a *service-linked role* , which is a type of role in your AWS account . This role contains the permissions that allow you to access Amazon SES and send email messages from your email address. For more information about the service-linked role that Amazon Cognito creates, see [Using Service-Linked Roles for Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/using-service-linked-roles.html) in the *Amazon Cognito Developer Guide* .", "From": "Identifies either the sender's email address or the sender's name with their email address. For example, `testuser@example.com` or `Test User ` . This address appears before the body of the email.", "ReplyToEmailAddress": "The destination to which the receiver of the email should reply.", - "SourceArn": "The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) ." + "SourceArn": "The ARN of a verified email address or an address from a verified domain in Amazon SES. You can set a `SourceArn` email from a verified domain only with an API request. You can set a verified email address, but not an address in a verified domain, in the Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) ." }, "AWS::Cognito::UserPool InviteMessageTemplate": { "EmailMessage": "The message template for email messages. EmailMessage is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.", @@ -5838,7 +6288,7 @@ "RequireNumbers": "In the password policy that you have set, refers to whether you have required users to use at least one number in their password.", "RequireSymbols": "In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.", "RequireUppercase": "In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.", - "TemporaryPasswordValidityDays": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool." + "TemporaryPasswordValidityDays": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to `7` . If you submit a value of `0` , Amazon Cognito treats it as a null value and sets `TemporaryPasswordValidityDays` to its default value.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool." }, "AWS::Cognito::UserPool Policies": { "PasswordPolicy": "The password policy." @@ -5848,10 +6298,10 @@ "Priority": "A positive integer specifying priority of a method with 1 being the highest priority." }, "AWS::Cognito::UserPool SchemaAttribute": { - "AttributeDataType": "The attribute data type.", + "AttributeDataType": "The data format of the values for your attribute. When you choose an `AttributeDataType` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example `\"custom:isMember\" : \"true\"` or `\"custom:YearsAsMember\" : \"12\"` .", "DeveloperOnlyAttribute": "> We recommend that you use [WriteAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes) in the user pool client to control how attributes can be mutated for new use cases instead of using `DeveloperOnlyAttribute` . \n\nSpecifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users will not be able to modify this attribute using their access token.", - "Mutable": "Specifies whether the value of the attribute can be changed.\n\nFor any user pool attribute that is mapped to an IdP attribute, you must set this parameter to `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", - "Name": "A schema attribute of the name type.", + "Mutable": "Specifies whether the value of the attribute can be changed.\n\nAny user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "Name": "The name of your user pool attribute. When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a `Name` value of `MyAttribute` , Amazon Cognito creates the custom attribute `custom:MyAttribute` . When `DeveloperOnlyAttribute` is `true` , Amazon Cognito creates your attribute as `dev:MyAttribute` . In an operation that describes a user pool, Amazon Cognito returns this value as `value` for standard attributes, `custom:value` for custom attributes, and `dev:value` for developer-only attributes..", "NumberAttributeConstraints": "Specifies the constraints for an attribute of the number type.", "Required": "Specifies whether a user pool attribute is required. If the attribute is required and the user doesn't provide a value, registration or sign-in will fail.", "StringAttributeConstraints": "Specifies the constraints for an attribute of the string type." @@ -5869,7 +6319,7 @@ "AttributesRequireVerificationBeforeUpdate": "Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn\u2019t change the value of the attribute until your user responds to the verification message and confirms the new value.\n\nYou can verify an updated email address or phone number with a [VerifyUserAttribute](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html) API request. You can also call the [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) API and set `email_verified` or `phone_number_verified` to true.\n\nWhen `AttributesRequireVerificationBeforeUpdate` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where `AttributesRequireVerificationBeforeUpdate` is false, API operations that change attribute values can immediately update a user\u2019s `email` or `phone_number` attribute." }, "AWS::Cognito::UserPool UserPoolAddOns": { - "AdvancedSecurityMode": "The advanced security mode." + "AdvancedSecurityMode": "The operating mode of advanced security features in your user pool." }, "AWS::Cognito::UserPool UsernameConfiguration": { "CaseSensitive": "Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name.\n\nValid values include:\n\n- **True** - Enables case sensitivity for all username input. When this option is set to `True` , users must sign in using the exact capitalization of their given username, such as \u201cUserName\u201d. This is the default value.\n- **False** - Enables case insensitivity for all username input. For example, when this option is set to `False` , users can sign in using `username` , `USERNAME` , or `UserName` . This option also enables both `preferred_username` and `email` alias to be case insensitive, in addition to the `username` attribute." @@ -5885,7 +6335,7 @@ "AWS::Cognito::UserPoolClient": { "AccessTokenValidity": "The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for `AccessTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.\n\nFor example, when you set `AccessTokenValidity` to `10` and `TokenValidityUnits` to `hours` , your user can authorize access with their access token for 10 hours.\n\nThe default time unit for `AccessTokenValidity` in an API request is hours.", "AllowedOAuthFlows": "The allowed OAuth flows.\n\n- **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.\n- **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.\n- **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.", - "AllowedOAuthFlowsUserPoolClient": "Set to true if the client is allowed to follow the OAuth protocol when interacting with Amazon Cognito user pools.", + "AllowedOAuthFlowsUserPoolClient": "Set to `true` to use OAuth 2.0 features in your user pool app client.\n\n`AllowedOAuthFlowsUserPoolClient` must be `true` before you can configure the following features in your app client.\n\n- `CallBackURLs` : Callback URLs.\n- `LogoutURLs` : Sign-out redirect URLs.\n- `AllowedOAuthScopes` : OAuth 2.0 scopes.\n- `AllowedOAuthFlows` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants.\n\nTo use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false` .", "AllowedOAuthScopes": "The allowed OAuth scopes. Possible values provided by OAuth are `phone` , `email` , `openid` , and `profile` . Possible values provided by AWS are `aws.cognito.signin.user.admin` . Custom scopes created in Resource Servers are also supported.", "AnalyticsConfiguration": "The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.\n\n> In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.", "AuthSessionValidity": "Amazon Cognito creates a session token for each API request in an authentication flow. `AuthSessionValidity` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.", @@ -5899,12 +6349,12 @@ "IdTokenValidity": "The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for `IdTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.\n\nFor example, when you set `IdTokenValidity` as `10` and `TokenValidityUnits` as `hours` , your user can authenticate their session with their ID token for 10 hours.\n\nThe default time unit for `IdTokenValidity` in an API request is hours.", "LogoutURLs": "A list of allowed logout URLs for the IdPs.", "PreventUserExistenceErrors": "Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY` , those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.", - "ReadAttributes": "The read attributes.", + "ReadAttributes": "The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a [GetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html) API request to retrieve and display your user's profile data.\n\nWhen you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified` , `phone_number_verified` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.", "RefreshTokenValidity": "The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for `RefreshTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.\n\nFor example, when you set `RefreshTokenValidity` as `10` and `TokenValidityUnits` as `days` , your user can refresh their session and retrieve new access and ID tokens for 10 days.\n\nThe default time unit for `RefreshTokenValidity` in an API request is days. You can't set `RefreshTokenValidity` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.", "SupportedIdentityProviders": "A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: `COGNITO` , `Facebook` , `Google` , `SignInWithApple` , and `LoginWithAmazon` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example `MySAMLIdP` or `MyOIDCIdP` .", "TokenValidityUnits": "The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.", "UserPoolId": "The user pool ID for the user pool where you want to create a user pool client.", - "WriteAttributes": "The user pool attributes that the app client can write to.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) ." + "WriteAttributes": "The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) API request and sets `family_name` to the new value.\n\nWhen you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) ." }, "AWS::Cognito::UserPoolClient AnalyticsConfiguration": { "ApplicationArn": "The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You can use the Amazon Pinpoint project for integration with the chosen user pool client. Amazon Cognito publishes events to the Amazon Pinpoint project that the app ARN declares.", @@ -6007,17 +6457,17 @@ "MessageAction": "Set to `RESEND` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to `SUPPRESS` to suppress sending the message. You can specify only one value.", "UserAttributes": "The user attributes and attribute values to be set for the user to be created. These are name-value pairs You can create a user without specifying any attributes other than `Username` . However, any attributes that you specify as required (in [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or in the *Attributes* tab of the console) must be supplied either by you (in your call to `AdminCreateUser` ) or by the user (when they sign up in response to your welcome message).\n\nFor custom attributes, you must prepend the `custom:` prefix to the attribute name.\n\nTo send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.\n\nIn your call to `AdminCreateUser` , you can set the `email_verified` attribute to `True` , and you can set the `phone_number_verified` attribute to `True` . (You can also do this by calling [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) .)\n\n- *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the `email_verified` attribute is set to `True` , or if `\"EMAIL\"` is specified in the `DesiredDeliveryMediums` parameter.\n- *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the `phone_number_verified` attribute is set to `True` , or if `\"SMS\"` is specified in the `DesiredDeliveryMediums` parameter.", "UserPoolId": "The user pool ID for the user pool where the user will be created.", - "Username": "The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.", - "ValidationData": "The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.\n\nTo configure custom validation, you must create a Pre Sign-up AWS Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.\n\nThe user's validation data isn't persisted." + "Username": "The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter.\n\n- The username can't be a duplicate of another username in the same user pool.\n- You can't change the value of a username after you create it.\n- You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases) .", + "ValidationData": "Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.\n\nYour Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.\n\nFor more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html) ." }, "AWS::Cognito::UserPoolUser AttributeType": { "Name": "The name of the attribute.", "Value": "The value of the attribute." }, "AWS::Cognito::UserPoolUserToGroupAttachment": { - "GroupName": "The group name.", + "GroupName": "The name of the group that you want to add your user to.", "UserPoolId": "The user pool ID for the user pool.", - "Username": "The username for the user." + "Username": "" }, "AWS::Comprehend::DocumentClassifier": { "DataAccessRoleArn": "The Amazon Resource Name (ARN) of the IAM role that grants Amazon Comprehend read access to your input data.", @@ -6061,6 +6511,10 @@ "DocumentReadMode": "Determines the text extraction actions for PDF files. Enter one of the following values:\n\n- `SERVICE_DEFAULT` - use the Amazon Comprehend service defaults for PDF files.\n- `FORCE_DOCUMENT_READ_ACTION` - Amazon Comprehend uses the Textract API specified by DocumentReadAction for all PDF files, including digital PDF files.", "FeatureTypes": "Specifies the type of Amazon Textract features to apply. If you chose `TEXTRACT_ANALYZE_DOCUMENT` as the read action, you must specify one or both of the following values:\n\n- `TABLES` - Returns information about any tables that are detected in the input document.\n- `FORMS` - Returns information and the data from any forms that are detected in the input document." }, + "AWS::Comprehend::DocumentClassifier Tag": { + "Key": "The initial part of a key-value pair that forms a tag associated with a given resource. For instance, if you want to show which resources are used by which departments, you might use \u201cDepartment\u201d as the key portion of the pair, with multiple possible values such as \u201csales,\u201d \u201clegal,\u201d and \u201cadministration.\u201d", + "Value": "The second part of a key-value pair that forms a tag associated with a given resource. For instance, if you want to show which resources are used by which departments, you might use \u201cDepartment\u201d as the initial (key) portion of the pair, with a value of \u201csales\u201d to indicate the sales department." + }, "AWS::Comprehend::DocumentClassifier VpcConfig": { "SecurityGroupIds": "The ID number for a security group on an instance of your private VPC. Security groups on your VPC function serve as a virtual firewall to control inbound and outbound traffic and provides security for the resources that you\u2019ll be accessing on the VPC. This ID number is preceded by \"sg-\", for instance: \"sg-03b388029b0a285ea\". For more information, see [Security Groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) .", "Subnets": "The ID for each subnet being used in your private VPC. This subnet is a subset of the a range of IPv4 addresses used by the VPC and is specific to a given availability zone in the VPC\u2019s Region. This ID number is preceded by \"subnet-\", for instance: \"subnet-04ccf456919e69055\". For more information, see [VPCs and Subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) ." @@ -6091,6 +6545,10 @@ "AWS::Comprehend::Flywheel EntityTypesListItem": { "Type": "An entity type within a labeled training dataset that Amazon Comprehend uses to train a custom entity recognizer.\n\nEntity types must not contain the following invalid characters: \\n (line break), \\\\n (escaped line break, \\r (carriage return), \\\\r (escaped carriage return), \\t (tab), \\\\t (escaped tab), space, and , (comma)." }, + "AWS::Comprehend::Flywheel Tag": { + "Key": "The initial part of a key-value pair that forms a tag associated with a given resource. For instance, if you want to show which resources are used by which departments, you might use \u201cDepartment\u201d as the key portion of the pair, with multiple possible values such as \u201csales,\u201d \u201clegal,\u201d and \u201cadministration.\u201d", + "Value": "The second part of a key-value pair that forms a tag associated with a given resource. For instance, if you want to show which resources are used by which departments, you might use \u201cDepartment\u201d as the initial (key) portion of the pair, with a value of \u201csales\u201d to indicate the sales department." + }, "AWS::Comprehend::Flywheel TaskConfig": { "DocumentClassificationConfig": "Configuration required for a document classification model.", "EntityRecognitionConfig": "Configuration required for an entity recognition model.", @@ -6105,19 +6563,31 @@ "AuthorizedAwsRegion": "The region authorized to collect aggregated data.", "Tags": "An array of tag object." }, + "AWS::Config::AggregationAuthorization Tag": { + "Key": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key)." + }, "AWS::Config::ConfigRule": { + "Compliance": "Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.", "ConfigRuleName": "A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .", "Description": "The description that you provide for the AWS Config rule.", + "EvaluationModes": "The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.", "InputParameters": "A string, in JSON format, that is passed to the AWS Config rule Lambda function.", "MaximumExecutionFrequency": "The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value for `MaximumExecutionFrequency` when:\n\n- You are using an AWS managed rule that is triggered at a periodic frequency.\n- Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more information, see [ConfigSnapshotDeliveryProperties](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html) .\n\n> By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the `MaximumExecutionFrequency` parameter.", "Scope": "Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.\n\n> The scope can be empty.", "Source": "Provides the rule owner ( `AWS` for managed rules, `CUSTOM_POLICY` for Custom Policy rules, and `CUSTOM_LAMBDA` for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your AWS resources." }, + "AWS::Config::ConfigRule Compliance": { + "Type": "Indicates whether an AWS resource or AWS Config rule is compliant.\n\nA resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.\n\nA rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.\n\nAWS Config returns the `INSUFFICIENT_DATA` value when no evaluation results are available for the AWS resource or AWS Config rule.\n\nFor the `Compliance` data type, AWS Config supports only `COMPLIANT` , `NON_COMPLIANT` , and `INSUFFICIENT_DATA` values. AWS Config does not support the `NOT_APPLICABLE` value for the `Compliance` data type." + }, "AWS::Config::ConfigRule CustomPolicyDetails": { "EnableDebugLogDelivery": "The boolean expression for enabling debug logging for your AWS Config Custom Policy rule. The default value is `false` .", "PolicyRuntime": "The runtime system for your AWS Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard) .", "PolicyText": "The policy definition containing the logic for your AWS Config Custom Policy rule." }, + "AWS::Config::ConfigRule EvaluationModeConfiguration": { + "Mode": "The mode of an evaluation. The valid values are Detective or Proactive." + }, "AWS::Config::ConfigRule Scope": { "ComplianceResourceId": "The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for `ComplianceResourceTypes` .", "ComplianceResourceTypes": "The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for `ComplianceResourceId` .", @@ -6151,15 +6621,27 @@ "AwsRegions": "The source regions being aggregated.", "RoleArn": "ARN of the IAM role used to retrieve AWS Organizations details associated with the aggregator account." }, + "AWS::Config::ConfigurationAggregator Tag": { + "Key": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key)." + }, "AWS::Config::ConfigurationRecorder": { - "Name": "A name for the configuration recorder. If you don't specify a name, AWS CloudFormation CloudFormation generates a unique physical ID and uses that ID for the configuration recorder name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> After you create a configuration recorder, you cannot rename it. If you don't want a name that AWS CloudFormation generates, specify a value for this property. \n\nUpdates are not supported.", - "RecordingGroup": "Indicates whether to record configurations for all supported resources or for a list of resource types. The resource types that you list must be supported by AWS Config .", - "RoleARN": "The Amazon Resource Name (ARN) of the IAM (IAM) role that is used to make read or write requests to the delivery channel that you specify and to get configuration details for supported AWS resources. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide." + "Name": "The name of the configuration recorder. AWS Config automatically assigns the name of \"default\" when creating the configuration recorder.\n\nYou cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.", + "RecordingGroup": "Specifies which resource types AWS Config records for configuration changes.\n\n> *High Number of AWS Config Evaluations*\n> \n> You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.\n> \n> If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud ( Amazon EC2 ) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling . If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.", + "RoleARN": "Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.\n\n> *Pre-existing AWS Config role*\n> \n> If you have used an AWS service that uses AWS Config , such as AWS Security Hub or AWS Control Tower , and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected.\n> \n> For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service ( Amazon S3 ) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config . Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config , see [*Identity and Access Management for AWS Config*](https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html) in the *AWS Config Developer Guide* ." + }, + "AWS::Config::ConfigurationRecorder ExclusionByResourceTypes": { + "ResourceTypes": "A comma-separated list of resource types to exclude from recording by the configuration recorder." }, "AWS::Config::ConfigurationRecorder RecordingGroup": { - "AllSupported": "Specifies whether AWS Config records configuration changes for all supported regional resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new type of regional resource, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .", - "IncludeGlobalResourceTypes": "Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.\n\nBefore you can set this option to `true` , you must set the `AllSupported` option to `true` .\n\nIf you set this option to `true` , when AWS Config adds support for a new type of global resource, it starts recording resources of that type automatically.\n\nThe configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.", - "ResourceTypes": "A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail` ).\n\nTo record all configuration changes, you must set the `AllSupported` option to `false` .\n\nIf you set the `AllSupported` option to false and populate the `ResourceTypes` option with values, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.\n\nFor a list of valid `resourceTypes` values, see the *resourceType Value* column in [Supported AWS Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) ." + "AllSupported": "Specifies whether AWS Config records configuration changes for all supported regionally recorded resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new regionally recorded resource type, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Region Availability*\n> \n> Check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if a resource type is supported in the AWS Region where you set up AWS Config .", + "ExclusionByResourceTypes": "An object that specifies how AWS Config excludes resource types from being recorded by the configuration recorder.\n\nTo use this option, you must set the `useOnly` field of [AWS::Config::ConfigurationRecorder RecordingStrategy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .", + "IncludeGlobalResourceTypes": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", + "RecordingStrategy": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "ResourceTypes": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config ." + }, + "AWS::Config::ConfigurationRecorder RecordingStrategy": { + "UseOnly": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)" }, "AWS::Config::ConformancePack": { "ConformancePackInputParameters": "A list of ConformancePackInputParameter objects.", @@ -6168,7 +6650,7 @@ "DeliveryS3KeyPrefix": "The prefix for the Amazon S3 bucket.", "TemplateBody": "A string containing full conformance pack template body. Structure containing the template body with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\n> You can only use a YAML template with two resource types: config rule ( `AWS::Config::ConfigRule` ) and a remediation action ( `AWS::Config::RemediationConfiguration` ).", "TemplateS3Uri": "Location of file containing the template body (s3://bucketname/prefix). The uri must point to the conformance pack template (max size: 300 KB) that is located in an Amazon S3 bucket.\n\n> You must have access to read Amazon S3 bucket.", - "TemplateSSMDocumentDetails": "" + "TemplateSSMDocumentDetails": "An object that contains the name or Amazon Resource Name (ARN) of the AWS Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack." }, "AWS::Config::ConformancePack ConformancePackInputParameter": { "ParameterName": "One part of a key-value pair.", @@ -6192,22 +6674,22 @@ "AWS::Config::OrganizationConfigRule": { "ExcludedAccounts": "A comma-separated list of accounts excluded from organization AWS Config rule.", "OrganizationConfigRuleName": "The name that you assign to organization AWS Config rule.", - "OrganizationCustomPolicyRuleMetadata": "", + "OrganizationCustomPolicyRuleMetadata": "An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.", "OrganizationCustomRuleMetadata": "An `OrganizationCustomRuleMetadata` object.", "OrganizationManagedRuleMetadata": "An `OrganizationManagedRuleMetadata` object." }, "AWS::Config::OrganizationConfigRule OrganizationCustomPolicyRuleMetadata": { - "DebugLogDeliveryAccounts": "", - "Description": "", - "InputParameters": "", - "MaximumExecutionFrequency": "", - "OrganizationConfigRuleTriggerTypes": "", - "PolicyText": "", - "ResourceIdScope": "", - "ResourceTypesScope": "", - "Runtime": "", - "TagKeyScope": "", - "TagValueScope": "" + "DebugLogDeliveryAccounts": "A list of accounts that you can enable debug logging for your organization AWS Config Custom Policy rule. List is null when debug logging is enabled for all accounts.", + "Description": "The description that you provide for your organization AWS Config Custom Policy rule.", + "InputParameters": "A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.", + "MaximumExecutionFrequency": "The maximum frequency with which AWS Config runs evaluations for a rule. Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. For more information, see `ConfigSnapshotDeliveryProperties` .", + "OrganizationConfigRuleTriggerTypes": "The type of notification that initiates AWS Config to run an evaluation for a rule. For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types:\n\n- `ConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change.\n- `OversizedConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.", + "PolicyText": "The policy definition containing the logic for your organization AWS Config Custom Policy rule.", + "ResourceIdScope": "The ID of the AWS resource that was evaluated.", + "ResourceTypesScope": "The type of the AWS resource that was evaluated.", + "Runtime": "The runtime system for your organization AWS Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard) .", + "TagKeyScope": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", + "TagValueScope": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key)." }, "AWS::Config::OrganizationConfigRule OrganizationCustomRuleMetadata": { "Description": "The description that you provide for your organization AWS Config rule.", @@ -6262,22 +6744,20 @@ "ResourceValue": "The value is dynamic and changes at run-time.", "StaticValue": "The value is static and does not change at run-time." }, - "AWS::Config::RemediationConfiguration ResourceValue": { - "Value": "The value is a resource ID." - }, "AWS::Config::RemediationConfiguration SsmControls": { "ConcurrentExecutionRatePercentage": "The maximum percentage of remediation actions allowed to run in parallel on the non-compliant resources for that specific rule. You can specify a percentage, such as 10%. The default value is 10.", "ErrorPercentage": "The percentage of errors that are allowed before SSM stops running automations on non-compliant resources for that specific rule. You can specify a percentage of errors, for example 10%. If you do not specifiy a percentage, the default is 50%. For example, if you set the ErrorPercentage to 40% for 10 non-compliant resources, then SSM stops running the automations when the fifth error is received." }, - "AWS::Config::RemediationConfiguration StaticValue": { - "Values": "A list of values. For example, the ARN of the assumed role." - }, "AWS::Config::StoredQuery": { "QueryDescription": "A unique description for the query.", "QueryExpression": "The expression of the query. For example, `SELECT resourceId, resourceType, supplementaryConfiguration.BucketVersioningConfiguration.status WHERE resourceType = 'AWS::S3::Bucket' AND supplementaryConfiguration.BucketVersioningConfiguration.status = 'Off'.`", "QueryName": "The name of the query.", "Tags": "An array of key-value pairs to apply to this resource." }, + "AWS::Config::StoredQuery Tag": { + "Key": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key)." + }, "AWS::Connect::ApprovedOrigin": { "InstanceId": "The Amazon Resource Name (ARN) of the instance.\n\n*Minimum* : `1`\n\n*Maximum* : `100`", "Origin": "Domain name to be added to the allow-list of the instance.\n\n*Maximum* : `267`" @@ -6291,6 +6771,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "Type": "The type of the flow. For descriptions of the available types, see [Choose a flow type](https://docs.aws.amazon.com/connect/latest/adminguide/create-contact-flow.html#contact-flow-types) in the *Amazon Connect Administrator Guide* ." }, + "AWS::Connect::ContactFlow Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::ContactFlowModule": { "Content": "The content of the flow module.", "Description": "The description of the flow module.", @@ -6299,6 +6783,10 @@ "State": "The state of the flow module.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Connect::ContactFlowModule Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::EvaluationForm": { "Description": "The description of the evaluation form.\n\n*Length Constraints* : Minimum length of 0. Maximum length of 1024.", "InstanceArn": "The identifier of the Amazon Connect instance.", @@ -6369,7 +6857,7 @@ "Options": "The answer options of the single select question.\n\n*Minimum* : 2\n\n*Maximum* : 256" }, "AWS::Connect::EvaluationForm NumericQuestionPropertyValueAutomation": { - "Label": "The property label of the automation.\n\n*Allowed values* : `OVERALL_CUSTOMER_SENTIMENT_SCORE` , `OVERALL_AGENT_SENTIMENT_SCORE` | `NON_TALK_TIME` | `NON_TALK_TIME_PERCENTAGE` | `NUMBER_OF_INTERRUPTIONS` | `CONTACT_DURATION` | `AGENT_INTERACTION_DURATION` | `CUSTOMER_HOLD_TIME`" + "Label": "The property label of the automation." }, "AWS::Connect::EvaluationForm ScoringStrategy": { "Mode": "The scoring mode of the evaluation form.\n\n*Allowed values* : `QUESTION_ONLY` | `SECTION_ONLY`", @@ -6380,6 +6868,10 @@ "Condition": "The condition to apply for the automation option. If the condition is PRESENT, then the option is applied when the contact data includes the category. Similarly, if the condition is NOT_PRESENT, then the option is applied when the contact data does not include the category.\n\n*Allowed values* : `PRESENT` | `NOT_PRESENT`\n\n*Maximum* : 50", "OptionRefId": "The identifier of the answer option. An identifier must be unique within the question.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 40." }, + "AWS::Connect::EvaluationForm Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::HoursOfOperation": { "Config": "Configuration information for the hours of operation.", "Description": "The description for the hours of operation.", @@ -6397,6 +6889,10 @@ "Hours": "The hours.", "Minutes": "The minutes." }, + "AWS::Connect::HoursOfOperation Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::Instance": { "Attributes": "A toggle for an individual feature at the instance level.", "DirectoryId": "The identifier for the directory.", @@ -6451,9 +6947,13 @@ "Description": "The description of the phone number.", "Prefix": "The prefix of the phone number. If provided, it must contain `+` as part of the country code.\n\n*Pattern* : `^\\\\+[0-9]{1,15}`", "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", - "TargetArn": "The Amazon Resource Name (ARN) of Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", + "TargetArn": "The Amazon Resource Name (ARN) for Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", "Type": "The type of phone number." }, + "AWS::Connect::PhoneNumber Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::Prompt": { "Description": "The description of the prompt.", "InstanceArn": "The identifier of the Amazon Connect instance.", @@ -6461,6 +6961,30 @@ "S3Uri": "The URI for the S3 bucket where the prompt is stored. This property is required when you create a prompt.", "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." }, + "AWS::Connect::Prompt Tag": { + "Key": "", + "Value": "" + }, + "AWS::Connect::Queue": { + "Description": "The description of the queue.", + "HoursOfOperationArn": "The Amazon Resource Name (ARN) of the hours of operation.", + "InstanceArn": "The identifier of the Amazon Connect instance.", + "MaxContacts": "The maximum number of contacts that can be in the queue before it is considered full.", + "Name": "The name of the queue.", + "OutboundCallerConfig": "The outbound caller ID name, number, and outbound whisper flow.", + "QuickConnectArns": "The Amazon Resource Names (ARN) of the of the quick connects available to agents who are working the queue.", + "Status": "The status of the queue.", + "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + }, + "AWS::Connect::Queue OutboundCallerConfig": { + "OutboundCallerIdName": "The caller ID name.", + "OutboundCallerIdNumberArn": "The Amazon Resource Name (ARN) of the outbound caller ID number.\n\n> Only use the phone number ARN format that doesn't contain `instance` in the path, for example, `arn:aws:connect:us-east-1:1234567890:phone-number/uuid` . This is the same ARN format that is returned when you create a phone number using CloudFormation , or when you call the [ListPhoneNumbersV2](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListPhoneNumbersV2.html) API.", + "OutboundFlowArn": "The Amazon Resource Name (ARN) of the outbound flow." + }, + "AWS::Connect::Queue Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::QuickConnect": { "Description": "The description of the quick connect.", "InstanceArn": "The Amazon Resource Name (ARN) of the instance.", @@ -6481,10 +7005,45 @@ "QuickConnectType": "The type of quick connect. In the Amazon Connect console, when you create a quick connect, you are prompted to assign one of the following types: Agent (USER), External (PHONE_NUMBER), or Queue (QUEUE).", "UserConfig": "The user configuration. This is required only if QuickConnectType is USER." }, + "AWS::Connect::QuickConnect Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::QuickConnect UserQuickConnectConfig": { "ContactFlowArn": "The Amazon Resource Name (ARN) of the flow.", "UserArn": "The Amazon Resource Name (ARN) of the user." }, + "AWS::Connect::RoutingProfile": { + "AgentAvailabilityTimer": "Whether agents with this routing profile will have their routing order calculated based on *time since their last inbound contact* or *longest idle time* .", + "DefaultOutboundQueueArn": "The Amazon Resource Name (ARN) of the default outbound queue for the routing profile.", + "Description": "The description of the routing profile.", + "InstanceArn": "The identifier of the Amazon Connect instance.", + "MediaConcurrencies": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "Name": "The name of the routing profile.", + "QueueConfigs": "The inbound queues associated with the routing profile. If no queue is added, the agent can make only outbound calls.", + "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + }, + "AWS::Connect::RoutingProfile CrossChannelBehavior": { + "BehaviorType": "Specifies the other channels that can be routed to an agent handling their current channel." + }, + "AWS::Connect::RoutingProfile MediaConcurrency": { + "Channel": "The channels that agents can handle in the Contact Control Panel (CCP).", + "Concurrency": "The number of contacts an agent can have on a channel simultaneously.\n\nValid Range for `VOICE` : Minimum value of 1. Maximum value of 1.\n\nValid Range for `CHAT` : Minimum value of 1. Maximum value of 10.\n\nValid Range for `TASK` : Minimum value of 1. Maximum value of 10.", + "CrossChannelBehavior": "Defines the cross-channel routing behavior for each channel that is enabled for this Routing Profile. For example, this allows you to offer an agent a different contact from another channel when they are currently working with a contact from a Voice channel." + }, + "AWS::Connect::RoutingProfile RoutingProfileQueueConfig": { + "Delay": "The delay, in seconds, a contact should be in the queue before they are routed to an available agent. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) in the *Amazon Connect Administrator Guide* .", + "Priority": "The order in which contacts are to be handled for the queue. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) .", + "QueueReference": "Contains information about a queue resource." + }, + "AWS::Connect::RoutingProfile RoutingProfileQueueReference": { + "Channel": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "QueueArn": "The Amazon Resource Name (ARN) of the queue." + }, + "AWS::Connect::RoutingProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::Rule": { "Actions": "A list of actions to be run when the rule is triggered.", "Function": "The conditions of the rule.", @@ -6512,7 +7071,7 @@ "Value": "A valid value for the reference. For example, for a URL reference, a formatted URL that is displayed to an agent in the Contact Control Panel (CCP)." }, "AWS::Connect::Rule RuleTriggerEventSource": { - "EventSourceName": "The name of the event source.\n\n*Allowed values* : `OnPostCallAnalysisAvailable` | `OnRealTimeCallAnalysisAvailable` | `OnPostChatAnalysisAvailable` | `OnZendeskTicketCreate` | `OnZendeskTicketStatusUpdate` | `OnSalesforceCaseCreate`", + "EventSourceName": "The name of the event source.", "IntegrationAssociationArn": "The Amazon Resource Name (ARN) of the integration association. `IntegrationAssociationArn` is required if `TriggerEventSource` is one of the following values: `OnZendeskTicketCreate` | `OnZendeskTicketStatusUpdate` | `OnSalesforceCaseCreate`" }, "AWS::Connect::Rule SendNotificationAction": { @@ -6522,6 +7081,10 @@ "Recipient": "Notification recipient.", "Subject": "The subject of the email if the delivery method is `EMAIL` . Supports variable injection. For more information, see [JSONPath reference](https://docs.aws.amazon.com/connect/latest/adminguide/contact-lens-variable-injection.html) in the *Amazon Connect Administrators Guide* ." }, + "AWS::Connect::Rule Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::Rule TaskAction": { "ContactFlowArn": "The Amazon Resource Name (ARN) of the flow.", "Description": "The description. Supports variable injection. For more information, see [JSONPath reference](https://docs.aws.amazon.com/connect/latest/adminguide/contact-lens-variable-injection.html) in the *Amazon Connect Administrators Guide* .", @@ -6532,6 +7095,19 @@ "InstanceId": "The Amazon Resource Name (ARN) of the instance.\n\n*Minimum* : `1`\n\n*Maximum* : `100`", "Key": "A valid security key in PEM format. For example:\n\n`\"-----BEGIN PUBLIC KEY-----\\ [a lot of characters] ----END PUBLIC KEY-----\"`\n\n*Minimum* : `1`\n\n*Maximum* : `1024`" }, + "AWS::Connect::SecurityProfile": { + "AllowedAccessControlTags": "The list of tags that a security profile uses to restrict access to resources in Amazon Connect.", + "Description": "The description of the security profile.", + "InstanceArn": "The identifier of the Amazon Connect instance.", + "Permissions": "Permissions assigned to the security profile. For a list of valid permissions, see [List of security profile permissions](https://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) .", + "SecurityProfileName": "The name for the security profile.", + "TagRestrictedResources": "The list of resources that a security profile applies tag restrictions to in Amazon Connect.", + "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + }, + "AWS::Connect::SecurityProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::TaskTemplate": { "ClientToken": "A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.", "Constraints": "Constraints that are applicable to the fields listed.\n\nThe values can be represented in either JSON or YAML format. For an example of the JSON configuration, see *Examples* at the bottom of this page.", @@ -6571,6 +7147,20 @@ "AWS::Connect::TaskTemplate RequiredFieldInfo": { "Id": "The unique identifier for the field." }, + "AWS::Connect::TaskTemplate Tag": { + "Key": "", + "Value": "" + }, + "AWS::Connect::TrafficDistributionGroup": { + "Description": "The description of the traffic distribution group.", + "InstanceArn": "The Amazon Resource Name (ARN).", + "Name": "The name of the traffic distribution group.", + "Tags": "The tags used to organize, track, or control access for this resource. For example, {\"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." + }, + "AWS::Connect::TrafficDistributionGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::User": { "DirectoryUserId": "The identifier of the user account in the directory used for identity management.", "HierarchyGroupArn": "The Amazon Resource Name (ARN) of the user's hierarchy group.", @@ -6583,6 +7173,10 @@ "Tags": "The tags.", "Username": "The user name assigned to the user account." }, + "AWS::Connect::User Tag": { + "Key": "", + "Value": "" + }, "AWS::Connect::User UserIdentityInfo": { "Email": "The email address. If you are using SAML for identity management and include this parameter, an error is returned.", "FirstName": "The first name. This is required if you are using Amazon Connect or SAML for identity management.", @@ -6599,7 +7193,29 @@ "AWS::Connect::UserHierarchyGroup": { "InstanceArn": "The Amazon Resource Name (ARN) of the user hierarchy group.", "Name": "The name of the user hierarchy group.", - "ParentGroupArn": "The Amazon Resource Name (ARN) of the parent group." + "ParentGroupArn": "The Amazon Resource Name (ARN) of the parent group.", + "Tags": "" + }, + "AWS::Connect::UserHierarchyGroup Tag": { + "Key": "", + "Value": "" + }, + "AWS::Connect::View": { + "Actions": "A list of actions possible from the view.", + "Description": "The description of the view.", + "InstanceArn": "The Amazon Resource Name (ARN) of the instance.", + "Name": "The name of the view.", + "Tags": "The tags associated with the view resource (not specific to view version).", + "Template": "The view template representing the structure of the view." + }, + "AWS::Connect::View Tag": { + "Key": "", + "Value": "" + }, + "AWS::Connect::ViewVersion": { + "VersionDescription": "The description of the view version.", + "ViewArn": "The unqualified Amazon Resource Name (ARN) of the view.\n\nFor example:\n\n`arn::connect:::instance/00000000-0000-0000-0000-000000000000/view/00000000-0000-0000-0000-000000000000`", + "ViewContentSha256": "Indicates the checksum value of the latest published view content." }, "AWS::ConnectCampaigns::Campaign": { "ConnectInstanceArn": "The Amazon Resource Name (ARN) of the Amazon Connect instance.", @@ -6608,28 +7224,38 @@ "OutboundCallConfig": "Contains information about the outbound call configuration.", "Tags": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }." }, + "AWS::ConnectCampaigns::Campaign AgentlessDialerConfig": { + "DialingCapacity": "The allocation of dialing capacity between multiple active campaigns." + }, "AWS::ConnectCampaigns::Campaign AnswerMachineDetectionConfig": { - "EnableAnswerMachineDetection": "" + "EnableAnswerMachineDetection": "Whether answering machine detection is enabled." }, "AWS::ConnectCampaigns::Campaign DialerConfig": { + "AgentlessDialerConfig": "The configuration of the agentless dialer.", "PredictiveDialerConfig": "The configuration of the predictive dialer.", "ProgressiveDialerConfig": "The configuration of the progressive dialer." }, "AWS::ConnectCampaigns::Campaign OutboundCallConfig": { - "AnswerMachineDetectionConfig": "", + "AnswerMachineDetectionConfig": "Whether answering machine detection has been enabled.", "ConnectContactFlowArn": "The Amazon Resource Name (ARN) of the flow.", "ConnectQueueArn": "The Amazon Resource Name (ARN) of the queue.", "ConnectSourcePhoneNumber": "The phone number associated with the outbound call. This is the caller ID that is displayed to customers when an agent calls them." }, "AWS::ConnectCampaigns::Campaign PredictiveDialerConfig": { - "BandwidthAllocation": "Bandwidth allocation for the predictive dialer." + "BandwidthAllocation": "Bandwidth allocation for the predictive dialer.", + "DialingCapacity": "The allocation of dialing capacity between multiple active campaigns." }, "AWS::ConnectCampaigns::Campaign ProgressiveDialerConfig": { - "BandwidthAllocation": "Bandwidth allocation for the progressive dialer." + "BandwidthAllocation": "Bandwidth allocation for the progressive dialer.", + "DialingCapacity": "The allocation of dialing capacity between multiple active campaigns." + }, + "AWS::ConnectCampaigns::Campaign Tag": { + "Key": "", + "Value": "" }, "AWS::ControlTower::EnabledControl": { - "ControlIdentifier": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* guardrail.", - "TargetIdentifier": "The ARN of the organizational unit." + "ControlIdentifier": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* control. For information on how to find the `controlIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", + "TargetIdentifier": "The ARN of the organizational unit. For information on how to find the `targetIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) ." }, "AWS::CustomerProfiles::CalculatedAttributeDefinition": { "AttributeDetails": "Mathematical expression and a list of attribute items specified in that expression.", @@ -6657,17 +7283,82 @@ "Unit": "The unit of time.", "Value": "The amount of time of the specified unit." }, + "AWS::CustomerProfiles::CalculatedAttributeDefinition Tag": { + "Key": "", + "Value": "" + }, "AWS::CustomerProfiles::CalculatedAttributeDefinition Threshold": { "Operator": "The operator of the threshold.", "Value": "The value of the threshold." }, "AWS::CustomerProfiles::Domain": { - "DeadLetterQueueUrl": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the DeadLetterQueue for the SendMessage operation to enable Amazon Connect Customer Profiles to send messages to the DeadLetterQueue.", + "DeadLetterQueueUrl": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the `DeadLetterQueue` for the `SendMessage` operation to enable Amazon Connect Customer Profiles to send messages to the `DeadLetterQueue` .", "DefaultEncryptionKey": "The default encryption key, which is an AWS managed key, is used when no specific type of encryption key is specified. It is used to encrypt all data before it is placed in permanent or semi-permanent storage.", "DefaultExpirationDays": "The default number of days until the data within the domain expires.", "DomainName": "The unique name of the domain.", + "Matching": "The process of matching duplicate profiles.", + "RuleBasedMatching": "The process of matching duplicate profiles using Rule-Based matching.", "Tags": "The tags used to organize, track, or control access for this resource." }, + "AWS::CustomerProfiles::Domain AttributeTypesSelector": { + "Address": "The `Address` type. You can choose from `Address` , `BusinessAddress` , `MaillingAddress` , and `ShippingAddress` . You only can use the `Address` type in the `MatchingRule` . For example, if you want to match a profile based on `BusinessAddress.City` or `MaillingAddress.City` , you can choose the `BusinessAddress` and the `MaillingAddress` to represent the `Address` type and specify the `Address.City` on the matching rule.", + "AttributeMatchingModel": "Configures the `AttributeMatchingModel` , you can either choose `ONE_TO_ONE` or `MANY_TO_MANY` .", + "EmailAddress": "The Email type. You can choose from `EmailAddress` , `BusinessEmailAddress` and `PersonalEmailAddress` . You only can use the `EmailAddress` type in the `MatchingRule` . For example, if you want to match profile based on `PersonalEmailAddress` or `BusinessEmailAddress` , you can choose the `PersonalEmailAddress` and the `BusinessEmailAddress` to represent the `EmailAddress` type and only specify the `EmailAddress` on the matching rule.", + "PhoneNumber": "The `PhoneNumber` type. You can choose from `PhoneNumber` , `HomePhoneNumber` , and `MobilePhoneNumber` . You only can use the `PhoneNumber` type in the `MatchingRule` . For example, if you want to match a profile based on `Phone` or `HomePhone` , you can choose the `Phone` and the `HomePhone` to represent the `PhoneNumber` type and only specify the `PhoneNumber` on the matching rule." + }, + "AWS::CustomerProfiles::Domain AutoMerging": { + "ConflictResolution": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "Consolidation": "A list of matching attributes that represent matching criteria. If two profiles meet at least one of the requirements in the matching attributes list, they will be merged.", + "Enabled": "The flag that enables the auto-merging of duplicate profiles.", + "MinAllowedConfidenceScoreForMerging": "A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means that a higher similarity is required to merge profiles." + }, + "AWS::CustomerProfiles::Domain ConflictResolution": { + "ConflictResolvingModel": "How the auto-merging process should resolve conflicts between different profiles.", + "SourceName": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel` ." + }, + "AWS::CustomerProfiles::Domain Consolidation": { + "MatchingAttributesList": "A list of matching criteria." + }, + "AWS::CustomerProfiles::Domain DomainStats": { + "MeteringProfileCount": "The number of profiles that you are currently paying for in the domain. If you have more than 100 objects associated with a single profile, that profile counts as two profiles. If you have more than 200 objects, that profile counts as three, and so on.", + "ObjectCount": "The total number of objects in domain.", + "ProfileCount": "The total number of profiles currently in the domain.", + "TotalSize": "The total size, in bytes, of all objects in the domain." + }, + "AWS::CustomerProfiles::Domain ExportingConfig": { + "S3Exporting": "" + }, + "AWS::CustomerProfiles::Domain JobSchedule": { + "DayOfTheWeek": "The day when the Identity Resolution Job should run every week.", + "Time": "The time when the Identity Resolution Job should run every week." + }, + "AWS::CustomerProfiles::Domain Matching": { + "AutoMerging": "Configuration information about the auto-merging process.", + "Enabled": "The flag that enables the matching process of duplicate profiles.", + "ExportingConfig": "The S3 location where Identity Resolution Jobs write result files.", + "JobSchedule": "The day and time when do you want to start the Identity Resolution Job every week." + }, + "AWS::CustomerProfiles::Domain MatchingRule": { + "Rule": "A single rule level of the `MatchRules` . Configures how the rule-based matching process should match profiles." + }, + "AWS::CustomerProfiles::Domain RuleBasedMatching": { + "AttributeTypesSelector": "Configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles.", + "ConflictResolution": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "Enabled": "The flag that enables the matching process of duplicate profiles.", + "ExportingConfig": "The S3 location where Identity Resolution Jobs write result files.", + "MatchingRules": "Configures how the rule-based matching process should match profiles. You can have up to 15 `MatchingRule` in the `MatchingRules` .", + "MaxAllowedRuleLevelForMatching": "Indicates the maximum allowed rule level for matching.", + "MaxAllowedRuleLevelForMerging": "Indicates the maximum allowed rule level for merging.", + "Status": "The status of rule-based matching rule." + }, + "AWS::CustomerProfiles::Domain S3ExportingConfig": { + "S3BucketName": "The name of the S3 bucket where Identity Resolution Jobs write result files.", + "S3KeyName": "The S3 key name of the location where Identity Resolution Jobs write result files." + }, + "AWS::CustomerProfiles::Domain Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::CustomerProfiles::EventStream": { "DomainName": "The unique name of the domain.", "EventStreamName": "The name of the event stream.", @@ -6678,6 +7369,10 @@ "Status": "The status of enabling the Kinesis stream as a destination for export.", "Uri": "The StreamARN of the destination to deliver profile events to. For example, arn:aws:kinesis:region:account-id:stream/stream-name." }, + "AWS::CustomerProfiles::EventStream Tag": { + "Key": "", + "Value": "" + }, "AWS::CustomerProfiles::Integration": { "DomainName": "The unique name of the domain.", "FlowDefinition": "The configuration that controls how Customer Profiles retrieves data from the source.", @@ -6745,6 +7440,10 @@ "IncrementalPullConfig": "Defines the configuration for a scheduled incremental data pull. If a valid configuration is provided, the fields specified in the configuration are used when querying for the incremental data pull.", "SourceConnectorProperties": "Specifies the information that is required to query a particular source connector." }, + "AWS::CustomerProfiles::Integration Tag": { + "Key": "", + "Value": "" + }, "AWS::CustomerProfiles::Integration Task": { "ConnectorOperator": "The operation to be performed on the provided source fields.", "DestinationField": "A field in a destination connector, or a field value against which Amazon AppFlow validates a source field.", @@ -6775,6 +7474,7 @@ "Fields": "A list of field definitions for the object type mapping.", "Keys": "A list of keys that can be used to map data to the profile or search for the profile.", "ObjectTypeName": "The name of the profile object type.", + "SourceLastUpdatedTimestampFormat": "The format of your sourceLastUpdatedTimestamp that was previously set up.", "Tags": "The tags used to organize, track, or control access for this resource.", "TemplateId": "A unique identifier for the template mapping. This can be used instead of specifying the Keys and Fields properties directly." }, @@ -6795,6 +7495,10 @@ "FieldNames": "The reference for the key name of the fields map.", "StandardIdentifiers": "The types of keys that a ProfileObject can have. Each ProfileObject can have only 1 UNIQUE key but multiple PROFILE keys. PROFILE means that this key can be used to tie an object to a PROFILE. UNIQUE means that it can be used to uniquely identify an object. If a key a is marked as SECONDARY, it will be used to search for profiles after all other PROFILE keys have been searched. A LOOKUP_ONLY key is only used to match a profile but is not persisted to be used for searching of the profile. A NEW_ONLY key is only used if the profile does not already exist before the object is ingested, otherwise it is only used for matching objects to profiles." }, + "AWS::CustomerProfiles::ObjectType Tag": { + "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", + "Value": "The value for the specified tag key." + }, "AWS::DAX::Cluster": { "AvailabilityZones": "The Availability Zones (AZs) in which the cluster nodes will reside after the cluster has been created or updated. If provided, the length of this list must equal the `ReplicationFactor` parameter. If you omit this parameter, DAX will spread the nodes across Availability Zones for the highest availability.", "ClusterEndpointEncryptionType": "The encryption type of the cluster's endpoint. Available values are:\n\n- `NONE` - The cluster's endpoint will be unencrypted.\n- `TLS` - The cluster's endpoint will be encrypted with Transport Layer Security, and will provide an x509 certificate for authentication.\n\nThe default value is `NONE` .", @@ -6836,10 +7540,10 @@ "Name": "A descriptive name for the action." }, "AWS::DLM::LifecyclePolicy ArchiveRetainRule": { - "RetentionArchiveTier": "" + "RetentionArchiveTier": "Information about retention period in the Amazon EBS Snapshots Archive. For more information, see [Archive Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/snapshot-archive.html) ." }, "AWS::DLM::LifecyclePolicy ArchiveRule": { - "RetainRule": "" + "RetainRule": "Information about the retention period for the snapshot archiving rule." }, "AWS::DLM::LifecyclePolicy CreateRule": { "CronExpression": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see [Cron expressions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html#CronExpressions) in the *Amazon CloudWatch User Guide* .", @@ -6854,8 +7558,8 @@ "Target": "The target Region." }, "AWS::DLM::LifecyclePolicy CrossRegionCopyDeprecateRule": { - "Interval": "", - "IntervalUnit": "" + "Interval": "The period after which to deprecate the cross-Region AMI copies. The period must be less than or equal to the cross-Region AMI copy retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", + "IntervalUnit": "The unit of time in which to measure the *Interval* . For example, to deprecate a cross-Region AMI copy after 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` ." }, "AWS::DLM::LifecyclePolicy CrossRegionCopyRetainRule": { "Interval": "The amount of time to retain a cross-Region snapshot or AMI copy. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.", @@ -6864,16 +7568,16 @@ "AWS::DLM::LifecyclePolicy CrossRegionCopyRule": { "CmkArn": "The Amazon Resource Name (ARN) of the AWS KMS key to use for EBS encryption. If this parameter is not specified, the default KMS key for the account is used.", "CopyTags": "Indicates whether to copy all user-defined tags from the source snapshot or AMI to the cross-Region copy.", - "DeprecateRule": "", + "DeprecateRule": "*[AMI policies only]* The AMI deprecation rule for cross-Region AMI copies created by the rule.", "Encrypted": "To encrypt a copy of an unencrypted snapshot if encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or if encryption by default is not enabled.", "RetainRule": "The retention rule that indicates how long the cross-Region snapshot or AMI copies are to be retained in the destination Region.", - "Target": "The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.\n\nUse this parameter instead of *TargetRegion* . Do not specify both.", - "TargetRegion": "> Avoid using this parameter when creating new policies. Instead, use *Target* to specify a target Region or a target Outpost for snapshot copies.\n> \n> For policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies." + "Target": "> Use this parameter for snapshot policies only. For AMI policies, use *TargetRegion* instead. \n\n*[Snapshot policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", + "TargetRegion": "> Use this parameter for AMI policies only. For snapshot policies, use *Target* instead. For snapshot policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies. \n\n*[AMI policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies." }, "AWS::DLM::LifecyclePolicy DeprecateRule": { - "Count": "", - "Interval": "", - "IntervalUnit": "" + "Count": "If the schedule has a count-based retention rule, this parameter specifies the number of oldest AMIs to deprecate. The count must be less than or equal to the schedule's retention count, and it can't be greater than 1000.", + "Interval": "If the schedule has an age-based retention rule, this parameter specifies the period after which to deprecate AMIs created by the schedule. The period must be less than or equal to the schedule's retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", + "IntervalUnit": "The unit of time in which to measure the *Interval* ." }, "AWS::DLM::LifecyclePolicy EncryptionConfiguration": { "CmkArn": "The Amazon Resource Name (ARN) of the AWS KMS key to use for EBS encryption. If this parameter is not specified, the default KMS key for the account is used.", @@ -6896,7 +7600,7 @@ }, "AWS::DLM::LifecyclePolicy Parameters": { "ExcludeBootVolume": "*[Snapshot policies that target instances only]* Indicates whether to exclude the root volume from multi-volume snapshot sets. The default is `false` . If you specify `true` , then the root volumes attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", - "ExcludeDataVolumeTags": "", + "ExcludeDataVolumeTags": "*[Snapshot policies that target instances only]* The tags used to identify data (non-root) volumes to exclude from multi-volume snapshot sets.\n\nIf you create a snapshot lifecycle policy that targets instances and you specify tags for this parameter, then data volumes with the specified tags that are attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", "NoReboot": "*[AMI policies only]* Indicates whether targeted instances are rebooted when the lifecycle policy runs. `true` indicates that targeted instances are not rebooted when the policy runs. `false` indicates that target instances are rebooted when the policy runs. The default is `true` (instances are not rebooted)." }, "AWS::DLM::LifecyclePolicy PolicyDetails": { @@ -6915,16 +7619,16 @@ "IntervalUnit": "The unit of time for time-based retention. For example, to retain snapshots for 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` . Once the snapshot has been retained for 3 months, it is deleted, or it is moved to the archive tier if you have specified an `ArchiveRule` ." }, "AWS::DLM::LifecyclePolicy RetentionArchiveTier": { - "Count": "", - "Interval": "", - "IntervalUnit": "" + "Count": "The maximum number of snapshots to retain in the archive storage tier for each volume. The count must ensure that each snapshot remains in the archive tier for at least 90 days. For example, if the schedule creates snapshots every 30 days, you must specify a count of 3 or more to ensure that each snapshot is archived for at least 90 days.", + "Interval": "Specifies the period of time to retain snapshots in the archive tier. After this period expires, the snapshot is permanently deleted.", + "IntervalUnit": "The unit of time in which to measure the *Interval* . For example, to retain a snapshots in the archive tier for 6 months, specify `Interval=6` and `IntervalUnit=MONTHS` ." }, "AWS::DLM::LifecyclePolicy Schedule": { - "ArchiveRule": "", + "ArchiveRule": "*[Snapshot policies that target volumes only]* The snapshot archiving rule for the schedule. When you specify an archiving rule, snapshots are automatically moved from the standard tier to the archive tier once the schedule's retention threshold is met. Snapshots are then retained in the archive tier for the archive retention period that you specify.\n\nFor more information about using snapshot archiving, see [Considerations for snapshot lifecycle policies](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-ami-policy.html#dlm-archive) .", "CopyTags": "Copy all user-defined tags on a source volume to snapshots of the volume created by this policy.", "CreateRule": "The creation rule.", "CrossRegionCopyRules": "Specifies a rule for copying snapshots or AMIs across regions.\n\n> You can't specify cross-Region copy rules for policies that create snapshots on an Outpost. If the policy creates snapshots in a Region, then snapshots can be copied to up to three Regions or Outposts.", - "DeprecateRule": "", + "DeprecateRule": "*[AMI policies only]* The AMI deprecation rule for the schedule.", "FastRestoreRule": "*[Snapshot policies only]* The rule for enabling fast snapshot restore.", "Name": "The name of the schedule.", "RetainRule": "The retention rule for snapshots or AMIs created by the policy.", @@ -6937,6 +7641,10 @@ "UnshareInterval": "The period after which snapshots that are shared with other AWS accounts are automatically unshared.", "UnshareIntervalUnit": "The unit of time for the automatic unsharing interval." }, + "AWS::DLM::LifecyclePolicy Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::DMS::Certificate": { "CertificateIdentifier": "A customer-assigned name for the certificate. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen or contain two consecutive hyphens.", "CertificatePem": "The contents of a `.pem` file, which contains an X.509 certificate.", @@ -6950,7 +7658,7 @@ "ElasticsearchSettings": "Settings in JSON format for the target OpenSearch endpoint. For more information about the available settings, see [Extra connection attributes when using OpenSearch as a target for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.Elasticsearch.html#CHAP_Target.Elasticsearch.Configuration) in the *AWS Database Migration Service User Guide* .", "EndpointIdentifier": "The database endpoint identifier. Identifiers must begin with a letter and must contain only ASCII letters, digits, and hyphens. They can't end with a hyphen, or contain two consecutive hyphens.", "EndpointType": "The type of endpoint. Valid values are `source` and `target` .", - "EngineName": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", + "EngineName": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `redshift-serverless` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", "ExtraConnectionAttributes": "Additional attributes associated with the connection. Each attribute is specified as a name-value pair associated by an equal sign (=). Multiple attributes are separated by a semicolon (;) with no additional white space. For information on the attributes available for connecting your source or target endpoint, see [Working with AWS DMS Endpoints](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Endpoints.html) in the *AWS Database Migration Service User Guide* .", "GcpMySQLSettings": "Settings in JSON format for the source GCP MySQL endpoint. These settings are much the same as the settings for any MySQL-compatible endpoint. For more information, see [Extra connection attributes when using MySQL as a source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.MySQL.html#CHAP_Source.MySQL.ConnectionAttrib) in the *AWS Database Migration Service User Guide* .", "IbmDb2Settings": "Settings in JSON format for the source IBM Db2 LUW endpoint. For information about other available settings, see [Extra connection attributes when using Db2 LUW as a source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.DB2.html#CHAP_Source.DB2.ConnectionAttrib) in the *AWS Database Migration Service User Guide* .", @@ -7002,7 +7710,7 @@ "Port": "The port used by the endpoint database.", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret.` The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the MySQL endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the MySQL endpoint connection details.", - "ServerName": "Endpoint TCP port.", + "ServerName": "The MySQL host name.", "ServerTimezone": "Specifies the time zone for the source MySQL database. Don't enclose time zones in single quotation marks.\n\nExample: `serverTimezone=US/Pacific;`", "Username": "Endpoint connection user name." }, @@ -7048,13 +7756,21 @@ "AWS::DMS::Endpoint MicrosoftSqlServerSettings": { "BcpPacketSize": "The maximum size of the packets (in bytes) used to transfer data using BCP.", "ControlTablesFileGroup": "Specifies a file group for the AWS DMS internal tables. When the replication task starts, all the internal AWS DMS control tables (awsdms_ apply_exception, awsdms_apply, awsdms_changes) are created for the specified file group.", + "DatabaseName": "Database name for the endpoint.", + "ForceLobLookup": "Forces LOB lookup on inline LOB.", + "Password": "Endpoint connection password.", + "Port": "Endpoint TCP port.", "QuerySingleAlwaysOnNode": "Cleans and recreates table metadata information on the replication instance when a mismatch occurs. An example is a situation where running an alter DDL statement on a table might result in different information about the table cached in the replication instance.", "ReadBackupOnly": "When this attribute is set to `Y` , AWS DMS only reads changes from transaction log backups and doesn't read from the active transaction log file during ongoing replication. Setting this parameter to `Y` enables you to control active transaction log file growth during full load and ongoing replication tasks. However, it can add some source latency to ongoing replication.", "SafeguardPolicy": "Use this attribute to minimize the need to access the backup log and enable AWS DMS to prevent truncation using one of the following two methods.\n\n*Start transactions in the database:* This is the default method. When this method is used, AWS DMS prevents TLOG truncation by mimicking a transaction in the database. As long as such a transaction is open, changes that appear after the transaction started aren't truncated. If you need Microsoft Replication to be enabled in your database, then you must choose this method.\n\n*Exclusively use sp_repldone within a single task* : When this method is used, AWS DMS reads the changes and then uses sp_repldone to mark the TLOG transactions as ready for truncation. Although this method doesn't involve any transactional activities, it can only be used when Microsoft Replication isn't running. Also, when using this method, only one AWS DMS task can access the database at any given time. Therefore, if you need to run parallel AWS DMS tasks against the same database, use the default method.", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the SQL Server endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the MicrosoftSQLServer endpoint connection details.", + "ServerName": "Fully qualified domain name of the endpoint. For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "TlogAccessMode": "Indicates the mode used to fetch CDC data.", + "TrimSpaceInChar": "Use the `TrimSpaceInChar` source endpoint setting to right-trim data on CHAR and NCHAR data types during migration. Setting `TrimSpaceInChar` does not left-trim data. The default value is `true` .", "UseBcpFullLoad": "Use this to attribute to transfer data for full-load operations using BCP. When the target table contains an identity column that does not exist in the source table, you must disable the use BCP for loading table option.", - "UseThirdPartyBackupDevice": "When this attribute is set to `Y` , DMS processes third-party transaction log backups if they are created in native format." + "UseThirdPartyBackupDevice": "When this attribute is set to `Y` , DMS processes third-party transaction log backups if they are created in native format.", + "Username": "Endpoint connection user name." }, "AWS::DMS::Endpoint MongoDbSettings": { "AuthMechanism": "The authentication mechanism you use to access the MongoDB source endpoint.\n\nFor the default value, in MongoDB version 2.x, `\"default\"` is `\"mongodb_cr\"` . For MongoDB version 3.x or later, `\"default\"` is `\"scram_sha_1\"` . This setting isn't used when `AuthType` is set to `\"no\"` .", @@ -7115,7 +7831,7 @@ "ReplacePathPrefix": "Set this attribute to true in order to use the Binary Reader to capture change data for an Amazon RDS for Oracle as the source. This setting tells DMS instance to replace the default Oracle root with the specified `usePathPrefix` setting to access the redo logs.", "RetryInterval": "Specifies the number of seconds that the system waits before resending a query.\n\nExample: `retryInterval=6;`", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the Oracle endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", - "SecretsManagerOracleAsmAccessRoleArn": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUserName` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "SecretsManagerOracleAsmAccessRoleArn": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerOracleAsmSecretId": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN, partial ARN, or display name of the `SecretsManagerOracleAsmSecret` that contains the Oracle ASM connection details for the Oracle endpoint.", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the Oracle endpoint connection details.", "SecurityDbEncryption": "For an Oracle source endpoint, the transparent data encryption (TDE) password required by AWM DMS to access Oracle redo logs encrypted by TDE using Binary Reader. It is also the `*TDE_Password*` part of the comma-separated value you set to the `Password` request parameter when you create the endpoint. The `SecurityDbEncryptian` setting is related to this `SecurityDbEncryptionName` setting. For more information, see [Supported encryption methods for using Oracle as a source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.Encryption) in the *AWS Database Migration Service User Guide* .", @@ -7130,14 +7846,16 @@ }, "AWS::DMS::Endpoint PostgreSqlSettings": { "AfterConnectScript": "For use with change data capture (CDC) only, this attribute has AWS DMS bypass foreign keys and user triggers to reduce the time it takes to bulk load data.\n\nExample: `afterConnectScript=SET session_replication_role='replica'`", + "BabelfishDatabaseName": "The Babelfish for Aurora PostgreSQL database name for the endpoint.", "CaptureDdls": "To capture DDL events, AWS DMS creates various artifacts in the PostgreSQL database when the task starts. You can later remove these artifacts.\n\nIf this value is set to `N` , you don't have to create tables or triggers on the source database.", + "DatabaseMode": "Specifies the default behavior of the replication's handling of PostgreSQL- compatible endpoints that require some additional configuration, such as Babelfish endpoints.", "DdlArtifactsSchema": "The schema in which the operational DDL database artifacts are created.\n\nExample: `ddlArtifactsSchema=xyzddlschema;`", "ExecuteTimeout": "Sets the client statement timeout for the PostgreSQL instance, in seconds. The default value is 60 seconds.\n\nExample: `executeTimeout=100;`", "FailTasksOnLobTruncation": "When set to `true` , this value causes a task to fail if the actual size of a LOB column is greater than the specified `LobMaxSize` .\n\nIf task is set to Limited LOB mode and this option is set to true, the task fails instead of truncating the LOB data.", "HeartbeatEnable": "The write-ahead log (WAL) heartbeat feature mimics a dummy transaction. By doing this, it prevents idle logical replication slots from holding onto old WAL logs, which can result in storage full situations on the source. This heartbeat keeps `restart_lsn` moving and prevents storage full scenarios.", "HeartbeatFrequency": "Sets the WAL heartbeat frequency (in minutes).", "HeartbeatSchema": "Sets the schema in which the heartbeat artifacts are created.", - "MapBooleanAsBoolean": "", + "MapBooleanAsBoolean": "When true, lets PostgreSQL migrate the boolean type as boolean. By default, PostgreSQL migrates booleans as `varchar(5)` . You must set this setting on both the source and target endpoints for it to take effect.", "MaxFileSize": "Specifies the maximum size (in KB) of any .csv file used to transfer data to PostgreSQL.\n\nExample: `maxFileSize=512`", "PluginName": "Specifies the plugin to use to create a replication slot.", "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the PostgreSQL endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", @@ -7167,7 +7885,7 @@ "ExplicitIds": "This setting is only valid for a full-load migration task. Set `ExplicitIds` to `true` to have tables with `IDENTITY` columns override their auto-generated values with explicit values loaded from the source data files used to populate the tables. The default is `false` .", "FileTransferUploadStreams": "The number of threads used to upload a single file. This parameter accepts a value from 1 through 64. It defaults to 10.\n\nThe number of parallel streams used to upload a single .csv file to an S3 bucket using S3 Multipart Upload. For more information, see [Multipart upload overview](https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html) .\n\n`FileTransferUploadStreams` accepts a value from 1 through 64. It defaults to 10.", "LoadTimeout": "The amount of time to wait (in milliseconds) before timing out of operations performed by AWS DMS on a Redshift cluster, such as Redshift COPY, INSERT, DELETE, and UPDATE.", - "MapBooleanAsBoolean": "", + "MapBooleanAsBoolean": "When true, lets Redshift migrate the boolean type as boolean. By default, Redshift migrates booleans as `varchar(1)` . You must set this setting on both the source and target endpoints for it to take effect.", "MaxFileSize": "The maximum size (in KB) of any .csv file used to load data on an S3 bucket and transfer data to Amazon Redshift. It defaults to 1048576KB (1 GB).", "RemoveQuotes": "A value that specifies to remove surrounding quotation marks from strings in the incoming data. All characters within the quotation marks, including delimiters, are retained. Choose `true` to remove quotation marks. The default is `false` .", "ReplaceChars": "A value that specifies to replaces the invalid characters specified in `ReplaceInvalidChars` , substituting the specified characters instead. The default is `\"?\"` .", @@ -7225,6 +7943,10 @@ "SecretsManagerAccessRoleArn": "The full Amazon Resource Name (ARN) of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the value in `SecretsManagerSecret` . The role must allow the `iam:PassRole` action. `SecretsManagerSecret` has the value of the AWS Secrets Manager secret that allows access to the SAP ASE endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerSecretId` . Or you can specify clear-text values for `UserName` , `Password` , `ServerName` , and `Port` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerSecret` , the corresponding `SecretsManagerAccessRoleArn` , and the `SecretsManagerSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "SecretsManagerSecretId": "The full ARN, partial ARN, or display name of the `SecretsManagerSecret` that contains the SAP SAE endpoint connection details." }, + "AWS::DMS::Endpoint Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DMS::EventSubscription": { "Enabled": "Indicates whether to activate the subscription. If you don't specify this property, AWS CloudFormation activates the subscription.", "EventCategories": "A list of event categories for a source type that you want to subscribe to. If you don't specify this property, you are notified about all event categories. For more information, see [Working with Events and Notifications](https://docs.aws.amazon.com//dms/latest/userguide/CHAP_Events.html) in the *AWS DMS User Guide* .", @@ -7234,6 +7956,38 @@ "SubscriptionName": "The name of the AWS DMS event notification subscription. This name must be less than 255 characters.", "Tags": "One or more tags to be assigned to the event subscription." }, + "AWS::DMS::EventSubscription Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, + "AWS::DMS::ReplicationConfig": { + "ComputeConfig": "Configuration parameters for provisioning an AWS DMS Serverless replication.", + "ReplicationConfigArn": "The Amazon Resource Name (ARN) of this AWS DMS Serverless replication configuration.", + "ReplicationConfigIdentifier": "A unique identifier that you want to use to create a `ReplicationConfigArn` that is returned as part of the output from this action. You can then pass this output `ReplicationConfigArn` as the value of the `ReplicationConfigArn` option for other actions to identify both AWS DMS Serverless replications and replication configurations that you want those actions to operate on. For some actions, you can also use either this unique identifier or a corresponding ARN in action filters to identify the specific replication and replication configuration to operate on.", + "ReplicationSettings": "Optional JSON settings for AWS DMS Serverless replications that are provisioned using this replication configuration. For example, see [Change processing tuning settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TaskSettings.ChangeProcessingTuning.html) .", + "ReplicationType": "The type of AWS DMS Serverless replication to provision using this replication configuration.\n\nPossible values:\n\n- `\"full-load\"`\n- `\"cdc\"`\n- `\"full-load-and-cdc\"`", + "ResourceIdentifier": "Optional unique value or name that you set for a given resource that can be used to construct an Amazon Resource Name (ARN) for that resource. For more information, see [Fine-grained access control using resource names and tags](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#CHAP_Security.FineGrainedAccess) .", + "SourceEndpointArn": "The Amazon Resource Name (ARN) of the source endpoint for this AWS DMS Serverless replication configuration.", + "SupplementalSettings": "Optional JSON settings for specifying supplemental data. For more information, see [Specifying supplemental data for task settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) .", + "TableMappings": "JSON table mappings for AWS DMS Serverless replications that are provisioned using this replication configuration. For more information, see [Specifying table selection and transformations rules using JSON](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TableMapping.SelectionTransformation.html) .", + "Tags": "One or more optional tags associated with resources used by the AWS DMS Serverless replication. For more information, see [Tagging resources in AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tagging.html) .", + "TargetEndpointArn": "The Amazon Resource Name (ARN) of the target endpoint for this AWS DMS serverless replication configuration." + }, + "AWS::DMS::ReplicationConfig ComputeConfig": { + "AvailabilityZone": "The Availability Zone where the AWS DMS Serverless replication using this configuration will run. The default value is a random, system-chosen Availability Zone in the configuration's AWS Region , for example, `\"us-west-2\"` . You can't set this parameter if the `MultiAZ` parameter is set to `true` .", + "DnsNameServers": "A list of custom DNS name servers supported for the AWS DMS Serverless replication to access your source or target database. This list overrides the default name servers supported by the AWS DMS Serverless replication. You can specify a comma-separated list of internet addresses for up to four DNS name servers. For example: `\"1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4\"`", + "KmsKeyId": "An AWS Key Management Service ( AWS KMS ) key Amazon Resource Name (ARN) that is used to encrypt the data during AWS DMS Serverless replication.\n\nIf you don't specify a value for the `KmsKeyId` parameter, AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your Amazon Web Services account. Your AWS account has a different default encryption key for each AWS Region .", + "MaxCapacityUnits": "Specifies the maximum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the maximum value that you can specify for AWS DMS Serverless is 384. The `MaxCapacityUnits` parameter is the only DCU parameter you are required to specify.", + "MinCapacityUnits": "Specifies the minimum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the minimum DCU value that you can specify for AWS DMS Serverless is 1. You don't have to specify a value for the `MinCapacityUnits` parameter. If you don't set this value, AWS DMS scans the current activity of available source tables to identify an optimum setting for this parameter. If there is no current source activity or AWS DMS can't otherwise identify a more appropriate value, it sets this parameter to the minimum DCU value allowed, 1.", + "MultiAZ": "Specifies whether the AWS DMS Serverless replication is a Multi-AZ deployment. You can't set the `AvailabilityZone` parameter if the `MultiAZ` parameter is set to `true` .", + "PreferredMaintenanceWindow": "The weekly time range during which system maintenance can occur for the AWS DMS Serverless replication, in Universal Coordinated Time (UTC). The format is `ddd:hh24:mi-ddd:hh24:mi` .\n\nThe default is a 30-minute window selected at random from an 8-hour block of time per AWS Region . This maintenance occurs on a random day of the week. Valid values for days of the week include `Mon` , `Tue` , `Wed` , `Thu` , `Fri` , `Sat` , and `Sun` .\n\nConstraints include a minimum 30-minute window.", + "ReplicationSubnetGroupId": "Specifies a subnet group identifier to associate with the AWS DMS Serverless replication.", + "VpcSecurityGroupIds": "Specifies the virtual private cloud (VPC) security group to use with the AWS DMS Serverless replication. The VPC security group must work with the VPC containing the replication." + }, + "AWS::DMS::ReplicationConfig Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DMS::ReplicationInstance": { "AllocatedStorage": "The amount of storage (in gigabytes) to be initially allocated for the replication instance.", "AllowMajorVersionUpgrade": "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage, and the change is asynchronously applied as soon as possible.\n\nThis parameter must be set to `true` when specifying a value for the `EngineVersion` parameter that is a different major version than the replication instance's current version.", @@ -7251,12 +8005,20 @@ "Tags": "One or more tags to be assigned to the replication instance.", "VpcSecurityGroupIds": "Specifies the virtual private cloud (VPC) security group to be used with the replication instance. The VPC security group must work with the VPC containing the replication instance." }, + "AWS::DMS::ReplicationInstance Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DMS::ReplicationSubnetGroup": { "ReplicationSubnetGroupDescription": "The description for the subnet group.", "ReplicationSubnetGroupIdentifier": "The identifier for the replication subnet group. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the identifier.", "SubnetIds": "One or more subnet IDs to be assigned to the subnet group.", "Tags": "One or more tags to be assigned to the subnet group." }, + "AWS::DMS::ReplicationSubnetGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DMS::ReplicationTask": { "CdcStartPosition": "Indicates when you want a change data capture (CDC) operation to start. Use either `CdcStartPosition` or `CdcStartTime` to specify when you want a CDC operation to start. Specifying both values results in an error.\n\nThe value can be in date, checkpoint, log sequence number (LSN), or system change number (SCN) format.\n\nHere is a date example: `--cdc-start-position \"2018-03-08T12:12:12\"`\n\nHere is a checkpoint example: `--cdc-start-position \"checkpoint:V1#27#mysql-bin-changelog.157832:1975:-1:2002:677883278264080:mysql-bin-changelog.157832:1876#0#0#*#0#93\"`\n\nHere is an LSN example: `--cdc-start-position \u201cmysql-bin-changelog.000024:373\u201d`\n\n> When you use this task setting with a source PostgreSQL database, a logical replication slot should already be created and associated with the source endpoint. You can verify this by setting the `slotName` extra connection attribute to the name of this logical replication slot. For more information, see [Extra Connection Attributes When Using PostgreSQL as a Source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.PostgreSQL.html#CHAP_Source.PostgreSQL.ConnectionAttrib) in the *AWS Database Migration Service User Guide* .", "CdcStartTime": "Indicates the start time for a change data capture (CDC) operation.", @@ -7270,7 +8032,11 @@ "TableMappings": "The table mappings for the task, in JSON format. For more information, see [Using Table Mapping to Specify Task Settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TableMapping.html) in the *AWS Database Migration Service User Guide* .", "Tags": "One or more tags to be assigned to the replication task.", "TargetEndpointArn": "An Amazon Resource Name (ARN) that uniquely identifies the target endpoint.", - "TaskData": "" + "TaskData": "Supplemental information that the task requires to migrate the data for certain source and target endpoints. For more information, see [Specifying Supplemental Data for Task Settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) in the *AWS Database Migration Service User Guide.*" + }, + "AWS::DMS::ReplicationTask Tag": { + "Key": "A key is the required name of the tag. The string value can be 1-128 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be 1-256 Unicode characters in length and can't be prefixed with \"aws:\" or \"dms:\". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regular expressions: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." }, "AWS::DataBrew::Dataset": { "Format": "The file format of a dataset that is created from an Amazon S3 file or folder.", @@ -7356,6 +8122,10 @@ "Bucket": "The Amazon S3 bucket name.", "Key": "The unique name of the object in the bucket." }, + "AWS::DataBrew::Dataset Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Job": { "DataCatalogOutputs": "One or more artifacts that represent the AWS Glue Data Catalog output from running the job.", "DatabaseOutputs": "Represents a list of JDBC database output objects which defines the output destination for a DataBrew recipe job to write into.", @@ -7367,7 +8137,7 @@ "MaxCapacity": "The maximum number of nodes that can be consumed when the job processes data.", "MaxRetries": "The maximum number of times to retry the job after a job run fails.", "Name": "The unique name of the job.", - "OutputLocation": "", + "OutputLocation": "The location in Amazon S3 where the job writes its output.", "Outputs": "One or more artifacts that represent output from running the job.", "ProfileConfiguration": "Configuration for profile jobs. Configuration can be used to select columns, do evaluations, and override default parameters of evaluations. When configuration is undefined, the profile job will apply default settings to all supported columns.", "ProjectName": "The name of the project that the job is associated with.", @@ -7460,6 +8230,10 @@ "IncludedStatistics": "List of included evaluations. When the list is undefined, all supported evaluations will be included.", "Overrides": "List of overrides for evaluations." }, + "AWS::DataBrew::Job Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Job ValidationConfiguration": { "RulesetArn": "The Amazon Resource Name (ARN) for the ruleset to be validated in the profile job. The TargetArn of the selected ruleset should be the same as the Amazon Resource Name (ARN) of the dataset that is associated with the profile job.", "ValidationMode": "Mode of data quality validation. Default mode is \u201cCHECK_ALL\u201d which verifies all rules defined in the selected ruleset." @@ -7476,6 +8250,10 @@ "Size": "The number of rows in the sample.", "Type": "The way in which DataBrew obtains rows from a dataset." }, + "AWS::DataBrew::Project Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Recipe": { "Description": "The description of the recipe.", "Name": "The unique name for the recipe.", @@ -7498,8 +8276,11 @@ "TempDirectory": "Represents an Amazon location where DataBrew can store intermediate results." }, "AWS::DataBrew::Recipe Input": { - "DataCatalogInputDefinition": "", - "S3InputDefinition": "" + "DataCatalogInputDefinition": "The AWS Glue Data Catalog parameters for the data.", + "S3InputDefinition": "The Amazon S3 location where the data is stored." + }, + "AWS::DataBrew::Recipe Parameters": { + "Parameters": "Contextual parameters for the transformation." }, "AWS::DataBrew::Recipe RecipeParameters": { "AggregateFunction": "The name of an aggregation function to apply.", @@ -7616,6 +8397,10 @@ "DataCatalogInputDefinition": "The AWS Glue Data Catalog parameters for the data.", "S3InputDefinition": "The Amazon S3 location where the data is stored." }, + "AWS::DataBrew::Recipe Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Ruleset": { "Description": "The description of the ruleset.", "Name": "The name of the ruleset.", @@ -7639,6 +8424,10 @@ "Value": "Value or column name.", "ValueReference": "Variable name." }, + "AWS::DataBrew::Ruleset Tag": { + "Key": "", + "Value": "" + }, "AWS::DataBrew::Ruleset Threshold": { "Type": "The type of a threshold. Used for comparison of an actual count of rows that satisfy the rule to the threshold value.", "Unit": "Unit of threshold value. Can be either a COUNT or PERCENTAGE of the full sample size used for validation.", @@ -7650,6 +8439,10 @@ "Name": "The name of the schedule.", "Tags": "Metadata tags that have been applied to the schedule." }, + "AWS::DataBrew::Schedule Tag": { + "Key": "", + "Value": "" + }, "AWS::DataPipeline::Pipeline": { "Activate": "Indicates whether to validate and start the pipeline or stop an active pipeline. By default, the value is set to `true` .", "Description": "A description of the pipeline.", @@ -7693,6 +8486,27 @@ "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least one tag for your agent.", "VpcEndpointId": "The ID of the virtual private cloud (VPC) endpoint that the agent has access to. This is the client-side VPC endpoint, powered by AWS PrivateLink . If you don't have an AWS PrivateLink VPC endpoint, see [AWS PrivateLink and VPC endpoints](https://docs.aws.amazon.com//vpc/latest/userguide/endpoint-services-overview.html) in the *Amazon VPC User Guide* .\n\nFor more information about activating your agent in a private network based on a VPC, see [Using AWS DataSync in a Virtual Private Cloud](https://docs.aws.amazon.com/datasync/latest/userguide/datasync-in-vpc.html) in the *AWS DataSync User Guide.*\n\nA VPC endpoint ID looks like this: `vpce-01234d5aff67890e1` ." }, + "AWS::DataSync::Agent Tag": { + "Key": "", + "Value": "" + }, + "AWS::DataSync::LocationAzureBlob": { + "AgentArns": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "AzureAccessTier": "Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see [Access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) .", + "AzureBlobAuthenticationType": "Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS).", + "AzureBlobContainerUrl": "Specifies the URL of the Azure Blob Storage container involved in your transfer.", + "AzureBlobSasConfiguration": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "AzureBlobType": "Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the [Azure Blob Storage documentation](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) .", + "Subdirectory": "Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, `/my/images` ).", + "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location." + }, + "AWS::DataSync::LocationAzureBlob AzureBlobSasConfiguration": { + "AzureBlobSasToken": "Specifies a SAS token that provides permissions to access your Azure Blob Storage.\n\nThe token is part of the SAS URI string that comes after the storage resource URI and a question mark. A token looks something like this:\n\n`sp=r&st=2023-12-20T14:54:52Z&se=2023-12-20T22:54:52Z&spr=https&sv=2021-06-08&sr=c&sig=aBBKDWQvyuVcTPH9EBp%2FXTI9E%2F%2Fmq171%2BZU178wcwqU%3D`" + }, + "AWS::DataSync::LocationAzureBlob Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationEFS": { "AccessPointArn": "Specifies the Amazon Resource Name (ARN) of the access point that DataSync uses to access the Amazon EFS file system.", "Ec2Config": "Specifies the subnet and security groups DataSync uses to access your Amazon EFS file system.", @@ -7706,12 +8520,20 @@ "SecurityGroupArns": "Specifies the Amazon Resource Names (ARNs) of the security groups associated with an Amazon EFS file system's mount target.", "SubnetArn": "Specifies the ARN of a subnet where DataSync creates the [network interfaces](https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces) for managing traffic during your transfer.\n\nThe subnet must be located:\n\n- In the same virtual private cloud (VPC) as the Amazon EFS file system.\n- In the same Availability Zone as at least one mount target for the Amazon EFS file system.\n\n> You don't need to specify a subnet that includes a file system mount target." }, + "AWS::DataSync::LocationEFS Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationFSxLustre": { "FsxFilesystemArn": "The Amazon Resource Name (ARN) for the FSx for Lustre file system.", "SecurityGroupArns": "The ARNs of the security groups that are used to configure the FSx for Lustre file system.\n\n*Pattern* : `^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\\-0-9]*:[0-9]{12}:security-group/.*$`\n\n*Length constraints* : Maximum length of 128.", "Subdirectory": "A subdirectory in the location's path. This subdirectory in the FSx for Lustre file system is used to read data from the FSx for Lustre source location or write data to the FSx for Lustre destination.", "Tags": "The key-value pair that represents a tag that you want to add to the resource. The value can be an empty string. This value helps you manage, filter, and search for your resources. We recommend that you create a name tag for your location." }, + "AWS::DataSync::LocationFSxLustre Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationFSxONTAP": { "Protocol": "Specifies the data transfer protocol that DataSync uses to access your Amazon FSx file system.", "SecurityGroupArns": "Specifies the Amazon Resource Names (ARNs) of the security groups that DataSync can use to access your FSx for ONTAP file system. You must configure the security groups to allow outbound traffic on the following ports (depending on the protocol that you're using):\n\n- *Network File System (NFS)* : TCP ports 111, 635, and 2049\n- *Server Message Block (SMB)* : TCP port 445\n\nYour file system's security groups must also allow inbound traffic on the same port.", @@ -7738,6 +8560,10 @@ "AWS::DataSync::LocationFSxONTAP SmbMountOptions": { "Version": "By default, DataSync automatically chooses an SMB protocol version based on negotiation with your SMB file server. You also can configure DataSync to use a specific SMB version, but we recommend doing this only if DataSync has trouble negotiating with the SMB file server automatically.\n\nThese are the following options for configuring the SMB version:\n\n- `AUTOMATIC` (default): DataSync and the SMB file server negotiate the highest version of SMB that they mutually support between 2.1 and 3.1.1.\n\nThis is the recommended option. If you instead choose a specific version that your file server doesn't support, you may get an `Operation Not Supported` error.\n- `SMB3` : Restricts the protocol negotiation to only SMB version 3.0.2.\n- `SMB2` : Restricts the protocol negotiation to only SMB version 2.1.\n- `SMB2_0` : Restricts the protocol negotiation to only SMB version 2.0.\n- `SMB1` : Restricts the protocol negotiation to only SMB version 1.0.\n\n> The `SMB1` option isn't available when [creating an Amazon FSx for NetApp ONTAP location](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateLocationFsxOntap.html) ." }, + "AWS::DataSync::LocationFSxONTAP Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationFSxOpenZFS": { "FsxFilesystemArn": "The Amazon Resource Name (ARN) of the FSx for OpenZFS file system.", "Protocol": "The type of protocol that AWS DataSync uses to access your file system.", @@ -7754,15 +8580,23 @@ "AWS::DataSync::LocationFSxOpenZFS Protocol": { "NFS": "Represents the Network File System (NFS) protocol that DataSync uses to access your FSx for OpenZFS file system." }, + "AWS::DataSync::LocationFSxOpenZFS Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationFSxWindows": { - "Domain": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.", + "Domain": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#create-fsx-windows-location-permissions) for FSx for Windows File Server locations.", "FsxFilesystemArn": "Specifies the Amazon Resource Name (ARN) for the FSx for Windows File Server file system.", - "Password": "Specifies the password of the user who has the permissions to access files and folders in the file system.", + "Password": "Specifies the password of the user who has the permissions to access files and folders in the file system.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#create-fsx-windows-location-permissions) for FSx for Windows File Server locations.", "SecurityGroupArns": "The Amazon Resource Names (ARNs) of the security groups that are used to configure the FSx for Windows File Server file system.\n\n*Pattern* : `^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\\-0-9]*:[0-9]{12}:security-group/.*$`\n\n*Length constraints* : Maximum length of 128.", "Subdirectory": "Specifies a mount path for your file system using forward slashes. This is where DataSync reads or writes data (depending on if this is a source or destination location).", "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.", "User": "The user who has the permissions to access files and folders in the FSx for Windows File Server file system.\n\nFor information about choosing a user name that ensures sufficient permissions to files, folders, and metadata, see [user](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#FSxWuser) ." }, + "AWS::DataSync::LocationFSxWindows Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationHDFS": { "AgentArns": "The Amazon Resource Names (ARNs) of the agents that are used to connect to the HDFS cluster.", "AuthenticationType": "", @@ -7786,18 +8620,26 @@ "DataTransferProtection": "The data transfer protection setting configured on the HDFS cluster. This setting corresponds to your `dfs.data.transfer.protection` setting in the `hdfs-site.xml` file on your Hadoop cluster.", "RpcProtection": "The Remote Procedure Call (RPC) protection setting configured on the HDFS cluster. This setting corresponds to your `hadoop.rpc.protection` setting in your `core-site.xml` file on your Hadoop cluster." }, + "AWS::DataSync::LocationHDFS Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationNFS": { - "MountOptions": "Specifies the mount options that DataSync can use to mount your NFS share.", - "OnPremConfig": "Specifies the Amazon Resource Names (ARNs) of agents that DataSync uses to connect to your NFS file server.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", - "ServerHostname": "Specifies the IP address or domain name of your NFS file server. An agent that is installed on-premises uses this hostname to mount the NFS server in a network.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.\n\n> You must specify be an IP version 4 address or Domain Name System (DNS)-compliant name.", - "Subdirectory": "Specifies the subdirectory in the NFS file server that DataSync transfers to or from. The NFS path should be a path that's exported by the NFS server, or a subdirectory of that path. The path should be such that it can be mounted by other NFS clients in your network.\n\nTo see all the paths exported by your NFS server, run \" `showmount -e nfs-server-name` \" from an NFS client that has access to your server. You can specify any directory that appears in the results, and any subdirectory of that directory. Ensure that the NFS export is accessible without Kerberos authentication.\n\nTo transfer all the data in the folder you specified, DataSync needs to have permissions to read all the data. To ensure this, either configure the NFS export with `no_root_squash,` or ensure that the permissions for all of the files that you want DataSync allow read access for all users. Doing either enables the agent to read the files. For the agent to access directories, you must additionally enable all execute access.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "MountOptions": "Specifies the options that DataSync can use to mount your NFS file server.", + "OnPremConfig": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that want to connect to your NFS file server.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for transfers](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "ServerHostname": "Specifies the Domain Name System (DNS) name or IP version 4 address of the NFS file server that your DataSync agent connects to.", + "Subdirectory": "Specifies the export path in your NFS file server that you want DataSync to mount.\n\nThis path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see [Accessing NFS file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs) .", "Tags": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location." }, "AWS::DataSync::LocationNFS MountOptions": { "Version": "Specifies the NFS version that you want DataSync to use when mounting your NFS share. If the server refuses to use the version specified, the task fails.\n\nYou can specify the following options:\n\n- `AUTOMATIC` (default): DataSync chooses NFS version 4.1.\n- `NFS3` : Stateless protocol version that allows for asynchronous writes on the server.\n- `NFSv4_0` : Stateful, firewall-friendly protocol version that supports delegations and pseudo file systems.\n- `NFSv4_1` : Stateful protocol version that supports sessions, directory delegations, and parallel data processing. NFS version 4.1 also includes all features available in version 4.0.\n\n> DataSync currently only supports NFS version 3 with Amazon FSx for NetApp ONTAP locations." }, "AWS::DataSync::LocationNFS OnPremConfig": { - "AgentArns": "ARNs of the agents to use for an NFS location." + "AgentArns": "The Amazon Resource Names (ARNs) of the agents connecting to a transfer location." + }, + "AWS::DataSync::LocationNFS Tag": { + "Key": "", + "Value": "" }, "AWS::DataSync::LocationObjectStorage": { "AccessKey": "Specifies the access key (for example, a user name) if credentials are required to authenticate with the object storage server.", @@ -7811,6 +8653,10 @@ "Subdirectory": "Specifies the object prefix for your object storage server. If this is a source location, DataSync only copies objects with this prefix. If this is a destination location, DataSync writes all objects with this prefix.", "Tags": "Specifies the key-value pair that represents a tag that you want to add to the resource. Tags can help you manage, filter, and search for your resources. We recommend creating a name tag for your location." }, + "AWS::DataSync::LocationObjectStorage Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationS3": { "S3BucketArn": "The ARN of the Amazon S3 bucket.", "S3Config": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that is used to access an Amazon S3 bucket.\n\nFor detailed information about using such a role, see [Creating a Location for Amazon S3](https://docs.aws.amazon.com/datasync/latest/userguide/working-with-locations.html#create-s3-location) in the *AWS DataSync User Guide* .", @@ -7821,9 +8667,13 @@ "AWS::DataSync::LocationS3 S3Config": { "BucketAccessRoleArn": "The ARN of the IAM role for accessing the S3 bucket." }, + "AWS::DataSync::LocationS3 Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::LocationSMB": { "AgentArns": "The Amazon Resource Names (ARNs) of agents to use for a Server Message Block (SMB) location.", - "Domain": "Specifies the Windows domain name that your SMB file server belongs to.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", + "Domain": "Specifies the Windows domain name that your SMB file server belongs to.\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", "MountOptions": "Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.", "Password": "The password of the user who can mount the share and has the permissions to access files and folders in the SMB share.", "ServerHostname": "Specifies the Domain Name Service (DNS) name or IP address of the SMB file server that your DataSync agent will mount.\n\n> You can't specify an IP version 6 (IPv6) address.", @@ -7834,6 +8684,10 @@ "AWS::DataSync::LocationSMB MountOptions": { "Version": "By default, DataSync automatically chooses an SMB protocol version based on negotiation with your SMB file server. You also can configure DataSync to use a specific SMB version, but we recommend doing this only if DataSync has trouble negotiating with the SMB file server automatically.\n\nThese are the following options for configuring the SMB version:\n\n- `AUTOMATIC` (default): DataSync and the SMB file server negotiate the highest version of SMB that they mutually support between 2.1 and 3.1.1.\n\nThis is the recommended option. If you instead choose a specific version that your file server doesn't support, you may get an `Operation Not Supported` error.\n- `SMB3` : Restricts the protocol negotiation to only SMB version 3.0.2.\n- `SMB2` : Restricts the protocol negotiation to only SMB version 2.1.\n- `SMB2_0` : Restricts the protocol negotiation to only SMB version 2.0.\n- `SMB1` : Restricts the protocol negotiation to only SMB version 1.0.\n\n> The `SMB1` option isn't available when [creating an Amazon FSx for NetApp ONTAP location](https://docs.aws.amazon.com/datasync/latest/userguide/API_CreateLocationFsxOntap.html) ." }, + "AWS::DataSync::LocationSMB Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::StorageSystem": { "AgentArns": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface. You can only specify one ARN.", "CloudWatchLogGroupArn": "Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.", @@ -7851,6 +8705,10 @@ "Password": "Specifies the password for your storage system's management interface.", "Username": "Specifies the user name for your storage system's management interface." }, + "AWS::DataSync::StorageSystem Tag": { + "Key": "", + "Value": "" + }, "AWS::DataSync::Task": { "CloudWatchLogGroupArn": "The Amazon Resource Name (ARN) of the Amazon CloudWatch log group that is used to monitor and log events in the task.\n\nFor more information about how to use CloudWatch Logs with DataSync, see [Monitoring Your Task](https://docs.aws.amazon.com/datasync/latest/userguide/monitor-datasync.html#cloudwatchlogs) in the *AWS DataSync User Guide.*\n\nFor more information about these groups, see [Working with Log Groups and Log Streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) in the *Amazon CloudWatch Logs User Guide* .", "DestinationLocationArn": "The Amazon Resource Name (ARN) of an AWS storage resource's location.", @@ -7860,7 +8718,14 @@ "Options": "Specifies the configuration options for a task. Some options include preserving file or object metadata and verifying data integrity.\n\nYou can also override these options before starting an individual run of a task (also known as a *task execution* ). For more information, see [StartTaskExecution](https://docs.aws.amazon.com/datasync/latest/userguide/API_StartTaskExecution.html) .", "Schedule": "Specifies a schedule used to periodically transfer files from a source to a destination location. The schedule should be specified in UTC time. For more information, see [Scheduling your task](https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html) .", "SourceLocationArn": "The Amazon Resource Name (ARN) of the source location for the task.", - "Tags": "Specifies the tags that you want to apply to the Amazon Resource Name (ARN) representing the task.\n\n*Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources." + "Tags": "Specifies the tags that you want to apply to the Amazon Resource Name (ARN) representing the task.\n\n*Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources.", + "TaskReportConfig": "Specifies how you want to configure a task report, which provides detailed information about for your DataSync transfer." + }, + "AWS::DataSync::Task Deleted": { + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete." + }, + "AWS::DataSync::Task Destination": { + "S3": "Specifies the Amazon S3 bucket where DataSync uploads your task report." }, "AWS::DataSync::Task FilterRule": { "FilterType": "The type of filter rule to apply. AWS DataSync only supports the SIMPLE_PATTERN rule type.", @@ -7883,13 +8748,48 @@ "Uid": "The user ID (UID) of the file's owner.\n\nDefault value: `INT_VALUE`\n\n`INT_VALUE` : Preserve the integer value of the UID and group ID (GID) (recommended).\n\n`NAME` : Currently not supported\n\n`NONE` : Ignore the UID and GID.", "VerifyMode": "A value that determines whether a data integrity verification is performed at the end of a task execution after all data and metadata have been transferred. For more information, see [Configure task settings](https://docs.aws.amazon.com/datasync/latest/userguide/create-task.html) .\n\nDefault value: `POINT_IN_TIME_CONSISTENT`\n\n`ONLY_FILES_TRANSFERRED` (recommended): Perform verification only on files that were transferred.\n\n`POINT_IN_TIME_CONSISTENT` : Scan the entire source and entire destination at the end of the transfer to verify that the source and destination are fully synchronized. This option isn't supported when transferring to S3 Glacier or S3 Glacier Deep Archive storage classes.\n\n`NONE` : No additional verification is done at the end of the transfer, but all data transmissions are integrity-checked with checksum verification during the transfer." }, + "AWS::DataSync::Task Overrides": { + "Deleted": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", + "Skipped": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", + "Transferred": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", + "Verified": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer." + }, + "AWS::DataSync::Task S3": { + "BucketAccessRoleArn": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/creating-task-reports.html) .", + "S3BucketArn": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", + "Subdirectory": "Specifies a bucket prefix for your report." + }, + "AWS::DataSync::Task Skipped": { + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip." + }, + "AWS::DataSync::Task Tag": { + "Key": "", + "Value": "" + }, + "AWS::DataSync::Task TaskReportConfig": { + "Destination": "Specifies the Amazon S3 bucket where DataSync uploads your task report. For more information, see [Task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html#task-report-access) .", + "ObjectVersionIds": "Specifies whether your task report includes the new version of each object transferred into an S3 bucket. This only applies if you [enable versioning on your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html) . Keep in mind that setting this to `INCLUDE` can increase the duration of your task execution.", + "OutputType": "Specifies the type of task report that you want:\n\n- `SUMMARY_ONLY` : Provides necessary details about your task, including the number of files, objects, and directories transferred and transfer duration.\n- `STANDARD` : Provides complete details about your task, including a full list of files, objects, and directories that were transferred, skipped, verified, and more.", + "Overrides": "Customizes the reporting level for aspects of your task report. For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location.", + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer, skip, verify, and delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer, skip, verify, and delete." + }, "AWS::DataSync::Task TaskSchedule": { "ScheduleExpression": "A cron expression that specifies when AWS DataSync initiates a scheduled transfer from a source to a destination location." }, + "AWS::DataSync::Task Transferred": { + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer." + }, + "AWS::DataSync::Task Verified": { + "ReportLevel": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify." + }, "AWS::Detective::Graph": { "AutoEnableMembers": "Indicates whether to automatically enable new organization accounts as member accounts in the organization behavior graph.\n\nBy default, this property is set to `false` . If you want to change the value of this property, you must be the Detective administrator for the organization. For more information on setting a Detective administrator account, see [AWS::Detective::OrganizationAdmin](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-detective-organizationadmin.html)", "Tags": "The tag values to assign to the new behavior graph." }, + "AWS::Detective::Graph Tag": { + "Key": "", + "Value": "" + }, "AWS::Detective::MemberInvitation": { "DisableEmailNotification": "Whether to send an invitation email to the member account. If set to true, the member account does not receive an invitation email.", "GraphArn": "The ARN of the behavior graph to invite the account to contribute data to.", @@ -7922,7 +8822,7 @@ "StackNames": "An array of CloudFormation stack names." }, "AWS::DevOpsGuru::ResourceCollection ResourceCollectionFilter": { - "CloudFormation": "Information about AWS CloudFormation stacks. You can use up to 500 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", + "CloudFormation": "Information about AWS CloudFormation stacks. You can use up to 1000 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", "Tags": "The AWS tags used to filter the resources in the resource collection.\n\nTags help you identify and organize your AWS resources. Many AWS services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related. For example, you can assign the same tag to an Amazon DynamoDB table resource that you assign to an AWS Lambda function. For more information about using tags, see the [Tagging best practices](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html) whitepaper.\n\nEach AWS tag has two parts.\n\n- A tag *key* (for example, `CostCenter` , `Environment` , `Project` , or `Secret` ). Tag *keys* are case-sensitive.\n- A field known as a tag *value* (for example, `111122223333` , `Production` , or a team name). Omitting the tag *value* is the same as using an empty string. Like tag *keys* , tag *values* are case-sensitive. The tag value is a required property when AppBoundaryKey is specified.\n\nTogether these are known as *key* - *value* pairs.\n\n> The string used for a *key* in a tag that you use to define your resource coverage must begin with the prefix `Devops-guru-` . The tag *key* might be `DevOps-Guru-deployment-application` or `devops-guru-rds-application` . When you create a *key* , the case of characters in the *key* can be whatever you choose. After you create a *key* , it is case-sensitive. For example, DevOps Guru works with a *key* named `devops-guru-rds` and a *key* named `DevOps-Guru-RDS` , and these act as two different *keys* . Possible *key* / *value* pairs in your application might be `Devops-Guru-production-application/RDS` or `Devops-Guru-production-application/containers` ." }, "AWS::DevOpsGuru::ResourceCollection TagCollection": { @@ -7942,6 +8842,10 @@ "Operator": "Specifies how Device Farm compares the rule's attribute to the value. For the operators that are supported by each attribute, see the attribute descriptions.", "Value": "The rule's value." }, + "AWS::DeviceFarm::DevicePool Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::InstanceProfile": { "Description": "The description of the instance profile.", "ExcludeAppPackagesFromCleanup": "An array of strings containing the list of app packages that should not be cleaned up from the device after a test run completes.\n\nThe list of packages is considered only if you set `packageCleanup` to `true` .", @@ -7950,6 +8854,10 @@ "RebootAfterUse": "When set to `true` , Device Farm reboots the instance after a test run. The default value is `true` .", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *guide* ." }, + "AWS::DeviceFarm::InstanceProfile Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::NetworkProfile": { "Description": "The description of the network profile.", "DownlinkBandwidthBits": "The data throughput rate in bits per second, as an integer from 0 to 104857600.", @@ -7964,12 +8872,20 @@ "UplinkJitterMs": "Time variation in the delay of received packets in milliseconds as an integer from 0 to 2000.", "UplinkLossPercent": "Proportion of transmitted packets that fail to arrive from 0 to 100 percent." }, + "AWS::DeviceFarm::NetworkProfile Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::Project": { "DefaultJobTimeoutMinutes": "Sets the execution timeout value (in minutes) for a project. All test runs in this project use the specified execution timeout value unless overridden when scheduling a run.", "Name": "The project's name.", "Tags": "The tags to add to the resource. A tag is an array of key-value pairs. Tag keys can have a maximum character length of 128 characters. Tag values can have a maximum length of 256 characters.", "VpcConfig": "The VPC security groups and subnets that are attached to a project." }, + "AWS::DeviceFarm::Project Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::Project VpcConfig": { "SecurityGroupIds": "A list of VPC security group IDs.\n\nA security group allows inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. See [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon Virtual Private Cloud user guide* .", "SubnetIds": "A subnet is a range of IP addresses in your VPC. You can launch Amazon resources, such as EC2 instances, into a specific subnet. When you create a subnet, you specify the IPv4 CIDR block for the subnet, which is a subset of the VPC CIDR block. See [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon Virtual Private Cloud user guide* .", @@ -7981,6 +8897,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *guide* .", "VpcConfig": "The VPC security groups and subnets that are attached to a project." }, + "AWS::DeviceFarm::TestGridProject Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DeviceFarm::TestGridProject VpcConfig": { "SecurityGroupIds": "A list of VPC security group IDs.\n\nA security group allows inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. See [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon Virtual Private Cloud user guide* .", "SubnetIds": "A list of VPC subnet IDs.\n\nA subnet is a range of IP addresses in your VPC. You can launch Amazon resources, such as EC2 instances, into a specific subnet. When you create a subnet, you specify the IPv4 CIDR block for the subnet, which is a subset of the VPC CIDR block. See [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon Virtual Private Cloud user guide* .", @@ -7993,6 +8913,10 @@ "VpceConfigurationName": "The friendly name you give to your VPC endpoint configuration to manage your configurations more easily.", "VpceServiceName": "The name of the VPC endpoint service that you want to access from Device Farm.\n\nThe name follows the format `com.amazonaws.vpce.us-west-2.vpce-svc-id` ." }, + "AWS::DeviceFarm::VPCEConfiguration Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor in a tag category (key)." + }, "AWS::DirectoryService::MicrosoftAD": { "CreateAlias": "Specifies an alias for a directory and assigns the alias to the directory. The alias is used to construct the access URL for the directory, such as `http://.awsapps.com` . By default, AWS CloudFormation does not create an alias.\n\n> After an alias has been created, it cannot be deleted or reused, so this operation should only be used when absolutely necessary.", "Edition": "AWS Managed Microsoft AD is available in two editions: `Standard` and `Enterprise` . `Enterprise` is the default.", @@ -8036,15 +8960,19 @@ "Port": "Specifies the port that the database engine is listening on.", "PreferredBackupWindow": "The daily time range during which automated backups are created if automated backups are enabled using the `BackupRetentionPeriod` parameter.\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region .\n\nConstraints:\n\n- Must be in the format `hh24:mi-hh24:mi` .\n- Must be in Universal Coordinated Time (UTC).\n- Must not conflict with the preferred maintenance window.\n- Must be at least 30 minutes.", "PreferredMaintenanceWindow": "The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region , occurring on a random day of the week.\n\nValid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun\n\nConstraints: Minimum 30-minute window.", - "RestoreToTime": "", - "RestoreType": "", + "RestoreToTime": "The date and time to restore the cluster to.\n\nValid values: A time in Universal Coordinated Time (UTC) format.\n\nConstraints:\n\n- Must be before the latest restorable time for the instance.\n- Must be specified if the `UseLatestRestorableTime` parameter is not provided.\n- Cannot be specified if the `UseLatestRestorableTime` parameter is `true` .\n- Cannot be specified if the `RestoreType` parameter is `copy-on-write` .\n\nExample: `2015-03-07T23:45:00Z`", + "RestoreType": "The type of restore to be performed. You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nConstraints: You can't specify `copy-on-write` if the engine version of the source DB cluster is earlier than 1.11.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.", "SnapshotIdentifier": "The identifier for the snapshot or cluster snapshot to restore from.\n\nYou can use either the name or the Amazon Resource Name (ARN) to specify a cluster snapshot. However, you can use only the ARN to specify a snapshot.\n\nConstraints:\n\n- Must match the identifier of an existing snapshot.", - "SourceDBClusterIdentifier": "", + "SourceDBClusterIdentifier": "The identifier of the source cluster from which to restore.\n\nConstraints:\n\n- Must match the identifier of an existing `DBCluster` .", "StorageEncrypted": "Specifies whether the cluster is encrypted.", "Tags": "The tags to be assigned to the cluster.", - "UseLatestRestorableTime": "", + "UseLatestRestorableTime": "A value that is set to `true` to restore the cluster to the latest restorable backup time, and `false` otherwise.\n\nDefault: `false`\n\nConstraints: Cannot be specified if the `RestoreToTime` parameter is provided.", "VpcSecurityGroupIds": "A list of EC2 VPC security groups to associate with this cluster." }, + "AWS::DocDB::DBCluster Tag": { + "Key": "The required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "The optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DocDB::DBClusterParameterGroup": { "Description": "The description for the cluster parameter group.", "Family": "The cluster parameter group family name.", @@ -8052,22 +8980,34 @@ "Parameters": "Provides a list of parameters for the cluster parameter group.", "Tags": "The tags to be assigned to the cluster parameter group." }, + "AWS::DocDB::DBClusterParameterGroup Tag": { + "Key": "The required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "The optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DocDB::DBInstance": { "AutoMinorVersionUpgrade": "This parameter does not apply to Amazon DocumentDB. Amazon DocumentDB does not perform minor version upgrades regardless of the value set.\n\nDefault: `false`", "AvailabilityZone": "The Amazon EC2 Availability Zone that the instance is created in.\n\nDefault: A random, system-chosen Availability Zone in the endpoint's AWS Region .\n\nExample: `us-east-1d`", "DBClusterIdentifier": "The identifier of the cluster that the instance will belong to.", "DBInstanceClass": "The compute and memory capacity of the instance; for example, `db.m4.large` . If you change the class of an instance there can be some interruption in the cluster's service.", "DBInstanceIdentifier": "The instance identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n- Must contain from 1 to 63 letters, numbers, or hyphens.\n- The first character must be a letter.\n- Cannot end with a hyphen or contain two consecutive hyphens.\n\nExample: `mydbinstance`", - "EnablePerformanceInsights": "", + "EnablePerformanceInsights": "A value that indicates whether to enable Performance Insights for the DB Instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html) .", "PreferredMaintenanceWindow": "The time range each week during which system maintenance can occur, in Universal Coordinated Time (UTC).\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region , occurring on a random day of the week.\n\nValid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun\n\nConstraints: Minimum 30-minute window.", "Tags": "The tags to be assigned to the instance. You can assign up to 10 tags to an instance." }, + "AWS::DocDB::DBInstance Tag": { + "Key": "The required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "The optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DocDB::DBSubnetGroup": { "DBSubnetGroupDescription": "The description for the subnet group.", "DBSubnetGroupName": "The name for the subnet group. This value is stored as a lowercase string.\n\nConstraints: Must contain no more than 255 letters, numbers, periods, underscores, spaces, or hyphens. Must not be default.\n\nExample: `mySubnetgroup`", "SubnetIds": "The Amazon EC2 subnet IDs for the subnet group.", "Tags": "The tags to be assigned to the subnet group." }, + "AWS::DocDB::DBSubnetGroup Tag": { + "Key": "The required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "The optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with \" `aws:` \" or \" `rds:` \". The string can contain only the set of Unicode letters, digits, white space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::DocDBElastic::Cluster": { "AdminUserName": "The name of the Amazon DocumentDB elastic clusters administrator.\n\n*Constraints* :\n\n- Must be from 1 to 63 letters or numbers.\n- The first character must be a letter.\n- Cannot be a reserved word.", "AdminUserPassword": "The password for the Elastic DocumentDB cluster administrator and can contain any printable ASCII characters.\n\n*Constraints* :\n\n- Must contain from 8 to 100 characters.\n- Cannot contain a forward slash (/), double quote (\"), or the \"at\" symbol (@).\n- A valid `AdminUserName` entry is also required.", @@ -8081,6 +9021,10 @@ "Tags": "The tags to be assigned to the new elastic cluster.", "VpcSecurityGroupIds": "A list of EC2 VPC security groups to associate with the new elastic cluster." }, + "AWS::DocDBElastic::Cluster Tag": { + "Key": "", + "Value": "" + }, "AWS::DynamoDB::GlobalTable": { "AttributeDefinitions": "A list of attributes that describe the key schema for the global table and indexes.", "BillingMode": "Specifies how you are charged for read and write throughput and how you manage capacity. Valid values are:\n\n- `PAY_PER_REQUEST`\n- `PROVISIONED`\n\nAll replicas in your global table will have the same billing mode. If you use `PROVISIONED` billing mode, you must provide an auto scaling configuration via the `WriteProvisionedThroughputSettings` property. The default value of this property is `PROVISIONED` .", @@ -8163,6 +9107,10 @@ "AWS::DynamoDB::GlobalTable StreamSpecification": { "StreamViewType": "When an item in the table is modified, `StreamViewType` determines what information is written to the stream for this table. Valid values for `StreamViewType` are:\n\n- `KEYS_ONLY` - Only the key attributes of the modified item are written to the stream.\n- `NEW_IMAGE` - The entire item, as it appears after it was modified, is written to the stream.\n- `OLD_IMAGE` - The entire item, as it appeared before it was modified, is written to the stream.\n- `NEW_AND_OLD_IMAGES` - Both the new and the old item images of the item are written to the stream." }, + "AWS::DynamoDB::GlobalTable Tag": { + "Key": "The key of the tag. Tag keys are case sensitive. Each DynamoDB table can only have up to one tag with the same key. If you try to add an existing tag (same key), the existing tag value will be updated to the new value.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::DynamoDB::GlobalTable TargetTrackingScalingPolicyConfiguration": { "DisableScaleIn": "Indicates whether scale in by the target tracking scaling policy is disabled. The default value is `false` .", "ScaleInCooldown": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start.", @@ -8258,6 +9206,10 @@ "AWS::DynamoDB::Table StreamSpecification": { "StreamViewType": "When an item in the table is modified, `StreamViewType` determines what information is written to the stream for this table. Valid values for `StreamViewType` are:\n\n- `KEYS_ONLY` - Only the key attributes of the modified item are written to the stream.\n- `NEW_IMAGE` - The entire item, as it appears after it was modified, is written to the stream.\n- `OLD_IMAGE` - The entire item, as it appeared before it was modified, is written to the stream.\n- `NEW_AND_OLD_IMAGES` - Both the new and the old item images of the item are written to the stream." }, + "AWS::DynamoDB::Table Tag": { + "Key": "The key of the tag. Tag keys are case sensitive. Each DynamoDB table can only have up to one tag with the same key. If you try to add an existing tag (same key), the existing tag value will be updated to the new value.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::DynamoDB::Table TimeToLiveSpecification": { "AttributeName": "The name of the TTL attribute used to store the expiration time for items in the table.\n\n> - The `AttributeName` property is required when enabling the TTL, or when TTL is already enabled.\n> - To update this property, you must first disable TTL and then enable TTL with the new attribute name.", "Enabled": "Indicates whether TTL is to be enabled (true) or disabled (false) on the table." @@ -8277,6 +9229,10 @@ "TagSpecifications": "The tags to apply to the Capacity Reservation during launch.", "Tenancy": "Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the following tenancy settings:\n\n- `default` - The Capacity Reservation is created on hardware that is shared with other AWS accounts .\n- `dedicated` - The Capacity Reservation is created on single-tenant hardware that is dedicated to a single AWS account ." }, + "AWS::EC2::CapacityReservation Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with `aws:` .", + "Value": "The value of the tag.\n\nConstraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters." + }, "AWS::EC2::CapacityReservation TagSpecification": { "ResourceType": "The type of resource to tag. Specify `capacity-reservation` .", "Tags": "The tags to apply to the resource." @@ -8301,6 +9257,10 @@ "Priority": "The priority to assign to the instance type. This value is used to determine which of the instance types specified for the Fleet should be prioritized for use. A lower value indicates a high priority. For more information, see [Instance type priority](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/crfleet-concepts.html#instance-priority) in the Amazon EC2 User Guide.", "Weight": "The number of capacity units provided by the specified instance type. This value, together with the total target capacity that you specify for the Fleet determine the number of instances for which the Fleet reserves capacity. Both values are based on units that make sense for your workload. For more information, see [Total target capacity](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/crfleet-concepts.html#target-capacity) in the Amazon EC2 User Guide.\n\nValid Range: Minimum value of `0.001` . Maximum value of `99.999` ." }, + "AWS::EC2::CapacityReservationFleet Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::CapacityReservationFleet TagSpecification": { "ResourceType": "The type of resource to tag on creation. Specify `capacity-reservation-fleet` .\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "Tags": "The tags to apply to the resource." @@ -8309,6 +9269,10 @@ "Tags": "The tags assigned to the carrier gateway.", "VpcId": "The ID of the VPC associated with the carrier gateway." }, + "AWS::EC2::CarrierGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::ClientVpnAuthorizationRule": { "AccessGroupId": "The ID of the group to grant access to, for example, the Active Directory group or identity provider (IdP) group. Required if `AuthorizeAllGroups` is `false` or not specified.", "AuthorizeAllGroups": "Indicates whether to grant access to all clients. Specify `true` to grant all clients who successfully establish a VPN connection access to the network. Must be set to `true` if `AccessGroupId` is not specified.", @@ -8363,6 +9327,10 @@ "SAMLProviderArn": "The Amazon Resource Name (ARN) of the IAM SAML identity provider.", "SelfServiceSAMLProviderArn": "The Amazon Resource Name (ARN) of the IAM SAML identity provider for the self-service portal." }, + "AWS::EC2::ClientVpnEndpoint Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::ClientVpnEndpoint TagSpecification": { "ResourceType": "The type of resource to tag.", "Tags": "The tags to apply to the resource." @@ -8384,6 +9352,10 @@ "Tags": "One or more tags for the customer gateway.", "Type": "The type of VPN connection that this customer gateway supports ( `ipsec.1` )." }, + "AWS::EC2::CustomerGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::DHCPOptions": { "DomainName": "This value is used to complete unqualified DNS hostnames. If you're using AmazonProvidedDNS in `us-east-1` , specify `ec2.internal` . If you're using AmazonProvidedDNS in another Region, specify *region* . `compute.internal` (for example, `ap-northeast-1.compute.internal` ). Otherwise, specify a domain name (for example, *MyCompany.com* ).", "DomainNameServers": "The IPv4 addresses of up to four domain name servers, or `AmazonProvidedDNS` . The default is `AmazonProvidedDNS` . To have your instance receive a custom DNS hostname as specified in `DomainName` , you must set this property to a custom DNS server.", @@ -8392,6 +9364,10 @@ "NtpServers": "The IPv4 addresses of up to four Network Time Protocol (NTP) servers.", "Tags": "Any tags assigned to the DHCP options set." }, + "AWS::EC2::DHCPOptions Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::EC2Fleet": { "Context": "Reserved.", "ExcessCapacityTerminationPolicy": "Indicates whether running instances should be terminated if the total target capacity of the EC2 Fleet is decreased below the current size of the EC2 Fleet.\n\nSupported only for fleets of type `maintain` .", @@ -8399,7 +9375,7 @@ "OnDemandOptions": "Describes the configuration of On-Demand Instances in an EC2 Fleet.", "ReplaceUnhealthyInstances": "Indicates whether EC2 Fleet should replace unhealthy Spot Instances. Supported only for fleets of type `maintain` . For more information, see [EC2 Fleet health checks](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-ec2-fleet.html#ec2-fleet-health-checks) in the *Amazon EC2 User Guide* .", "SpotOptions": "Describes the configuration of Spot Instances in an EC2 Fleet.", - "TagSpecifications": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tagging your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", + "TagSpecifications": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", "TargetCapacitySpecification": "The number of units to request.", "TerminateInstancesWithExpiration": "Indicates whether running instances should be terminated when the EC2 Fleet expires.", "Type": "The fleet type. The default value is `maintain` .\n\n- `maintain` - The EC2 Fleet places an asynchronous request for your desired capacity, and continues to maintain your desired Spot capacity by replenishing interrupted Spot Instances.\n- `request` - The EC2 Fleet places an asynchronous one-time request for your desired capacity, but does submit Spot requests in alternative capacity pools if Spot capacity is unavailable, and does not maintain Spot capacity if Spot Instances are interrupted.\n- `instant` - The EC2 Fleet places a synchronous one-time request for your desired capacity, and returns errors for any instances that could not be launched.\n\nFor more information, see [EC2 Fleet request types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-request-type.html) in the *Amazon EC2 User Guide* .", @@ -8491,7 +9467,7 @@ "AWS::EC2::EC2Fleet OnDemandOptionsRequest": { "AllocationStrategy": "The strategy that determines the order of the launch template overrides to use in fulfilling On-Demand capacity.\n\n`lowest-price` - EC2 Fleet uses price to determine the order, launching the lowest price first.\n\n`prioritized` - EC2 Fleet uses the priority that you assigned to each launch template override, launching the highest priority first.\n\nDefault: `lowest-price`", "CapacityReservationOptions": "The strategy for using unused Capacity Reservations for fulfilling On-Demand capacity.\n\nSupported only for fleets of type `instant` .", - "MaxTotalPrice": "The maximum amount per hour for On-Demand Instances that you're willing to pay.", + "MaxTotalPrice": "The maximum amount per hour for On-Demand Instances that you're willing to pay.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "MinTargetCapacity": "The minimum target capacity for On-Demand Instances in the fleet. If the minimum target capacity is not reached, the fleet launches no instances.\n\nSupported only for fleets of type `instant` .\n\nAt least one of the following must be specified: `SingleAvailabilityZone` | `SingleInstanceType`", "SingleAvailabilityZone": "Indicates that the fleet launches all On-Demand Instances into a single Availability Zone.\n\nSupported only for fleets of type `instant` .", "SingleInstanceType": "Indicates that the fleet uses a single instance type to launch all On-Demand Instances in the fleet.\n\nSupported only for fleets of type `instant` ." @@ -8511,13 +9487,17 @@ "InstanceInterruptionBehavior": "The behavior when a Spot Instance is interrupted.\n\nDefault: `terminate`", "InstancePoolsToUseCount": "The number of Spot pools across which to allocate your target Spot capacity. Supported only when Spot `AllocationStrategy` is set to `lowest-price` . EC2 Fleet selects the cheapest Spot pools and evenly allocates your target Spot capacity across the number of Spot pools that you specify.\n\nNote that EC2 Fleet attempts to draw Spot Instances from the number of pools that you specify on a best effort basis. If a pool runs out of Spot capacity before fulfilling your target capacity, EC2 Fleet will continue to fulfill your request by drawing from the next cheapest pool. To ensure that your target capacity is met, you might receive Spot Instances from more than the number of pools that you specified. Similarly, if most of the pools have no Spot capacity, you might receive your full target capacity from fewer than the number of pools that you specified.", "MaintenanceStrategies": "The strategies for managing your Spot Instances that are at an elevated risk of being interrupted.", - "MaxTotalPrice": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter.", + "MaxTotalPrice": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter. > If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "MinTargetCapacity": "The minimum target capacity for Spot Instances in the fleet. If the minimum target capacity is not reached, the fleet launches no instances.\n\nSupported only for fleets of type `instant` .\n\nAt least one of the following must be specified: `SingleAvailabilityZone` | `SingleInstanceType`", "SingleAvailabilityZone": "Indicates that the fleet launches all Spot Instances into a single Availability Zone.\n\nSupported only for fleets of type `instant` .", "SingleInstanceType": "Indicates that the fleet uses a single instance type to launch all Spot Instances in the fleet.\n\nSupported only for fleets of type `instant` ." }, + "AWS::EC2::EC2Fleet Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::EC2Fleet TagSpecification": { - "ResourceType": "The type of resource to tag. `ResourceType` must be `fleet` .", + "ResourceType": "The type of resource to tag.", "Tags": "The tags to apply to the resource." }, "AWS::EC2::EC2Fleet TargetCapacitySpecificationRequest": { @@ -8538,14 +9518,17 @@ "AWS::EC2::EIP": { "Domain": "The network ( `vpc` ).\n\nIf you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the [DependsOn Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) on this resource.", "InstanceId": "The ID of the instance.\n\n> Updates to the `InstanceId` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.", - "NetworkBorderGroup": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.\n\nYou cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an `InvalidParameterCombination` error.", + "NetworkBorderGroup": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.", "PublicIpv4Pool": "The ID of an address pool that you own. Use this parameter to let Amazon EC2 select an address from the address pool.\n\n> Updates to the `PublicIpv4Pool` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.", "Tags": "Any tags assigned to the Elastic IP address.\n\n> Updates to the `Tags` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.", "TransferAddress": "The Elastic IP address you are accepting for transfer. You can only accept one transferred address. For more information on Elastic IP address transfers, see [Transfer Elastic IP addresses](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html#transfer-EIPs-intro) in the *Amazon Virtual Private Cloud User Guide* ." }, + "AWS::EC2::EIP Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::EIPAssociation": { "AllocationId": "The allocation ID. This is required.", - "EIP": "Deprecated.", "InstanceId": "The ID of the instance. The instance must have exactly one attached network interface. You can specify either the instance ID or the network interface ID, but not both.", "NetworkInterfaceId": "The ID of the network interface. If the instance has more than one network interface, you must specify a network interface ID.\n\nYou can specify either the instance ID or the network interface ID, but not both.", "PrivateIpAddress": "The primary or secondary private IP address to associate with the Elastic IP address. If no private IP address is specified, the Elastic IP address is associated with the primary private IP address." @@ -8558,6 +9541,7 @@ "RoleArn": "The ARN of the IAM role to associate with the ACM certificate. You can associate up to 16 IAM roles with an ACM certificate." }, "AWS::EC2::FlowLog": { + "DeliverCrossAccountRole": "The ARN of the IAM role that allows the service to publish flow logs across accounts.", "DeliverLogsPermissionArn": "The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.\n\nThis parameter is required if the destination type is `cloud-watch-logs` and unsupported otherwise.", "DestinationOptions": "The destination options. The following options are supported:\n\n- `FileFormat` - The format for the flow log ( `plain-text` | `parquet` ). The default is `plain-text` .\n- `HiveCompatiblePartitions` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( `true` | `false` ). The default is `false` .\n- `PerHourPartition` - Indicates whether to partition the flow log per hour ( `true` | `false` ). The default is `false` .", "LogDestination": "The destination for the flow log data. The meaning of this parameter depends on the destination type.\n\n- If the destination type is `cloud-watch-logs` , specify the ARN of a CloudWatch Logs log group. For example:\n\narn:aws:logs: *region* : *account_id* :log-group: *my_group*\n\nAlternatively, use the `LogGroupName` parameter.\n- If the destination type is `s3` , specify the ARN of an S3 bucket. For example:\n\narn:aws:s3::: *my_bucket* / *my_subfolder* /\n\nThe subfolder is optional. Note that you can't use `AWSLogs` as a subfolder name.\n- If the destination type is `kinesis-data-firehose` , specify the ARN of a Kinesis Data Firehose delivery stream. For example:\n\narn:aws:firehose: *region* : *account_id* :deliverystream: *my_stream*", @@ -8575,11 +9559,16 @@ "HiveCompatiblePartitions": "Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. The default is `false` .", "PerHourPartition": "Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. The default is `false` ." }, + "AWS::EC2::FlowLog Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::GatewayRouteTableAssociation": { "GatewayId": "The ID of the gateway.", "RouteTableId": "The ID of the route table." }, "AWS::EC2::Host": { + "AssetId": "The ID of the Outpost hardware asset on which the Dedicated Host is allocated.", "AutoPlacement": "Indicates whether the host accepts any untargeted instance launches that match its instance type configuration, or if it only accepts Host tenancy instance launches that specify its unique host ID. For more information, see [Understanding auto-placement and affinity](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/how-dedicated-hosts-work.html#dedicated-hosts-understanding) in the *Amazon EC2 User Guide* .\n\nDefault: `on`", "AvailabilityZone": "The Availability Zone in which to allocate the Dedicated Host.", "HostMaintenance": "Indicates whether host maintenance is enabled or disabled for the Dedicated Host.", @@ -8589,15 +9578,18 @@ "OutpostArn": "The Amazon Resource Name (ARN) of the AWS Outpost on which the Dedicated Host is allocated." }, "AWS::EC2::IPAM": { - "DefaultResourceDiscoveryAssociationId": "The IPAM's default resource discovery association ID.", - "DefaultResourceDiscoveryId": "The IPAM's default resource discovery ID.", "Description": "The description for the IPAM.", "OperatingRegions": "The operating Regions for an IPAM. Operating Regions are AWS Regions where the IPAM is allowed to manage IP address CIDRs. IPAM only discovers and monitors resources in the AWS Regions you select as operating Regions.\n\nFor more information about operating Regions, see [Create an IPAM](https://docs.aws.amazon.com//vpc/latest/ipam/create-ipam.html) in the *Amazon VPC IPAM User Guide* .", - "Tags": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value." + "Tags": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value.", + "Tier": "" }, "AWS::EC2::IPAM IpamOperatingRegion": { "RegionName": "The name of the operating Region." }, + "AWS::EC2::IPAM Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::IPAMAllocation": { "Cidr": "The CIDR you would like to allocate from the IPAM pool. Note the following:\n\n- If there is no DefaultNetmaskLength allocation rule set on the pool, you must specify either the NetmaskLength or the CIDR.\n- If the DefaultNetmaskLength allocation rule is set on the pool, you can specify either the NetmaskLength or the CIDR and the DefaultNetmaskLength allocation rule will be ignored.\n\nPossible values: Any available IPv4 or IPv6 CIDR.", "Description": "A description for the allocation.", @@ -8624,6 +9616,10 @@ "AWS::EC2::IPAMPool ProvisionedCidr": { "Cidr": "The CIDR provisioned to the IPAM pool. A CIDR is a representation of an IP address and its associated network mask (or netmask) and refers to a range of IP addresses. An IPv4 CIDR example is `10.24.34.0/23` . An IPv6 CIDR example is `2001:DB8::/32` ." }, + "AWS::EC2::IPAMPool Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::IPAMPoolCidr": { "Cidr": "The CIDR provisioned to the IPAM pool. A CIDR is a representation of an IP address and its associated network mask (or netmask) and refers to a range of IP addresses. An IPv4 CIDR example is `10.24.34.0/23` . An IPv6 CIDR example is `2001:DB8::/32` .", "IpamPoolId": "The ID of the IPAM pool.", @@ -8637,16 +9633,28 @@ "AWS::EC2::IPAMResourceDiscovery IpamOperatingRegion": { "RegionName": "The name of the operating Region." }, + "AWS::EC2::IPAMResourceDiscovery Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::IPAMResourceDiscoveryAssociation": { "IpamId": "The IPAM ID.", "IpamResourceDiscoveryId": "The resource discovery ID.", "Tags": "A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value. You can use tags to search and filter your resources or track your AWS costs." }, + "AWS::EC2::IPAMResourceDiscoveryAssociation Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::IPAMScope": { "Description": "The description of the scope.", "IpamId": "The ID of the IPAM for which you're creating this scope.", "Tags": "The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key `Owner` and the value `TeamA` , specify `tag:Owner` for the filter name and `TeamA` for the filter value." }, + "AWS::EC2::IPAMScope Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::Instance": { "AdditionalInfo": "This property is reserved for internal use. If you use it, the stack fails with this error: `Bad property set: [Testing this property] (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterCombination; Request ID: 0XXXXXX-49c7-4b40-8bcc-76885dcXXXXX)` .", "Affinity": "Indicates whether the instance is associated with a dedicated host. If you want the instance to always restart on the same host on which it was launched, specify `host` . If you want the instance to restart on any available host, but try to launch onto the last host it ran on (on a best-effort basis), specify `default` .", @@ -8704,7 +9712,7 @@ "ThreadsPerCore": "The number of threads per CPU core." }, "AWS::EC2::Instance CreditSpecification": { - "CPUCredits": "The credit option for CPU usage of the instance.\n\nValid values: `standard` | `unlimited`\n\nT3 instances with `host` tenancy do not support the `unlimited` CPU credit option." + "CPUCredits": "The credit option for CPU usage of a T instance.\n\nValid values: `standard` | `unlimited`" }, "AWS::EC2::Instance Ebs": { "DeleteOnTermination": "Indicates whether the EBS volume is deleted on instance termination. For more information, see [Preserving Amazon EBS volumes on instance termination](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#preserving-volumes-on-termination) in the *Amazon EC2 User Guide* .", @@ -8726,7 +9734,7 @@ "Enabled": "If this parameter is set to `true` , the instance is enabled for AWS Nitro Enclaves; otherwise, it is not enabled for AWS Nitro Enclaves." }, "AWS::EC2::Instance HibernationOptions": { - "Configured": "Set to `true` to enable your instance for hibernation.\n\nDefault: `false`" + "Configured": "Set to `true` to enable your instance for hibernation.\n\nFor Spot Instances, if you set `Configured` to `true` , either omit the `InstanceInterruptionBehavior` parameter (for [`SpotMarketOptions`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html) ), or set it to `hibernate` . When `Configured` is true:\n\n- If you omit `InstanceInterruptionBehavior` , it defaults to `hibernate` .\n- If you set `InstanceInterruptionBehavior` to a value other than `hibernate` , you'll get an error.\n\nDefault: `false`" }, "AWS::EC2::Instance InstanceIpv6Address": { "Ipv6Address": "The IPv6 address." @@ -8754,7 +9762,6 @@ "SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses. You can't specify this option and specify more than one private IP address using the private IP addresses option.", "SubnetId": "The ID of the subnet associated with the network interface. Applies only if creating a network interface when launching an instance." }, - "AWS::EC2::Instance NoDevice": {}, "AWS::EC2::Instance PrivateDnsNameOptions": { "EnableResourceNameDnsAAAARecord": "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. For more information, see [Amazon EC2 instance hostname types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html) in the *Amazon Elastic Compute Cloud User Guide* .", "EnableResourceNameDnsARecord": "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. For more information, see [Amazon EC2 instance hostname types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html) in the *Amazon Elastic Compute Cloud User Guide* .", @@ -8768,13 +9775,32 @@ "AssociationParameters": "The input parameter values to use with the associated SSM document.", "DocumentName": "The name of an SSM document to associate with the instance." }, + "AWS::EC2::Instance Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::Instance Volume": { "Device": "The device name (for example, `/dev/sdh` or `xvdh` ).", "VolumeId": "The ID of the EBS volume. The volume and instance must be within the same Availability Zone." }, + "AWS::EC2::InstanceConnectEndpoint": { + "ClientToken": "Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.", + "PreserveClientIp": "Indicates whether your client's IP address is preserved as the source. The value is `true` or `false` .\n\n- If `true` , your client's IP address is used when you connect to a resource.\n- If `false` , the elastic network interface IP address is used when you connect to a resource.\n\nDefault: `true`", + "SecurityGroupIds": "One or more security groups to associate with the endpoint. If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.", + "SubnetId": "The ID of the subnet in which to create the EC2 Instance Connect Endpoint.", + "Tags": "The tags to apply to the EC2 Instance Connect Endpoint during creation." + }, + "AWS::EC2::InstanceConnectEndpoint Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::InternetGateway": { "Tags": "Any tags to assign to the internet gateway." }, + "AWS::EC2::InternetGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::KeyPair": { "KeyFormat": "The format of the key pair.\n\nDefault: `pem`", "KeyName": "A unique name for the key pair.\n\nConstraints: Up to 255 ASCII characters", @@ -8782,10 +9808,14 @@ "PublicKeyMaterial": "The public key material. The `PublicKeyMaterial` property is used to import a key pair. If this property is not specified, then a new key pair will be created.", "Tags": "The tags to apply to the key pair." }, + "AWS::EC2::KeyPair Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::LaunchTemplate": { "LaunchTemplateData": "The information for the launch template.", "LaunchTemplateName": "A name for the launch template.", - "TagSpecifications": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\n> To specify the tags for the resources that are created when an instance is launched, you must use the `TagSpecifications` parameter in the [launch template data](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestLaunchTemplateData.html) structure.", + "TagSpecifications": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\nTo specify the tags for the resources that are created when an instance is launched, you must use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "VersionDescription": "A description for the first version of the launch template." }, "AWS::EC2::LaunchTemplate AcceleratorCount": { @@ -8892,7 +9922,7 @@ "DisableApiTermination": "If you set this parameter to `true` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use [ModifyInstanceAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html) . Alternatively, if you set `InstanceInitiatedShutdownBehavior` to `terminate` , you can terminate the instance by running the shutdown command from the instance.", "EbsOptimized": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.", "ElasticGpuSpecifications": "An elastic GPU to associate with the instance.", - "ElasticInferenceAccelerators": "The elastic inference accelerator for the instance.", + "ElasticInferenceAccelerators": "An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.\n\nYou cannot specify accelerators from different generations in the same request.\n\n> Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.", "EnclaveOptions": "Indicates whether the instance is enabled for AWS Nitro Enclaves. For more information, see [What is AWS Nitro Enclaves?](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) in the *AWS Nitro Enclaves User Guide* .\n\nYou can't enable AWS Nitro Enclaves and hibernation on the same instance.", "HibernationOptions": "Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the [hibernation prerequisites](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html) . For more information, see [Hibernate your instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) in the *Amazon Elastic Compute Cloud User Guide* .", "IamInstanceProfile": "The name or Amazon Resource Name (ARN) of an IAM instance profile.", @@ -8913,7 +9943,7 @@ "RamDiskId": "The ID of the RAM disk.\n\n> We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see [User provided kernels](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html) in the *Amazon Elastic Compute Cloud User Guide* .", "SecurityGroupIds": "The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template.", "SecurityGroups": "One or more security group names. For a nondefault VPC, you must use security group IDs instead. You cannot specify both a security group ID and security name in the same request.", - "TagSpecifications": "The tags to apply to the resources that are created during instance launch.\n\nYou can specify tags for the following resources only:\n\n- Instances\n- Volumes\n- Elastic graphics\n- Spot Instance requests\n- Network interfaces\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\n> To tag the launch template itself, you must use the [TagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) parameter.", + "TagSpecifications": "The tags to apply to the resources that are created during instance launch.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\nTo tag the launch template itself, use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "UserData": "The user data to make available to the instance. You must provide base64-encoded text. User data is limited to 16 KB. For more information, see [Run commands on your Linux instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) (Linux) or [Work with instance user data](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/instancedata-add-user-data.html) (Windows) in the *Amazon Elastic Compute Cloud User Guide* .\n\nIf you are creating the launch template for use with AWS Batch , the user data must be provided in the [MIME multi-part archive format](https://docs.aws.amazon.com/https://cloudinit.readthedocs.io/en/latest/topics/format.html#mime-multi-part-archive) . For more information, see [Amazon EC2 user data in launch templates](https://docs.aws.amazon.com/batch/latest/userguide/launch-templates.html) in the *AWS Batch User Guide* ." }, "AWS::EC2::LaunchTemplate LaunchTemplateElasticInferenceAccelerator": { @@ -8953,7 +9983,7 @@ "Min": "The minimum amount of network bandwidth, in Gbps. If this parameter is not specified, there is no minimum limit." }, "AWS::EC2::LaunchTemplate NetworkInterface": { - "AssociateCarrierIpAddress": "Indicates whether to associate a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", + "AssociateCarrierIpAddress": "Associates a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", "AssociatePublicIpAddress": "Associates a public IPv4 address with eth0 for a new network interface.", "DeleteOnTermination": "Indicates whether the network interface is deleted when the instance is terminated.", "Description": "A description for the network interface.", @@ -8968,6 +9998,7 @@ "Ipv6Prefixes": "One or more IPv6 prefixes to be assigned to the network interface. You cannot use this option if you use the `Ipv6PrefixCount` option.", "NetworkCardIndex": "The index of the network card. Some instance types support multiple network cards. The primary network interface must be assigned to network card index 0. The default is network card index 0.", "NetworkInterfaceId": "The ID of the network interface.", + "PrimaryIpv6": "The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) .", "PrivateIpAddress": "The primary private IPv4 address of the network interface.", "PrivateIpAddresses": "One or more private IPv4 addresses.", "SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses to assign to a network interface.", @@ -9004,8 +10035,12 @@ "SpotInstanceType": "The Spot Instance request type.\n\nIf you are using Spot Instances with an Auto Scaling group, use `one-time` requests, as the Amazon EC2 Auto Scaling service handles requesting new Spot Instances whenever the group is below its desired capacity.", "ValidUntil": "The end date of the request, in UTC format ( *YYYY-MM-DD* T *HH:MM:SS* Z). Supported only for persistent requests.\n\n- For a persistent request, the request remains active until the `ValidUntil` date and time is reached. Otherwise, the request remains active until you cancel it.\n- For a one-time request, `ValidUntil` is not supported. The request remains active until all instances launch or you cancel the request.\n\nDefault: 7 days from the current date" }, + "AWS::EC2::LaunchTemplate Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::LaunchTemplate TagSpecification": { - "ResourceType": "The type of resource to tag.\n\nThe `Valid Values` are all the resource types that can be tagged. However, when creating a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request`\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "ResourceType": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "Tags": "The tags to apply to the resource." }, "AWS::EC2::LaunchTemplate TotalLocalStorageGB": { @@ -9027,31 +10062,51 @@ "Mode": "The mode of the local gateway route table.", "Tags": "The tags assigned to the local gateway route table." }, + "AWS::EC2::LocalGatewayRouteTable Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::LocalGatewayRouteTableVPCAssociation": { "LocalGatewayRouteTableId": "The ID of the local gateway route table.", "Tags": "The tags assigned to the association.", "VpcId": "The ID of the VPC." }, + "AWS::EC2::LocalGatewayRouteTableVPCAssociation Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::LocalGatewayRouteTableVirtualInterfaceGroupAssociation": { "LocalGatewayRouteTableId": "The ID of the local gateway route table.", "LocalGatewayVirtualInterfaceGroupId": "The ID of the virtual interface group.", "Tags": "The tags assigned to the association." }, + "AWS::EC2::LocalGatewayRouteTableVirtualInterfaceGroupAssociation Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NatGateway": { "AllocationId": "[Public NAT gateway only] The allocation ID of the Elastic IP address that's associated with the NAT gateway. This property is required for a public NAT gateway and cannot be specified with a private NAT gateway.", "ConnectivityType": "Indicates whether the NAT gateway supports public or private connectivity. The default is public connectivity.", "MaxDrainDurationSeconds": "The maximum amount of time to wait (in seconds) before forcibly releasing the IP addresses if connections are still in progress. Default value is 350 seconds.", "PrivateIpAddress": "The private IPv4 address to assign to the NAT gateway. If you don't provide an address, a private IPv4 address will be automatically assigned.", "SecondaryAllocationIds": "Secondary EIP allocation IDs. For more information, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon VPC User Guide* .", - "SecondaryPrivateIpAddressCount": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", - "SecondaryPrivateIpAddresses": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "SecondaryPrivateIpAddressCount": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "SecondaryPrivateIpAddresses": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "SubnetId": "The ID of the subnet in which the NAT gateway is located.", "Tags": "The tags for the NAT gateway." }, + "AWS::EC2::NatGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkAcl": { "Tags": "The tags for the network ACL.", "VpcId": "The ID of the VPC for the network ACL." }, + "AWS::EC2::NetworkAcl Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkAclEntry": { "CidrBlock": "The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). Requirement is conditional: You must specify the `CidrBlock` or `Ipv6CidrBlock` property.", "Egress": "Whether this rule applies to egress traffic from the subnet ( `true` ) or ingress traffic to the subnet ( `false` ). By default, AWS CloudFormation specifies `false` .", @@ -9098,6 +10153,10 @@ "ResourceTypes": "The resource types.", "Resources": "The resources." }, + "AWS::EC2::NetworkInsightsAccessScope Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInsightsAccessScope ThroughResourcesStatementRequest": { "ResourceStatement": "The resource statement." }, @@ -9105,6 +10164,10 @@ "NetworkInsightsAccessScopeId": "The ID of the Network Access Scope.", "Tags": "The tags." }, + "AWS::EC2::NetworkInsightsAccessScopeAnalysis Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInsightsAnalysis": { "AdditionalAccounts": "The member accounts that contain resources that the path can traverse.", "FilterInArns": "The Amazon Resource Names (ARN) of the resources that the path must traverse.", @@ -9247,6 +10310,10 @@ "From": "The first port in the range.", "To": "The last port in the range." }, + "AWS::EC2::NetworkInsightsAnalysis Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInsightsAnalysis TransitGatewayRouteTableRoute": { "AttachmentId": "The ID of the route attachment.", "DestinationCidr": "The CIDR block used for destination matches.", @@ -9277,15 +10344,23 @@ "SourceAddress": "The source IPv4 address.", "SourcePortRange": "The source port range." }, + "AWS::EC2::NetworkInsightsPath Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInterface": { "Description": "A description for the network interface.", "GroupSet": "The security group IDs associated with this network interface.", "InterfaceType": "The type of network interface. The default is `interface` . The supported values are `efa` and `trunk` .", - "Ipv6AddressCount": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.", - "Ipv6Addresses": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.", + "Ipv4PrefixCount": "The number of IPv4 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "Ipv4Prefixes": "The IPv4 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "Ipv6AddressCount": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.\n\nWhen creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", + "Ipv6Addresses": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.\n\nWhen creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", + "Ipv6PrefixCount": "The number of IPv6 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "Ipv6Prefixes": "The IPv6 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", "PrivateIpAddress": "Assigns a single private IP address to the network interface, which is used as the primary private IP address. If you want to specify multiple private IP address, use the `PrivateIpAddresses` property.", - "PrivateIpAddresses": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.", - "SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nYou can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", + "PrivateIpAddresses": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.\n\nWhen creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", + "SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nWhen creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "SourceDestCheck": "Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is `true` , source/destination checks are enabled; otherwise, they are disabled. The default value is `true` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.", "SubnetId": "The ID of the subnet to associate with the network interface.", "Tags": "An arbitrary set of tags (key-value pairs) for this network interface." @@ -9293,10 +10368,20 @@ "AWS::EC2::NetworkInterface InstanceIpv6Address": { "Ipv6Address": "An IPv6 address to associate with the network interface." }, + "AWS::EC2::NetworkInterface Ipv4PrefixSpecification": { + "Ipv4Prefix": "The IPv4 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* ." + }, + "AWS::EC2::NetworkInterface Ipv6PrefixSpecification": { + "Ipv6Prefix": "The IPv6 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* ." + }, "AWS::EC2::NetworkInterface PrivateIpAddressSpecification": { "Primary": "Sets the private IP address as the primary private address. You can set only one primary private IP address. If you don't specify a primary private IP address, Amazon EC2 automatically assigns a primary private IP address.", "PrivateIpAddress": "The private IP address of the network interface." }, + "AWS::EC2::NetworkInterface Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::NetworkInterfaceAttachment": { "DeleteOnTermination": "Whether to delete the network interface when the instance terminates. By default, this value is set to `true` .", "DeviceIndex": "The network interface's position in the attachment order. For example, the first attached network interface has a `DeviceIndex` of 0.", @@ -9320,6 +10405,10 @@ "Strategy": "The placement strategy.", "Tags": "The tags to apply to the new placement group." }, + "AWS::EC2::PlacementGroup Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::PrefixList": { "AddressFamily": "The IP address type.\n\nValid Values: `IPv4` | `IPv6`", "Entries": "One or more entries for the prefix list.", @@ -9331,10 +10420,15 @@ "Cidr": "The CIDR block.", "Description": "A description for the entry.\n\nConstraints: Up to 255 characters in length." }, + "AWS::EC2::PrefixList Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::Route": { "CarrierGatewayId": "The ID of the carrier gateway.\n\nYou can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone.", "DestinationCidrBlock": "The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify `100.68.0.18/18` , we modify it to `100.68.0.0/18` .", "DestinationIpv6CidrBlock": "The IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match.", + "DestinationPrefixListId": "The ID of a prefix list used for the destination match.", "EgressOnlyInternetGatewayId": "[IPv6 traffic only] The ID of an egress-only internet gateway.", "GatewayId": "The ID of an internet gateway or virtual private gateway attached to your VPC.", "InstanceId": "The ID of a NAT instance in your VPC. The operation fails if you specify an instance ID unless exactly one network interface is attached.", @@ -9350,6 +10444,10 @@ "Tags": "Any tags assigned to the route table.", "VpcId": "The ID of the VPC." }, + "AWS::EC2::RouteTable Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::SecurityGroup": { "GroupDescription": "A description for the security group.\n\nConstraints: Up to 255 characters in length\n\nValid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*", "GroupName": "The name of the security group.\n\nConstraints: Up to 255 characters in length. Cannot start with `sg-` .\n\nValid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*", @@ -9380,6 +10478,10 @@ "SourceSecurityGroupOwnerId": "[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this property with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access.\n\nIf you specify `SourceSecurityGroupName` or `SourceSecurityGroupId` and that security group is owned by a different account than the account creating the stack, you must specify the `SourceSecurityGroupOwnerId` ; otherwise, this property is optional.", "ToPort": "If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes." }, + "AWS::EC2::SecurityGroup Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::SecurityGroupEgress": { "CidrIp": "The IPv4 address range, in CIDR format.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).\n\nFor examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .", "CidrIpv6": "The IPv6 address range, in CIDR format.\n\nYou must specify a destination security group ( `DestinationPrefixListId` or `DestinationSecurityGroupId` ) or a CIDR range ( `CidrIp` or `CidrIpv6` ).\n\nFor examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .", @@ -9567,13 +10669,13 @@ "LaunchTemplateConfigs": "The launch template and overrides. If you specify `LaunchTemplateConfigs` , you can't specify `LaunchSpecifications` .", "LoadBalancersConfig": "One or more Classic Load Balancers and target groups to attach to the Spot Fleet request. Spot Fleet registers the running Spot Instances with the specified Classic Load Balancers and target groups.\n\nWith Network Load Balancers, Spot Fleet cannot register instances that have the following instance types: C1, CC1, CC2, CG1, CG2, CR1, CS1, G1, G2, HI1, HS1, M1, M2, M3, and T1.", "OnDemandAllocationStrategy": "The order of the launch template overrides to use in fulfilling On-Demand capacity. If you specify `lowestPrice` , Spot Fleet uses price to determine the order, launching the lowest price first. If you specify `prioritized` , Spot Fleet uses the priority that you assign to each Spot Fleet launch template override, launching the highest priority first. If you do not specify a value, Spot Fleet defaults to `lowestPrice` .", - "OnDemandMaxTotalPrice": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "OnDemandMaxTotalPrice": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `onDemandMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `onDemandMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "OnDemandTargetCapacity": "The number of On-Demand units to request. You can choose to set the target capacity in terms of instances or a performance characteristic that is important to your application workload, such as vCPUs, memory, or I/O. If the request type is `maintain` , you can specify a target capacity of 0 and add capacity later.", "ReplaceUnhealthyInstances": "Indicates whether Spot Fleet should replace unhealthy instances.", "SpotMaintenanceStrategies": "The strategies for managing your Spot Instances that are at an elevated risk of being interrupted.", - "SpotMaxTotalPrice": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotdMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "SpotMaxTotalPrice": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `spotMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `spotMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "SpotPrice": "The maximum price per unit hour that you are willing to pay for a Spot Instance. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your instances will be interrupted more frequently than if you do not specify this parameter.", - "TagSpecifications": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tagging Your Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", + "TagSpecifications": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", "TargetCapacity": "The number of units to request for the Spot Fleet. You can choose to set the target capacity in terms of instances or a performance characteristic that is important to your application workload, such as vCPUs, memory, or I/O. If the request type is `maintain` , you can specify a target capacity of 0 and add capacity later.", "TargetCapacityUnitType": "The unit for the target capacity. `TargetCapacityUnitType` can only be specified when `InstanceRequirements` is specified.\n\nDefault: `units` (translates to number of instances)", "TerminateInstancesWithExpiration": "Indicates whether running Spot Instances are terminated when the Spot Fleet request expires.", @@ -9593,6 +10695,10 @@ "GroupName": "The name of the placement group.", "Tenancy": "The tenancy of the instance (if the instance is running in a VPC). An instance with a tenancy of `dedicated` runs on single-tenant hardware. The `host` tenancy is not supported for Spot Instances." }, + "AWS::EC2::SpotFleet Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::SpotFleet TargetGroup": { "Arn": "The Amazon Resource Name (ARN) of the target group." }, @@ -9626,6 +10732,10 @@ "EnableResourceNameDnsARecord": "Indicates whether to respond to DNS queries for instance hostnames with DNS A records.", "HostnameType": "The type of hostname for EC2 instances. For IPv4 only subnets, an instance DNS name must be based on the instance IPv4 address. For IPv6 only subnets, an instance DNS name must be based on the instance ID. For dual-stack subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID." }, + "AWS::EC2::Subnet Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::SubnetCidrBlock": { "Ipv6CidrBlock": "The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix length.\n\nThis parameter is required for an IPv6 only subnet.", "SubnetId": "The ID of the subnet." @@ -9643,6 +10753,10 @@ "NetworkServices": "The network service traffic that is associated with the Traffic Mirror filter.\n\nValid values are `amazon-dns` .", "Tags": "The tags to assign to a Traffic Mirror filter." }, + "AWS::EC2::TrafficMirrorFilter Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TrafficMirrorFilterRule": { "Description": "The description of the Traffic Mirror rule.", "DestinationCidrBlock": "The destination CIDR block to assign to the Traffic Mirror rule.", @@ -9662,13 +10776,17 @@ "AWS::EC2::TrafficMirrorSession": { "Description": "The description of the Traffic Mirror session.", "NetworkInterfaceId": "The ID of the source network interface.", - "PacketLength": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.", + "PacketLength": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.\n\nFor sessions with Network Load Balancer (NLB) Traffic Mirror targets the default `PacketLength` will be set to 8500. Valid values are 1-8500. Setting a `PacketLength` greater than 8500 will result in an error response.", "SessionNumber": "The session number determines the order in which sessions are evaluated when an interface is used by multiple sessions. The first session with a matching filter is the one that mirrors the packets.\n\nValid values are 1-32766.", "Tags": "The tags to assign to a Traffic Mirror session.", "TrafficMirrorFilterId": "The ID of the Traffic Mirror filter.", "TrafficMirrorTargetId": "The ID of the Traffic Mirror target.", "VirtualNetworkId": "The VXLAN ID for the Traffic Mirror session. For more information about the VXLAN protocol, see [RFC 7348](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc7348) . If you do not specify a `VirtualNetworkId` , an account-wide unique id is chosen at random." }, + "AWS::EC2::TrafficMirrorSession Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TrafficMirrorTarget": { "Description": "The description of the Traffic Mirror target.", "GatewayLoadBalancerEndpointId": "The ID of the Gateway Load Balancer endpoint.", @@ -9676,6 +10794,10 @@ "NetworkLoadBalancerArn": "The Amazon Resource Name (ARN) of the Network Load Balancer that is associated with the target.", "Tags": "The tags to assign to the Traffic Mirror target." }, + "AWS::EC2::TrafficMirrorTarget Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGateway": { "AmazonSideAsn": "A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs. The default is 64512.", "AssociationDefaultRouteTableId": "The ID of the default association route table.", @@ -9690,6 +10812,10 @@ "TransitGatewayCidrBlocks": "The transit gateway CIDR blocks.", "VpnEcmpSupport": "Enable or disable Equal Cost Multipath Protocol support. Enabled by default." }, + "AWS::EC2::TransitGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayAttachment": { "Options": "The VPC attachment options.", "SubnetIds": "The IDs of one or more subnets. You can specify only one subnet per Availability Zone. You must specify at least one subnet, but we recommend that you specify two subnets for better availability. The transit gateway uses one IP address from each specified subnet.", @@ -9702,11 +10828,19 @@ "DnsSupport": "Enable or disable DNS support. The default is `disable` .", "Ipv6Support": "Enable or disable IPv6 support. The default is `disable` ." }, + "AWS::EC2::TransitGatewayAttachment Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayConnect": { "Options": "The Connect attachment options.\n\n- protocol (gre)", "Tags": "The tags for the attachment.", "TransportTransitGatewayAttachmentId": "The ID of the attachment from which the Connect attachment was created." }, + "AWS::EC2::TransitGatewayConnect Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayConnect TransitGatewayConnectOptions": { "Protocol": "The tunnel protocol." }, @@ -9720,6 +10854,10 @@ "Igmpv2Support": "Specify whether to enable Internet Group Management Protocol (IGMP) version 2 for the transit gateway multicast domain.", "StaticSourcesSupport": "Specify whether to enable support for statically configuring multicast group sources for a domain." }, + "AWS::EC2::TransitGatewayMulticastDomain Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayMulticastDomainAssociation": { "SubnetId": "The IDs of the subnets to associate with the transit gateway multicast domain.", "TransitGatewayAttachmentId": "The ID of the transit gateway attachment.", @@ -9746,6 +10884,10 @@ "Code": "The status code.", "Message": "The status message, if applicable." }, + "AWS::EC2::TransitGatewayPeeringAttachment Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayRoute": { "Blackhole": "Indicates whether to drop traffic that matches this route.", "DestinationCidrBlock": "The CIDR block used for destination matches.", @@ -9756,6 +10898,10 @@ "Tags": "Any tags assigned to the route table.", "TransitGatewayId": "The ID of the transit gateway." }, + "AWS::EC2::TransitGatewayRouteTable Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::TransitGatewayRouteTableAssociation": { "TransitGatewayAttachmentId": "The ID of the attachment.", "TransitGatewayRouteTableId": "The ID of the route table for the transit gateway." @@ -9778,6 +10924,10 @@ "DnsSupport": "Enable or disable DNS support. The default is `disable` .", "Ipv6Support": "Enable or disable IPv6 support. The default is `disable` ." }, + "AWS::EC2::TransitGatewayVpcAttachment Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPC": { "CidrBlock": "The IPv4 network range for the VPC, in CIDR notation. For example, `10.0.0.0/16` . We modify the specified CIDR block to its canonical form; for example, if you specify `100.68.0.18/18` , we modify it to `100.68.0.0/18` .\n\nYou must specify either `CidrBlock` or `Ipv4IpamPoolId` .", "EnableDnsHostnames": "Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. For more information, see [DNS attributes in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support) .\n\nYou can only enable DNS hostnames if you've enabled DNS support.", @@ -9787,6 +10937,10 @@ "Ipv4NetmaskLength": "The netmask length of the IPv4 CIDR you want to allocate to this VPC from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .", "Tags": "The tags for the VPC." }, + "AWS::EC2::VPC Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPCCidrBlock": { "AmazonProvidedIpv6CidrBlock": "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IPv6 addresses, or the size of the CIDR block.", "CidrBlock": "An IPv4 CIDR block to associate with the VPC.", @@ -9842,6 +10996,10 @@ "Tags": "Any tags assigned to the resource.", "VpcId": "The ID of the VPC." }, + "AWS::EC2::VPCPeeringConnection Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPNConnection": { "CustomerGatewayId": "The ID of the customer gateway at your end of the VPN connection.", "StaticRoutesOnly": "Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.\n\nIf you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify `true` .", @@ -9851,6 +11009,10 @@ "VpnGatewayId": "The ID of the virtual private gateway at the AWS side of the VPN connection.\n\nYou must specify either `TransitGatewayId` or `VpnGatewayId` , but not both.", "VpnTunnelOptionsSpecifications": "The tunnel options for the VPN connection." }, + "AWS::EC2::VPNConnection Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPNConnection VpnTunnelOptionsSpecification": { "PreSharedKey": "The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway.\n\nConstraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).", "TunnelInsideCidr": "The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.\n\nConstraints: A size /30 CIDR block from the `169.254.0.0/16` range. The following CIDR blocks are reserved and cannot be used:\n\n- `169.254.0.0/30`\n- `169.254.1.0/30`\n- `169.254.2.0/30`\n- `169.254.3.0/30`\n- `169.254.4.0/30`\n- `169.254.5.0/30`\n- `169.254.169.252/30`" @@ -9864,6 +11026,10 @@ "Tags": "Any tags assigned to the virtual private gateway.", "Type": "The type of VPN connection the virtual private gateway supports." }, + "AWS::EC2::VPNGateway Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VPNGatewayRoutePropagation": { "RouteTableIds": "The ID of the route table. The routing table must be associated with the same VPC that the virtual private gateway is attached to.", "VpnGatewayId": "The ID of the virtual private gateway that is attached to a VPC. The virtual private gateway must be attached to the same VPC that the routing tables are associated with." @@ -9880,6 +11046,7 @@ "PolicyDocument": "The Verified Access policy document.", "PolicyEnabled": "The status of the Verified Access policy.", "SecurityGroupIds": "The IDs of the security groups for the endpoint.", + "SseSpecification": "The options for additional server side encryption.", "Tags": "The tags.", "VerifiedAccessGroupId": "The ID of the AWS Verified Access group." }, @@ -9894,16 +11061,34 @@ "Port": "The IP port number.", "Protocol": "The IP protocol." }, + "AWS::EC2::VerifiedAccessEndpoint SseSpecification": { + "CustomerManagedKeyEnabled": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "KmsKeyArn": "The ARN of the KMS key." + }, + "AWS::EC2::VerifiedAccessEndpoint Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VerifiedAccessGroup": { "Description": "A description for the AWS Verified Access group.", "PolicyDocument": "The Verified Access policy document.", "PolicyEnabled": "The status of the Verified Access policy.", + "SseSpecification": "The options for additional server side encryption.", "Tags": "The tags.", "VerifiedAccessInstanceId": "The ID of the AWS Verified Access instance." }, + "AWS::EC2::VerifiedAccessGroup SseSpecification": { + "CustomerManagedKeyEnabled": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "KmsKeyArn": "The ARN of the KMS key." + }, + "AWS::EC2::VerifiedAccessGroup Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VerifiedAccessInstance": { "Description": "A description for the AWS Verified Access instance.", - "LoggingConfigurations": "The current logging configuration for the Verified Access instances.", + "FipsEnabled": "Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.", + "LoggingConfigurations": "The logging configuration for the Verified Access instances.", "Tags": "The tags.", "VerifiedAccessTrustProviderIds": "The IDs of the AWS Verified Access trust providers.", "VerifiedAccessTrustProviders": "The IDs of the AWS Verified Access trust providers." @@ -9922,11 +11107,15 @@ "Enabled": "Indicates whether logging is enabled.", "Prefix": "The bucket prefix." }, + "AWS::EC2::VerifiedAccessInstance Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VerifiedAccessInstance VerifiedAccessLogs": { "CloudWatchLogs": "CloudWatch Logs logging destination.", - "IncludeTrustContext": "Include trust data sent by trust providers into the logs.", + "IncludeTrustContext": "Indicates whether to include trust data sent by trust providers in the logs.", "KinesisDataFirehose": "Kinesis logging destination.", - "LogVersion": "The logging version to use.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", + "LogVersion": "The logging version.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", "S3": "Amazon S3 logging options." }, "AWS::EC2::VerifiedAccessInstance VerifiedAccessTrustProvider": { @@ -9942,6 +11131,7 @@ "DeviceTrustProviderType": "The type of device-based trust provider.", "OidcOptions": "The options for an OpenID Connect-compatible user-identity trust provider.", "PolicyReferenceName": "The identifier to be used when working with policy rules.", + "SseSpecification": "The options for additional server side encryption.", "Tags": "The tags.", "TrustProviderType": "The type of Verified Access trust provider.", "UserTrustProviderType": "The type of user-based trust provider." @@ -9958,6 +11148,14 @@ "TokenEndpoint": "The OIDC token endpoint.", "UserInfoEndpoint": "The OIDC user info endpoint." }, + "AWS::EC2::VerifiedAccessTrustProvider SseSpecification": { + "CustomerManagedKeyEnabled": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "KmsKeyArn": "The ARN of the KMS key." + }, + "AWS::EC2::VerifiedAccessTrustProvider Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::Volume": { "AutoEnableIO": "Indicates whether the volume is auto-enabled for I/O operations. By default, Amazon EBS disables I/O to the volume from attached EC2 instances when it determines that a volume's data is potentially inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be made available immediately if it's impaired, you can configure the volume to automatically enable I/O.", "AvailabilityZone": "The ID of the Availability Zone in which to create the volume. For example, `us-east-1a` .", @@ -9972,13 +11170,17 @@ "Throughput": "The throughput to provision for a volume, with a maximum of 1,000 MiB/s.\n\nThis parameter is valid only for `gp3` volumes. The default value is 125.\n\nValid Range: Minimum value of 125. Maximum value of 1000.", "VolumeType": "The volume type. This parameter can be one of the following values:\n\n- General Purpose SSD: `gp2` | `gp3`\n- Provisioned IOPS SSD: `io1` | `io2`\n- Throughput Optimized HDD: `st1`\n- Cold HDD: `sc1`\n- Magnetic: `standard`\n\nFor more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the *Amazon Elastic Compute Cloud User Guide* .\n\nDefault: `gp2`" }, + "AWS::EC2::Volume Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::EC2::VolumeAttachment": { "Device": "The device name (for example, `/dev/sdh` or `xvdh` ).", "InstanceId": "The ID of the instance to which the volume attaches. This value can be a reference to an [`AWS::EC2::Instance`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource, or it can be the physical ID of an existing EC2 instance.", "VolumeId": "The ID of the Amazon EBS volume. The volume and instance must be within the same Availability Zone. This value can be a reference to an [`AWS::EC2::Volume`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html) resource, or it can be the volume ID of an existing Amazon EBS volume." }, "AWS::ECR::PublicRepository": { - "RepositoryCatalogData": "", + "RepositoryCatalogData": "The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see [Amazon ECR Public repository catalog data](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-catalog-data.html) in the *Amazon ECR Public User Guide* .", "RepositoryName": "The name to use for the public repository. The repository name may be specified on its own (such as `nginx-web-app` ) or it can be prepended with a namespace to group the repository into a category (such as `project-a/nginx-web-app` ). If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the repository name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", "RepositoryPolicyText": "The JSON repository policy text to apply to the public repository. For more information, see [Amazon ECR Public repository policies](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html) in the *Amazon ECR Public User Guide* .", "Tags": "An array of key-value pairs to apply to this resource." @@ -9990,6 +11192,10 @@ "RepositoryDescription": "The short description of the repository.", "UsageText": "The longform usage details of the contents of the repository. The usage text provides context for users of the repository." }, + "AWS::ECR::PublicRepository Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "A `value` acts as a descriptor within a tag category (key)." + }, "AWS::ECR::PullThroughCacheRule": { "EcrRepositoryPrefix": "The Amazon ECR repository prefix associated with the pull through cache rule.", "UpstreamRegistryUrl": "The upstream registry URL associated with the pull through cache rule." @@ -10016,6 +11222,7 @@ "FilterType": "The repository filter type. The only supported value is `PREFIX_MATCH` , which is a repository name prefix specified with the `filter` parameter." }, "AWS::ECR::Repository": { + "EmptyOnDelete": "If true, deleting the repository force deletes the contents of the repository. If false, the repository must be empty before attempting to delete it.", "EncryptionConfiguration": "The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.", "ImageScanningConfiguration": "The image scanning configuration for the repository. This determines whether images are scanned for known vulnerabilities after being pushed to the repository.", "ImageTagMutability": "The tag mutability setting for the repository. If this parameter is omitted, the default setting of `MUTABLE` will be used which will allow image tags to be overwritten. If `IMMUTABLE` is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.", @@ -10035,23 +11242,31 @@ "LifecyclePolicyText": "The JSON repository policy text to apply to the repository.", "RegistryId": "The AWS account ID associated with the registry that contains the repository. If you do not specify a registry, the default registry is assumed." }, + "AWS::ECR::Repository Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "A `value` acts as a descriptor within a tag category (key)." + }, "AWS::ECS::CapacityProvider": { "AutoScalingGroupProvider": "The Auto Scaling group settings for the capacity provider.", "Name": "The name of the capacity provider. If a name is specified, it cannot start with `aws` , `ecs` , or `fargate` . If no name is specified, a default name in the `CFNStackName-CFNResourceName-RandomString` format is used.", "Tags": "The metadata that you apply to the capacity provider to help you categorize and organize it. Each tag consists of a key and an optional value. You define both.\n\nThe following basic restrictions apply to tags:\n\n- Maximum number of tags per resource - 50\n- For each resource, each tag key must be unique, and each tag key can have only one value.\n- Maximum key length - 128 Unicode characters in UTF-8\n- Maximum value length - 256 Unicode characters in UTF-8\n- If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.\n- Tag keys and values are case-sensitive.\n- Do not use `aws:` , `AWS:` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit." }, "AWS::ECS::CapacityProvider AutoScalingGroupProvider": { - "AutoScalingGroupArn": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group.", + "AutoScalingGroupArn": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group, or the Auto Scaling group name.", "ManagedScaling": "The managed scaling settings for the Auto Scaling group capacity provider.", "ManagedTerminationProtection": "The managed termination protection setting to use for the Auto Scaling group capacity provider. This determines whether the Auto Scaling group has managed termination protection. The default is off.\n\n> When using managed termination protection, managed scaling must also be used otherwise managed termination protection doesn't work. \n\nWhen managed termination protection is on, Amazon ECS prevents the Amazon EC2 instances in an Auto Scaling group that contain tasks from being terminated during a scale-in action. The Auto Scaling group and each instance in the Auto Scaling group must have instance protection from scale-in actions on as well. For more information, see [Instance Protection](https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#instance-protection) in the *AWS Auto Scaling User Guide* .\n\nWhen managed termination protection is off, your Amazon EC2 instances aren't protected from termination when the Auto Scaling group scales in." }, "AWS::ECS::CapacityProvider ManagedScaling": { "InstanceWarmupPeriod": "The period of time, in seconds, after a newly launched Amazon EC2 instance can contribute to CloudWatch metrics for Auto Scaling group. If this parameter is omitted, the default value of `300` seconds is used.", - "MaximumScalingStepSize": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `1` is used.", + "MaximumScalingStepSize": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `10000` is used.", "MinimumScalingStepSize": "The minimum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter If this parameter is omitted, the default value of `1` is used.\n\nWhen additional capacity is required, Amazon ECS will scale up the minimum scaling step size even if the actual demand is less than the minimum scaling step size.\n\nIf you use a capacity provider with an Auto Scaling group configured with more than one Amazon EC2 instance type or Availability Zone, Amazon ECS will scale up by the exact minimum scaling step size value and will ignore both the maximum scaling step size as well as the capacity demand.", "Status": "Determines whether to use managed scaling for the capacity provider.", "TargetCapacity": "The target capacity utilization as a percentage for the capacity provider. The specified value must be greater than `0` and less than or equal to `100` . For example, if you want the capacity provider to maintain 10% spare capacity, then that means the utilization is 90%, so use a `targetCapacity` of `90` . The default value of `100` percent results in the Amazon EC2 instances in your Auto Scaling group being completely used." }, + "AWS::ECS::CapacityProvider Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::ECS::Cluster": { "CapacityProviders": "The short name of one or more capacity providers to associate with the cluster. A capacity provider must be associated with a cluster before it can be included as part of the default capacity provider strategy of the cluster or used in a capacity provider strategy when calling the [CreateService](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateService.html) or [RunTask](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RunTask.html) actions.\n\nIf specifying a capacity provider that uses an Auto Scaling group, the capacity provider must be created but not associated with another cluster. New Auto Scaling group capacity providers can be created with the [CreateCapacityProvider](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateCapacityProvider.html) API operation.\n\nTo use a AWS Fargate capacity provider, specify either the `FARGATE` or `FARGATE_SPOT` capacity providers. The AWS Fargate capacity providers are available to all accounts and only need to be associated with a cluster to be used.\n\nThe [PutCapacityProvider](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutCapacityProvider.html) API operation is used to update the list of available capacity providers for a cluster after the cluster is created.", "ClusterName": "A user-generated string that you use to identify your cluster. If you don't specify a name, AWS CloudFormation generates a unique physical ID for the name.", @@ -10086,7 +11301,11 @@ "S3KeyPrefix": "An optional folder in the S3 bucket to place logs in." }, "AWS::ECS::Cluster ServiceConnectDefaults": { - "Namespace": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the service with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* ." + "Namespace": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the cluster with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* ." + }, + "AWS::ECS::Cluster Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::ECS::ClusterCapacityProviderAssociations": { "CapacityProviders": "The capacity providers to associate with the cluster.", @@ -10158,8 +11377,8 @@ "AWS::ECS::Service LoadBalancer": { "ContainerName": "The name of the container (as it appears in a container definition) to associate with the load balancer.", "ContainerPort": "The port on the container to associate with the load balancer. This port must correspond to a `containerPort` in the task definition the tasks in the service are using. For tasks that use the EC2 launch type, the container instance they're launched on must allow ingress traffic on the `hostPort` of the port mapping.", - "LoadBalancerName": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", - "TargetGroupArn": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type." + "LoadBalancerName": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nIf you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", + "TargetGroupArn": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type." }, "AWS::ECS::Service LogConfiguration": { "LogDriver": "The log driver to use for the container.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .\n\nFor more information about using the `awslogs` log driver, see [Using the awslogs log driver](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor more information about using the `awsfirelens` log driver, see [Custom log routing](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If you have a custom driver that isn't listed, you can fork the Amazon ECS container agent project that's [available on GitHub](https://docs.aws.amazon.com/https://github.com/aws/amazon-ecs-agent) and customize it to work with that driver. We encourage you to submit pull requests for changes that you would like to have included. However, we don't currently provide support for running modified copies of this software.", @@ -10187,7 +11406,7 @@ }, "AWS::ECS::Service ServiceConnectConfiguration": { "Enabled": "Specifies whether to use Service Connect with this service.", - "LogConfiguration": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the valid values below). Additional log drivers may be available in future releases of the Amazon ECS container agent.\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", + "LogConfiguration": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", "Namespace": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace for use with Service Connect. The namespace must be in the same AWS Region as the Amazon ECS service and cluster. The type of namespace doesn't affect Service Connect. For more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", "Services": "The list of Service Connect service objects. These are names and aliases (also known as endpoints) that are used by other Amazon ECS services to connect to this service.\n\nThis field is not required for a \"client\" Amazon ECS service that's a member of a namespace only to connect to other services within the namespace. An example of this would be a frontend application that accepts incoming requests from either a load balancer that's attached to the service or by other means.\n\nAn object selects a port from the task definition, assigns a name for the AWS Cloud Map service, and a list of aliases (endpoints) and ports for client applications to refer to this service." }, @@ -10203,6 +11422,10 @@ "Port": "The port value used if your service discovery service specified an SRV record. This field might be used if both the `awsvpc` network mode and SRV records are used.", "RegistryArn": "The Amazon Resource Name (ARN) of the service registry. The currently supported service registry is AWS Cloud Map . For more information, see [CreateService](https://docs.aws.amazon.com/cloud-map/latest/api/API_CreateService.html) ." }, + "AWS::ECS::Service Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::ECS::TaskDefinition": { "ContainerDefinitions": "A list of container definitions in JSON format that describe the different containers that make up your task. For more information about container definition parameters and defaults, see [Amazon ECS Task Definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_defintions.html) in the *Amazon Elastic Container Service Developer Guide* .", "Cpu": "The number of `cpu` units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the `memory` parameter.\n\nThe CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.\n\n- 256 (.25 vCPU) - Available `memory` values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)\n- 512 (.5 vCPU) - Available `memory` values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)\n- 1024 (1 vCPU) - Available `memory` values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB)\n- 2048 (2 vCPU) - Available `memory` values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB)\n- 4096 (4 vCPU) - Available `memory` values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB)\n- 8192 (8 vCPU) - Available `memory` values: 16 GB and 60 GB in 4 GB increments\n\nThis option requires Linux platform `1.4.0` or later.\n- 16384 (16vCPU) - Available `memory` values: 32GB and 120 GB in 8 GB increments\n\nThis option requires Linux platform `1.4.0` or later.", @@ -10213,7 +11436,7 @@ "IpcMode": "The IPC resource namespace to use for the containers in the task. The valid values are `host` , `task` , or `none` . If `host` is specified, then all containers within the tasks that specified the `host` IPC mode on the same container instance share the same IPC resources with the host Amazon EC2 instance. If `task` is specified, all containers within the specified task share the same IPC resources. If `none` is specified, then IPC resources within the containers of a task are private and not shared with other containers in a task or on the container instance. If no value is specified, then the IPC resource namespace sharing depends on the Docker daemon setting on the container instance. For more information, see [IPC settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#ipc-settings---ipc) in the *Docker run reference* .\n\nIf the `host` IPC mode is used, be aware that there is a heightened risk of undesired IPC namespace expose. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\nIf you are setting namespaced kernel parameters using `systemControls` for the containers in the task, the following will apply to your IPC resource namespace. For more information, see [System Controls](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n- For tasks that use the `host` IPC mode, IPC namespace related `systemControls` are not supported.\n- For tasks that use the `task` IPC mode, IPC namespace related `systemControls` will apply to all containers within a task.\n\n> This parameter is not supported for Windows containers or tasks run on AWS Fargate .", "Memory": "The amount (in MiB) of memory used by the task.\n\nIf your tasks runs on Amazon EC2 instances, you must specify either a task-level memory value or a container-level memory value. This field is optional and any value can be used. If a task-level memory value is specified, the container-level memory value is optional. For more information regarding container-level memory and memory reservation, see [ContainerDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html) .\n\nIf your tasks runs on AWS Fargate , this field is required. You must use one of the following values. The value you choose determines your range of valid values for the `cpu` parameter.\n\n- 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - Available `cpu` values: 256 (.25 vCPU)\n- 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - Available `cpu` values: 512 (.5 vCPU)\n- 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) - Available `cpu` values: 1024 (1 vCPU)\n- Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - Available `cpu` values: 2048 (2 vCPU)\n- Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - Available `cpu` values: 4096 (4 vCPU)\n- Between 16 GB and 60 GB in 4 GB increments - Available `cpu` values: 8192 (8 vCPU)\n\nThis option requires Linux platform `1.4.0` or later.\n- Between 32GB and 120 GB in 8 GB increments - Available `cpu` values: 16384 (16 vCPU)\n\nThis option requires Linux platform `1.4.0` or later.", "NetworkMode": "The Docker networking mode to use for the containers in the task. The valid values are `none` , `bridge` , `awsvpc` , and `host` . If no network mode is specified, the default is `bridge` .\n\nFor Amazon ECS tasks on Fargate, the `awsvpc` network mode is required. For Amazon ECS tasks on Amazon EC2 Linux instances, any network mode can be used. For Amazon ECS tasks on Amazon EC2 Windows instances, `` or `awsvpc` can be used. If the network mode is set to `none` , you cannot specify port mappings in your container definitions, and the tasks containers do not have external connectivity. The `host` and `awsvpc` network modes offer the highest networking performance for containers because they use the EC2 network stack instead of the virtualized network stack provided by the `bridge` mode.\n\nWith the `host` and `awsvpc` network modes, exposed container ports are mapped directly to the corresponding host port (for the `host` network mode) or the attached elastic network interface port (for the `awsvpc` network mode), so you cannot take advantage of dynamic host port mappings.\n\n> When using the `host` network mode, you should not run containers using the root user (UID 0). It is considered best practice to use a non-root user. \n\nIf the network mode is `awsvpc` , the task is allocated an elastic network interface, and you must specify a `NetworkConfiguration` value when you create a service or run a task with the task definition. For more information, see [Task Networking](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nIf the network mode is `host` , you cannot run multiple instantiations of the same task on a single container instance when port mappings are used.\n\nFor more information, see [Network settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#network-settings) in the *Docker run reference* .", - "PidMode": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . If `host` is specified, then all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance. If `task` is specified, all containers within the specified task share the same process namespace. If no value is specified, the default is a private namespace. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, be aware that there is a heightened risk of undesired process namespace expose. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers or tasks run on AWS Fargate .", + "PidMode": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . On Fargate for Linux containers, the only valid value is `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, there's a heightened risk of undesired process namespace exposure. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "PlacementConstraints": "An array of placement constraint objects to use for tasks.\n\n> This parameter isn't supported for tasks run on AWS Fargate .", "ProxyConfiguration": "The configuration details for the App Mesh proxy.\n\nYour Amazon ECS container instances require at least version 1.26.0 of the container agent and at least version 1.26.0-1 of the `ecs-init` package to use a proxy configuration. If your container instances are launched from the Amazon ECS optimized AMI version `20190301` or later, they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .", "RequiresCompatibilities": "The task launch types the task definition was validated against. The valid values are `EC2` , `FARGATE` , and `EXTERNAL` . For more information, see [Amazon ECS launch types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html) in the *Amazon Elastic Container Service Developer Guide* .", @@ -10261,7 +11484,7 @@ "Secrets": "The secrets to pass to the container. For more information, see [Specifying Sensitive Data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the *Amazon Elastic Container Service Developer Guide* .", "StartTimeout": "Time duration (in seconds) to wait before giving up on resolving dependencies for a container. For example, you specify two containers in a task definition with containerA having a dependency on containerB reaching a `COMPLETE` , `SUCCESS` , or `HEALTHY` status. If a `startTimeout` value is specified for containerB and it doesn't reach the desired status within that time then containerA gives up and not start. This results in the task transitioning to a `STOPPED` state.\n\n> When the `ECS_CONTAINER_START_TIMEOUT` container agent configuration variable is used, it's enforced independently from this start timeout value. \n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nFor tasks using the EC2 launch type, your container instances require at least version `1.26.0` of the container agent to use a container start timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version `1.26.0-1` of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nThe valid values are 2-120 seconds.", "StopTimeout": "Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own.\n\nFor tasks using the Fargate launch type, the task or service requires the following platforms:\n\n- Linux platform version `1.3.0` or later.\n- Windows platform version `1.0.0` or later.\n\nThe max stop timeout value is 120 seconds and if the parameter is not specified, the default value of 30 seconds is used.\n\nFor tasks that use the EC2 launch type, if the `stopTimeout` parameter isn't specified, the value set for the Amazon ECS container agent configuration variable `ECS_CONTAINER_STOP_TIMEOUT` is used. If neither the `stopTimeout` parameter or the `ECS_CONTAINER_STOP_TIMEOUT` agent configuration variable are set, then the default values of 30 seconds for Linux containers and 30 seconds on Windows containers are used. Your container instances require at least version 1.26.0 of the container agent to use a container stop timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see [Updating the Amazon ECS Container Agent](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html) in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the `ecs-init` package. If your container instances are launched from version `20190301` or later, then they contain the required versions of the container agent and `ecs-init` . For more information, see [Amazon ECS-optimized Linux AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nThe valid values are 2-120 seconds.", - "SystemControls": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers.", + "SystemControls": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) . For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers. > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "Ulimits": "A list of `ulimits` to set in the container. This parameter maps to `Ulimits` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--ulimit` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) . Valid naming values are displayed in the [Ulimit](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_Ulimit.html) data type. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: `sudo docker version --format '{{.Server.APIVersion}}'`\n\n> This parameter is not supported for Windows containers.", "User": "The user to use inside the container. This parameter maps to `User` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--user` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\n> When running tasks using the `host` network mode, don't run containers using the root user (UID 0). We recommend using a non-root user for better security. \n\nYou can specify the `user` using the following formats. If specifying a UID or GID, you must specify it as a positive integer.\n\n- `user`\n- `user:group`\n- `uid`\n- `uid:gid`\n- `user:gid`\n- `uid:group`\n\n> This parameter is not supported for Windows containers.", "VolumesFrom": "Data volumes to mount from another container. This parameter maps to `VolumesFrom` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--volumes-from` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .", @@ -10347,12 +11570,12 @@ "SourceVolume": "The name of the volume to mount. Must be a volume name referenced in the `name` parameter of task definition `volume` ." }, "AWS::ECS::TaskDefinition PortMapping": { - "AppProtocol": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", + "AppProtocol": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\n`appProtocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", "ContainerPort": "The port number on the container that's bound to the user-specified or automatically assigned host port.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, specify the exposed ports using `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode and you specify a container port and not a host port, your container automatically receives a host port in the ephemeral port range. For more information, see `hostPort` . Port mappings that are automatically assigned in this way do not count toward the 100 reserved ports limit of a container instance.", - "ContainerPortRange": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", - "HostPort": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", + "ContainerPortRange": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPortRange` is set to the same value as the `containerPortRange` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", + "HostPort": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 (Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", "Name": "The name that's used for the port mapping. This parameter only applies to Service Connect. This parameter is the name that you use in the `serviceConnectConfiguration` of a service. The name can include up to 64 characters. The characters can include lowercase letters, numbers, underscores (_), and hyphens (-). The name can't start with a hyphen.\n\nFor more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", - "Protocol": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` ." + "Protocol": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` . `protocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment." }, "AWS::ECS::TaskDefinition ProxyConfiguration": { "ContainerName": "The name of the container that will serve as the App Mesh proxy.", @@ -10376,7 +11599,11 @@ }, "AWS::ECS::TaskDefinition SystemControl": { "Namespace": "The namespaced kernel parameter to set a `value` for.", - "Value": "The value for the namespaced kernel parameter that's specified in `namespace` ." + "Value": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate." + }, + "AWS::ECS::TaskDefinition Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::ECS::TaskDefinition TaskDefinitionPlacementConstraint": { "Expression": "A cluster query language expression to apply to the constraint. For more information, see [Cluster query language](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cluster-query-language.html) in the *Amazon Elastic Container Service Developer Guide* .", @@ -10396,7 +11623,7 @@ "DockerVolumeConfiguration": "This parameter is specified when you use Docker volumes.\n\nWindows containers only support the use of the `local` driver. To use bind mounts, specify the `host` parameter instead.\n\n> Docker volumes aren't supported by tasks run on AWS Fargate .", "EFSVolumeConfiguration": "This parameter is specified when you use an Amazon Elastic File System file system for task storage.", "Host": "This parameter is specified when you use bind mount host volumes. The contents of the `host` parameter determine whether your bind mount host volume persists on the host container instance and where it's stored. If the `host` parameter is empty, then the Docker daemon assigns a host path for your data volume. However, the data isn't guaranteed to persist after the containers that are associated with it stop running.\n\nWindows containers can mount whole directories on the same drive as `$env:ProgramData` . Windows containers can't mount directories on a different drive, and mount point can't be across drives. For example, you can mount `C:\\my\\path:C:\\my\\path` and `D:\\:D:\\` , but not `D:\\my\\path:C:\\my\\path` or `D:\\:C:\\my\\path` .", - "Name": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` ." + "Name": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .\n\nThis is required wwhen you use an Amazon EFS volume." }, "AWS::ECS::TaskDefinition VolumeFrom": { "ReadOnly": "If this value is `true` , the container has read-only access to the volume. If this value is `false` , then the container can write to the volume. The default value is `false` .", @@ -10422,8 +11649,7 @@ "AWS::ECS::TaskSet LoadBalancer": { "ContainerName": "The name of the container (as it appears in a container definition) to associate with the load balancer.", "ContainerPort": "The port on the container to associate with the load balancer. This port must correspond to a `containerPort` in the task definition the tasks in the service are using. For tasks that use the EC2 launch type, the container instance they're launched on must allow ingress traffic on the `hostPort` of the port mapping.", - "LoadBalancerName": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", - "TargetGroupArn": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type." + "TargetGroupArn": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type." }, "AWS::ECS::TaskSet NetworkConfiguration": { "AwsVpcConfiguration": "The VPC subnets and security groups that are associated with a task.\n\n> All specified subnets and security groups must be from the same VPC." @@ -10472,9 +11698,10 @@ "FileSystemTags": "Use to create one or more tags associated with the file system. Each tag is a user-defined key-value pair. Name your file system on creation by including a `\"Key\":\"Name\",\"Value\":\"{value}\"` key-value pair. Each key must be unique. For more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference Guide* .", "KmsKeyId": "The ID of the AWS KMS key to be used to protect the encrypted file system. This parameter is only required if you want to use a nondefault KMS key . If this parameter is not specified, the default KMS key for Amazon EFS is used. This ID can be in one of the following formats:\n\n- Key ID - A unique identifier of the key, for example `1234abcd-12ab-34cd-56ef-1234567890ab` .\n- ARN - An Amazon Resource Name (ARN) for the key, for example `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` .\n- Key alias - A previously created display name for a key, for example `alias/projectKey1` .\n- Key alias ARN - An ARN for a key alias, for example `arn:aws:kms:us-west-2:444455556666:alias/projectKey1` .\n\nIf `KmsKeyId` is specified, the `Encrypted` parameter must be set to true.", "LifecyclePolicies": "An array of `LifecyclePolicy` objects that define the file system's `LifecycleConfiguration` object. A `LifecycleConfiguration` object informs EFS lifecycle management and intelligent tiering of the following:\n\n- When to move files in the file system from primary storage to the IA storage class.\n- When to move files that are in IA storage to primary storage.\n\n> Amazon EFS requires that each `LifecyclePolicy` object have only a single transition. This means that in a request body, `LifecyclePolicies` needs to be structured as an array of `LifecyclePolicy` objects, one object for each transition, `TransitionToIA` , `TransitionToPrimaryStorageClass` . See the example requests in the following section for more information.", - "PerformanceMode": "The performance mode of the file system. We recommend `generalPurpose` performance mode for most file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created.\n\n> The `maxIO` mode is not supported on file systems using One Zone storage classes. \n\nDefault is `generalPurpose` .", + "PerformanceMode": "The performance mode of the file system. We recommend `generalPurpose` performance mode for all file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The `maxIO` mode is not supported on file systems using One Zone storage classes.\n\n> Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. \n\nDefault is `generalPurpose` .", "ProvisionedThroughputInMibps": "The throughput, measured in mebibytes per second (MiBps), that you want to provision for a file system that you're creating. Required if `ThroughputMode` is set to `provisioned` . Valid values are 1-3414 MiBps, with the upper limit depending on Region. To increase this limit, contact AWS Support . For more information, see [Amazon EFS quotas that you can increase](https://docs.aws.amazon.com/efs/latest/ug/limits.html#soft-limits) in the *Amazon EFS User Guide* .", - "ThroughputMode": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `elastic` ." + "ReplicationConfiguration": "Describes the replication configuration for a specific file system.", + "ThroughputMode": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `bursting` ." }, "AWS::EFS::FileSystem BackupPolicy": { "Status": "Set the backup policy status for the file system.\n\n- *`ENABLED`* - Turns automatic backups on for the file system.\n- *`DISABLED`* - Turns automatic backups off for the file system." @@ -10487,6 +11714,15 @@ "TransitionToIA": "Describes the period of time that a file is not accessed, after which it transitions to IA storage. Metadata operations such as listing the contents of a directory don't count as file access events.", "TransitionToPrimaryStorageClass": "Describes when to transition a file from IA storage to primary storage. Metadata operations such as listing the contents of a directory don't count as file access events." }, + "AWS::EFS::FileSystem ReplicationConfiguration": { + "Destinations": "An array of destination objects. Only one destination object is supported." + }, + "AWS::EFS::FileSystem ReplicationDestination": { + "AvailabilityZoneName": "The AWS Availability Zone in which to create the file system.\n\n> For file systems using One Zone storage classes, the replication configuration must specify the Availability Zone in which the destination file system is located. \n\nUse the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "FileSystemId": "The ID of the destination Amazon EFS file system.", + "KmsKeyId": "The ID of an AWS KMS key used to protect the encrypted file system.", + "Region": "The AWS Region in which the destination file system is located.\n\n> For file systems using Standard storage classes, the replication configuration must specify the AWS Region in which the destination file system is located." + }, "AWS::EFS::MountTarget": { "FileSystemId": "The ID of the file system for which to create the mount target.", "IpAddress": "Valid IPv4 address within the address range of the specified subnet.", @@ -10503,13 +11739,17 @@ "ServiceAccountRoleArn": "The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's service account. The role must be assigned the IAM permissions required by the add-on. If you don't specify an existing IAM role, then the add-on uses the permissions assigned to the node IAM role. For more information, see [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) in the *Amazon EKS User Guide* .\n\n> To specify an existing IAM role, you must have an IAM OpenID Connect (OIDC) provider created for your cluster. For more information, see [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) in the *Amazon EKS User Guide* .", "Tags": "The metadata that you apply to the add-on to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Add-on tags do not propagate to any other resources associated with the cluster." }, + "AWS::EKS::Addon Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::EKS::Cluster": { "EncryptionConfig": "The encryption configuration for the cluster.", "KubernetesNetworkConfig": "The Kubernetes network configuration for the cluster.", "Logging": "The logging configuration for your cluster.", "Name": "The unique name to give to your cluster.", "OutpostConfig": "An object representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This object isn't available for clusters on the AWS cloud.", - "ResourcesVpcConfig": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.\n\n> Updates require replacement of the `SecurityGroupIds` and `SubnetIds` sub-properties.", + "ResourcesVpcConfig": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups. However, we recommend that you use a dedicated security group for your cluster control plane.\n\n> All subnets that you add must be in the same set of AZs as originally provided when you created the cluster. New subnets must satisfy all of the other requirements, for example they must have sufficient IP addresses.\n> \n> For example, assume that you made a cluster and specified four subnets. In the order that you specified them, the first subnet is in the `us-west-2a` Availability Zone, the second and third subnets are in `us-west-2b` Availability Zone, and the fourth subnet is in `us-west-2c` Availability Zone. If you want to change the subnets, you must provide at least one subnet in each of the three Availability Zones, and the subnets must be in the same VPC as the original subnets.", "RoleArn": "The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. For more information, see [Amazon EKS Service IAM Role](https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html) in the **Amazon EKS User Guide** .", "Tags": "The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags don't propagate to any other resources associated with the cluster.\n\n> You must have the `eks:TagResource` and `eks:UntagResource` permissions for your [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) to manage the AWS CloudFormation stack. If you don't have these permissions, there might be unexpected behavior with stack-level tags propagating to the resource during resource creation and update.", "Version": "The desired Kubernetes version for your cluster. If you don't specify a value here, the default version available in Amazon EKS is used.\n\n> The default version might not be the latest version available." @@ -10548,7 +11788,11 @@ "EndpointPublicAccess": "Set this value to `false` to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is `true` , which enables public access for your Kubernetes API server. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", "PublicAccessCidrs": "The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is `0.0.0.0/0` . If you've disabled private endpoint access and you have nodes or AWS Fargate pods in the cluster, then ensure that you specify the necessary CIDR blocks. For more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) in the **Amazon EKS User Guide** .", "SecurityGroupIds": "Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don't specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes. For more information, see [Amazon EKS security group considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the **Amazon EKS User Guide** .", - "SubnetIds": "Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane." + "SubnetIds": "Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.\n\n> All subnets that you add must be in the same set of AZs as originally provided when you created the cluster. New subnets must satisfy all of the other requirements, for example they must have sufficient IP addresses.\n> \n> For example, assume that you made a cluster and specified four subnets. In the order that you specified them, the first subnet is in the `us-west-2a` Availability Zone, the second and third subnets are in `us-west-2b` Availability Zone, and the fourth subnet is in `us-west-2c` Availability Zone. If you want to change the subnets, you must provide at least one subnet in each of the three Availability Zones, and the subnets must be in the same VPC as the original subnets." + }, + "AWS::EKS::Cluster Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::EKS::FargateProfile": { "ClusterName": "The name of the Amazon EKS cluster to apply the Fargate profile to.", @@ -10566,6 +11810,10 @@ "Labels": "The Kubernetes labels that the selector should match. A pod must contain all of the labels that are specified in the selector for it to be considered a match.", "Namespace": "The Kubernetes namespace that the selector should match." }, + "AWS::EKS::FargateProfile Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::EKS::IdentityProviderConfig": { "ClusterName": "The cluster that the configuration is associated to.", "IdentityProviderConfigName": "The name of the configuration.", @@ -10586,6 +11834,10 @@ "Key": "The key to match from the token.", "Value": "The value for the key from the token." }, + "AWS::EKS::IdentityProviderConfig Tag": { + "Key": "One part of a key-value pair that make up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that make up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::EKS::Nodegroup": { "AmiType": "The AMI type for your node group. If you specify `launchTemplate` , and your launch template uses a custom AMI, then don't specify `amiType` , or the node group deployment will fail. If your launch template uses a Windows custom AMI, then add `eks:kube-proxy-windows` to your Windows nodes `rolearn` in the `aws-auth` `ConfigMap` . For more information about using launch templates with Amazon EKS, see [Launch template support](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) in the *Amazon EKS User Guide* .", "CapacityType": "The capacity type of your managed node group.", @@ -10633,7 +11885,7 @@ "AdditionalInfo": "A JSON string for selecting additional features.", "Applications": "The applications to install on this cluster, for example, Spark, Flink, Oozie, Zeppelin, and so on.", "AutoScalingRole": "An IAM role for automatic scaling policies. The default role is `EMR_AutoScaling_DefaultRole` . The IAM role provides permissions that the automatic scaling feature requires to launch and terminate Amazon EC2 instances in an instance group.", - "AutoTerminationPolicy": "", + "AutoTerminationPolicy": "An auto-termination policy defines the amount of idle time in seconds after which a cluster automatically terminates. For alternative cluster termination options, see [Control cluster termination](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-termination.html)", "BootstrapActions": "A list of bootstrap actions to run before Hadoop starts on the cluster nodes.", "Configurations": "Applies only to Amazon EMR releases 4.x and later. The list of configurations that are supplied to the Amazon EMR cluster.", "CustomAmiId": "Available only in Amazon EMR releases 5.7.0 and later. The ID of a custom Amazon EBS-backed Linux AMI if the cluster uses a custom AMI.", @@ -10645,7 +11897,7 @@ "LogUri": "The path to the Amazon S3 location where logs for this cluster are stored.", "ManagedScalingPolicy": "Creates or updates a managed scaling policy for an Amazon EMR cluster. The managed scaling policy defines the limits for resources, such as Amazon EC2 instances that can be added or terminated from a cluster. The policy only applies to the core and task nodes. The master node cannot be scaled after initial configuration.", "Name": "The name of the cluster.", - "OSReleaseLabel": "", + "OSReleaseLabel": "The Amazon Linux release specified in a cluster launch RunJobFlow request. If no Amazon Linux release was specified, the default Amazon Linux release is shown in the response.", "ReleaseLabel": "The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster. Release labels are in the form `emr-x.x.x` , where x.x.x is an Amazon EMR release version such as `emr-5.14.0` . For more information about Amazon EMR release versions and included application versions and features, see [](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/) . The release label applies only to Amazon EMR releases version 4.0 and later. Earlier versions use `AmiVersion` .", "ScaleDownBehavior": "The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized. `TERMINATE_AT_INSTANCE_HOUR` indicates that Amazon EMR terminates nodes at the instance-hour boundary, regardless of when the request to terminate the instance was submitted. This option is only available with Amazon EMR 5.1.0 and later and is the default for clusters created using that version. `TERMINATE_AT_TASK_COMPLETION` indicates that Amazon EMR adds nodes to a deny list and drains tasks from nodes before terminating the Amazon EC2 instances, regardless of the instance-hour boundary. With either behavior, Amazon EMR removes the least active nodes first and blocks instance termination if it could lead to HDFS corruption. `TERMINATE_AT_TASK_COMPLETION` is available only in Amazon EMR releases 4.1.0 and later, and is the default for versions of Amazon EMR earlier than 5.1.0.", "SecurityConfiguration": "The name of the security configuration applied to the cluster.", @@ -10666,7 +11918,7 @@ "Rules": "The scale-in and scale-out rules that comprise the automatic scaling policy." }, "AWS::EMR::Cluster AutoTerminationPolicy": { - "IdleTimeout": "" + "IdleTimeout": "Specifies the amount of idle time in seconds after which the cluster automatically terminates. You can specify a minimum of 60 seconds and a maximum of 604800 seconds (seven days)." }, "AWS::EMR::Cluster BootstrapActionConfig": { "Name": "The name of the bootstrap action.", @@ -10821,9 +12073,14 @@ "HadoopJarStep": "The JAR file used for the step.", "Name": "The name of the step." }, + "AWS::EMR::Cluster Tag": { + "Key": "A user-defined key, which is the minimum required information for a valid tag. For more information, see [Tag](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) .", + "Value": "A user-defined value, which is optional in a tag. For more information, see [Tag Clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) ." + }, "AWS::EMR::Cluster VolumeSpecification": { "Iops": "The number of I/O operations per second (IOPS) that the volume supports.", "SizeInGB": "The volume size, in gibibytes (GiB). This can be a number from 1 - 1024. If the volume type is EBS-optimized, the minimum value is 10.", + "Throughput": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", "VolumeType": "The volume type. Volume types supported are gp3, gp2, io1, st1, sc1, and standard." }, "AWS::EMR::InstanceFleetConfig": { @@ -10873,6 +12130,7 @@ "AWS::EMR::InstanceFleetConfig VolumeSpecification": { "Iops": "The number of I/O operations per second (IOPS) that the volume supports.", "SizeInGB": "The volume size, in gibibytes (GiB). This can be a number from 1 - 1024. If the volume type is EBS-optimized, the minimum value is 10.", + "Throughput": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", "VolumeType": "The volume type. Volume types supported are gp3, gp2, io1, st1, sc1, and standard." }, "AWS::EMR::InstanceGroupConfig": { @@ -10945,6 +12203,7 @@ "AWS::EMR::InstanceGroupConfig VolumeSpecification": { "Iops": "The number of I/O operations per second (IOPS) that the volume supports.", "SizeInGB": "The volume size, in gibibytes (GiB). This can be a number from 1 - 1024. If the volume type is EBS-optimized, the minimum value is 10.", + "Throughput": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", "VolumeType": "The volume type. Volume types supported are gp3, gp2, io1, st1, sc1, and standard." }, "AWS::EMR::SecurityConfiguration": { @@ -10982,12 +12241,24 @@ "VpcId": "The ID of the Amazon Virtual Private Cloud (Amazon VPC) to associate with the Studio.", "WorkspaceSecurityGroupId": "The ID of the Workspace security group associated with the Amazon EMR Studio. The Workspace security group allows outbound network traffic to resources in the Engine security group and to the internet." }, + "AWS::EMR::Studio Tag": { + "Key": "A user-defined key, which is the minimum required information for a valid tag. For more information, see [Tag](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) .", + "Value": "A user-defined value, which is optional in a tag. For more information, see [Tag Clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) ." + }, "AWS::EMR::StudioSessionMapping": { "IdentityName": "The name of the user or group. For more information, see [UserName](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html#singlesignon-Type-User-UserName) and [DisplayName](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Group.html#singlesignon-Type-Group-DisplayName) in the *IAM Identity Center Identity Store API Reference* .", "IdentityType": "Specifies whether the identity to map to the Amazon EMR Studio is a user or a group.", "SessionPolicyArn": "The Amazon Resource Name (ARN) for the session policy that will be applied to the user or group. Session policies refine Studio user permissions without the need to use multiple IAM user roles. For more information, see [Create an EMR Studio user role with session policies](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-studio-user-role.html) in the *Amazon EMR Management Guide* .", "StudioId": "The ID of the Amazon EMR Studio to which the user or group will be mapped." }, + "AWS::EMR::WALWorkspace": { + "Tags": "You can add tags when you create a new workspace. You can add, remove, or list tags from an active workspace, but you can't update tags. Instead, remove the tag and add a new one. For more information, see see [Tag your Amazon EMR WAL workspaces](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hbase-wal.html#emr-hbase-wal-tagging) .", + "WALWorkspaceName": "The name of the WAL workspace." + }, + "AWS::EMR::WALWorkspace Tag": { + "Key": "A user-defined key, which is the minimum required information for a valid tag. For more information, see [Tag](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) .", + "Value": "A user-defined value, which is optional in a tag. For more information, see [Tag Clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags.html) ." + }, "AWS::EMRContainers::VirtualCluster": { "ContainerProvider": "The container provider of the virtual cluster.", "Name": "The name of the virtual cluster.", @@ -11004,54 +12275,62 @@ "AWS::EMRContainers::VirtualCluster EksInfo": { "Namespace": "The namespaces of the EKS cluster.\n\n*Minimum* : 1\n\n*Maximum* : 63\n\n*Pattern* : `[a-z0-9]([-a-z0-9]*[a-z0-9])?`" }, + "AWS::EMRContainers::VirtualCluster Tag": { + "Key": "", + "Value": "" + }, "AWS::EMRServerless::Application": { - "Architecture": "The CPU architecture type of the application. Allowed values: `X86_64` or `ARM64`", + "Architecture": "The CPU architecture of an application.", "AutoStartConfiguration": "The configuration for an application to automatically start on job submission.", "AutoStopConfiguration": "The configuration for an application to automatically stop after a certain amount of time being idle.", - "ImageConfiguration": "", + "ImageConfiguration": "The image configuration applied to all worker types.", "InitialCapacity": "The initial capacity of the application.", "MaximumCapacity": "The maximum capacity of the application. This is cumulative across all workers at any given point in time during the lifespan of the application is created. No new resources will be created once any one of the defined limits is hit.", - "Name": "The name of the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._\\\\/#-]+$`", + "Name": "The name of the application.", "NetworkConfiguration": "The network configuration for customer VPC connectivity for the application.", - "ReleaseLabel": "The EMR release version associated with the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._/-]+$`", + "ReleaseLabel": "The Amazon EMR release associated with the application.", "Tags": "The tags assigned to the application.", "Type": "The type of application, such as Spark or Hive.", - "WorkerTypeSpecifications": "" + "WorkerTypeSpecifications": "The specification applied to each worker type." }, "AWS::EMRServerless::Application AutoStartConfiguration": { - "Enabled": "Enables the application to automatically start on job submission. Defaults to true." + "Enabled": "" }, "AWS::EMRServerless::Application AutoStopConfiguration": { - "Enabled": "Enables the application to automatically stop after a certain amount of time being idle. Defaults to true.", - "IdleTimeoutMinutes": "The amount of idle time in minutes after which your application will automatically stop. Defaults to 15 minutes.\n\n*Minimum* : 1\n\n*Maximum* : 10080" + "Enabled": "", + "IdleTimeoutMinutes": "" }, "AWS::EMRServerless::Application ImageConfigurationInput": { - "ImageUri": "" + "ImageUri": "The URI of an image in the Amazon ECR registry. This field is required when you create a new application. If you leave this field blank in an update, Amazon EMR will remove the image configuration." }, "AWS::EMRServerless::Application InitialCapacityConfig": { "WorkerConfiguration": "The resource configuration of the initial capacity configuration.", - "WorkerCount": "The number of workers in the initial capacity configuration.\n\n*Minimum* : 1\n\n*Maximum* : 1000000" + "WorkerCount": "The number of workers in the initial capacity configuration." }, "AWS::EMRServerless::Application InitialCapacityConfigKeyValuePair": { - "Key": "The worker type for an analytics framework. For Spark applications, the key can either be set to `Driver` or `Executor` . For Hive applications, it can be set to `HiveDriver` or `TezTask` .\n\n*Minimum* : 1\n\n*Maximum* : 50\n\n*Pattern* : `^[a-zA-Z]+[-_]*[a-zA-Z]+$`", - "Value": "The value for the initial capacity configuration per worker." + "Key": "", + "Value": "" }, "AWS::EMRServerless::Application MaximumAllowedResources": { - "Cpu": "The maximum allowed CPU for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", - "Disk": "The maximum allowed disk for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", - "Memory": "The maximum allowed resources for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`" + "Cpu": "The maximum allowed CPU for an application.", + "Disk": "The maximum allowed disk for an application.", + "Memory": "The maximum allowed resources for an application." }, "AWS::EMRServerless::Application NetworkConfiguration": { - "SecurityGroupIds": "The array of security group Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", - "SubnetIds": "The array of subnet Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`" + "SecurityGroupIds": "The array of security group Ids for customer VPC connectivity.", + "SubnetIds": "The array of subnet Ids for customer VPC connectivity." + }, + "AWS::EMRServerless::Application Tag": { + "Key": "", + "Value": "" }, "AWS::EMRServerless::Application WorkerConfiguration": { - "Cpu": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", - "Disk": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", - "Memory": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`" + "Cpu": "", + "Disk": "", + "Memory": "" }, "AWS::EMRServerless::Application WorkerTypeSpecificationInput": { - "ImageConfiguration": "" + "ImageConfiguration": "The image configuration for a worker type." }, "AWS::ElastiCache::CacheCluster": { "AZMode": "Specifies whether the nodes in this Memcached cluster are created in a single Availability Zone or created across multiple Availability Zones in the cluster's region.\n\nThis parameter is only supported for Memcached clusters.\n\nIf the `AZMode` and `PreferredAvailabilityZones` are not specified, ElastiCache assumes `single-az` mode.", @@ -11059,8 +12338,8 @@ "CacheNodeType": "The compute and memory capacity of the nodes in the node group (shard).\n\nThe following node types are supported by ElastiCache. Generally speaking, the current generation types provide more memory and computational power at lower cost when compared to their equivalent previous generation counterparts. Changing the CacheNodeType of a Memcached instance is currently not supported. If you need to scale using Memcached, we recommend forcing a replacement update by changing the `LogicalResourceId` of the resource.\n\n- General purpose:\n\n- Current generation:\n\n*M6g node types:* `cache.m6g.large` , `cache.m6g.xlarge` , `cache.m6g.2xlarge` , `cache.m6g.4xlarge` , `cache.m6g.8xlarge` , `cache.m6g.12xlarge` , `cache.m6g.16xlarge` , `cache.m6g.24xlarge`\n\n*M5 node types:* `cache.m5.large` , `cache.m5.xlarge` , `cache.m5.2xlarge` , `cache.m5.4xlarge` , `cache.m5.12xlarge` , `cache.m5.24xlarge`\n\n*M4 node types:* `cache.m4.large` , `cache.m4.xlarge` , `cache.m4.2xlarge` , `cache.m4.4xlarge` , `cache.m4.10xlarge`\n\n*T4g node types:* `cache.t4g.micro` , `cache.t4g.small` , `cache.t4g.medium`\n\n*T3 node types:* `cache.t3.micro` , `cache.t3.small` , `cache.t3.medium`\n\n*T2 node types:* `cache.t2.micro` , `cache.t2.small` , `cache.t2.medium`\n- Previous generation: (not recommended)\n\n*T1 node types:* `cache.t1.micro`\n\n*M1 node types:* `cache.m1.small` , `cache.m1.medium` , `cache.m1.large` , `cache.m1.xlarge`\n\n*M3 node types:* `cache.m3.medium` , `cache.m3.large` , `cache.m3.xlarge` , `cache.m3.2xlarge`\n- Compute optimized:\n\n- Previous generation: (not recommended)\n\n*C1 node types:* `cache.c1.xlarge`\n- Memory optimized:\n\n- Current generation:\n\n*R6gd node types:* `cache.r6gd.xlarge` , `cache.r6gd.2xlarge` , `cache.r6gd.4xlarge` , `cache.r6gd.8xlarge` , `cache.r6gd.12xlarge` , `cache.r6gd.16xlarge`\n\n> The `r6gd` family is available in the following regions: `us-east-2` , `us-east-1` , `us-west-2` , `us-west-1` , `eu-west-1` , `eu-central-1` , `ap-northeast-1` , `ap-southeast-1` , `ap-southeast-2` . \n\n*R6g node types:* `cache.r6g.large` , `cache.r6g.xlarge` , `cache.r6g.2xlarge` , `cache.r6g.4xlarge` , `cache.r6g.8xlarge` , `cache.r6g.12xlarge` , `cache.r6g.16xlarge` , `cache.r6g.24xlarge`\n\n*R5 node types:* `cache.r5.large` , `cache.r5.xlarge` , `cache.r5.2xlarge` , `cache.r5.4xlarge` , `cache.r5.12xlarge` , `cache.r5.24xlarge`\n\n*R4 node types:* `cache.r4.large` , `cache.r4.xlarge` , `cache.r4.2xlarge` , `cache.r4.4xlarge` , `cache.r4.8xlarge` , `cache.r4.16xlarge`\n- Previous generation: (not recommended)\n\n*M2 node types:* `cache.m2.xlarge` , `cache.m2.2xlarge` , `cache.m2.4xlarge`\n\n*R3 node types:* `cache.r3.large` , `cache.r3.xlarge` , `cache.r3.2xlarge` , `cache.r3.4xlarge` , `cache.r3.8xlarge`\n\nFor region availability, see [Supported Node Types by Region](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)\n\n*Additional node type info*\n\n- All current generation instance types are created in Amazon VPC by default.\n- Redis append-only files (AOF) are not supported for T1 or T2 instances.\n- Redis Multi-AZ with automatic failover is not supported on T1 instances.\n- Redis configuration variables `appendonly` and `appendfsync` are not supported on Redis version 2.8.22 and later.", "CacheParameterGroupName": "The name of the parameter group to associate with this cluster. If this argument is omitted, the default parameter group for the specified engine is used. You cannot use any parameter group which has `cluster-enabled='yes'` when creating a cluster.", "CacheSecurityGroupNames": "A list of security group names to associate with this cluster.\n\nUse this parameter only when you are creating a cluster outside of an Amazon Virtual Private Cloud (Amazon VPC).", - "CacheSubnetGroupName": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see [AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .", - "ClusterName": "A name for the cache cluster. If you don't specify a name, AWSCloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", + "CacheSubnetGroupName": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see `[AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .`", + "ClusterName": "A name for the cache cluster. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", "Engine": "The name of the cache engine to be used for this cluster.\n\nValid values for this parameter are: `memcached` | `redis`", "EngineVersion": "The version number of the cache engine to be used for this cluster. To view the supported cache engine versions, use the DescribeCacheEngineVersions operation.\n\n*Important:* You can upgrade to a newer engine version (see [Selecting a Cache Engine and Version](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/SelectEngine.html#VersionManagement) ), but you cannot downgrade to an earlier engine version. If you want to use an earlier engine version, you must delete the existing cluster or replication group and create it anew with the earlier engine version.", "IpDiscovery": "The network type you choose when modifying a cluster, either `ipv4` | `ipv6` . IPv6 is supported for workloads using Redis engine version 6.2 onward or Memcached engine version 1.6.6 on all instances built on the [Nitro system](https://docs.aws.amazon.com/ec2/nitro/) .", @@ -11096,6 +12375,10 @@ "LogFormat": "Valid values are either `json` or `text` .", "LogType": "Valid value is either `slow-log` , which refers to [slow-log](https://docs.aws.amazon.com/https://redis.io/commands/slowlog) or `engine-log` ." }, + "AWS::ElastiCache::CacheCluster Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::GlobalReplicationGroup": { "AutomaticFailoverEnabled": "Specifies whether a read-only replica is automatically promoted to read/write primary if the existing primary fails.\n\n`AutomaticFailoverEnabled` must be enabled for Redis (cluster mode enabled) replication groups.", "CacheNodeType": "The cache node type of the Global datastore", @@ -11127,6 +12410,10 @@ "Properties": "A comma-delimited list of parameter name/value pairs.\n\nFor example:\n\n```\n\"Properties\" : { \"cas_disabled\" : \"1\", \"chunk_size_growth_factor\" : \"1.02\"\n}\n```", "Tags": "A tag that can be added to an ElastiCache parameter group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your parameter groups. A tag with a null Value is permitted." }, + "AWS::ElastiCache::ParameterGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::ReplicationGroup": { "AtRestEncryptionEnabled": "A flag that enables encryption at rest when set to `true` .\n\nYou cannot modify the value of `AtRestEncryptionEnabled` after the replication group is created. To enable encryption at rest on a replication group you must set `AtRestEncryptionEnabled` to `true` when you create the replication group.\n\n*Required:* Only available when creating a replication group in an Amazon VPC using redis version `3.2.6` or `4.x` onward.\n\nDefault: `false`", "AuthToken": "*Reserved parameter.* The password used to access a password protected server.\n\n`AuthToken` can be specified only on replication groups where `TransitEncryptionEnabled` is `true` . For more information, see [Authenticating Users with the Redis AUTH Command](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html) .\n\n> For HIPAA compliance, you must specify `TransitEncryptionEnabled` as `true` , an `AuthToken` , and a `CacheSubnetGroup` . \n\nPassword constraints:\n\n- Must be only printable ASCII characters.\n- Must be at least 16 characters and no more than 128 characters in length.\n- Nonalphanumeric characters are restricted to (!, &, #, $, ^, <, >, -, ).\n\nFor more information, see [AUTH password](https://docs.aws.amazon.com/http://redis.io/commands/AUTH) at http://redis.io/commands/AUTH.\n\n> If ADDING the AuthToken, update requires [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) .", @@ -11156,7 +12443,6 @@ "PrimaryClusterId": "The identifier of the cluster that serves as the primary for this replication group. This cluster must already exist and have a status of `available` .\n\nThis parameter is not required if `NumCacheClusters` , `NumNodeGroups` , or `ReplicasPerNodeGroup` is specified.", "ReplicasPerNodeGroup": "An optional parameter that specifies the number of replica nodes in each node group (shard). Valid values are 0 to 5.", "ReplicationGroupDescription": "A user-created description for the replication group.", - "ReplicationGroupId": "The replication group identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n- A name must contain from 1 to 40 alphanumeric characters or hyphens.\n- The first character must be a letter.\n- A name cannot end with a hyphen or contain two consecutive hyphens.", "SecurityGroupIds": "One or more Amazon VPC security groups associated with this replication group.\n\nUse this parameter only when you are creating a replication group in an Amazon Virtual Private Cloud (Amazon VPC).", "SnapshotArns": "A list of Amazon Resource Names (ARN) that uniquely identify the Redis RDB snapshot files stored in Amazon S3. The snapshot files are used to populate the new replication group. The Amazon S3 object name in the ARN cannot contain any commas. The new replication group will have the number of node groups (console: shards) specified by the parameter *NumNodeGroups* or the number of node groups configured by *NodeGroupConfiguration* regardless of the number of ARNs specified here.\n\nExample of an Amazon S3 ARN: `arn:aws:s3:::my_bucket/snapshot1.rdb`", "SnapshotName": "The name of a snapshot from which to restore data into the new replication group. The snapshot status changes to `restoring` while the new replication group is being created.", @@ -11191,10 +12477,18 @@ "ReplicaCount": "The number of read replica nodes in this node group (shard).", "Slots": "A string of comma-separated values where the first set of values are the slot numbers (zero based), and the second set of values are the keyspaces for each slot. The following example specifies three slots (numbered 0, 1, and 2): `0,1,2,0-4999,5000-9999,10000-16,383` .\n\nIf you don't specify a value, ElastiCache allocates keys equally among each slot.\n\nWhen you use an `UseOnlineResharding` update policy to update the number of node groups without interruption, ElastiCache evenly distributes the keyspaces between the specified number of slots. This cannot be updated later. Therefore, after updating the number of node groups in this way, you should remove the value specified for the `Slots` property of each `NodeGroupConfiguration` from the stack template, as it no longer reflects the actual values in each node group. For more information, see [UseOnlineResharding Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatepolicy.html#cfn-attributes-updatepolicy-useonlineresharding) ." }, + "AWS::ElastiCache::ReplicationGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::SecurityGroup": { "Description": "A description for the cache security group.", "Tags": "A tag that can be added to an ElastiCache security group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your security groups. A tag with a null Value is permitted." }, + "AWS::ElastiCache::SecurityGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::SecurityGroupIngress": { "CacheSecurityGroupName": "The name of the Cache Security Group to authorize.", "EC2SecurityGroupName": "Name of the EC2 Security Group to include in the authorization.", @@ -11206,6 +12500,10 @@ "SubnetIds": "The EC2 subnet IDs for the cache subnet group.", "Tags": "A tag that can be added to an ElastiCache subnet group. Tags are composed of a Key/Value pair. You can use tags to categorize and track all your subnet groups. A tag with a null Value is permitted." }, + "AWS::ElastiCache::SubnetGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::User": { "AccessString": "Access permissions string used for this user.", "AuthenticationMode": "Specifies the authentication mode to use. Below is an example of the possible JSON values:\n\n```\n{ Type: Passwords: [\"*****\", \"******\"] // If Type is password.\n}\n```", @@ -11220,12 +12518,20 @@ "Passwords": "Specifies the passwords to use for authentication if `Type` is set to `password` .", "Type": "Specifies the authentication type. Possible options are IAM authentication, password and no password." }, + "AWS::ElastiCache::User Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElastiCache::UserGroup": { "Engine": "The current supported value is redis.", "Tags": "", "UserGroupId": "The ID of the user group.", "UserIds": "The list of user IDs that belong to the user group. A user named `default` must be included." }, + "AWS::ElastiCache::UserGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::ElasticBeanstalk::Application": { "ApplicationName": "A name for the Elastic Beanstalk application. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the application name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", "Description": "Your description of the application.", @@ -11297,6 +12603,10 @@ "ResourceName": "A unique resource name for the option setting. Use it for a time\u2013based scaling configuration option.", "Value": "The current value for the configuration option." }, + "AWS::ElasticBeanstalk::Environment Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::ElasticBeanstalk::Environment Tier": { "Name": "The name of this environment tier.\n\nValid values:\n\n- For *Web server tier* \u2013 `WebServer`\n- For *Worker tier* \u2013 `Worker`", "Type": "The type of this environment tier.\n\nValid values:\n\n- For *Web server tier* \u2013 `Standard`\n- For *Worker tier* \u2013 `SQS/HTTP`", @@ -11306,9 +12616,9 @@ "AccessLoggingPolicy": "Information about where and how access logs are stored for the load balancer.", "AppCookieStickinessPolicy": "Information about a policy for application-controlled session stickiness.", "AvailabilityZones": "The Availability Zones for the load balancer. For load balancers in a VPC, specify `Subnets` instead.\n\nUpdate requires replacement if you did not previously specify an Availability Zone or if you are removing all Availability Zones. Otherwise, update requires no interruption.", - "ConnectionDrainingPolicy": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure Connection Draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *Classic Load Balancers Guide* .", - "ConnectionSettings": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. For more information, see [Configure Idle Connection Timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *Classic Load Balancers Guide* .", - "CrossZone": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure Cross-Zone Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *Classic Load Balancers Guide* .", + "ConnectionDrainingPolicy": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure connection draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *User Guide for Classic Load Balancers* .", + "ConnectionSettings": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. For more information, see [Configure idle connection timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *User Guide for Classic Load Balancers* .", + "CrossZone": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *User Guide for Classic Load Balancers* .", "HealthCheck": "The health check settings to use when evaluating the health of your EC2 instances.\n\nUpdate requires replacement if you did not previously specify health check settings or if you are removing the health check settings. Otherwise, update requires no interruption.", "Instances": "The IDs of the instances for the load balancer.", "LBCookieStickinessPolicy": "Information about a policy for duration-based session stickiness.", @@ -11363,6 +12673,10 @@ "PolicyName": "The name of the policy.", "PolicyType": "The name of the policy type." }, + "AWS::ElasticLoadBalancing::LoadBalancer Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::ElasticLoadBalancingV2::Listener": { "AlpnPolicy": "[TLS listener] The name of the Application-Layer Protocol Negotiation (ALPN) policy.", "Certificates": "The default SSL server certificate for a secure listener. You must provide exactly one certificate if the listener protocol is HTTPS or TLS.\n\nTo create a certificate list for a secure listener, use [AWS::ElasticLoadBalancingV2::ListenerCertificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listenercertificate.html) .", @@ -11544,14 +12858,14 @@ "LoadBalancerAttributes": "The load balancer attributes.", "Name": "The name of the load balancer. This name must be unique per region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, must not begin or end with a hyphen, and must not begin with \"internal-\".\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID for the load balancer. If you specify a name, you cannot perform updates that require replacement of this resource, but you can perform other updates. To replace the resource, specify a new name.", "Scheme": "The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes. Therefore, Internet-facing load balancers can route requests from clients over the internet.\n\nThe nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers can route requests only from clients with access to the VPC for the load balancer.\n\nThe default is an Internet-facing load balancer.\n\nYou cannot specify a scheme for a Gateway Load Balancer.", - "SecurityGroups": "[Application Load Balancers] The IDs of the security groups for the load balancer.", + "SecurityGroups": "[Application Load Balancers and Network Load Balancers] The IDs of the security groups for the load balancer.", "SubnetMappings": "The IDs of the public subnets. You can specify only one subnet per Availability Zone. You must specify either subnets or subnet mappings, but not both.\n\n[Application Load Balancers] You must specify subnets from at least two Availability Zones. You cannot specify Elastic IP addresses for your subnets.\n\n[Application Load Balancers on Outposts] You must specify one Outpost subnet.\n\n[Application Load Balancers on Local Zones] You can specify subnets from one or more Local Zones.\n\n[Network Load Balancers] You can specify subnets from one or more Availability Zones. You can specify one Elastic IP address per subnet if you need static IP addresses for your internet-facing load balancer. For internal load balancers, you can specify one private IP address per subnet from the IPv4 range of the subnet. For internet-facing load balancer, you can specify one IPv6 address per subnet.\n\n[Gateway Load Balancers] You can specify subnets from one or more Availability Zones. You cannot specify Elastic IP addresses for your subnets.", "Subnets": "The IDs of the public subnets. You can specify only one subnet per Availability Zone. You must specify either subnets or subnet mappings, but not both. To specify an Elastic IP address, specify subnet mappings instead of subnets.\n\n[Application Load Balancers] You must specify subnets from at least two Availability Zones.\n\n[Application Load Balancers on Outposts] You must specify one Outpost subnet.\n\n[Application Load Balancers on Local Zones] You can specify subnets from one or more Local Zones.\n\n[Network Load Balancers] You can specify subnets from one or more Availability Zones.\n\n[Gateway Load Balancers] You can specify subnets from one or more Availability Zones.", "Tags": "The tags to assign to the load balancer.", "Type": "The type of load balancer. The default is `application` ." }, "AWS::ElasticLoadBalancingV2::LoadBalancer LoadBalancerAttribute": { - "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .", + "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .\n\nThe following attributes are supported by only Network Load Balancers:\n\n- `dns_record.client_routing_policy` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are `availability_zone_affinity` with 100 percent zonal affinity, `partial_availability_zone_affinity` with 85 percent zonal affinity, and `any_availability_zone` with 0 percent zonal affinity.", "Value": "The value of the attribute." }, "AWS::ElasticLoadBalancingV2::LoadBalancer SubnetMapping": { @@ -11560,6 +12874,10 @@ "PrivateIPv4Address": "[Network Load Balancers] The private IPv4 address for an internal load balancer.", "SubnetId": "The ID of the subnet." }, + "AWS::ElasticLoadBalancingV2::LoadBalancer Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::ElasticLoadBalancingV2::TargetGroup": { "HealthCheckEnabled": "Indicates whether health checks are enabled. If the target type is `lambda` , health checks are disabled by default but can be enabled. If the target type is `instance` , `ip` , or `alb` , health checks are always enabled and cannot be disabled.", "HealthCheckIntervalSeconds": "The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds. If the target type is `lambda` , the default is 35 seconds.", @@ -11585,13 +12903,17 @@ "GrpcCode": "You can specify values between 0 and 99. You can specify multiple values (for example, \"0,1\") or a range of values (for example, \"0-5\"). The default value is 12.", "HttpCode": "For Application Load Balancers, you can specify values between 200 and 499, with the default value being 200. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\").\n\nFor Network Load Balancers, you can specify values between 200 and 599, with the default value being 200-399. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\").\n\nFor Gateway Load Balancers, this must be \"200\u2013399\".\n\nNote that when using shorthand syntax, some values such as commas need to be escaped." }, + "AWS::ElasticLoadBalancingV2::TargetGroup Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::ElasticLoadBalancingV2::TargetGroup TargetDescription": { "AvailabilityZone": "An Availability Zone or `all` . This determines whether the target receives traffic from the load balancer nodes in the specified Availability Zone or from all enabled Availability Zones for the load balancer.\n\nFor Application Load Balancer target groups, the specified Availability Zone value is only applicable when cross-zone load balancing is off. Otherwise the parameter is ignored and treated as `all` .\n\nThis parameter is not supported if the target type of the target group is `instance` or `alb` .\n\nIf the target type is `ip` and the IP address is in a subnet of the VPC for the target group, the Availability Zone is automatically detected and this parameter is optional. If the IP address is outside the VPC, this parameter is required.\n\nFor Application Load Balancer target groups with cross-zone load balancing off, if the target type is `ip` and the IP address is outside of the VPC for the target group, this should be an Availability Zone inside the VPC for the target group.\n\nIf the target type is `lambda` , this parameter is optional and the only supported value is `all` .", "Id": "The ID of the target. If the target type of the target group is `instance` , specify an instance ID. If the target type is `ip` , specify an IP address. If the target type is `lambda` , specify the ARN of the Lambda function. If the target type is `alb` , specify the ARN of the Application Load Balancer target.", "Port": "The port on which the target is listening. If the target group protocol is GENEVE, the supported port is 6081. If the target type is `alb` , the targeted Application Load Balancer must have at least one listener whose port matches the target group port. This parameter is not used if the target is a Lambda function." }, "AWS::ElasticLoadBalancingV2::TargetGroup TargetGroupAttribute": { - "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . The default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", + "Key": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", "Value": "The value of the attribute." }, "AWS::Elasticsearch::Domain": { @@ -11671,6 +12993,10 @@ "AWS::Elasticsearch::Domain SnapshotOptions": { "AutomatedSnapshotStartHour": "The hour in UTC during which the service takes an automated daily snapshot of the indices in the OpenSearch Service domain. For example, if you specify 0, OpenSearch Service takes an automated snapshot everyday between midnight and 1 am. You can specify a value between 0 and 23." }, + "AWS::Elasticsearch::Domain Tag": { + "Key": "", + "Value": "" + }, "AWS::Elasticsearch::Domain VPCOptions": { "SecurityGroupIds": "The list of security group IDs that are associated with the VPC endpoints for the domain. If you don't provide a security group ID, OpenSearch Service uses the default security group for the VPC. To learn more, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon VPC User Guide* .", "SubnetIds": "Provide one subnet ID for each Availability Zone that your domain uses. For example, you must specify three subnet IDs for a three Availability Zone domain. To learn more, see [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon VPC User Guide* .\n\nRequired if you're creating your domain inside a VPC." @@ -11678,6 +13004,105 @@ "AWS::Elasticsearch::Domain ZoneAwarenessConfig": { "AvailabilityZoneCount": "If you enabled multiple Availability Zones (AZs), the number of AZs that you want the domain to use.\n\nValid values are `2` and `3` . Default is 2." }, + "AWS::EntityResolution::IdMappingWorkflow": { + "Description": "A description of the workflow.", + "IdMappingTechniques": "An object which defines the `idMappingType` and the `providerProperties` .", + "InputSourceConfig": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "OutputSourceConfig": "A list of `IdMappingWorkflowOutputSource` objects, each of which contains fields `OutputS3Path` and `Output` .", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "Tags": "The tags used to organize, track, or control access for this resource.", + "WorkflowName": "The name of the workflow. There can't be multiple `IdMappingWorkflows` with the same name." + }, + "AWS::EntityResolution::IdMappingWorkflow IdMappingTechniques": { + "IdMappingType": "The type of ID mapping.", + "ProviderProperties": "An object which defines any additional configurations required by the provider service." + }, + "AWS::EntityResolution::IdMappingWorkflow IdMappingWorkflowInputSource": { + "InputSourceARN": "An AWS Glue table ARN for the input source table.", + "SchemaArn": "The ARN (Amazon Resource Name) that AWS Entity Resolution generated for the `SchemaMapping` ." + }, + "AWS::EntityResolution::IdMappingWorkflow IdMappingWorkflowOutputSource": { + "KMSArn": "Customer AWS KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "OutputS3Path": "The S3 path to which AWS Entity Resolution will write the output table." + }, + "AWS::EntityResolution::IdMappingWorkflow IntermediateSourceConfiguration": { + "IntermediateS3Path": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`" + }, + "AWS::EntityResolution::IdMappingWorkflow ProviderProperties": { + "IntermediateSourceConfiguration": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "ProviderConfiguration": "The required configuration fields to use with the provider service.", + "ProviderServiceArn": "The ARN of the provider service." + }, + "AWS::EntityResolution::IdMappingWorkflow Tag": { + "Key": "", + "Value": "" + }, + "AWS::EntityResolution::MatchingWorkflow": { + "Description": "A description of the workflow.", + "InputSourceConfig": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "OutputSourceConfig": "A list of `OutputSource` objects, each of which contains fields `OutputS3Path` , `ApplyNormalization` , and `Output` .", + "ResolutionTechniques": "An object which defines the `resolutionType` and the `ruleBasedProperties` .", + "RoleArn": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "Tags": "The tags used to organize, track, or control access for this resource.", + "WorkflowName": "The name of the workflow. There can't be multiple `MatchingWorkflows` with the same name." + }, + "AWS::EntityResolution::MatchingWorkflow InputSource": { + "ApplyNormalization": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "InputSourceARN": "An object containing `InputSourceARN` , `SchemaName` , and `ApplyNormalization` .", + "SchemaArn": "The name of the schema." + }, + "AWS::EntityResolution::MatchingWorkflow IntermediateSourceConfiguration": { + "IntermediateS3Path": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`" + }, + "AWS::EntityResolution::MatchingWorkflow OutputAttribute": { + "Hashed": "Enables the ability to hash the column values in the output.", + "Name": "A name of a column to be written to the output. This must be an `InputField` name in the schema mapping." + }, + "AWS::EntityResolution::MatchingWorkflow OutputSource": { + "ApplyNormalization": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "KMSArn": "Customer KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "Output": "A list of `OutputAttribute` objects, each of which have the fields `Name` and `Hashed` . Each of these objects selects a column to be included in the output table, and whether the values of the column should be hashed.", + "OutputS3Path": "The S3 path to which AWS Entity Resolution will write the output table." + }, + "AWS::EntityResolution::MatchingWorkflow ProviderProperties": { + "IntermediateSourceConfiguration": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "ProviderConfiguration": "The required configuration fields to use with the provider service.", + "ProviderServiceArn": "The ARN of the provider service." + }, + "AWS::EntityResolution::MatchingWorkflow ResolutionTechniques": { + "ProviderProperties": "The properties of the provider service.", + "ResolutionType": "The type of matching. There are two types of matching: `RULE_MATCHING` and `ML_MATCHING` .", + "RuleBasedProperties": "An object which defines the list of matching rules to run and has a field `Rules` , which is a list of rule objects." + }, + "AWS::EntityResolution::MatchingWorkflow Rule": { + "MatchingKeys": "A list of `MatchingKeys` . The `MatchingKeys` must have been defined in the `SchemaMapping` . Two records are considered to match according to this rule if all of the `MatchingKeys` match.", + "RuleName": "A name for the matching rule." + }, + "AWS::EntityResolution::MatchingWorkflow RuleBasedProperties": { + "AttributeMatchingModel": "The comparison type. You can either choose `ONE_TO_ONE` or `MANY_TO_MANY` as the AttributeMatchingModel. When choosing `MANY_TO_MANY` , the system can match attributes across the sub-types of an attribute type. For example, if the value of the `Email` field of Profile A and the value of `BusinessEmail` field of Profile B matches, the two profiles are matched on the `Email` type. When choosing `ONE_TO_ONE` ,the system can only match if the sub-types are exact matches. For example, only when the value of the `Email` field of Profile A and the value of the `Email` field of Profile B matches, the two profiles are matched on the `Email` type.", + "Rules": "A list of `Rule` objects, each of which have fields `RuleName` and `MatchingKeys` ." + }, + "AWS::EntityResolution::MatchingWorkflow Tag": { + "Key": "", + "Value": "" + }, + "AWS::EntityResolution::SchemaMapping": { + "Description": "A description of the schema.", + "MappedInputFields": "A list of `MappedInputFields` . Each `MappedInputField` corresponds to a column the source data table, and contains column name plus additional information that AWS Entity Resolution uses for matching.", + "SchemaName": "The name of the schema. There can't be multiple `SchemaMappings` with the same name.", + "Tags": "The tags used to organize, track, or control access for this resource." + }, + "AWS::EntityResolution::SchemaMapping SchemaInputAttribute": { + "FieldName": "A string containing the field name.", + "GroupName": "Instruct AWS Entity Resolution to combine several columns into a unified column with the identical attribute type. For example, when working with columns such as first_name, middle_name, and last_name, assigning them a common `GroupName` will prompt AWS Entity Resolution to concatenate them into a single value.", + "MatchKey": "A key that allows grouping of multiple input attributes into a unified matching group. For example, let's consider a scenario where the source table contains various addresses, such as `business_address` and `shipping_address` . By assigning the `MatchKey` *Address* to both attributes, AWS Entity Resolution will match records across these fields to create a consolidated matching group. If no `MatchKey` is specified for a column, it won't be utilized for matching purposes but will still be included in the output table.", + "SubType": "The subtype of the attribute, selected from a list of values.", + "Type": "The type of the attribute, selected from a list of values." + }, + "AWS::EntityResolution::SchemaMapping Tag": { + "Key": "", + "Value": "" + }, "AWS::EventSchemas::Discoverer": { "CrossAccount": "Allows for the discovery of the event schemas that are sent to the event bus from another account.", "Description": "A description for the discoverer.", @@ -11685,8 +13110,8 @@ "Tags": "Tags associated with the resource." }, "AWS::EventSchemas::Discoverer TagsEntry": { - "Key": "They key of a key-value pair.", - "Value": "They value of a key-value pair." + "Key": "The key of a key-value pair.", + "Value": "The value of a key-value pair." }, "AWS::EventSchemas::Registry": { "Description": "A description of the registry to be created.", @@ -11694,8 +13119,8 @@ "Tags": "Tags to associate with the registry." }, "AWS::EventSchemas::Registry TagsEntry": { - "Key": "They key of a key-value pair.", - "Value": "They value of a key-value pair." + "Key": "The key of a key-value pair.", + "Value": "The value of a key-value pair." }, "AWS::EventSchemas::RegistryPolicy": { "Policy": "A resource-based policy.", @@ -11711,8 +13136,8 @@ "Type": "The type of schema.\n\nValid types include `OpenApi3` and `JSONSchemaDraft4` ." }, "AWS::EventSchemas::Schema TagsEntry": { - "Key": "They key of a key-value pair.", - "Value": "They value of a key-value pair." + "Key": "The key of a key-value pair.", + "Value": "The value of a key-value pair." }, "AWS::Events::ApiDestination": { "ConnectionArn": "The ARN of the connection to use for the API destination. The destination endpoint must support the authorization type specified for the connection.", @@ -11799,9 +13224,10 @@ "AWS::Events::EventBus": { "EventSourceName": "If you are creating a partner event bus, this specifies the partner event source that the new event bus will be matched with.", "Name": "The name of the new event bus.\n\nCustom event bus names can't contain the `/` character, but you can use the `/` character in partner event bus names. In addition, for partner event buses, the name must exactly match the name of the partner event source that this event bus is matched to.\n\nYou can't use the name `default` for a custom event bus, as this name is already used for your account's default event bus.", + "Policy": "The permissions policy of the event bus, describing which other AWS accounts can write events to this event bus.", "Tags": "Tags to associate with the event bus." }, - "AWS::Events::EventBus TagEntry": { + "AWS::Events::EventBus Tag": { "Key": "A string you can use to assign a value. The combination of tag keys and values can help you organize and categorize your resources.", "Value": "The value for the specified tag key." }, @@ -11897,6 +13323,7 @@ "DbUser": "The database user name. Required when authenticating using temporary credentials.", "SecretManagerArn": "The name or ARN of the secret that enables access to the database. Required when authenticating using AWS Secrets Manager.", "Sql": "The SQL statement text to run.", + "Sqls": "One or more SQL statements to run. The SQL statements are run as a single transaction. They run serially in the order of the array. Subsequent SQL statements don't start until the previous statement in the array completes. If any SQL statement fails, then because they are run as one transaction, all work is rolled back.", "StatementName": "The name of the SQL statement. You can name the SQL statement when you create it to identify the query.", "WithEvent": "Indicates whether to send an event back to EventBridge after the SQL statement runs." }, @@ -11953,7 +13380,7 @@ "RemoveSegment": "Set this to `true` to remove the segment that is associated with this experiment. You can't use this parameter if the experiment is currently running.", "RunningStatus": "A structure that you can use to start and stop the experiment.", "SamplingRate": "The portion of the available audience that you want to allocate to this experiment, in thousandths of a percent. The available audience is the total audience minus the audience that you have allocated to overrides or current launches of this feature.\n\nThis is represented in thousandths of a percent. For example, specify 10,000 to allocate 10% of the available audience.", - "Segment": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "Segment": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "Tags": "Assigns one or more tags (key-value pairs) to the experiment.\n\nTags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values.\n\nTags don't have any semantic meaning to AWS and are interpreted strictly as strings of characters.\n\nYou can associate as many as 50 tags with an experiment.\n\nFor more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .", "Treatments": "An array of structures that describe the configuration of each feature variation used in the experiment." }, @@ -11975,6 +13402,10 @@ "Reason": "If you are using AWS CloudFormation to stop this experiment, this is an optional field that you can use to record why the experiment is being stopped or cancelled.", "Status": "To start the experiment now, specify `START` for this parameter. If this experiment is currently running and you want to stop it now, specify `STOP` ." }, + "AWS::Evidently::Experiment Tag": { + "Key": "", + "Value": "" + }, "AWS::Evidently::Experiment TreatmentObject": { "Description": "The description of the treatment.", "Feature": "The name of the feature for this experiment.", @@ -11999,6 +13430,10 @@ "EntityId": "The entity ID to be served the variation specified in `Variation` .", "Variation": "The name of the variation to serve to the user session that matches the `EntityId` ." }, + "AWS::Evidently::Feature Tag": { + "Key": "", + "Value": "" + }, "AWS::Evidently::Feature VariationObject": { "BooleanValue": "The value assigned to this variation, if the variation type is boolean.", "DoubleValue": "The value assigned to this variation, if the variation type is a double.", @@ -12049,6 +13484,10 @@ "SegmentOverrides": "An array of structures that you can use to specify different traffic splits for one or more audience *segments* . A segment is a portion of your audience that share one or more characteristics. Examples could be Chrome browser users, users in Europe, or Firefox browser users in Europe who also fit other criteria that your application collects, such as age.\n\nFor more information, see [Use segments to focus your audience](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html) .", "StartTime": "The date and time to start this step of the launch. Use UTC format, `yyyy-MM-ddTHH:mm:ssZ` . For example, `2025-11-25T23:59:59Z`" }, + "AWS::Evidently::Launch Tag": { + "Key": "", + "Value": "" + }, "AWS::Evidently::Project": { "AppConfigResource": "Use this parameter if the project will use *client-side evaluation powered by AWS AppConfig* . Client-side evaluation allows your application to assign variations to user sessions locally instead of by calling the [EvaluateFeature](https://docs.aws.amazon.com/cloudwatchevidently/latest/APIReference/API_EvaluateFeature.html) operation. This mitigates the latency and availability risks that come with an API call. For more information, see [Use client-side evaluation - powered by AWS AppConfig .](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-client-side-evaluation.html)\n\nThis parameter is a structure that contains information about the AWS AppConfig application that will be used as for client-side evaluation.\n\nTo create a project that uses client-side evaluation, you must have the `evidently:ExportProjectAsConfiguration` permission.", "DataDelivery": "A structure that contains information about where Evidently is to store evaluation events for longer term storage, if you choose to do so. If you choose not to store these events, Evidently deletes them after using them to produce metrics and other experiment results that you can view.\n\nYou can't specify both `CloudWatchLogs` and `S3Destination` in the same operation.", @@ -12068,30 +13507,38 @@ "BucketName": "The name of the bucket in which Evidently stores evaluation events.", "Prefix": "The bucket prefix in which Evidently stores evaluation events." }, + "AWS::Evidently::Project Tag": { + "Key": "", + "Value": "" + }, "AWS::Evidently::Segment": { "Description": "An optional description for this segment.", "Name": "A name for the segment.", - "Pattern": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "Pattern": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "Tags": "Assigns one or more tags (key-value pairs) to the feature.\n\nTags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values.\n\nTags don't have any semantic meaning to AWS and are interpreted strictly as strings of characters.\n\nYou can associate as many as 50 tags with a feature.\n\nFor more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) ." }, + "AWS::Evidently::Segment Tag": { + "Key": "", + "Value": "" + }, "AWS::FIS::ExperimentTemplate": { "Actions": "The actions for the experiment.", - "Description": "A description for the experiment template.", + "Description": "The description for the experiment template.", "LogConfiguration": "The configuration for experiment logging.", - "RoleArn": "The Amazon Resource Name (ARN) of an IAM role that grants the AWS FIS service permission to perform service actions on your behalf.", - "StopConditions": "The stop conditions.", - "Tags": "The tags to apply to the experiment template.", + "RoleArn": "The Amazon Resource Name (ARN) of an IAM role.", + "StopConditions": "The stop conditions for the experiment.", + "Tags": "The tags for the experiment template.", "Targets": "The targets for the experiment." }, "AWS::FIS::ExperimentTemplate CloudWatchLogsConfiguration": { "LogGroupArn": "The Amazon Resource Name (ARN) of the destination Amazon CloudWatch Logs log group." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateAction": { - "ActionId": "The ID of the action. The format of the action ID is: aws: *service-name* : *action-type* .", + "ActionId": "The ID of the action.", "Description": "A description for the action.", - "Parameters": "The parameters for the action, if applicable.", - "StartAfter": "The name of the action that must be completed before the current action starts. Omit this parameter to run the action at the start of the experiment.", - "Targets": "The targets for the action." + "ExperimentTemplateActionItemParameter": "The parameters for the action.", + "ExperimentTemplateActionItemTarget": "The targets for the action.", + "StartAfter": "The name of the action that must be completed before the current action starts." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateLogConfiguration": { "CloudWatchLogsConfiguration": "The configuration for experiment logging to CloudWatch Logs .", @@ -12099,16 +13546,16 @@ "S3Configuration": "The configuration for experiment logging to Amazon S3 ." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateStopCondition": { - "Source": "The source for the stop condition. Specify `aws:cloudwatch:alarm` if the stop condition is defined by a CloudWatch alarm. Specify `none` if there is no stop condition.", - "Value": "The Amazon Resource Name (ARN) of the CloudWatch alarm. This is required if the source is a CloudWatch alarm." + "Source": "The source for the stop condition.", + "Value": "The Amazon Resource Name (ARN) of the CloudWatch alarm, if applicable." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateTarget": { "Filters": "The filters to apply to identify target resources using specific attributes.", "Parameters": "The parameters for the resource type.", - "ResourceArns": "The Amazon Resource Names (ARNs) of the resources.", + "ResourceArns": "The Amazon Resource Names (ARNs) of the targets.", "ResourceTags": "The tags for the target resources.", - "ResourceType": "The resource type. The resource type must be supported for the specified action.", - "SelectionMode": "Scopes the identified resources to a specific count of the resources at random, or a percentage of the resources. All identified resources are included in the target.\n\n- ALL - Run the action on all identified targets. This is the default.\n- COUNT(n) - Run the action on the specified number of targets, chosen from the identified targets at random. For example, COUNT(1) selects one of the targets.\n- PERCENT(n) - Run the action on the specified percentage of targets, chosen from the identified targets at random. For example, PERCENT(25) selects 25% of the targets." + "ResourceType": "The resource type.", + "SelectionMode": "Scopes the identified resources to a specific count or percentage." }, "AWS::FIS::ExperimentTemplate ExperimentTemplateTargetFilter": { "Path": "The attribute path for the filter.", @@ -12132,10 +13579,10 @@ "RemediationEnabled": "Indicates if the policy should be automatically applied to new resources.", "ResourceSetIds": "The unique identifiers of the resource sets used by the policy.", "ResourceTags": "An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .", - "ResourceType": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nFor AWS WAF and Shield Advanced, example resource types include `AWS::ElasticLoadBalancingV2::LoadBalancer` and `AWS::CloudFront::Distribution` . For a security group common policy, valid values are `AWS::EC2::NetworkInterface` and `AWS::EC2::Instance` . For a security group content audit policy, valid values are `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` . For a security group usage audit policy, the value is `AWS::EC2::SecurityGroup` . For an AWS Network Firewall policy or DNS Firewall policy, the value is `AWS::EC2::VPC` .", + "ResourceType": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nThe following are valid resource types for each Firewall Manager policy type:\n\n- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .\n- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .\n- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .\n- AWS Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .\n- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .\n- Security group usage audit - `AWS::EC2::SecurityGroup` .", "ResourceTypeList": "An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .", "ResourcesCleanUp": "Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.\n\nBy default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.\n\nThis option is not available for Shield Advanced or AWS WAF Classic policies.", - "SecurityServicePolicyData": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "SecurityServicePolicyData": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "Tags": "A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource." }, "AWS::FMS::Policy IEMap": { @@ -12158,7 +13605,7 @@ "Value": "The resource tag value." }, "AWS::FMS::Policy SecurityServicePolicyData": { - "ManagedServiceData": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "ManagedServiceData": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"\\THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]},\\\"optimizeUnassociatedWebACL\\\":true}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "PolicyOption": "Contains the Network Firewall firewall policy options to configure a centralized deployment model.", "Type": "The service that the policy is using to protect the resources. This specifies the type of policy that is created, either an AWS WAF policy, a Shield Advanced policy, or a security group policy. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support ." }, @@ -12169,8 +13616,12 @@ "Description": "A description of the resource set.", "Name": "The descriptive name of the resource set. You can't change the name of a resource set after you create it.", "ResourceTypeList": "Determines the resources that can be associated to the resource set. Depending on your setting for max results and the number of resource sets, a single call might not return the full list.", - "Resources": "The resources included in the resource set.", - "Tags": "A collection of key:value pairs associated with a resource set. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource." + "Resources": "", + "Tags": "" + }, + "AWS::FMS::ResourceSet Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." }, "AWS::FSx::DataRepositoryAssociation": { "BatchImportMetaDataOnCreate": "A boolean flag indicating whether an import data repository task to import metadata should run after the data repository association is created. The task runs if this flag is set to `true` .", @@ -12191,10 +13642,14 @@ "AutoExportPolicy": "Describes a data repository association's automatic export policy. The `AutoExportPolicy` defines the types of updated objects on the file system that will be automatically exported to the data repository. As you create, modify, or delete files, Amazon FSx for Lustre automatically exports the defined changes asynchronously once your application finishes modifying the file.\n\nThe `AutoExportPolicy` is only supported on Amazon FSx for Lustre file systems with a data repository association.", "AutoImportPolicy": "Describes the data repository association's automatic import policy. The AutoImportPolicy defines how Amazon FSx keeps your file metadata and directory listings up to date by importing changes to your Amazon FSx for Lustre file system as you modify objects in a linked S3 bucket.\n\nThe `AutoImportPolicy` is only supported on Amazon FSx for Lustre file systems with a data repository association." }, + "AWS::FSx::DataRepositoryAssociation Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::FileSystem": { "BackupId": "The ID of the file system backup that you are using to create a file system. For more information, see [CreateFileSystemFromBackup](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateFileSystemFromBackup.html) .", "FileSystemType": "The type of Amazon FSx file system, which can be `LUSTRE` , `WINDOWS` , `ONTAP` , or `OPENZFS` .", - "FileSystemTypeVersion": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` and `2.12` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 is supported by all Lustre deployment types. `2.12` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", + "FileSystemTypeVersion": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` , `2.12` , and `2.15` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 and 2.15 are supported by all Lustre deployment types. `2.12` or `2.15` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", "KmsKeyId": "The ID of the AWS Key Management Service ( AWS KMS ) key used to encrypt Amazon FSx file system data. Used as follows with Amazon FSx file system types:\n\n- Amazon FSx for Lustre `PERSISTENT_1` and `PERSISTENT_2` deployment types only.\n\n`SCRATCH_1` and `SCRATCH_2` types are encrypted using the Amazon FSx service AWS KMS key for your account.\n- Amazon FSx for NetApp ONTAP\n- Amazon FSx for OpenZFS\n- Amazon FSx for Windows File Server", "LustreConfiguration": "The Lustre configuration for the file system being created.\n\n> The following parameters are not supported for file systems with a data repository association.\n> \n> - `AutoImportPolicy`\n> - `ExportPath`\n> - `ImportedChunkSize`\n> - `ImportPath`", "OntapConfiguration": "The ONTAP configuration properties of the FSx for ONTAP file system that you are creating.", @@ -12244,7 +13699,7 @@ "EndpointIpAddressRange": "(Multi-AZ only) Specifies the IP address range in which the endpoints to access your file system will be created. By default in the Amazon FSx API, Amazon FSx selects an unused IP address range for you from the 198.19.* range. By default in the Amazon FSx console, Amazon FSx chooses the last 64 IP addresses from the VPC\u2019s primary CIDR range to use as the endpoint IP address range for the file system. You can have overlapping endpoint IP addresses for file systems deployed in the same VPC/route tables, as long as they don't overlap with any subnet.", "FsxAdminPassword": "The ONTAP administrative password for the `fsxadmin` user with which you administer your file system using the NetApp ONTAP CLI and REST API.", "PreferredSubnetId": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", - "RouteTableIds": "(Multi-AZ only) Specifies the virtual private cloud (VPC) route tables in which your file system's endpoints will be created. You should specify all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "RouteTableIds": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", "ThroughputCapacity": "Sets the throughput capacity for the file system that you're creating. Valid values are 128, 256, 512, 1024, 2048, and 4096 MBps.", "WeeklyMaintenanceStartTime": "A recurring weekly time, in the format `D:HH:MM` .\n\n`D` is the day of the week, for which 1 represents Monday and 7 represents Sunday. For further details, see [the ISO-8601 spec as described on Wikipedia](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_week_date) .\n\n`HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour.\n\nFor example, `1:05:00` specifies maintenance at 5 AM Monday." }, @@ -12253,11 +13708,14 @@ "CopyTagsToBackups": "A Boolean value indicating whether tags for the file system should be copied to backups. This value defaults to `false` . If it's set to `true` , all tags for the file system are copied to all automatic and user-initiated backups where the user doesn't specify tags. If this value is `true` , and you specify one or more tags, only the specified tags are copied to backups. If you specify one or more tags when creating a user-initiated backup, no tags are copied from the file system, regardless of this value.", "CopyTagsToVolumes": "A Boolean value indicating whether tags for the file system should be copied to volumes. This value defaults to `false` . If it's set to `true` , all tags for the file system are copied to volumes where the user doesn't specify tags. If this value is `true` , and you specify one or more tags, only the specified tags are copied to volumes. If you specify one or more tags when creating the volume, no tags are copied from the file system, regardless of this value.", "DailyAutomaticBackupStartTime": "A recurring daily time, in the format `HH:MM` . `HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour. For example, `05:00` specifies 5 AM daily.", - "DeploymentType": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `SINGLE_AZ_1` - (Default) Creates file systems with throughput capacities of 64 - 4,096 MBps. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland) AWS Regions .\n\nFor more information, see: [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", - "DiskIopsConfiguration": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", + "DeploymentType": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `MULTI_AZ_1` - Creates file systems with high availability that are configured for Multi-AZ redundancy to tolerate temporary unavailability in Availability Zones (AZs). `Multi_AZ_1` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n- `SINGLE_AZ_1` - Creates file systems with throughput capacities of 64 - 4,096 MB/s. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n\nFor more information, see [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", + "DiskIopsConfiguration": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP, Amazon FSx for Windows File Server, or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", + "EndpointIpAddressRange": "(Multi-AZ only) Specifies the IP address range in which the endpoints to access your file system will be created. By default in the Amazon FSx API and Amazon FSx console, Amazon FSx selects an available /28 IP address range for you from one of the VPC's CIDR ranges. You can have overlapping endpoint IP addresses for file systems deployed in the same VPC/route tables.", "Options": "To delete a file system if there are child volumes present below the root volume, use the string `DELETE_CHILD_VOLUMES_AND_SNAPSHOTS` . If your file system has child volumes and you don't use this option, the delete request will fail.", + "PreferredSubnetId": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", "RootVolumeConfiguration": "The configuration Amazon FSx uses when creating the root value of the Amazon FSx for OpenZFS file system. All volumes are children of the root volume.", - "ThroughputCapacity": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n- For `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "RouteTableIds": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "ThroughputCapacity": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "WeeklyMaintenanceStartTime": "A recurring weekly time, in the format `D:HH:MM` .\n\n`D` is the day of the week, for which 1 represents Monday and 7 represents Sunday. For further details, see [the ISO-8601 spec as described on Wikipedia](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_week_date) .\n\n`HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour.\n\nFor example, `1:05:00` specifies maintenance at 5 AM Monday." }, "AWS::FSx::FileSystem RootVolumeConfiguration": { @@ -12276,6 +13734,10 @@ "Password": "The password for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain.", "UserName": "The user name for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain. This account must have the permission to join computers to the domain in the organizational unit provided in `OrganizationalUnitDistinguishedName` , or in the default location of your AD domain." }, + "AWS::FSx::FileSystem Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::FileSystem UserAndGroupQuotas": { "Id": "The ID of the user or group.", "StorageCapacityQuotaGiB": "The amount of storage that the user or group can use in gibibytes (GiB).", @@ -12289,6 +13751,7 @@ "CopyTagsToBackups": "A boolean flag indicating whether tags for the file system should be copied to backups. This value defaults to false. If it's set to true, all tags for the file system are copied to all automatic and user-initiated backups where the user doesn't specify tags. If this value is true, and you specify one or more tags, only the specified tags are copied to backups. If you specify one or more tags when creating a user-initiated backup, no tags are copied from the file system, regardless of this value.", "DailyAutomaticBackupStartTime": "A recurring daily time, in the format `HH:MM` . `HH` is the zero-padded hour of the day (0-23), and `MM` is the zero-padded minute of the hour. For example, `05:00` specifies 5 AM daily.", "DeploymentType": "Specifies the file system deployment type, valid values are the following:\n\n- `MULTI_AZ_1` - Deploys a high availability file system that is configured for Multi-AZ redundancy to tolerate temporary Availability Zone (AZ) unavailability. You can only deploy a Multi-AZ file system in AWS Regions that have a minimum of three Availability Zones. Also supports HDD storage type\n- `SINGLE_AZ_1` - (Default) Choose to deploy a file system that is configured for single AZ redundancy.\n- `SINGLE_AZ_2` - The latest generation Single AZ file system. Specifies a file system that is configured for single AZ redundancy and supports HDD storage type.\n\nFor more information, see [Availability and Durability: Single-AZ and Multi-AZ File Systems](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html) .", + "DiskIopsConfiguration": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for Windows file system. By default, Amazon FSx automatically provisions 3 IOPS per GiB of storage capacity. You can provision additional IOPS per GiB of storage, up to the maximum limit associated with your chosen throughput capacity.", "PreferredSubnetId": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located. For in- AWS applications, we recommend that you launch your clients in the same availability zone as your preferred file server to reduce cross-availability zone data transfer costs and minimize latency.", "SelfManagedActiveDirectoryConfiguration": "The configuration that Amazon FSx uses to join a FSx for Windows File Server file system or an FSx for ONTAP storage virtual machine (SVM) to a self-managed (including on-premises) Microsoft Active Directory (AD) directory. For more information, see [Using Amazon FSx for Windows with your self-managed Microsoft Active Directory](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-managed-AD.html) or [Managing FSx for ONTAP SVMs](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-svms.html) .", "ThroughputCapacity": "Sets the throughput capacity of an Amazon FSx file system, measured in megabytes per second (MB/s), in 2 to the *n* th increments, between 2^3 (8) and 2^11 (2048).\n\n> To increase storage capacity, a file system must have a minimum throughput capacity of 16 MB/s.", @@ -12299,6 +13762,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VolumeId": "The ID of the volume that the snapshot is of." }, + "AWS::FSx::Snapshot Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::StorageVirtualMachine": { "ActiveDirectoryConfiguration": "Describes the Microsoft Active Directory configuration to which the SVM is joined, if applicable.", "FileSystemId": "Specifies the FSx for ONTAP file system on which to create the SVM.", @@ -12319,6 +13786,10 @@ "Password": "The password for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain.", "UserName": "The user name for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain. This account must have the permission to join computers to the domain in the organizational unit provided in `OrganizationalUnitDistinguishedName` , or in the default location of your AD domain." }, + "AWS::FSx::StorageVirtualMachine Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::Volume": { "BackupId": "Specifies the ID of the volume backup to use to create a new volume.", "Name": "The name of the volume.", @@ -12327,6 +13798,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VolumeType": "The type of the volume." }, + "AWS::FSx::Volume AutocommitPeriod": { + "Type": "Defines the type of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. Setting this value to `NONE` disables autocommit. The default value is `NONE` .", + "Value": "Defines the amount of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. The following ranges are valid:\n\n- `Minutes` : 5 - 65,535\n- `Hours` : 1 - 65,535\n- `Days` : 1 - 3,650\n- `Months` : 1 - 120\n- `Years` : 1 - 10" + }, "AWS::FSx::Volume ClientConfigurations": { "Clients": "A value that specifies who can mount the file system. You can provide a wildcard character ( `*` ), an IP address ( `0.0.0.0` ), or a CIDR address ( `192.0.2.0/24` ). By default, Amazon FSx uses the wildcard character when specifying the client.", "Options": "The options to use when mounting the file system. For a list of options that you can use with Network File System (NFS), see the [exports(5) - Linux man page](https://docs.aws.amazon.com/https://linux.die.net/man/5/exports) . When choosing your options, consider the following:\n\n- `crossmnt` is used by default. If you don't specify `crossmnt` when changing the client configuration, you won't be able to see or access snapshots in your file system's snapshot directory.\n- `sync` is used by default. If you instead specify `async` , the system acknowledges writes before writing to disk. If the system crashes before the writes are finished, you lose the unwritten data." @@ -12340,6 +13815,7 @@ "OntapVolumeType": "Specifies the type of volume you are creating. Valid values are the following:\n\n- `RW` specifies a read/write volume. `RW` is the default.\n- `DP` specifies a data-protection volume. A `DP` volume is read-only and can be used as the destination of a NetApp SnapMirror relationship.\n\nFor more information, see [Volume types](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/volume-types) in the *Amazon FSx for NetApp ONTAP User Guide* .", "SecurityStyle": "Specifies the security style for the volume. If a volume's security style is not specified, it is automatically set to the root volume's security style. The security style determines the type of permissions that FSx for ONTAP uses to control data access. For more information, see [Volume security style](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-volumes.html#volume-security-style) in the *Amazon FSx for NetApp ONTAP User Guide* . Specify one of the following values:\n\n- `UNIX` if the file system is managed by a UNIX administrator, the majority of users are NFS clients, and an application accessing the data uses a UNIX user as the service account.\n- `NTFS` if the file system is managed by a Windows administrator, the majority of users are SMB clients, and an application accessing the data uses a Windows user as the service account.\n- `MIXED` if the file system is managed by both UNIX and Windows administrators and users consist of both NFS and SMB clients.", "SizeInMegabytes": "Specifies the size of the volume, in megabytes (MB), that you are creating.", + "SnaplockConfiguration": "The SnapLock configuration object for an FSx for ONTAP SnapLock volume.", "SnapshotPolicy": "Specifies the snapshot policy for the volume. There are three built-in snapshot policies:\n\n- `default` : This is the default policy. A maximum of six hourly snapshots taken five minutes past the hour. A maximum of two daily snapshots taken Monday through Saturday at 10 minutes after midnight. A maximum of two weekly snapshots taken every Sunday at 15 minutes after midnight.\n- `default-1weekly` : This policy is the same as the `default` policy except that it only retains one snapshot from the weekly schedule.\n- `none` : This policy does not take any snapshots. This policy can be assigned to volumes to prevent automatic snapshots from being taken.\n\nYou can also provide the name of a custom policy that you created with the ONTAP CLI or REST API.\n\nFor more information, see [Snapshot policies](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snapshots-ontap.html#snapshot-policies) in the *Amazon FSx for NetApp ONTAP User Guide* .", "StorageEfficiencyEnabled": "Set to true to enable deduplication, compression, and compaction storage efficiency features on the volume, or set to false to disable them. This parameter is required.", "StorageVirtualMachineId": "Specifies the ONTAP SVM in which to create the volume.", @@ -12362,6 +13838,27 @@ "CopyStrategy": "The strategy used when copying data from the snapshot to the new volume.\n\n- `CLONE` - The new volume references the data in the origin snapshot. Cloning a snapshot is faster than copying data from the snapshot to a new volume and doesn't consume disk throughput. However, the origin snapshot can't be deleted if there is a volume using its copied data.\n- `FULL_COPY` - Copies all data from the snapshot to the new volume.", "SnapshotARN": "Specifies the snapshot to use when creating an OpenZFS volume from a snapshot." }, + "AWS::FSx::Volume RetentionPeriod": { + "Type": "Defines the type of time for the retention period of an FSx for ONTAP SnapLock volume. Set it to one of the valid types. If you set it to `INFINITE` , the files are retained forever. If you set it to `UNSPECIFIED` , the files are retained until you set an explicit retention period.", + "Value": "Defines the amount of time for the retention period of an FSx for ONTAP SnapLock volume. You can't set a value for `INFINITE` or `UNSPECIFIED` . For all other options, the following ranges are valid:\n\n- `Seconds` : 0 - 65,535\n- `Minutes` : 0 - 65,535\n- `Hours` : 0 - 24\n- `Days` : 0 - 365\n- `Months` : 0 - 12\n- `Years` : 0 - 100" + }, + "AWS::FSx::Volume SnaplockConfiguration": { + "AuditLogVolume": "Enables or disables the audit log volume for an FSx for ONTAP SnapLock volume. The default value is `false` . If you set `AuditLogVolume` to `true` , the SnapLock volume is created as an audit log volume. The minimum retention period for an audit log volume is six months.\n\nFor more information, see [SnapLock audit log volumes](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/how-snaplock-works.html#snaplock-audit-log-volume) .", + "AutocommitPeriod": "The configuration object for setting the autocommit period of files in an FSx for ONTAP SnapLock volume.", + "PrivilegedDelete": "Enables, disables, or permanently disables privileged delete on an FSx for ONTAP SnapLock Enterprise volume. Enabling privileged delete allows SnapLock administrators to delete write once, read many (WORM) files even if they have active retention periods. `PERMANENTLY_DISABLED` is a terminal state. If privileged delete is permanently disabled on a SnapLock volume, you can't re-enable it. The default value is `DISABLED` .\n\nFor more information, see [Privileged delete](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html#privileged-delete) .", + "RetentionPeriod": "Specifies the retention period of an FSx for ONTAP SnapLock volume.", + "SnaplockType": "Specifies the retention mode of an FSx for ONTAP SnapLock volume. After it is set, it can't be changed. You can choose one of the following retention modes:\n\n- `COMPLIANCE` : Files transitioned to write once, read many (WORM) on a Compliance volume can't be deleted until their retention periods expire. This retention mode is used to address government or industry-specific mandates or to protect against ransomware attacks. For more information, see [SnapLock Compliance](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-compliance.html) .\n- `ENTERPRISE` : Files transitioned to WORM on an Enterprise volume can be deleted by authorized users before their retention periods expire using privileged delete. This retention mode is used to advance an organization's data integrity and internal compliance or to test retention settings before using SnapLock Compliance. For more information, see [SnapLock Enterprise](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html) .", + "VolumeAppendModeEnabled": "Enables or disables volume-append mode on an FSx for ONTAP SnapLock volume. Volume-append mode allows you to create WORM-appendable files and write data to them incrementally. The default value is `false` .\n\nFor more information, see [Volume-append mode](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/worm-state.html#worm-state-append) ." + }, + "AWS::FSx::Volume SnaplockRetentionPeriod": { + "DefaultRetention": "The retention period assigned to a write once, read many (WORM) file by default if an explicit retention period is not set for an FSx for ONTAP SnapLock volume. The default retention period must be greater than or equal to the minimum retention period and less than or equal to the maximum retention period.", + "MaximumRetention": "The longest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "MinimumRetention": "The shortest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume." + }, + "AWS::FSx::Volume Tag": { + "Key": "A value that specifies the `TagKey` , the name of the tag. Tag keys must be unique for the resource to which they are attached.", + "Value": "A value that specifies the `TagValue` , the value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of `finances : April` and also of `payroll : April` ." + }, "AWS::FSx::Volume TieringPolicy": { "CoolingPeriod": "Specifies the number of days that user data in a volume must remain inactive before it is considered \"cold\" and moved to the capacity pool. Used with the `AUTO` and `SNAPSHOT_ONLY` tiering policies. Enter a whole number between 2 and 183. Default values are 31 days for `AUTO` and 2 days for `SNAPSHOT_ONLY` .", "Name": "Specifies the tiering policy used to transition data. Default value is `SNAPSHOT_ONLY` .\n\n- `SNAPSHOT_ONLY` - moves cold snapshots to the capacity pool storage tier.\n- `AUTO` - moves cold user data and snapshots to the capacity pool storage tier based on your access patterns.\n- `ALL` - moves all user data blocks in both the active file system and Snapshot copies to the storage pool tier.\n- `NONE` - keeps a volume's data in the primary storage tier, preventing it from being moved to the capacity pool tier." @@ -12397,6 +13894,10 @@ "FirstName": "The first name of the superuser.", "LastName": "The last name of the superuser." }, + "AWS::FinSpace::Environment Tag": { + "Key": "", + "Value": "" + }, "AWS::Forecast::Dataset": { "DataFrequency": "The frequency of data collection. This parameter is required for RELATED_TIME_SERIES datasets.\n\nValid intervals are an integer followed by Y (Year), M (Month), W (Week), D (Day), H (Hour), and min (Minute). For example, \"1D\" indicates every day and \"15min\" indicates every 15 minutes. You cannot specify a value that would overlap with the next larger frequency. That means, for example, you cannot specify a frequency of 60 minutes, because that is equivalent to 1 hour. The valid values for each frequency are the following:\n\n- Minute - 1-59\n- Hour - 1-23\n- Day - 1-6\n- Week - 1-4\n- Month - 1-11\n- Year - 1\n\nThus, if you want every other week forecasts, specify \"2W\". Or, if you want quarterly forecasts, you specify \"3M\".", "DatasetName": "The name of the dataset.", @@ -12427,6 +13928,10 @@ "Domain": "The domain associated with the dataset group. When you add a dataset to a dataset group, this value and the value specified for the `Domain` parameter of the [CreateDataset](https://docs.aws.amazon.com/forecast/latest/dg/API_CreateDataset.html) operation must match.\n\nThe `Domain` and `DatasetType` that you choose determine the fields that must be present in training data that you import to a dataset. For example, if you choose the `RETAIL` domain and `TARGET_TIME_SERIES` as the `DatasetType` , Amazon Forecast requires that `item_id` , `timestamp` , and `demand` fields are present in your data. For more information, see [Dataset groups](https://docs.aws.amazon.com/forecast/latest/dg/howitworks-datasets-groups.html) .", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Forecast::DatasetGroup Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::FraudDetector::Detector": { "AssociatedModels": "The models to associate with this detector. You must provide the ARNs of all the models you want to associate.", "Description": "The detector description.", @@ -12481,7 +13986,7 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::FraudDetector::Detector Model": { - "Arn": "" + "Arn": "The ARN of the model." }, "AWS::FraudDetector::Detector Outcome": { "Arn": "The outcome ARN.", @@ -12498,18 +14003,26 @@ "Description": "The rule description.", "DetectorId": "The detector for which the rule is associated.", "Expression": "The rule expression. A rule expression captures the business logic. For more information, see [Rule language reference](https://docs.aws.amazon.com/frauddetector/latest/ug/rule-language-reference.html) .", - "Language": "The rule language.", + "Language": "The rule language.\n\nValid Value: DETECTORPL", "LastUpdatedTime": "Timestamp for when the rule was last updated.", "Outcomes": "The rule outcome.", "RuleId": "The rule ID.", "RuleVersion": "The rule version.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::FraudDetector::Detector Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::EntityType": { "Description": "The entity type description.", "Name": "The entity type name.\n\nPattern: `^[0-9a-z_-]+$`", "Tags": "A key and value pair." }, + "AWS::FraudDetector::EntityType Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::EventType": { "Description": "The event type description.", "EntityTypes": "The event type entity types.", @@ -12549,11 +14062,19 @@ "Name": "The label name.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::FraudDetector::EventType Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::Label": { "Description": "The label description.", "Name": "The label name.\n\nPattern: `^[0-9a-z_-]+$`", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::FraudDetector::Label Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::List": { "Description": "The description of the list.", "Elements": "The elements in the list.", @@ -12561,11 +14082,19 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VariableType": "The variable type of the list. For more information, see [Variable types](https://docs.aws.amazon.com/frauddetector/latest/ug/variables.html#variable-types)" }, + "AWS::FraudDetector::List Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::Outcome": { "Description": "The outcome description.", "Name": "The outcome name.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::FraudDetector::Outcome Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::FraudDetector::Variable": { "DataSource": "The data source of the variable.\n\nValid values: `EVENT | EXTERNAL_MODEL_SCORE`\n\nWhen defining a variable within a detector, you can only use the `EVENT` value for DataSource when the *Inline* property is set to true. If the *Inline* property is set false, you can use either `EVENT` or `MODEL_SCORE` for DataSource.", "DataType": "The data type of the variable.\n\nValid data types: `STRING | INTEGER | BOOLEAN | FLOAT`", @@ -12575,6 +14104,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "VariableType": "The type of the variable. For more information see [Variable types](https://docs.aws.amazon.com/frauddetector/latest/ug/create-a-variable.html#variable-types) .\n\nValid Values: `AUTH_CODE | AVS | BILLING_ADDRESS_L1 | BILLING_ADDRESS_L2 | BILLING_CITY | BILLING_COUNTRY | BILLING_NAME | BILLING_PHONE | BILLING_STATE | BILLING_ZIP | CARD_BIN | CATEGORICAL | CURRENCY_CODE | EMAIL_ADDRESS | FINGERPRINT | FRAUD_LABEL | FREE_FORM_TEXT | IP_ADDRESS | NUMERIC | ORDER_ID | PAYMENT_TYPE | PHONE_NUMBER | PRICE | PRODUCT_CATEGORY | SHIPPING_ADDRESS_L1 | SHIPPING_ADDRESS_L2 | SHIPPING_CITY | SHIPPING_COUNTRY | SHIPPING_NAME | SHIPPING_PHONE | SHIPPING_STATE | SHIPPING_ZIP | USERAGENT`" }, + "AWS::FraudDetector::Variable Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::GameLift::Alias": { "Description": "A human-readable description of the alias.", "Name": "A descriptive label that is associated with an alias. Alias names do not need to be unique.", @@ -12587,19 +14120,19 @@ }, "AWS::GameLift::Build": { "Name": "A descriptive label that is associated with a build. Build names do not need to be unique.", - "OperatingSystem": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> The Amazon Linux 2023 OS is not available in the China Regions. > Support is ending in 2023 for the Windows Server 2012 and Amazon Linux (AL1) operating systems. If you have active fleets using these operating systems, you can continue to create new builds using these until their end of support. All other users must use Windows Server 2016, Amazon Linux 2, or Amazon Linux 2023. For more information, including specific end-of-support dates, see the Amazon GameLift FAQs for [Windows Server](https://docs.aws.amazon.com/gamelift/faq/win2012/) and [Linux Server](https://docs.aws.amazon.com/gamelift/faq/al1/) .", - "ServerSdkVersion": "The Amazon GameLift Server SDK version used to develop your game server.", + "OperatingSystem": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. All others must use Windows Server 2016 when creating new Windows-based builds.", + "ServerSdkVersion": "A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see [Integrate games with custom game servers](https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html) . By default Amazon GameLift sets this value to `4.0.2` .", "StorageLocation": "Information indicating where your game build files are stored. Use this parameter only when creating a build with files stored in an Amazon S3 bucket that you own. The storage location must specify an Amazon S3 bucket name and key. The location must also specify a role ARN that you set up to allow Amazon GameLift to access your Amazon S3 bucket. The S3 bucket and your new build must be in the same Region.\n\nIf a `StorageLocation` is specified, the size of your file can be found in your Amazon S3 bucket. Amazon GameLift will report a `SizeOnDisk` of 0.", "Version": "Version information that is associated with this build. Version strings do not need to be unique." }, "AWS::GameLift::Build StorageLocation": { - "Bucket": "", - "Key": "", - "ObjectVersion": "", - "RoleArn": "" + "Bucket": "An Amazon S3 bucket identifier. Thename of the S3 bucket.\n\n> Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).", + "Key": "The name of the zip file that contains the build files or script files.", + "ObjectVersion": "The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this information when retrieving files from your S3 bucket. To retrieve a specific version of the file, provide an object version. To retrieve the latest version of the file, do not set this parameter.", + "RoleArn": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) for an IAM role that allows Amazon GameLift to access the S3 bucket." }, "AWS::GameLift::Fleet": { - "AnywhereConfiguration": "", + "AnywhereConfiguration": "Amazon GameLift Anywhere configuration options for your Anywhere fleets.", "BuildId": "A unique identifier for a build to be deployed on the new fleet. If you are deploying the fleet with a custom game build, you must specify this property. The build must have been successfully uploaded to Amazon GameLift and be in a `READY` status. This fleet setting cannot be changed once the fleet is created.", "CertificateConfiguration": "Prompts Amazon GameLift to generate a TLS/SSL certificate for the fleet. Amazon GameLift uses the certificates to encrypt traffic between game clients and the game servers running on Amazon GameLift. By default, the `CertificateConfiguration` is `DISABLED` . You can't change this property after you create the fleet.\n\nAWS Certificate Manager (ACM) certificates expire after 13 months. Certificate expiration can cause fleets to fail, preventing players from connecting to instances in the fleet. We recommend you replace fleets before 13 months, consider using fleet aliases for a smooth transition.\n\n> ACM isn't available in all AWS regions. A fleet creation request with certificate generation enabled in an unsupported Region, fails with a 4xx error. For more information about the supported Regions, see [Supported Regions](https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html) in the *AWS Certificate Manager User Guide* .", "ComputeType": "The type of compute resource used to host your game servers. You can use your own compute resources with Amazon GameLift Anywhere or use Amazon EC2 instances with managed Amazon GameLift.", @@ -12607,8 +14140,9 @@ "DesiredEC2Instances": "The number of EC2 instances that you want this fleet to host. When creating a new fleet, GameLift automatically sets this value to \"1\" and initiates a single instance. Once the fleet is active, update this value to trigger GameLift to add or remove instances from the fleet.", "EC2InboundPermissions": "The allowed IP address ranges and port settings that allow inbound traffic to access game sessions on this fleet. If the fleet is hosting a custom game build, this property must be set before players can connect to game sessions. For Realtime Servers fleets, Amazon GameLift automatically sets TCP and UDP ranges.", "EC2InstanceType": "The Amazon GameLift-supported Amazon EC2 instance type to use for all fleet instances. Instance type determines the computing resources that will be used to host your game servers, including CPU, memory, storage, and networking capacity. See [Amazon Elastic Compute Cloud Instance Types](https://docs.aws.amazon.com/ec2/instance-types/) for detailed descriptions of Amazon EC2 instance types.", - "FleetType": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This property cannot be changed after the fleet is created.", - "InstanceRoleARN": "A unique identifier for an IAM role that manages access to your AWS services. With an instance role ARN set, any application that runs on an instance in this fleet can assume the role, including install scripts, server processes, and daemons (background processes). Create a role or look up a role's ARN by using the [IAM dashboard](https://docs.aws.amazon.com/iam/) in the AWS Management Console . Learn more about using on-box credentials for your game servers at [Access external resources from a game server](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) . This property cannot be changed after the fleet is created.", + "FleetType": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This fleet property can't be changed after the fleet is created.", + "InstanceRoleARN": "A unique identifier for an IAM role with access permissions to other AWS services. Any application that runs on an instance in the fleet--including install scripts, server processes, and other processes--can use these permissions to interact with AWS resources that you own or have access to. For more information about using the role with your game server builds, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", + "InstanceRoleCredentialsProvider": "Indicates that fleet instances maintain a shared credentials file for the IAM role defined in `InstanceRoleArn` . Shared credentials allow applications that are deployed with the game server executable to communicate with other AWS resources. This property is used only when the game server is integrated with the server SDK version 5.x. For more information about using shared credentials, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", "Locations": "A set of remote locations to deploy additional instances to and manage as part of the fleet. This parameter can only be used when creating fleets in AWS Regions that support multiple locations. You can add any Amazon GameLift-supported AWS Region as a remote location, in the form of an AWS Region code such as `us-west-2` . To create a fleet with instances in the home Region only, don't use this parameter.\n\nTo use this parameter, Amazon GameLift requires you to use your home location in the request.", "MaxSize": "The maximum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 1.", "MetricGroups": "The name of an AWS CloudWatch metric group to add this fleet to. A metric group is used to aggregate the metrics for multiple fleets. You can specify an existing metric group name or set a new name to create a new metric group. A fleet can be included in only one metric group at a time.", @@ -12634,7 +14168,7 @@ "ToPort": "An ending value for a range of allowed port numbers. Port numbers are end-inclusive. This value must be equal to or greater than `FromPort` .\n\nFor fleets using Linux builds, only ports `22` and `1026-60000` are valid.\n\nFor fleets using Windows builds, only ports `1026-60000` are valid." }, "AWS::GameLift::Fleet LocationCapacity": { - "DesiredEC2Instances": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits.", + "DesiredEC2Instances": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits. Changes in desired instance value can take up to 1 minute to be reflected when viewing the fleet's capacity settings.", "MaxSize": "The maximum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 1.", "MinSize": "The minimum number of instances that are allowed in the specified fleet location. If this parameter is not set, the default is 0." }, @@ -12653,7 +14187,7 @@ }, "AWS::GameLift::Fleet ServerProcess": { "ConcurrentExecutions": "The number of server processes using this configuration that run concurrently on each instance.", - "LaunchPath": "The location of a game build executable or the Realtime script file that contains the `Init()` function. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"", + "LaunchPath": "The location of a game build executable or Realtime script. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"\n\n> Amazon GameLift doesn't support the use of setup scripts that launch the game executable. For custom game builds, this parameter must indicate the executable that calls the server SDK operations `initSDK()` and `ProcessReady()` .", "Parameters": "An optional list of parameters to pass to the server executable or Realtime script on launch." }, "AWS::GameLift::GameServerGroup": { @@ -12683,6 +14217,10 @@ "LaunchTemplateName": "A readable identifier for an existing Amazon EC2 launch template.", "Version": "The version of the Amazon EC2 launch template to use. If no version is specified, the default version will be used. With Amazon EC2, you can specify a default version for a launch template. If none is set, the default is the first version created." }, + "AWS::GameLift::GameServerGroup Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::GameServerGroup TargetTrackingConfiguration": { "TargetValue": "Desired value to use with a game server group target-based scaling policy." }, @@ -12711,10 +14249,18 @@ "LocationOrder": "The prioritization order to use for fleet locations, when the `PriorityOrder` property includes `LOCATION` . Locations are identified by AWS Region codes such as `us-west-2` . Each location can only be listed once.", "PriorityOrder": "The recommended sequence to use when prioritizing where to place new game sessions. Each type can only be listed once.\n\n- `LATENCY` -- FleetIQ prioritizes locations where the average player latency (provided in each game session request) is lowest.\n- `COST` -- FleetIQ prioritizes destinations with the lowest current hosting costs. Cost is evaluated based on the location, instance type, and fleet type (Spot or On-Demand) for each destination in the queue.\n- `DESTINATION` -- FleetIQ prioritizes based on the order that destinations are listed in the queue configuration.\n- `LOCATION` -- FleetIQ prioritizes based on the provided order of locations, as defined in `LocationOrder` ." }, + "AWS::GameLift::GameSessionQueue Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::Location": { "LocationName": "The location's name.", "Tags": "" }, + "AWS::GameLift::Location Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::MatchmakingConfiguration": { "AcceptanceRequired": "A flag that determines whether a match that was created with this configuration must be accepted by the matched players. To require acceptance, set to `TRUE` . With this option enabled, matchmaking tickets use the status `REQUIRES_ACCEPTANCE` to indicate when a completed potential match is waiting for player acceptance.", "AcceptanceTimeoutSeconds": "The length of time (in seconds) to wait for players to accept a proposed match, if acceptance is required.", @@ -12736,11 +14282,19 @@ "Key": "The game property identifier.", "Value": "The game property value." }, + "AWS::GameLift::MatchmakingConfiguration Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::MatchmakingRuleSet": { "Name": "A unique identifier for the matchmaking rule set. A matchmaking configuration identifies the rule set it uses by this name value. Note that the rule set name is different from the optional `name` field in the rule set body.", "RuleSetBody": "A collection of matchmaking rules, formatted as a JSON string. Comments are not allowed in JSON, but most elements support a description field.", "Tags": "A list of labels to assign to the new matchmaking rule set resource. Tags are developer-defined key-value pairs. Tagging AWS resources are useful for resource management, access management and cost allocation. For more information, see [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference* . Once the resource is created, you can use TagResource, UntagResource, and ListTagsForResource to add, remove, and view tags. The maximum tag limit may be lower than stated. See the AWS General Reference for actual tagging limits." }, + "AWS::GameLift::MatchmakingRuleSet Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GameLift::Script": { "Name": "A descriptive label that is associated with a script. Script names do not need to be unique.", "StorageLocation": "The location of the Amazon S3 bucket where a zipped file containing your Realtime scripts is stored. The storage location must specify the Amazon S3 bucket name, the zip file name (the \"key\"), and a role ARN that allows Amazon GameLift to access the Amazon S3 storage location. The S3 bucket must be in the same Region where you want to create a new script. By default, Amazon GameLift uploads the latest version of the zip file; if you have S3 object versioning turned on, you can use the `ObjectVersion` parameter to specify an earlier version.", @@ -12753,6 +14307,10 @@ "ObjectVersion": "The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this information when retrieving files from an S3 bucket that you own. Use this parameter to specify a specific version of the file. If not set, the latest version of the file is retrieved.", "RoleArn": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) for an IAM role that allows Amazon GameLift to access the S3 bucket." }, + "AWS::GameLift::Script Tag": { + "Key": "The key for a developer-defined key value pair for tagging an AWS resource.", + "Value": "The value for a developer-defined key value pair for tagging an AWS resource." + }, "AWS::GlobalAccelerator::Accelerator": { "Enabled": "Indicates whether the accelerator is enabled. The value is true or false. The default value is true.\n\nIf the value is set to true, the accelerator cannot be deleted. If set to false, accelerator can be deleted.", "IpAddressType": "The IP address type that an accelerator supports. For a standard accelerator, the value can be IPV4 or DUAL_STACK.", @@ -12760,6 +14318,10 @@ "Name": "The name of the accelerator. The name must contain only alphanumeric characters or hyphens (-), and must not begin or end with a hyphen.", "Tags": "Create tags for an accelerator.\n\nFor more information, see [Tagging](https://docs.aws.amazon.com/global-accelerator/latest/dg/tagging-in-global-accelerator.html) in the *AWS Global Accelerator Developer Guide* ." }, + "AWS::GlobalAccelerator::Accelerator Tag": { + "Key": "A string that contains a `Tag` key.", + "Value": "A string that contains a `Tag` value." + }, "AWS::GlobalAccelerator::EndpointGroup": { "EndpointConfigurations": "The list of endpoint objects.", "EndpointGroupRegion": "The AWS Regions where the endpoint group is located.", @@ -12774,7 +14336,7 @@ }, "AWS::GlobalAccelerator::EndpointGroup EndpointConfiguration": { "ClientIPPreservationEnabled": "Indicates whether client IP address preservation is enabled for an Application Load Balancer endpoint. The value is true or false. The default value is true for new accelerators.\n\nIf the value is set to true, the client's IP address is preserved in the `X-Forwarded-For` request header as traffic travels to applications on the Application Load Balancer endpoint fronted by the accelerator.\n\nFor more information, see [Preserve Client IP Addresses](https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html) in the *AWS Global Accelerator Developer Guide* .", - "EndpointId": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nAn Application Load Balancer can be either internal or internet-facing.", + "EndpointId": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nFor cross-account endpoints, this must be the ARN of the resource.", "Weight": "The weight associated with the endpoint. When you add weights to endpoints, you configure Global Accelerator to route traffic based on proportions that you specify. For example, you might specify endpoint weights of 4, 5, 5, and 6 (sum=20). The result is that 4/20 of your traffic, on average, is routed to the first endpoint, 5/20 is routed both to the second and third endpoints, and 6/20 is routed to the last endpoint. For more information, see [Endpoint Weights](https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints-endpoint-weights.html) in the *AWS Global Accelerator Developer Guide* ." }, "AWS::GlobalAccelerator::EndpointGroup PortOverride": { @@ -12799,7 +14361,9 @@ }, "AWS::Glue::Classifier CsvClassifier": { "AllowSingleColumn": "Enables the processing of files that contain only one column.", + "ContainsCustomDatatype": "", "ContainsHeader": "Indicates whether the CSV file contains a header.\n\nA value of `UNKNOWN` specifies that the classifier will detect whether the CSV file contains headings.\n\nA value of `PRESENT` specifies that the CSV file contains headings.\n\nA value of `ABSENT` specifies that the CSV file does not contain headings.", + "CustomDatatypeConfigured": "Enables the custom datatype to be configured.", "Delimiter": "A custom symbol to denote what separates each column entry in the row.", "DisableValueTrimming": "Specifies not to trim values before identifying the type of column values. The default value is `true` .", "Header": "A list of strings representing column names.", @@ -12869,6 +14433,12 @@ "AWS::Glue::Crawler DynamoDBTarget": { "Path": "The name of the DynamoDB table to crawl." }, + "AWS::Glue::Crawler IcebergTarget": { + "ConnectionName": "The name of the connection to use to connect to the Iceberg target.", + "Exclusions": "A list of glob patterns used to exclude from the crawl. For more information, see [Catalog Tables with a Crawler](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html) .", + "MaximumTraversalDepth": "The maximum depth of Amazon S3 paths that the crawler can traverse to discover the Iceberg metadata folder in your Amazon S3 path. Used to limit the crawler run time.", + "Paths": "One or more Amazon S3 paths that contains Iceberg metadata folders as `s3://bucket/prefix` ." + }, "AWS::Glue::Crawler JdbcTarget": { "ConnectionName": "The name of the connection to use to connect to the JDBC target.", "Exclusions": "A list of glob patterns used to exclude from the crawl. For more information, see [Catalog Tables with a Crawler](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html) .", @@ -12900,6 +14470,7 @@ "CatalogTargets": "Specifies AWS Glue Data Catalog targets.", "DeltaTargets": "Specifies an array of Delta data store targets.", "DynamoDBTargets": "Specifies Amazon DynamoDB targets.", + "IcebergTargets": "", "JdbcTargets": "Specifies JDBC targets.", "MongoDBTargets": "A list of Mongo DB targets.", "S3Targets": "Specifies Amazon Simple Storage Service (Amazon S3) targets." @@ -12941,7 +14512,8 @@ }, "AWS::Glue::Database DatabaseIdentifier": { "CatalogId": "The ID of the Data Catalog in which the database resides.", - "DatabaseName": "The name of the catalog database." + "DatabaseName": "The name of the catalog database.", + "Region": "Region of the target database." }, "AWS::Glue::Database DatabaseInput": { "CreateTableDefaultPermissions": "Creates a set of default permissions on the table for principals. Used by AWS Lake Formation . Not used in the normal course of AWS Glue operations.", @@ -13116,6 +14688,10 @@ "Name": "The name of the registry.", "Tags": "AWS tags that contain a key value pair and may be searched by console, command line, or API." }, + "AWS::Glue::Registry Tag": { + "Key": "The tag key. The key is required when you create a tag on an object. The key is case-sensitive, and must not contain the prefix aws.", + "Value": "The tag value. The value is optional when you create a tag on an object. The value is case-sensitive, and must not contain the prefix aws." + }, "AWS::Glue::Schema": { "CheckpointVersion": "Specify the `VersionNumber` or the `IsLatest` for setting the checkpoint for the schema. This is only required for updating a checkpoint.", "Compatibility": "The compatibility mode of the schema.", @@ -13134,6 +14710,10 @@ "IsLatest": "Indicates if this version is the latest version of the schema.", "VersionNumber": "The version number of the schema." }, + "AWS::Glue::Schema Tag": { + "Key": "The tag key. The key is required when you create a tag on an object. The key is case-sensitive, and must not contain the prefix aws.", + "Value": "The tag value. The value is optional when you create a tag on an object. The value is case-sensitive, and must not contain the prefix aws." + }, "AWS::Glue::SchemaVersion": { "Schema": "The schema that includes the schema version.", "SchemaDefinition": "The schema definition for the schema version." @@ -13169,10 +14749,10 @@ "KmsKeyArn": "The Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data.", "S3EncryptionMode": "The encryption mode to use for Amazon S3 data." }, - "AWS::Glue::SecurityConfiguration S3Encryptions": {}, "AWS::Glue::Table": { "CatalogId": "The ID of the Data Catalog in which to create the `Table` .", "DatabaseName": "The name of the database where the table metadata resides. For Hive compatibility, this must be all lowercase.", + "OpenTableFormatInput": "A structure representing an open format table.", "TableInput": "A structure used to define a table." }, "AWS::Glue::Table Column": { @@ -13180,6 +14760,13 @@ "Name": "The name of the `Column` .", "Type": "The data type of the `Column` ." }, + "AWS::Glue::Table IcebergInput": { + "MetadataOperation": "A required metadata operation. Can only be set to `CREATE` .", + "Version": "The table version for the Iceberg table. Defaults to 2." + }, + "AWS::Glue::Table OpenTableFormatInput": { + "IcebergInput": "Specifies an `IcebergInput` structure that defines an Apache Iceberg metadata table." + }, "AWS::Glue::Table Order": { "Column": "The name of the column.", "SortOrder": "Indicates that the column is sorted in ascending order ( `== 1` ), or in descending order ( `==0` )." @@ -13222,7 +14809,8 @@ "AWS::Glue::Table TableIdentifier": { "CatalogId": "The ID of the Data Catalog in which the table resides.", "DatabaseName": "The name of the catalog database that contains the target table.", - "Name": "The name of the target table." + "Name": "The name of the target table.", + "Region": "Region of the target table." }, "AWS::Glue::Table TableInput": { "Description": "A description of the table.", @@ -13284,11 +14872,11 @@ }, "AWS::Grafana::Workspace": { "AccountAccessType": "Specifies whether the workspace can access AWS resources in this AWS account only, or whether it can also access AWS resources in other accounts in the same organization. If this is `ORGANIZATION` , the `OrganizationalUnits` parameter specifies which organizational units the workspace can access.", - "AuthenticationProviders": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center (successor to AWS Single Sign-On) , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", + "AuthenticationProviders": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", "ClientToken": "A unique, case-sensitive, user-provided identifier to ensure the idempotency of the request.", "DataSources": "Specifies the AWS data sources that have been configured to have IAM roles and permissions created to allow Amazon Managed Grafana to read data from these sources.\n\nThis list is only used when the workspace was created through the AWS console, and the `permissionType` is `SERVICE_MANAGED` .", "Description": "The user-defined description of the workspace.", - "GrafanaVersion": "Specifies the version of Grafana to support in the new workspace.\n\nSupported values are `8.4` and `9.4` .", + "GrafanaVersion": "Specifies the version of Grafana to support in the workspace. Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update.\n\nCan only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).\n\nTo know what versions are available to upgrade to for a specific workspace, see the [ListVersions](https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html) operation.", "Name": "The name of the workspace.", "NetworkAccessControl": "The configuration settings for network access to your workspace.", "NotificationDestinations": "The AWS notification channels that Amazon Managed Grafana can automatically create IAM roles and permissions for, to allow Amazon Managed Grafana to use these channels.", @@ -13818,10 +15406,10 @@ "DataflowEndpointRegion": "The region of the dataflow endpoint to use during contacts. When omitted, Ground Station will use the region of the contact." }, "AWS::GroundStation::Config DecodeConfig": { - "UnvalidatedJSON": "The decoding settings are in JSON format and define a set of steps to perform to decode the data." + "UnvalidatedJSON": "" }, "AWS::GroundStation::Config DemodulationConfig": { - "UnvalidatedJSON": "The demodulation settings are in JSON format and define parameters for demodulation, for example which modulation scheme (e.g. PSK, QPSK, etc.) and matched filter to use." + "UnvalidatedJSON": "" }, "AWS::GroundStation::Config Eirp": { "Units": "The units of the EIRP.", @@ -13845,6 +15433,10 @@ "CenterFrequency": "The center frequency of the spectrum. Valid values are between 2200 to 2300 MHz and 7750 to 8400 MHz for downlink and 2025 to 2120 MHz for uplink.", "Polarization": "The polarization of the spectrum. Valid values are `\"RIGHT_HAND\"` and `\"LEFT_HAND\"` . Capturing both `\"RIGHT_HAND\"` and `\"LEFT_HAND\"` polarization requires two separate configs." }, + "AWS::GroundStation::Config Tag": { + "Key": "", + "Value": "" + }, "AWS::GroundStation::Config TrackingConfig": { "Autotrack": "Specifies whether or not to use autotrack. `REMOVED` specifies that program track should only be used during the contact. `PREFERRED` specifies that autotracking is preferred during the contact but fallback to program track if the signal is lost. `REQUIRED` specifies that autotracking is required during the contact and not to use program track if the signal is lost." }, @@ -13875,7 +15467,7 @@ }, "AWS::GroundStation::DataflowEndpointGroup DataflowEndpoint": { "Address": "The address and port of an endpoint.", - "Mtu": "Maximum transmission unit (MTU) size in bytes of a dataflow endpoint. Valid values are between 1400 and 1500. A default value of 1500 is used if not set.", + "Mtu": "", "Name": "The endpoint name.\n\nWhen listing available contacts for a satellite, Ground Station searches for a dataflow endpoint whose name matches the value specified by the dataflow endpoint config of the selected mission profile. If no matching dataflow endpoints are found then Ground Station will not display any available contacts for the satellite." }, "AWS::GroundStation::DataflowEndpointGroup EndpointDetails": { @@ -13904,6 +15496,10 @@ "Name": "The name of the endpoint, such as `Endpoint 1` .", "Port": "The port of the endpoint, such as `55888` ." }, + "AWS::GroundStation::DataflowEndpointGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::GroundStation::MissionProfile": { "ContactPostPassDurationSeconds": "Amount of time in seconds after a contact ends that you\u2019d like to receive a CloudWatch Event indicating the pass has finished. For more information on CloudWatch Events, see the [What Is CloudWatch Events?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html)", "ContactPrePassDurationSeconds": "Amount of time in seconds prior to contact start that you'd like to receive a CloudWatch Event indicating an upcoming pass. For more information on CloudWatch Events, see the [What Is CloudWatch Events?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html)", @@ -13923,6 +15519,10 @@ "KmsAliasArn": "", "KmsKeyArn": "" }, + "AWS::GroundStation::MissionProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::GuardDuty::Detector": { "DataSources": "Describes which data sources will be enabled for the detector.", "Enable": "Specifies whether the detector is to be enabled on creation.", @@ -13935,6 +15535,15 @@ "MalwareProtection": "Describes whether Malware Protection will be enabled as a data source.", "S3Logs": "Describes whether S3 data event logs are enabled as a data source." }, + "AWS::GuardDuty::Detector CFNFeatureAdditionalConfiguration": { + "Name": "Name of the additional configuration.", + "Status": "Status of the additional configuration." + }, + "AWS::GuardDuty::Detector CFNFeatureConfiguration": { + "AdditionalConfiguration": "Information about the additional configuration of a feature in your account.", + "Name": "Name of the feature.", + "Status": "Status of the feature configuration." + }, "AWS::GuardDuty::Detector CFNKubernetesAuditLogsConfiguration": { "Enable": "Describes whether Kubernetes audit logs are enabled as a data source for the detector." }, @@ -13950,14 +15559,9 @@ "AWS::GuardDuty::Detector CFNScanEc2InstanceWithFindingsConfiguration": { "EbsVolumes": "Describes the configuration for scanning EBS volumes as data source." }, - "AWS::GuardDuty::Detector FeatureAdditionalConfiguration": { - "Name": "Name of the additional configuration of a feature.", - "Status": "Status of the additional configuration of a feature." - }, - "AWS::GuardDuty::Detector FeatureConfigurations": { - "AdditionalConfiguration": "Additional configuration of the feature.", - "Name": "Name of the feature.", - "Status": "Status of the feature." + "AWS::GuardDuty::Detector TagItem": { + "Key": "", + "Value": "" }, "AWS::GuardDuty::Filter": { "Action": "Specifies the action that is to be applied to the findings that match the filter.", @@ -13983,9 +15587,13 @@ "NotEquals": "Represents a *not equal* ** condition to be applied to a single field when querying for findings." }, "AWS::GuardDuty::Filter FindingCriteria": { - "Criterion": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor a mapping of JSON criterion to their console equivalent see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- region\n- confidence\n- id\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.outpostArn\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.resourceType\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.additionalInfo.threatListName\n- service.archived\n\nWhen this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.\n- service.resourceRole\n- severity\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.", + "Criterion": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor information about JSON criterion mapping to their console equivalent, see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- id\n- region\n- severity\n\nTo filter on the basis of severity, API and CFN use the following input list for the condition:\n\n- *Low* : `[\"1\", \"2\", \"3\"]`\n- *Medium* : `[\"4\", \"5\", \"6\"]`\n- *High* : `[\"7\", \"8\", \"9\"]`\n\nFor more information, see [Severity levels for GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity) .\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.outpostArn\n- resource.resourceType\n- resource.s3BucketDetails.publicAccess.effectivePermissions\n- resource.s3BucketDetails.name\n- resource.s3BucketDetails.tags.key\n- resource.s3BucketDetails.tags.value\n- resource.s3BucketDetails.type\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.action.awsApiCallAction.remoteAccountDetails.affiliated\n- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.kubernetesApiCallAction.requestUri\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.protocol\n- service.action.awsApiCallAction.serviceName\n- service.action.awsApiCallAction.remoteAccountDetails.accountId\n- service.additionalInfo.threatListName\n- service.resourceRole\n- resource.eksClusterDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.namespace\n- resource.kubernetesDetails.kubernetesUserDetails.username\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix\n- service.ebsVolumeScanDetails.scanId\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash\n- resource.ecsClusterDetails.name\n- resource.ecsClusterDetails.taskDetails.containers.image\n- resource.ecsClusterDetails.taskDetails.definitionArn\n- resource.containerDetails.image\n- resource.rdsDbInstanceDetails.dbInstanceIdentifier\n- resource.rdsDbInstanceDetails.dbClusterIdentifier\n- resource.rdsDbInstanceDetails.engine\n- resource.rdsDbUserDetails.user\n- resource.rdsDbInstanceDetails.tags.key\n- resource.rdsDbInstanceDetails.tags.value\n- service.runtimeDetails.process.executableSha256\n- service.runtimeDetails.process.name\n- service.runtimeDetails.process.name\n- resource.lambdaDetails.functionName\n- resource.lambdaDetails.functionArn\n- resource.lambdaDetails.tags.key\n- resource.lambdaDetails.tags.value", "ItemType": "Specifies the condition to be applied to a single field when filtering through findings." }, + "AWS::GuardDuty::Filter Tag": { + "Key": "The EC2 instance tag key.", + "Value": "The EC2 instance tag value." + }, "AWS::GuardDuty::IPSet": { "Activate": "Indicates whether or not GuardDuty uses the `IPSet` .", "DetectorId": "The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.", @@ -13994,16 +15602,18 @@ "Name": "The user-friendly name to identify the IPSet.\n\nAllowed characters are alphanumeric, whitespace, dash (-), and underscores (_).", "Tags": "The tags to be added to a new IP set resource. Each tag consists of a key and an optional value, both of which you define.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::GuardDuty::IPSet Tag": { + "Key": "The EC2 instance tag key.", + "Value": "The EC2 instance tag value." + }, "AWS::GuardDuty::Master": { "DetectorId": "The unique ID of the detector of the GuardDuty member account.", - "InvitationId": "The ID of the invitation that is sent to the account designated as a member account. You can find the invitation ID by using the ListInvitation action of the GuardDuty API.", - "MasterId": "The AWS account ID of the account designated as the GuardDuty administrator account." + "InvitationId": "The ID of the invitation that is sent to the account designated as a member account. You can find the invitation ID by using the ListInvitation action of the GuardDuty API." }, "AWS::GuardDuty::Member": { "DetectorId": "The ID of the detector associated with the GuardDuty service to add the member to.", "DisableEmailNotification": "Specifies whether or not to disable email notification for the member account that you invite.", "Email": "The email address associated with the member account.", - "MemberId": "The AWS account ID of the account to designate as a member.", "Message": "The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.", "Status": "You can use the `Status` property to update the status of the relationship between the member account and its administrator account. Valid values are `Created` and `Invited` when using an `AWS::GuardDuty::Member` resource. If the value for this property is not provided or set to `Created` , a member account is created but not invited. If the value of this property is set to `Invited` , a member account is created and invited." }, @@ -14015,12 +15625,21 @@ "Name": "A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.", "Tags": "The tags to be added to a new threat list resource. Each tag consists of a key and an optional value, both of which you define.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::GuardDuty::ThreatIntelSet Tag": { + "Key": "The EC2 instance tag key.", + "Value": "The EC2 instance tag value." + }, + "AWS::HealthImaging::Datastore": { + "DatastoreName": "The data store name.", + "KmsKeyArn": "The Amazon Resource Name (ARN) assigned to the Key Management Service (KMS) key for accessing encrypted data.", + "Tags": "The tags provided when creating a data store." + }, "AWS::HealthLake::FHIRDatastore": { - "DatastoreName": "The user generated name for the Data Store.", - "DatastoreTypeVersion": "The FHIR version of the Data Store. The only supported version is R4.", - "IdentityProviderConfiguration": "", - "PreloadDataConfig": "The preloaded data configuration for the Data Store. Only data preloaded from Synthea is supported.", - "SseConfiguration": "The server-side encryption key configuration for a customer provided encryption key specified for creating a Data Store.", + "DatastoreName": "The user generated name for the data store.", + "DatastoreTypeVersion": "The FHIR version of the data store. The only supported version is R4.", + "IdentityProviderConfiguration": "The identity provider configuration that you gave when the data store was created.", + "PreloadDataConfig": "The preloaded data configuration for the data store. Only data preloaded from Synthea is supported.", + "SseConfiguration": "The server-side encryption key configuration for a customer provided encryption key specified for creating a data store.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::HealthLake::FHIRDatastore CreatedAt": { @@ -14028,14 +15647,14 @@ "Seconds": "" }, "AWS::HealthLake::FHIRDatastore IdentityProviderConfiguration": { - "AuthorizationStrategy": "", - "FineGrainedAuthorizationEnabled": "", - "IdpLambdaArn": "", - "Metadata": "" + "AuthorizationStrategy": "The authorization strategy that you selected when you created the data store.", + "FineGrainedAuthorizationEnabled": "If you enabled fine-grained authorization when you created the data store.", + "IdpLambdaArn": "The Amazon Resource Name (ARN) of the Lambda function that you want to use to decode the access token created by the authorization server.", + "Metadata": "The JSON metadata elements that you want to use in your identity provider configuration. Required elements are listed based on the launch specification of the SMART application. For more information on all possible elements, see [Metadata](https://docs.aws.amazon.com/https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata) in SMART's App Launch specification.\n\n`authorization_endpoint` : The URL to the OAuth2 authorization endpoint.\n\n`grant_types_supported` : An array of grant types that are supported at the token endpoint. You must provide at least one grant type option. Valid options are `authorization_code` and `client_credentials` .\n\n`token_endpoint` : The URL to the OAuth2 token endpoint.\n\n`capabilities` : An array of strings of the SMART capabilities that the authorization server supports.\n\n`code_challenge_methods_supported` : An array of strings of supported PKCE code challenge methods. You must include the `S256` method in the array of PKCE code challenge methods." }, "AWS::HealthLake::FHIRDatastore KmsEncryptionConfig": { "CmkType": "The type of customer-managed-key(CMK) used for encryption. The two types of supported CMKs are customer owned CMKs and Amazon owned CMKs. For more information on CMK types, see [KmsEncryptionConfig](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_KmsEncryptionConfig.html#HealthLake-Type-KmsEncryptionConfig-CmkType) .", - "KmsKeyId": "The KMS encryption key id/alias used to encrypt the Data Store contents at rest." + "KmsKeyId": "The KMS encryption key id/alias used to encrypt the data store contents at rest." }, "AWS::HealthLake::FHIRDatastore PreloadDataConfig": { "PreloadDataType": "The type of preloaded data. Only Synthea preloaded data is supported." @@ -14043,6 +15662,10 @@ "AWS::HealthLake::FHIRDatastore SseConfiguration": { "KmsEncryptionConfig": "The server-side encryption key configuration for a customer provided encryption key (CMK)." }, + "AWS::HealthLake::FHIRDatastore Tag": { + "Key": "The key portion of a tag. Tag keys are case sensitive.", + "Value": "The value portion of a tag. Tag values are case sensitive." + }, "AWS::IAM::AccessKey": { "Serial": "This value is specific to CloudFormation and can only be *incremented* . Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.", "Status": "The status of the access key. `Active` means that the key is valid for API calls, while `Inactive` means it is not.", @@ -14058,6 +15681,11 @@ "PolicyDocument": "The policy document.", "PolicyName": "The friendly name (not ARN) identifying the policy." }, + "AWS::IAM::GroupPolicy": { + "GroupName": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", + "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "PolicyName": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-" + }, "AWS::IAM::InstanceProfile": { "InstanceProfileName": "The name of the instance profile to create.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "Path": "The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\u0021` ) through the DEL character ( `\\u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", @@ -14078,6 +15706,10 @@ "ThumbprintList": "A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .", "Url": "The URL that the IAM OIDC provider resource object is associated with. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) ." }, + "AWS::IAM::OIDCProvider Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, "AWS::IAM::Policy": { "Groups": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", @@ -14100,11 +15732,24 @@ "PolicyDocument": "The entire contents of the policy that defines permissions. For more information, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) .", "PolicyName": "The friendly name (not ARN) identifying the policy." }, + "AWS::IAM::Role Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, + "AWS::IAM::RolePolicy": { + "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "PolicyName": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "RoleName": "The name of the role to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-" + }, "AWS::IAM::SAMLProvider": { "Name": "The name of the provider to create.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "SamlMetadataDocument": "An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.\n\nFor more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*", "Tags": "A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .\n\n> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created." }, + "AWS::IAM::SAMLProvider Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, "AWS::IAM::ServerCertificate": { "CertificateBody": "The contents of the public key certificate.", "CertificateChain": "The contents of the public key certificate chain.", @@ -14113,6 +15758,10 @@ "ServerCertificateName": "The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "Tags": "A list of tags that are attached to the server certificate. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* ." }, + "AWS::IAM::ServerCertificate Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, "AWS::IAM::ServiceLinkedRole": { "AWSServiceName": "The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: `elasticbeanstalk.amazonaws.com` .\n\nService principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.", "CustomSuffix": "A string that you provide, which is combined with the service-provided prefix to form the complete role name. If you make multiple requests for the same service, then you must supply a different `CustomSuffix` for each request. Otherwise the request fails with a duplicate role name error. For example, you could add `-1` or `-debug` to the suffix.\n\nSome services do not support the `CustomSuffix` parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.", @@ -14136,6 +15785,15 @@ "PolicyDocument": "The entire contents of the policy that defines permissions. For more information, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) .", "PolicyName": "The friendly name (not ARN) identifying the policy." }, + "AWS::IAM::User Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, + "AWS::IAM::UserPolicy": { + "PolicyDocument": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "PolicyName": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "UserName": "The name of the user to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-" + }, "AWS::IAM::UserToGroupAddition": { "GroupName": "The name of the group to update.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "Users": "A list of the names of the users that you want to add to the group." @@ -14146,6 +15804,10 @@ "Users": "The IAM user associated with this virtual MFA device.", "VirtualMfaDeviceName": "The name of the virtual MFA device, which must be unique. Use with path to uniquely identify a virtual MFA device.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-" }, + "AWS::IAM::VirtualMFADevice Tag": { + "Key": "The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.", + "Value": "The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources` , `Accounting` , and `Support` . Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.\n\n> AWS always interprets the tag `Value` as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code." + }, "AWS::IVS::Channel": { "Authorized": "Whether the channel is authorized.\n\n*Default* : `false`", "InsecureIngest": "Whether the channel allows insecure RTMP ingest.\n\n*Default* : `false`", @@ -14153,39 +15815,62 @@ "Name": "Channel name.", "Preset": "An optional transcode preset for the channel. This is selectable only for `ADVANCED_HD` and `ADVANCED_SD` channel types. For those channel types, the default preset is `HIGHER_BANDWIDTH_DELIVERY` . For other channel types ( `BASIC` and `STANDARD` ), `preset` is the empty string (\"\").", "RecordingConfigurationArn": "The ARN of a RecordingConfiguration resource. An empty string indicates that recording is disabled for the channel. A RecordingConfiguration ARN indicates that recording is enabled using the specified recording configuration. See the [RecordingConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ivs-recordingconfiguration.html) resource for more information and an example.\n\n*Default* : \"\" (empty string, recording is disabled)", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-channel-tag.html) .", "Type": "The channel type, which determines the allowable resolution and bitrate. *If you exceed the allowable resolution or bitrate, the stream probably will disconnect immediately.* Valid values:\n\n- `STANDARD` : Video is transcoded: multiple qualities are generated from the original input to automatically give viewers the best experience for their devices and network conditions. Transcoding allows higher playback quality across a range of download speeds. Resolution can be up to 1080p and bitrate can be up to 8.5 Mbps. Audio is transcoded only for renditions 360p and below; above that, audio is passed through.\n- `BASIC` : Video is transmuxed: Amazon IVS delivers the original input to viewers. The viewer\u2019s video-quality choice is limited to the original input. Resolution can be up to 1080p and bitrate can be up to 1.5 Mbps for 480p and up to 3.5 Mbps for resolutions between 480p and 1080p.\n- `ADVANCED_SD` : Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at SD quality (480p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.\n- `ADVANCED_HD` : Video is transcoded; multiple qualities are generated from the original input, to automatically give viewers the best experience for their devices and network conditions. Input resolution can be up to 1080p and bitrate can be up to 8.5 Mbps; output is capped at HD quality (720p). You can select an optional transcode preset (see below). Audio for all renditions is transcoded, and an audio-only rendition is available.\n\nOptional *transcode presets* (available for the `ADVANCED` types) allow you to trade off available download bandwidth and video quality, to optimize the viewing experience. There are two presets:\n\n- *Constrained bandwidth delivery* uses a lower bitrate for each quality level. Use it if you have low download bandwidth and/or simple video content (e.g., talking heads)\n- *Higher bandwidth delivery* uses a higher bitrate for each quality level. Use it if you have high download bandwidth and/or complex video content (e.g., flashes and quick scene changes).\n\n*Default* : `STANDARD`" }, + "AWS::IVS::Channel Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::IVS::PlaybackKeyPair": { "Name": "Playback-key-pair name. The value does not need to be unique.", "PublicKeyMaterial": "The public portion of a customer-generated key pair.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-playbackkeypair-tag.html) ." + }, + "AWS::IVS::PlaybackKeyPair Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::IVS::RecordingConfiguration": { - "DestinationConfiguration": "A destination configuration contains information about where recorded video will be stored. See the [DestinationConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-destinationconfiguration.html) property type for more information.", + "DestinationConfiguration": "A destination configuration contains information about where recorded video will be stored. See the DestinationConfiguration property type for more information.", "Name": "Recording-configuration name. The value does not need to be unique.", "RecordingReconnectWindowSeconds": "If a broadcast disconnects and then reconnects within the specified interval, the multiple streams will be considered a single broadcast and merged together.\n\n*Default* : `0`", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", - "ThumbnailConfiguration": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the [ThumbnailConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thunbnailconfiguration.html) property type for more information." + "RenditionConfiguration": "A rendition configuration describes which renditions should be recorded for a stream. See the RenditionConfiguration property type for more information.", + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-tag.html) .", + "ThumbnailConfiguration": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the ThumbnailConfiguration property type for more information." }, "AWS::IVS::RecordingConfiguration DestinationConfiguration": { "S3": "An S3 destination configuration where recorded videos will be stored. See the [S3DestinationConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-s3destinationconfiguration.html) property type for more information." }, + "AWS::IVS::RecordingConfiguration RenditionConfiguration": { + "RenditionSelection": "The set of renditions are recorded for a stream. For `BASIC` channels, the `CUSTOM` value has no effect. If `CUSTOM` is specified, a set of renditions can be specified in the `renditions` field. Default: `ALL` .", + "Renditions": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) ." + }, "AWS::IVS::RecordingConfiguration S3DestinationConfiguration": { "BucketName": "Location (S3 bucket name) where recorded videos will be stored." }, + "AWS::IVS::RecordingConfiguration Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::IVS::RecordingConfiguration ThumbnailConfiguration": { "RecordingMode": "Thumbnail recording mode. Valid values:\n\n- `DISABLED` : Use DISABLED to disable the generation of thumbnails for recorded video.\n- `INTERVAL` : Use INTERVAL to enable the generation of thumbnails for recorded video at a time interval controlled by the [TargetIntervalSeconds](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-targetintervalseconds) property.\n\n*Default* : `INTERVAL`", - "TargetIntervalSeconds": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 5. Maximum value of 60." + "Resolution": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "Storage": "The format in which thumbnails are recorded for a stream. `SEQUENTIAL` records all generated thumbnails in a serial manner, to the media/thumbnails directory. `LATEST` saves the latest thumbnail in media/thumbnails/latest/thumb.jpg and overwrites it at the interval specified by `targetIntervalSeconds` . You can enable both `SEQUENTIAL` and `LATEST` . Default: `SEQUENTIAL` .", + "TargetIntervalSeconds": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60." }, "AWS::IVS::StreamKey": { "ChannelArn": "Channel ARN for the stream.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-streamkey-tag.html) ." + }, + "AWS::IVS::StreamKey Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." }, "AWS::IVSChat::LoggingConfiguration": { "DestinationConfiguration": "The DestinationConfiguration is a complex type that contains information about where chat content will be logged.", "Name": "Logging-configuration name. The value does not need to be unique.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-loggingconfiguration-tag.html) ." }, "AWS::IVSChat::LoggingConfiguration CloudWatchLogsDestinationConfiguration": { "LogGroupName": "Name of the Amazon Cloudwatch Logs destination where chat activity will be logged." @@ -14201,18 +15886,26 @@ "AWS::IVSChat::LoggingConfiguration S3DestinationConfiguration": { "BucketName": "Name of the Amazon S3 bucket where chat activity will be logged." }, + "AWS::IVSChat::LoggingConfiguration Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::IVSChat::Room": { "LoggingConfigurationIdentifiers": "List of logging-configuration identifiers attached to the room.", "MaximumMessageLength": "Maximum number of characters in a single message. Messages are expected to be UTF-8 encoded and this limit applies specifically to rune/code-point count, not number of bytes.", "MaximumMessageRatePerSecond": "Maximum number of messages per second that can be sent to the room (by all clients).", "MessageReviewHandler": "Configuration information for optional review of messages.", "Name": "Room name. The value does not need to be unique.", - "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-room-tag.html) ." }, "AWS::IVSChat::Room MessageReviewHandler": { "FallbackResult": "Specifies the fallback behavior (whether the message is allowed or denied) if the handler does not return a valid response, encounters an error, or times out. (For the timeout period, see [Service Quotas](https://docs.aws.amazon.com/ivs/latest/userguide/service-quotas.html) .) If allowed, the message is delivered with returned content to all users connected to the room. If denied, the message is not delivered to any user.\n\n*Default* : `ALLOW`", "Uri": "Identifier of the message review handler. Currently this must be an ARN of a lambda function." }, + "AWS::IVSChat::Room Tag": { + "Key": "One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.", + "Value": "The optional part of a key-value pair that makes up a tag. A `value` acts as a descriptor within a tag category (key)." + }, "AWS::IdentityStore::Group": { "Description": "A string containing the description of the group.", "DisplayName": "", @@ -14257,11 +15950,11 @@ }, "AWS::ImageBuilder::ContainerRecipe ComponentConfiguration": { "ComponentArn": "The Amazon Resource Name (ARN) of the component.", - "Parameters": "" + "Parameters": "A group of parameter settings that Image Builder uses to configure the component for a specific recipe." }, "AWS::ImageBuilder::ContainerRecipe ComponentParameter": { - "Name": "", - "Value": "" + "Name": "The name of the component parameter to set.", + "Value": "Sets the value for the named component parameter." }, "AWS::ImageBuilder::ContainerRecipe EbsInstanceBlockDeviceSpecification": { "DeleteOnTermination": "Use to configure delete on termination of the associated device.", @@ -14309,25 +16002,25 @@ "AWS::ImageBuilder::DistributionConfiguration Distribution": { "AmiDistributionConfiguration": "The specific AMI settings, such as launch permissions and AMI tags. For details, see example schema below.", "ContainerDistributionConfiguration": "Container distribution settings for encryption, licensing, and sharing in a specific Region. For details, see example schema below.", - "FastLaunchConfigurations": "", + "FastLaunchConfigurations": "The Windows faster-launching configurations to use for AMI distribution.", "LaunchTemplateConfigurations": "A group of launchTemplateConfiguration settings that apply to image distribution for specified accounts.", "LicenseConfigurationArns": "The License Manager Configuration to associate with the AMI in the specified Region. For more information, see the [LicenseConfiguration API](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_LicenseConfiguration.html) .", "Region": "The target Region for the Distribution Configuration. For example, `eu-west-1` ." }, "AWS::ImageBuilder::DistributionConfiguration FastLaunchConfiguration": { - "AccountId": "", - "Enabled": "", - "LaunchTemplate": "", - "MaxParallelLaunches": "", - "SnapshotConfiguration": "" + "AccountId": "The owner account ID for the fast-launch enabled Windows AMI.", + "Enabled": "A Boolean that represents the current state of faster launching for the Windows AMI. Set to `true` to start using Windows faster launching, or `false` to stop using it.", + "LaunchTemplate": "The launch template that the fast-launch enabled Windows AMI uses when it launches Windows instances to create pre-provisioned snapshots.", + "MaxParallelLaunches": "The maximum number of parallel instances that are launched for creating resources.", + "SnapshotConfiguration": "Configuration settings for managing the number of snapshots that are created from pre-provisioned instances for the Windows AMI when faster launching is enabled." }, "AWS::ImageBuilder::DistributionConfiguration FastLaunchLaunchTemplateSpecification": { - "LaunchTemplateId": "", - "LaunchTemplateName": "", - "LaunchTemplateVersion": "" + "LaunchTemplateId": "The ID of the launch template to use for faster launching for a Windows AMI.", + "LaunchTemplateName": "The name of the launch template to use for faster launching for a Windows AMI.", + "LaunchTemplateVersion": "The version of the launch template to use for faster launching for a Windows AMI." }, "AWS::ImageBuilder::DistributionConfiguration FastLaunchSnapshotConfiguration": { - "TargetResourceCount": "" + "TargetResourceCount": "The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI." }, "AWS::ImageBuilder::DistributionConfiguration LaunchPermissionConfiguration": { "OrganizationArns": "The ARN for an AWS Organization that you want to share your AMI with. For more information, see [What is AWS Organizations ?](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) .", @@ -14349,18 +16042,18 @@ "DistributionConfigurationArn": "The Amazon Resource Name (ARN) of the distribution configuration.", "EnhancedImageMetadataEnabled": "Indicates whether Image Builder collects additional information about the image, such as the operating system (OS) version and package list.", "ImageRecipeArn": "The Amazon Resource Name (ARN) of the image recipe.", - "ImageScanningConfiguration": "", + "ImageScanningConfiguration": "Contains settings for vulnerability scans.", "ImageTestsConfiguration": "The configuration settings for your image test components, which includes a toggle that allows you to turn off tests, and a timeout setting.", "InfrastructureConfigurationArn": "The Amazon Resource Name (ARN) of the infrastructure configuration associated with this image pipeline.", "Tags": "The tags of the image." }, "AWS::ImageBuilder::Image EcrConfiguration": { - "ContainerTags": "", - "RepositoryName": "" + "ContainerTags": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", + "RepositoryName": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images." }, "AWS::ImageBuilder::Image ImageScanningConfiguration": { - "EcrConfiguration": "", - "ImageScanningEnabled": "" + "EcrConfiguration": "Contains Amazon ECR settings for vulnerability scans.", + "ImageScanningEnabled": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image." }, "AWS::ImageBuilder::Image ImageTestsConfiguration": { "ImageTestsEnabled": "Determines if tests should run after building the image. Image Builder defaults to enable tests to run following the image build, before image distribution.", @@ -14372,7 +16065,7 @@ "DistributionConfigurationArn": "The Amazon Resource Name (ARN) of the distribution configuration associated with this image pipeline.", "EnhancedImageMetadataEnabled": "Collects additional information about the image being created, including the operating system (OS) version and package list. This information is used to enhance the overall experience of using EC2 Image Builder. Enabled by default.", "ImageRecipeArn": "The Amazon Resource Name (ARN) of the image recipe associated with this image pipeline.", - "ImageScanningConfiguration": "", + "ImageScanningConfiguration": "Contains settings for vulnerability scans.", "ImageTestsConfiguration": "The configuration of the image tests that run after image creation to ensure the quality of the image that was created.", "InfrastructureConfigurationArn": "The Amazon Resource Name (ARN) of the infrastructure configuration associated with this image pipeline.", "Name": "The name of the image pipeline.", @@ -14381,12 +16074,12 @@ "Tags": "The tags of this image pipeline." }, "AWS::ImageBuilder::ImagePipeline EcrConfiguration": { - "ContainerTags": "", - "RepositoryName": "" + "ContainerTags": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", + "RepositoryName": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images." }, "AWS::ImageBuilder::ImagePipeline ImageScanningConfiguration": { - "EcrConfiguration": "", - "ImageScanningEnabled": "" + "EcrConfiguration": "Contains Amazon ECR settings for vulnerability scans.", + "ImageScanningEnabled": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image." }, "AWS::ImageBuilder::ImagePipeline ImageTestsConfiguration": { "ImageTestsEnabled": "Defines if tests should be executed when building this image. For example, `true` or `false` .", @@ -14475,9 +16168,17 @@ "RulesPackageArns": "The ARNs of the rules packages that you want to use in the assessment template.", "UserAttributesForFindings": "The user-defined attributes that are assigned to every finding that is generated by the assessment run that uses this assessment template. Within an assessment template, each key must be unique." }, + "AWS::Inspector::AssessmentTemplate Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::Inspector::ResourceGroup": { "ResourceGroupTags": "The tags (key and value pairs) that will be associated with the resource group.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Inspector::ResourceGroup Tag": { + "Key": "A tag key.", + "Value": "A value assigned to a tag key." + }, "AWS::InspectorV2::Filter": { "Description": "A description of the filter.", "FilterAction": "The action that is to be applied to the findings that match the filter.", @@ -14547,29 +16248,40 @@ "Value": "The value to filter on." }, "AWS::InternetMonitor::Monitor": { - "HealthEventsConfig": "", + "HealthEventsConfig": "A complex type with the configuration information that determines the threshold and other conditions for when Internet Monitor creates a health event for an overall performance or availability issue, across an application's geographies.\n\nDefines the percentages, for overall performance scores and availability scores for an application, that are the thresholds for when Amazon CloudWatch Internet Monitor creates a health event. You can override the defaults to set a custom threshold for overall performance or availability scores, or both.\n\nYou can also set thresholds for local health scores,, where Internet Monitor creates a health event when scores cross a threshold for one or more city-networks, in addition to creating an event when an overall score crosses a threshold.\n\nIf you don't set a health event threshold, the default value is 95%.\n\nFor local thresholds, you also set a minimum percentage of overall traffic that is impacted by an issue before Internet Monitor creates an event. In addition, you can disable local thresholds, for performance scores, availability scores, or both.\n\nFor more information, see [Change health event thresholds](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-overview.html#IMUpdateThresholdFromOverview) in the Internet Monitor section of the *CloudWatch User Guide* .", "InternetMeasurementsLogDelivery": "Publish internet measurements for a monitor for all city-networks (up to the 500,000 service limit) to another location, such as an Amazon S3 bucket. Measurements are also published to Amazon CloudWatch Logs for the first 500 (by traffic volume) city-networks (client locations and ASNs, typically internet service providers or ISPs).", "MaxCityNetworksToMonitor": "The maximum number of city-networks to monitor for your resources. A city-network is the location (city) where clients access your application resources from and the network, such as an internet service provider, that clients access the resources through.\n\nFor more information, see [Choosing a city-network maximum value](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/IMCityNetworksMaximum.html) in *Using Amazon CloudWatch Internet Monitor* .", "MonitorName": "The name of the monitor. A monitor name can contain only alphanumeric characters, dashes (-), periods (.), and underscores (_).", - "Resources": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs).", - "ResourcesToAdd": "The resources to add to a monitor, which you provide as a set of Amazon Resource Names (ARNs).\n\nYou can add a combination of Virtual Private Clouds (VPCs) and Amazon CloudFront distributions, or you can add WorkSpaces directories. You can't add all three types of resources.\n\n> If you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.", - "ResourcesToRemove": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs).", + "Resources": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs). Use this option to add or remove resources when making an update.\n\n> Be aware that if you include content in the `Resources` field when you update a monitor, the `ResourcesToAdd` and `ResourcesToRemove` fields must be empty.", + "ResourcesToAdd": "The resources to include in a monitor, which you provide as a set of Amazon Resource Names (ARNs). Resources can be Amazon Virtual Private Cloud VPCs, Network Load Balancers (NLBs), Amazon CloudFront distributions, or Amazon WorkSpaces directories.\n\nYou can add a combination of VPCs and CloudFront distributions, or you can add WorkSpaces directories, or you can add NLBs. You can't add NLBs or WorkSpaces directories together with any other resources.\n\nIf you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", + "ResourcesToRemove": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs)\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "Status": "The status of a monitor. The accepted values that you can specify for `Status` are `ACTIVE` and `INACTIVE` .", "Tags": "The tags for a monitor, listed as a set of *key:value* pairs.", "TrafficPercentageToMonitor": "The percentage of the internet-facing traffic for your application that you want to monitor. You can also, optionally, set a limit for the number of city-networks (client locations and ASNs, typically internet service providers) that Internet Monitor will monitor traffic for. The city-networks maximum limit caps the number of city-networks that Internet Monitor monitors for your application, regardless of the percentage of traffic that you choose to monitor." }, "AWS::InternetMonitor::Monitor HealthEventsConfig": { - "AvailabilityScoreThreshold": "", - "PerformanceScoreThreshold": "" + "AvailabilityLocalHealthEventsConfig": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local availability issue.", + "AvailabilityScoreThreshold": "The health event threshold percentage set for availability scores. When the overall availability score is at or below this percentage, Internet Monitor creates a health event.", + "PerformanceLocalHealthEventsConfig": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local performance issue.", + "PerformanceScoreThreshold": "The health event threshold percentage set for performance scores. When the overall performance score is at or below this percentage, Internet Monitor creates a health event." }, "AWS::InternetMonitor::Monitor InternetMeasurementsLogDelivery": { - "S3Config": "The configuration information for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise." + "S3Config": "The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3." + }, + "AWS::InternetMonitor::Monitor LocalHealthEventsConfig": { + "HealthScoreThreshold": "The health event threshold percentage set for a local health score.", + "MinTrafficImpact": "The minimum percentage of overall traffic for an application that must be impacted by an issue before Internet Monitor creates an event when a threshold is crossed for a local health score.\n\nIf you don't set a minimum traffic impact threshold, the default value is 0.01%.", + "Status": "The status of whether Internet Monitor creates a health event based on a threshold percentage set for a local health score. The status can be `ENABLED` or `DISABLED` ." }, "AWS::InternetMonitor::Monitor S3Config": { "BucketName": "The Amazon S3 bucket name for internet measurements publishing.", "BucketPrefix": "An optional Amazon S3 bucket prefix for internet measurements publishing.", "LogDeliveryStatus": "The status of publishing Internet Monitor internet measurements to an Amazon S3 bucket. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise." }, + "AWS::InternetMonitor::Monitor Tag": { + "Key": "", + "Value": "" + }, "AWS::IoT1Click::Device": { "DeviceId": "The ID of the device, such as `G030PX0312744DWM` .", "Enabled": "A Boolean value indicating whether the device is enabled ( `true` ) or not ( `false` )." @@ -14610,8 +16322,8 @@ "DeviceCertificateExpiringCheck": "Checks if a device certificate is expiring. This check applies to device certificates expiring within 30 days or that have expired.", "DeviceCertificateKeyQualityCheck": "Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.", "DeviceCertificateSharedCheck": "Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT .", - "IntermediateCaRevokedForActiveDeviceCertificatesCheck": "", - "IoTPolicyPotentialMisConfigurationCheck": "", + "IntermediateCaRevokedForActiveDeviceCertificatesCheck": "Checks if device certificates are still active despite being revoked by an intermediate CA.", + "IoTPolicyPotentialMisConfigurationCheck": "Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.", "IotPolicyOverlyPermissiveCheck": "Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.", "IotRoleAliasAllowsAccessToUnusedServicesCheck": "Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.", "IotRoleAliasOverlyPermissiveCheck": "Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.", @@ -14638,6 +16350,10 @@ "TokenKeyName": "The key used to extract the token from the HTTP headers.", "TokenSigningPublicKeys": "The public keys used to validate the token signature returned by your custom authentication service." }, + "AWS::IoT::Authorizer Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::BillingGroup": { "BillingGroupName": "The name of the billing group.", "BillingGroupProperties": "The properties of the billing group.", @@ -14646,6 +16362,10 @@ "AWS::IoT::BillingGroup BillingGroupProperties": { "BillingGroupDescription": "The description of the billing group." }, + "AWS::IoT::BillingGroup Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::CACertificate": { "AutoRegistrationStatus": "Whether the CA certificate is configured for auto registration of device certificates. Valid values are \"ENABLE\" and \"DISABLE\".", "CACertificatePem": "The certificate data in PEM format.", @@ -14661,6 +16381,10 @@ "TemplateBody": "The template body.", "TemplateName": "The name of the provisioning template." }, + "AWS::IoT::CACertificate Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::Certificate": { "CACertificatePem": "The CA certificate used to sign the device certificate being registered, not available when CertificateMode is SNI_ONLY.", "CertificateMode": "Specifies which mode of certificate registration to use with this resource. Valid options are DEFAULT with CaCertificatePem and CertificatePem, SNI_ONLY with CertificatePem, and Default with CertificateSigningRequest.\n\n`DEFAULT` : A certificate in `DEFAULT` mode is either generated by AWS IoT Core or registered with an issuer certificate authority (CA). Devices with certificates in `DEFAULT` mode aren't required to send the Server Name Indication (SNI) extension when connecting to AWS IoT Core . However, to use features such as custom domains and VPC endpoints, we recommend that you use the SNI extension when connecting to AWS IoT Core .\n\n`SNI_ONLY` : A certificate in `SNI_ONLY` mode is registered without an issuer CA. Devices with certificates in `SNI_ONLY` mode must send the SNI extension when connecting to AWS IoT Core .", @@ -14674,12 +16398,20 @@ "MetricType": "The type of the custom metric. Types include `string-list` , `ip-address-list` , `number-list` , and `number` .\n\n> The type `number` only takes a single metric value as an input, but when you submit the metrics value in the DeviceMetrics report, you must pass it as an array with a single value.", "Tags": "Metadata that can be used to manage the custom metric." }, + "AWS::IoT::CustomMetric Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::Dimension": { "Name": "A unique identifier for the dimension.", "StringValues": "Specifies the value or list of values for the dimension. For `TOPIC_FILTER` dimensions, this is a pattern used to match the MQTT topic (for example, \"admin/#\").", "Tags": "Metadata that can be used to manage the dimension.", "Type": "Specifies the type of dimension. Supported types: `TOPIC_FILTER.`" }, + "AWS::IoT::Dimension Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::DomainConfiguration": { "AuthorizerConfig": "An object that specifies the authorization service for a domain.", "DomainConfigurationName": "The name of the domain configuration. This value must be unique to a region.", @@ -14700,6 +16432,10 @@ "ServerCertificateStatus": "The status of the server certificate.", "ServerCertificateStatusDetail": "Details that explain the status of the server certificate." }, + "AWS::IoT::DomainConfiguration Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::DomainConfiguration TlsConfig": { "SecurityPolicy": "The security policy for a domain configuration. For more information, see [Security policies](https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html#tls-policy-table) in the *AWS IoT Core developer guide* ." }, @@ -14719,9 +16455,14 @@ "Name": "The name of the aggregation type.", "Values": "A list of the values of aggregation types." }, + "AWS::IoT::FleetMetric Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::JobTemplate": { "AbortConfig": "The criteria that determine when and how a job abort takes place.", "Description": "A description of the job template.", + "DestinationPackageVersions": "The package version Amazon Resource Names (ARNs) that are installed on the device\u2019s reserved named shadow ( `$package` ) when the job successfully completes.\n\n*Note:* Up to 25 package version ARNS are allowed.", "Document": "The job document.\n\nRequired if you don't specify a value for `documentSource` .", "DocumentSource": "An S3 link, or S3 object URL, to the job document. The link is an Amazon S3 object URL and is required if you don't specify a value for `document` .\n\nFor example, `--document-source https://s3. *region-code* .amazonaws.com/example-firmware/device-firmware.1.0`\n\nFor more information, see [Methods for accessing a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-bucket-intro.html) .", "JobArn": "The ARN of the job to use as the basis for the job template.", @@ -14770,6 +16511,10 @@ "FailureType": "The type of job execution failures that can initiate a job retry.", "NumberOfRetries": "The number of retries allowed for a failure type for the job." }, + "AWS::IoT::JobTemplate Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::JobTemplate TimeoutConfig": { "InProgressTimeoutInMinutes": "Specifies the amount of time, in minutes, this device has to finish execution of this job. The timeout interval can be anywhere between 1 minute and 7 days (1 to 10080 minutes). The in progress timer can't be updated and will apply to all job executions for the job. Whenever a job execution remains in the IN_PROGRESS status for longer than this interval, the job execution will fail and switch to the terminal `TIMED_OUT` status." }, @@ -14806,6 +16551,10 @@ "AWS::IoT::MitigationAction ReplaceDefaultPolicyVersionParams": { "TemplateName": "The name of the template to be applied. The only supported value is `BLANK_POLICY` ." }, + "AWS::IoT::MitigationAction Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::MitigationAction UpdateCACertificateParams": { "Action": "The action that you want to apply to the CA certificate. The only supported value is `DEACTIVATE` ." }, @@ -14814,7 +16563,12 @@ }, "AWS::IoT::Policy": { "PolicyDocument": "The JSON document that describes the policy.", - "PolicyName": "The policy name." + "PolicyName": "The policy name.", + "Tags": "" + }, + "AWS::IoT::Policy Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." }, "AWS::IoT::PolicyPrincipalAttachment": { "PolicyName": "The name of the AWS IoT policy.", @@ -14834,6 +16588,10 @@ "PayloadVersion": "The payload that was sent to the target function. The valid payload is `\"2020-04-01\"` .", "TargetArn": "The ARN of the target function." }, + "AWS::IoT::ProvisioningTemplate Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::ResourceSpecificLogging": { "LogLevel": "The default log level.Valid Values: `DEBUG | INFO | ERROR | WARN | DISABLED`", "TargetName": "The target name.", @@ -14845,6 +16603,10 @@ "RoleArn": "The role ARN.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::IoT::RoleAlias Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::ScheduledAudit": { "DayOfMonth": "The day of the month on which the scheduled audit is run (if the `frequency` is \"MONTHLY\"). If days 29-31 are specified, and the month does not have that many days, the audit takes place on the \"LAST\" day of the month.", "DayOfWeek": "The day of the week on which the scheduled audit is run (if the `frequency` is \"WEEKLY\" or \"BIWEEKLY\").", @@ -14853,6 +16615,10 @@ "Tags": "Metadata that can be used to manage the scheduled audit.", "TargetCheckNames": "Which checks are performed during the scheduled audit. Checks must be enabled for your account. (Use `DescribeAccountAuditConfiguration` to see the list of all checks, including those that are enabled or use `UpdateAccountAuditConfiguration` to select which checks are enabled.)\n\nThe following checks are currently aviable:\n\n- `AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK`\n- `CA_CERTIFICATE_EXPIRING_CHECK`\n- `CA_CERTIFICATE_KEY_QUALITY_CHECK`\n- `CONFLICTING_CLIENT_IDS_CHECK`\n- `DEVICE_CERTIFICATE_EXPIRING_CHECK`\n- `DEVICE_CERTIFICATE_KEY_QUALITY_CHECK`\n- `DEVICE_CERTIFICATE_SHARED_CHECK`\n- `IOT_POLICY_OVERLY_PERMISSIVE_CHECK`\n- `IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK`\n- `IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK`\n- `LOGGING_DISABLED_CHECK`\n- `REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK`\n- `REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK`\n- `UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK`" }, + "AWS::IoT::ScheduledAudit Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::SecurityProfile": { "AdditionalMetricsToRetainV2": "A list of metrics whose data is retained (stored). By default, data is retained for any metric used in the profile's `behaviors` , but it's also retained for any metric specified here. Can be used with custom metrics; can't be used with dimensions.", "AlertTargets": "Specifies the destinations to which alerts are sent. (Alerts are always sent to the console.) Alerts are generated when a device (thing) violates a behavior.", @@ -14867,7 +16633,7 @@ "RoleArn": "The ARN of the role that grants permission to send alerts to the notification target." }, "AWS::IoT::SecurityProfile Behavior": { - "Criteria": "The criteria that determine if a device is behaving normally in regard to the `metric` .", + "Criteria": "The criteria that determine if a device is behaving normally in regard to the `metric` .\n\n> In the AWS IoT console, you can choose to be sent an alert through Amazon SNS when AWS IoT Device Defender detects that a device is behaving anomalously.", "Metric": "What is measured by the behavior.", "MetricDimension": "The dimension of the metric.", "Name": "The name you've given to the behavior.", @@ -14904,6 +16670,30 @@ "AWS::IoT::SecurityProfile StatisticalThreshold": { "Statistic": "The percentile that resolves to a threshold value by which compliance with a behavior is determined. Metrics are collected over the specified period ( `durationSeconds` ) from all reporting devices in your account and statistical ranks are calculated. Then, the measurements from a device are collected over the same period. If the accumulated measurements from the device fall above or below ( `comparisonOperator` ) the value associated with the percentile specified, then the device is considered to be in compliance with the behavior, otherwise a violation occurs." }, + "AWS::IoT::SecurityProfile Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, + "AWS::IoT::SoftwarePackage": { + "Description": "A summary of the package being created. This can be used to outline the package's contents or purpose.", + "PackageName": "The name of the new software package.", + "Tags": "Metadata that can be used to manage the package." + }, + "AWS::IoT::SoftwarePackage Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, + "AWS::IoT::SoftwarePackageVersion": { + "Attributes": "Metadata that can be used to define a package version\u2019s configuration. For example, the S3 file location, configuration options that are being sent to the device or fleet.\n\nThe combined size of all the attributes on a package version is limited to 3KB.", + "Description": "A summary of the package version being created. This can be used to outline the package's contents or purpose.", + "PackageName": "The name of the associated software package.", + "Tags": "Metadata that can be used to manage the package version.", + "VersionName": "The name of the new package version." + }, + "AWS::IoT::SoftwarePackageVersion Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::Thing": { "AttributePayload": "A string that contains up to three key value pairs. Maximum length of 800. Duplicates not allowed.", "ThingName": "The name of the thing to update.\n\nYou can't change a thing's name. To change a thing's name, you must create a new thing, give it the new name, and then delete the old thing." @@ -14921,6 +16711,10 @@ "AWS::IoT::ThingGroup AttributePayload": { "Attributes": "A JSON string containing up to three key-value pair in JSON format. For example:\n\n`{\\\"attributes\\\":{\\\"string1\\\":\\\"string2\\\"}}`" }, + "AWS::IoT::ThingGroup Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::ThingGroup ThingGroupProperties": { "AttributePayload": "The thing group attributes in JSON format.", "ThingGroupDescription": "The thing group description." @@ -14935,6 +16729,10 @@ "ThingTypeName": "The name of the thing type.", "ThingTypeProperties": "The thing type properties for the thing type to create. It contains information about the new thing type including a description, and a list of searchable thing attribute names. `ThingTypeProperties` can't be updated after the initial creation of the `ThingType` ." }, + "AWS::IoT::ThingType Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::ThingType ThingTypeProperties": { "SearchableAttributes": "A list of searchable thing attribute names.", "ThingTypeDescription": "The description of the thing type." @@ -15061,10 +16859,15 @@ "AWS::IoT::TopicRule KafkaAction": { "ClientProperties": "Properties of the Apache Kafka producer client.", "DestinationArn": "The ARN of Kafka action's VPC `TopicRuleDestination` .", + "Headers": "The list of Kafka headers that you specify.", "Key": "The Kafka message key.", "Partition": "The Kafka message partition.", "Topic": "The Kafka topic for messages to be sent to the Kafka broker." }, + "AWS::IoT::TopicRule KafkaActionHeader": { + "Key": "The key of the Kafka header.", + "Value": "The value of the Kafka header." + }, "AWS::IoT::TopicRule KinesisAction": { "PartitionKey": "The partition key.", "RoleArn": "The ARN of the IAM role that grants access to the Amazon Kinesis stream.", @@ -15138,6 +16941,10 @@ "RoleArn": "The ARN of the role that grants IoT permission to start execution of a state machine (\"Action\":\"states:StartExecution\").", "StateMachineName": "The name of the Step Functions state machine whose execution will be started." }, + "AWS::IoT::TopicRule Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoT::TopicRule Timestamp": { "Unit": "The precision of the timestamp value that results from the expression described in `value` .", "Value": "An expression that returns a long epoch time value." @@ -15202,6 +17009,10 @@ "NumberOfDays": "The number of days that message data is kept. The `unlimited` parameter must be false.", "Unlimited": "If true, message data is kept indefinitely." }, + "AWS::IoTAnalytics::Channel Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTAnalytics::Dataset": { "Actions": "The `DatasetAction` objects that automatically create the dataset contents.", "ContentDeliveryRules": "When dataset contents are created they are delivered to destinations specified here.", @@ -15283,6 +17094,10 @@ "AWS::IoTAnalytics::Dataset Schedule": { "ScheduleExpression": "The expression that defines when to trigger an update. For more information, see [Schedule Expressions for Rules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html) in the Amazon CloudWatch documentation." }, + "AWS::IoTAnalytics::Dataset Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTAnalytics::Dataset Trigger": { "Schedule": "The \"Schedule\" when the trigger is initiated.", "TriggeringDataset": "Information about the data set whose content generation triggers the new data set content generation." @@ -15354,6 +17169,10 @@ "AWS::IoTAnalytics::Datastore SchemaDefinition": { "Columns": "Specifies one or more columns that store your data.\n\nEach schema can have up to 100 columns. Each column can have up to 100 nested types." }, + "AWS::IoTAnalytics::Datastore Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTAnalytics::Datastore TimestampPartition": { "AttributeName": "The attribute name of the partition defined by a timestamp.", "TimestampFormat": "The timestamp format of a partition defined by a timestamp. The default format is seconds since epoch (January 1, 1970 at midnight UTC time)." @@ -15430,20 +17249,28 @@ "Name": "The name of the 'selectAttributes' activity.", "Next": "The next activity in the pipeline." }, + "AWS::IoTAnalytics::Pipeline Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTCoreDeviceAdvisor::SuiteDefinition": { "SuiteDefinitionConfiguration": "The configuration of the Suite Definition. Listed below are the required elements of the `SuiteDefinitionConfiguration` .\n\n- ***devicePermissionRoleArn*** - The device permission arn.\n\nThis is a required element.\n\n*Type:* String\n- ***devices*** - The list of configured devices under test. For more information on devices under test, see [DeviceUnderTest](https://docs.aws.amazon.com/iot/latest/apireference/API_iotdeviceadvisor_DeviceUnderTest.html)\n\nNot a required element.\n\n*Type:* List of devices under test\n- ***intendedForQualification*** - The tests intended for qualification in a suite.\n\nNot a required element.\n\n*Type:* Boolean\n- ***rootGroup*** - The test suite root group. For more information on creating and using root groups see the [Device Advisor workflow](https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-workflow.html) .\n\nThis is a required element.\n\n*Type:* String\n- ***suiteDefinitionName*** - The Suite Definition Configuration name.\n\nThis is a required element.\n\n*Type:* String", "Tags": "Metadata that can be used to manage the the Suite Definition." }, "AWS::IoTCoreDeviceAdvisor::SuiteDefinition DeviceUnderTest": { - "CertificateArn": "", - "ThingArn": "" + "CertificateArn": "Lists device's certificate ARN.", + "ThingArn": "Lists device's thing ARN." }, "AWS::IoTCoreDeviceAdvisor::SuiteDefinition SuiteDefinitionConfiguration": { - "DevicePermissionRoleArn": "", - "Devices": "", - "IntendedForQualification": "", - "RootGroup": "", - "SuiteDefinitionName": "" + "DevicePermissionRoleArn": "Gets the device permission ARN. This is a required parameter.", + "Devices": "Gets the devices configured.", + "IntendedForQualification": "Gets the tests intended for qualification in a suite.", + "RootGroup": "Gets the test suite root group. This is a required parameter. For updating or creating the latest qualification suite, if `intendedForQualification` is set to true, `rootGroup` can be an empty string. If `intendedForQualification` is false, `rootGroup` cannot be an empty string. If `rootGroup` is empty, and `intendedForQualification` is set to true, all the qualification tests are included, and the configuration is default.\n\nFor a qualification suite, the minimum length is 0, and the maximum is 2048. For a non-qualification suite, the minimum length is 1, and the maximum is 2048.", + "SuiteDefinitionName": "Gets the suite definition name. This is a required parameter." + }, + "AWS::IoTCoreDeviceAdvisor::SuiteDefinition Tag": { + "Key": "", + "Value": "" }, "AWS::IoTEvents::AlarmModel": { "AlarmCapabilities": "Contains the configuration information of alarm state changes.", @@ -15556,6 +17383,10 @@ "QueueUrl": "The URL of the SQS queue where the data is written.", "UseBase64": "Set this to TRUE if you want the data to be base-64 encoded before it is written to the queue. Otherwise, set this to FALSE." }, + "AWS::IoTEvents::AlarmModel Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTEvents::DetectorModel": { "DetectorModelDefinition": "Information that defines how a detector operates.", "DetectorModelDescription": "A brief description of the detector model.", @@ -15688,6 +17519,10 @@ "OnInput": "When an input is received and the `condition` is TRUE, perform the specified `actions` .", "StateName": "The name of the state." }, + "AWS::IoTEvents::DetectorModel Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTEvents::DetectorModel TransitionEvent": { "Actions": "The actions to be performed.", "Condition": "Required. A Boolean expression that when TRUE causes the actions to be performed and the `nextState` to be entered.", @@ -15706,12 +17541,20 @@ "AWS::IoTEvents::Input InputDefinition": { "Attributes": "The attributes from the JSON payload that are made available by the input. Inputs are derived from messages sent to the AWS IoT Events system using `BatchPutMessage` . Each such message contains a JSON payload, and those attributes (and their paired values) specified here are available for use in the `condition` expressions used by detectors that monitor this input." }, + "AWS::IoTEvents::Input Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetHub::Application": { "ApplicationDescription": "An optional description of the web application.", "ApplicationName": "The name of the web application.", "RoleArn": "The ARN of the role that the web application assumes when it interacts with AWS IoT Core .\n\n> The name of the role must be in the form `FleetHub_random_string` . \n\nPattern: `^arn:[!-~]+$`", "Tags": "A set of key/value pairs that you can use to manage the web application resource." }, + "AWS::IoTFleetHub::Application Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTFleetWise::Campaign": { "Action": "Specifies how to update a campaign. The action can be one of the following:\n\n- `APPROVE` - To approve delivering a data collection scheme to vehicles.\n- `SUSPEND` - To suspend collecting signal data. The campaign is deleted from vehicles and all vehicles in the suspended campaign will stop sending data.\n- `RESUME` - To reactivate the `SUSPEND` campaign. The campaign is redeployed to all vehicles and the vehicles will resume sending data.\n- `UPDATE` - To update a campaign.", "CollectionScheme": "The data collection scheme associated with the campaign. You can specify a scheme that collects data based on time or an event.", @@ -15756,6 +17599,10 @@ "MinimumSamplingIntervalMs": "(Optional) The minimum duration of time (in milliseconds) between two triggering events to collect data.\n\n> If a signal changes often, you might want to collect data at a slower rate.", "Name": "The name of the signal." }, + "AWS::IoTFleetWise::Campaign Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetWise::Campaign TimeBasedCollectionScheme": { "PeriodMs": "The time period (in milliseconds) to decide how often to collect data. For example, if the time period is `60000` , the Edge Agent software collects data once every minute." }, @@ -15777,6 +17624,11 @@ "ProtocolName": "(Optional) The name of the communication protocol for the interface.", "ProtocolVersion": "(Optional) The version of the communication protocol for the interface." }, + "AWS::IoTFleetWise::DecoderManifest CanNetworkInterface": { + "CanInterface": "Information about a network interface specified by the Controller Area Network (CAN) protocol.", + "InterfaceId": "The ID of the network interface.", + "Type": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs." + }, "AWS::IoTFleetWise::DecoderManifest CanSignal": { "Factor": "A multiplier used to decode the CAN message.", "IsBigEndian": "Whether the byte ordering of a CAN message is big-endian.", @@ -15787,12 +17639,16 @@ "Offset": "The offset used to calculate the signal value. Combined with factor, the calculation is `value = raw_value * factor + offset` .", "StartBit": "Indicates the beginning of the CAN message." }, - "AWS::IoTFleetWise::DecoderManifest NetworkInterfacesItems": { - "CanInterface": "(Optional) Information about a network interface specified by the Controller Area Network (CAN) protocol.", - "InterfaceId": "The ID of the network interface.", - "ObdInterface": "(Optional) Information about a network interface specified by the On-board diagnostic (OBD) II protocol.", + "AWS::IoTFleetWise::DecoderManifest CanSignalDecoder": { + "CanSignal": "Information about a single controller area network (CAN) signal and the messages it receives and transmits.", + "FullyQualifiedName": "The fully qualified name of a signal decoder as defined in a vehicle model.", + "InterfaceId": "The ID of a network interface that specifies what network protocol a vehicle follows.", "Type": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs." }, + "AWS::IoTFleetWise::DecoderManifest NetworkInterfacesItems": { + "CanNetworkInterface": "", + "ObdNetworkInterface": "" + }, "AWS::IoTFleetWise::DecoderManifest ObdInterface": { "DtcRequestIntervalSeconds": "(Optional) The maximum number message requests per diagnostic trouble code per second.", "HasTransmissionEcu": "(Optional) Whether the vehicle has a transmission control module (TCM).", @@ -15802,6 +17658,11 @@ "RequestMessageId": "The ID of the message requesting vehicle data.", "UseExtendedIds": "(Optional) Whether to use extended IDs in the message." }, + "AWS::IoTFleetWise::DecoderManifest ObdNetworkInterface": { + "InterfaceId": "The ID of the network interface.", + "ObdInterface": "(Optional) Information about a network interface specified by the On-board diagnostic (OBD) II protocol.", + "Type": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs." + }, "AWS::IoTFleetWise::DecoderManifest ObdSignal": { "BitMaskLength": "(Optional) The number of bits to mask in a message.", "BitRightShift": "(Optional) The number of positions to shift bits in the message.", @@ -15813,12 +17674,19 @@ "ServiceMode": "The mode of operation (diagnostic service) in a message.", "StartByte": "Indicates the beginning of the message." }, + "AWS::IoTFleetWise::DecoderManifest ObdSignalDecoder": { + "FullyQualifiedName": "", + "InterfaceId": "", + "ObdSignal": "Information about signal messages using the on-board diagnostics (OBD) II protocol in a vehicle.", + "Type": "" + }, "AWS::IoTFleetWise::DecoderManifest SignalDecodersItems": { - "CanSignal": "(Optional) Information about a single controller area network (CAN) signal and the messages it receives and transmits.", - "FullyQualifiedName": "The fully qualified name of a signal decoder as defined in a vehicle model.", - "InterfaceId": "The ID of a network interface that specifies what network protocol a vehicle follows.", - "ObdSignal": "(Optional) Information about signal messages using the on-board diagnostics (OBD) II protocol in a vehicle.", - "Type": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs." + "CanSignalDecoder": "", + "ObdSignalDecoder": "" + }, + "AWS::IoTFleetWise::DecoderManifest Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." }, "AWS::IoTFleetWise::Fleet": { "Description": "(Optional) A brief description of the fleet.", @@ -15826,6 +17694,10 @@ "SignalCatalogArn": "The ARN of the signal catalog associated with the fleet.", "Tags": "(Optional) Metadata that can be used to manage the fleet." }, + "AWS::IoTFleetWise::Fleet Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetWise::ModelManifest": { "Description": "(Optional) A brief description of the vehicle model.", "Name": "The name of the vehicle model.", @@ -15834,6 +17706,10 @@ "Status": "(Optional) The state of the vehicle model. If the status is `ACTIVE` , the vehicle model can't be edited. If the status is `DRAFT` , you can edit the vehicle model.", "Tags": "(Optional) Metadata that can be used to manage the vehicle model." }, + "AWS::IoTFleetWise::ModelManifest Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetWise::SignalCatalog": { "Description": "(Optional) A brief description of the signal catalog.", "Name": "(Optional) The name of the signal catalog.", @@ -15888,6 +17764,10 @@ "Min": "(Optional) The specified possible minimum value of the sensor.", "Unit": "(Optional) The scientific unit of measurement for data collected by the sensor." }, + "AWS::IoTFleetWise::SignalCatalog Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTFleetWise::Vehicle": { "AssociationBehavior": "(Optional) An option to create a new AWS IoT thing when creating a vehicle, or to validate an existing thing as a vehicle.", "Attributes": "(Optional) Static information about a vehicle in a key-value pair. For example: `\"engine Type\"` : `\"v6\"`", @@ -15896,6 +17776,10 @@ "Name": "The unique ID of the vehicle.", "Tags": "(Optional) Metadata which can be used to manage the vehicle." }, + "AWS::IoTFleetWise::Vehicle Tag": { + "Key": "The tag's key.", + "Value": "The tag's value." + }, "AWS::IoTSiteWise::AccessPolicy": { "AccessPolicyIdentity": "The identity for this access policy. Choose an IAM Identity Center user, an IAM Identity Center group, or an IAM user.", "AccessPolicyPermission": "The permission level for this access policy. Choose either a `ADMINISTRATOR` or `VIEWER` . Note that a project `ADMINISTRATOR` is also known as a project owner.", @@ -15943,6 +17827,10 @@ "NotificationState": "The MQTT notification state ( `ENABLED` or `DISABLED` ) for this asset property. When the notification state is `ENABLED` , AWS IoT SiteWise publishes property value updates to a unique MQTT topic. For more information, see [Interacting with other services](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/interact-with-other-services.html) in the *AWS IoT SiteWise User Guide* .\n\nIf you omit this parameter, the notification state is set to `DISABLED` .\n\n> You must use all caps for the NotificationState parameter. If you use lower case letters, you will receive a schema validation error.", "Unit": "The unit (such as `Newtons` or `RPM` ) of the asset property." }, + "AWS::IoTSiteWise::Asset Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::AssetModel": { "AssetModelCompositeModels": "The composite asset models that are part of this asset model. Composite asset models are asset models that contain specific properties. Each composite model has a type that defines the properties that the composite model supports. You can use composite asset models to define alarms on this asset model.", "AssetModelDescription": "A description for the asset model.", @@ -15991,6 +17879,10 @@ "Transform": "Specifies an asset transform property. A transform contains a mathematical expression that maps a property's data points from one form to another, such as a unit conversion from Celsius to Fahrenheit.\n\nThis is required if the `TypeName` is `Transform` .", "TypeName": "The type of property type, which can be one of `Attribute` , `Measurement` , `Metric` , or `Transform` ." }, + "AWS::IoTSiteWise::AssetModel Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::AssetModel Transform": { "Expression": "The mathematical expression that defines the transformation function. You can specify up to 10 variables per expression. You can specify up to 10 functions per expression.\n\nFor more information, see [Quotas](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/quotas.html) in the *AWS IoT SiteWise User Guide* .", "Variables": "The list of variables used in the expression." @@ -16010,6 +17902,10 @@ "ProjectId": "The ID of the project in which to create the dashboard.", "Tags": "A list of key-value pairs that contain metadata for the dashboard. For more information, see [Tagging your AWS IoT SiteWise resources](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/tag-resources.html) in the *AWS IoT SiteWise User Guide* ." }, + "AWS::IoTSiteWise::Dashboard Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::Gateway": { "GatewayCapabilitySummaries": "A list of gateway capability summaries that each contain a namespace and status. Each gateway capability defines data sources for the gateway. To retrieve a capability configuration's definition, use [DescribeGatewayCapabilityConfiguration](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeGatewayCapabilityConfiguration.html) .", "GatewayName": "A unique, friendly name for the gateway.\n\nThe maximum length is 256 characters with the pattern `[^\\u0000-\\u001F\\u007F]+` .", @@ -16030,10 +17926,14 @@ "AWS::IoTSiteWise::Gateway GreengrassV2": { "CoreDeviceThingName": "The name of the AWS IoT thing for your AWS IoT Greengrass V2 core device." }, + "AWS::IoTSiteWise::Gateway Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::Portal": { "Alarms": "Contains the configuration information of an alarm created in an AWS IoT SiteWise Monitor portal. You can use the alarm to monitor an asset property and get notified when the asset property value is outside a specified range. For more information, see [Monitoring with alarms](https://docs.aws.amazon.com/iot-sitewise/latest/appguide/monitor-alarms.html) in the *AWS IoT SiteWise Application Guide* .", "NotificationSenderEmail": "The email address that sends alarm notifications.\n\n> If you use the [AWS IoT Events managed Lambda function](https://docs.aws.amazon.com/iotevents/latest/developerguide/lambda-support.html) to manage your emails, you must [verify the sender email address in Amazon SES](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html) .", - "PortalAuthMode": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center (successor to AWS Single Sign-On) to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", + "PortalAuthMode": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", "PortalContactEmail": "The AWS administrator's contact email address.", "PortalDescription": "A description for the portal.", "PortalName": "A friendly name for the portal.", @@ -16044,6 +17944,10 @@ "AlarmRoleArn": "The [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the IAM role that allows the alarm to perform actions and access AWS resources and services, such as AWS IoT Events .", "NotificationLambdaArn": "The [ARN](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the Lambda function that manages alarm notifications. For more information, see [Managing alarm notifications](https://docs.aws.amazon.com/iotevents/latest/developerguide/lambda-support.html) in the *AWS IoT Events Developer Guide* ." }, + "AWS::IoTSiteWise::Portal Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTSiteWise::Project": { "AssetIds": "A list that contains the IDs of each asset associated with the project.", "PortalId": "The ID of the portal in which to create the project.", @@ -16051,6 +17955,10 @@ "ProjectName": "A friendly name for the project.", "Tags": "A list of key-value pairs that contain metadata for the project. For more information, see [Tagging your AWS IoT SiteWise resources](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/tag-resources.html) in the *AWS IoT SiteWise User Guide* ." }, + "AWS::IoTSiteWise::Project Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTTwinMaker::ComponentType": { "ComponentTypeId": "The ID of the component type.", "Description": "The description of the component type.", @@ -16060,7 +17968,7 @@ "PropertyDefinitions": "An object that maps strings to the property definitions in the component type. Each string in the mapping must be unique to this object.\n\nFor information about the PropertyDefinitionResponse object, see the [PropertyDefinitionResponse](https://docs.aws.amazon.com//iot-twinmaker/latest/apireference/API_PropertyDefinitionResponse.html) API reference.", "PropertyGroups": "An object that maps strings to the property groups in the component type. Each string in the mapping must be unique to this object.", "Tags": "The ComponentType tags.", - "WorkspaceId": "The ID of the workspace." + "WorkspaceId": "" }, "AWS::IoTTwinMaker::ComponentType DataConnector": { "IsNative": "A boolean value that specifies whether the data connector is native to IoT TwinMaker.", @@ -16100,7 +18008,7 @@ "Configurations": "A mapping that specifies configuration information about the property.", "DataType": "", "DefaultValue": "A boolean value that specifies whether the property ID comes from an external data store.", - "IsExternalId": "A boolean value that specifies whether the property ID comes from an external data store.", + "IsExternalId": "", "IsRequiredInEntity": "A boolean value that specifies whether the property is required in an entity.", "IsStoredExternally": "A boolean value that specifies whether the property is stored externally.", "IsTimeSeries": "A boolean value that specifies whether the property consists of time series data." @@ -16111,7 +18019,7 @@ }, "AWS::IoTTwinMaker::ComponentType Relationship": { "RelationshipType": "The type of the relationship.", - "TargetComponentTypeId": "The ID of the target component type associated with this relationship." + "TargetComponentTypeId": "" }, "AWS::IoTTwinMaker::ComponentType RelationshipValue": { "TargetComponentName": "The target component name.", @@ -16124,15 +18032,15 @@ "AWS::IoTTwinMaker::Entity": { "Components": "An object that maps strings to the components in the entity. Each string in the mapping must be unique to this object.\n\nFor information on the component object see the [component](https://docs.aws.amazon.com//iot-twinmaker/latest/apireference/API_ComponentResponse.html) API reference.", "Description": "The description of the entity.", - "EntityId": "The entity ID.", + "EntityId": "The ID of the entity.", "EntityName": "The entity name.", "ParentEntityId": "The ID of the parent entity.", "Tags": "Metadata that you can use to manage the entity.", - "WorkspaceId": "The ID of the workspace." + "WorkspaceId": "" }, "AWS::IoTTwinMaker::Entity Component": { "ComponentName": "The name of the component.", - "ComponentTypeId": "The ID of the ComponentType.", + "ComponentTypeId": "", "DefinedIn": "The name of the property definition set in the request.", "Description": "The description of the component.", "Properties": "An object that maps strings to the properties to set in the component type. Each string in the mapping must be unique to this object.", @@ -16197,10 +18105,10 @@ "Capabilities": "A list of capabilities that the scene uses to render.", "ContentLocation": "The relative path that specifies the location of the content definition file.", "Description": "The description of this scene.", - "SceneId": "The scene ID.", + "SceneId": "The ID of the scene.", "SceneMetadata": "The scene metadata.", "Tags": "The ComponentType tags.", - "WorkspaceId": "The ID of the workspace." + "WorkspaceId": "" }, "AWS::IoTTwinMaker::SyncJob": { "SyncRole": "The SyncJob IAM role. This IAM role is used by the sync job to read from the syncSource, and create, update or delete the corresponding resources.", @@ -16223,6 +18131,10 @@ "RoleArn": "The ARN of the IAM Role that authorizes the destination.", "Tags": "The tags are an array of key-value pairs to attach to the specified resource. Tags can have a minimum of 0 and a maximum of 50 items." }, + "AWS::IoTWireless::Destination Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::DeviceProfile": { "LoRaWAN": "LoRaWAN device profile object.", "Name": "The name of the new resource.", @@ -16249,6 +18161,10 @@ "SupportsClassC": "The SupportsClassC value.", "SupportsJoin": "The SupportsJoin value." }, + "AWS::IoTWireless::DeviceProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::FuotaTask": { "AssociateMulticastGroup": "The ID of the multicast group to associate with a FUOTA task.", "AssociateWirelessDevice": "The ID of the wireless device to associate with a multicast group.", @@ -16265,6 +18181,10 @@ "RfRegion": "The frequency band (RFRegion) value.", "StartTime": "Start time of a FUOTA task." }, + "AWS::IoTWireless::FuotaTask Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::MulticastGroup": { "AssociateWirelessDevice": "The ID of the wireless device to associate with a multicast group.", "Description": "The description of the multicast group.", @@ -16279,6 +18199,10 @@ "NumberOfDevicesRequested": "Number of devices that are requested to be associated with the multicast group.", "RfRegion": "The frequency band (RFRegion) value." }, + "AWS::IoTWireless::MulticastGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::NetworkAnalyzerConfiguration": { "Description": "The description of the resource.", "Name": "Name of the network analyzer configuration.", @@ -16287,13 +18211,21 @@ "WirelessDevices": "Wireless device resources to add to the network analyzer configuration. Provide the `WirelessDeviceId` of the resource to add in the input array.", "WirelessGateways": "Wireless gateway resources to add to the network analyzer configuration. Provide the `WirelessGatewayId` of the resource to add in the input array." }, + "AWS::IoTWireless::NetworkAnalyzerConfiguration Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::NetworkAnalyzerConfiguration TraceContent": { "LogLevel": "The log level for a log message. The log levels can be disabled, or set to `ERROR` to display less verbose logs containing only error information, or to `INFO` for more detailed logs", "WirelessDeviceFrameInfo": "`FrameInfo` of your wireless device resources for the trace content. Use FrameInfo to debug the communication between your LoRaWAN end devices and the network server." }, "AWS::IoTWireless::PartnerAccount": { + "AccountLinked": "Whether the partner account is linked to the AWS account.", "PartnerAccountId": "The ID of the partner account to update.", + "PartnerType": "The partner type.", "Sidewalk": "The Sidewalk account credentials.", + "SidewalkResponse": "", + "SidewalkUpdate": "Sidewalk update.", "Tags": "The tags are an array of key-value pairs to attach to the specified resource. Tags can have a minimum of 0 and a maximum of 50 items." }, "AWS::IoTWireless::PartnerAccount SidewalkAccountInfo": { @@ -16307,6 +18239,10 @@ "AWS::IoTWireless::PartnerAccount SidewalkUpdateAccount": { "AppServerPrivateKey": "The new Sidewalk application server private key." }, + "AWS::IoTWireless::PartnerAccount Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::ServiceProfile": { "LoRaWAN": "LoRaWAN service profile object.", "Name": "The name of the new resource.", @@ -16333,10 +18269,16 @@ "UlRate": "The ULRate value.\n\nThis property is `ReadOnly` and can't be inputted for create. It's returned with `Fn::GetAtt`", "UlRatePolicy": "The ULRatePolicy value.\n\nThis property is `ReadOnly` and can't be inputted for create. It's returned with `Fn::GetAtt`" }, + "AWS::IoTWireless::ServiceProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::TaskDefinition": { "AutoCreateTasks": "Whether to automatically create tasks using this task definition for all gateways with the specified current version. If `false` , the task must be created by calling `CreateWirelessGatewayTask` .", + "LoRaWANUpdateGatewayTaskEntry": "LoRaWANUpdateGatewayTaskEntry object.", "Name": "The name of the new resource.", "Tags": "The tags are an array of key-value pairs to attach to the specified resource. Tags can have a minimum of 0 and a maximum of 50 items.", + "TaskDefinitionType": "A filter to list only the wireless gateway task definitions that use this task definition type.", "Update": "Information about the gateways to update." }, "AWS::IoTWireless::TaskDefinition LoRaWANGatewayVersion": { @@ -16354,6 +18296,10 @@ "CurrentVersion": "The version of the gateways that should receive the update.", "UpdateVersion": "The firmware version to update the gateway to." }, + "AWS::IoTWireless::TaskDefinition Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::TaskDefinition UpdateWirelessGatewayTaskCreate": { "LoRaWAN": "The properties that relate to the LoRaWAN wireless gateway.", "UpdateDataRole": "The IAM role used to read data from the S3 bucket.", @@ -16370,15 +18316,15 @@ "Type": "The wireless device type." }, "AWS::IoTWireless::WirelessDevice AbpV10x": { - "DevAddr": "The DevAddr value.", - "SessionKeys": "Session keys for ABP v1.0.x" + "DevAddr": "", + "SessionKeys": "" }, "AWS::IoTWireless::WirelessDevice AbpV11": { "DevAddr": "The DevAddr value.", "SessionKeys": "Session keys for ABP v1.1." }, "AWS::IoTWireless::WirelessDevice LoRaWANDevice": { - "AbpV10x": "LoRaWAN object for create APIs.", + "AbpV10x": "", "AbpV11": "ABP device object for create APIs for v1.1.", "DevEui": "The DevEUI value.", "DeviceProfileId": "The ID of the device profile for the new wireless device.", @@ -16387,8 +18333,8 @@ "ServiceProfileId": "The ID of the service profile." }, "AWS::IoTWireless::WirelessDevice OtaaV10x": { - "AppEui": "The AppEUI value, with pattern of `[a-fA-F0-9]{16}` .", - "AppKey": "The AppKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value." + "AppEui": "", + "AppKey": "" }, "AWS::IoTWireless::WirelessDevice OtaaV11": { "AppKey": "The AppKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", @@ -16396,8 +18342,8 @@ "NwkKey": "The NwkKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value." }, "AWS::IoTWireless::WirelessDevice SessionKeysAbpV10x": { - "AppSKey": "The AppSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", - "NwkSKey": "The NwkSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value." + "AppSKey": "", + "NwkSKey": "" }, "AWS::IoTWireless::WirelessDevice SessionKeysAbpV11": { "AppSKey": "The AppSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", @@ -16405,6 +18351,10 @@ "NwkSEncKey": "The NwkSEncKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkSEncKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", "SNwkSIntKey": "The SNwkSIntKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the SNwkSIntKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value." }, + "AWS::IoTWireless::WirelessDevice Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::WirelessDeviceImportTask": { "DestinationName": "The name of the destination that describes the IoT rule to route messages from the Sidewalk devices in the import task to other applications.", "Sidewalk": "The Sidewalk-related information of the wireless device import task.", @@ -16416,6 +18366,10 @@ "Role": "The IAM role that allows AWS IoT Wireless to access the CSV file in the S3 bucket.", "SidewalkManufacturingSn": "The Sidewalk manufacturing serial number (SMSN) of the Sidewalk device." }, + "AWS::IoTWireless::WirelessDeviceImportTask Tag": { + "Key": "", + "Value": "" + }, "AWS::IoTWireless::WirelessGateway": { "Description": "The description of the new resource. The maximum length is 2048 characters.", "LastUplinkReceivedAt": "The date and time when the most recent uplink was received.", @@ -16429,29 +18383,43 @@ "GatewayEui": "The gateway's EUI value.", "RfRegion": "The frequency band (RFRegion) value." }, + "AWS::IoTWireless::WirelessGateway Tag": { + "Key": "", + "Value": "" + }, "AWS::KMS::Alias": { - "AliasName": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .\n\n*Pattern* : `^alias/[a-zA-Z0-9/_-]+$`\n\n*Minimum* : `1`\n\n*Maximum* : `256`", + "AliasName": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .", "TargetKeyId": "Associates the alias with the specified [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) . The KMS key must be in the same AWS account and Region.\n\nA valid key ID is required. If you supply a null or empty string value, this operation returns an error.\n\nFor help finding the key ID and ARN, see [Finding the key ID and ARN](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) in the *AWS Key Management Service Developer Guide* .\n\nSpecify the key ID or the key ARN of the KMS key.\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n\nTo get the key ID and key ARN for a KMS key, use [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) or [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) ." }, "AWS::KMS::Key": { + "BypassPolicyLockoutSafetyCheck": "Skips (\"bypasses\") the key policy lockout safety check. The default value is false.\n\n> Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.\n> \n> For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) in the *AWS Key Management Service Developer Guide* . \n\nUse this parameter only when you intend to prevent the principal that is making the request from making a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key.", "Description": "A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.", - "EnableKeyRotation": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys and HMAC KMS keys, omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", + "EnableKeyRotation": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin `EXTERNAL` , omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", "Enabled": "Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations.\n\nWhen `Enabled` is `true` , the *key state* of the KMS key is `Enabled` . When `Enabled` is `false` , the key state of the KMS key is `Disabled` . The default value is `true` .\n\nThe actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html) , [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) , or [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operations.\n\nFor information about the key states of a KMS key, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* .", - "KeyPolicy": "The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section of the **AWS Key Management Service Developer Guide** .\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", + "KeyPolicy": "The key policy to attach to the KMS key.\n\nIf you provide a key policy, it must meet the following criteria:\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the *AWS Key Management Service Developer Guide* . (To omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you do not provide a key policy, AWS KMS attaches a default key policy to the KMS key. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", "KeySpec": "Specifies the type of KMS key to create. The default value, `SYMMETRIC_DEFAULT` , creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, `SYMMETRIC_DEFAULT` creates a 128-bit symmetric key that uses SM4 encryption. You can't change the `KeySpec` value after the KMS key is created. For help choosing a key spec for your KMS key, see [Choosing a KMS key type](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html) in the *AWS Key Management Service Developer Guide* .\n\nThe `KeySpec` property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see [AWS KMS condition keys](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms) in the *AWS Key Management Service Developer Guide* .\n\n> If you change the value of the `KeySpec` property on an existing KMS key, the update request fails, regardless of the value of the [`UpdateReplacePolicy` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) . This prevents you from accidentally deleting a KMS key by changing an immutable property value. > [AWS services that are integrated with AWS KMS](https://docs.aws.amazon.com/kms/features/#AWS_Service_Integration) use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see [Identifying asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) in the *AWS Key Management Service Developer Guide* . \n\nAWS KMS supports the following key specs for KMS keys:\n\n- Symmetric encryption key (default)\n\n- `SYMMETRIC_DEFAULT` (AES-256-GCM)\n- HMAC keys (symmetric)\n\n- `HMAC_224`\n- `HMAC_256`\n- `HMAC_384`\n- `HMAC_512`\n- Asymmetric RSA key pairs\n\n- `RSA_2048`\n- `RSA_3072`\n- `RSA_4096`\n- Asymmetric NIST-recommended elliptic curve key pairs\n\n- `ECC_NIST_P256` (secp256r1)\n- `ECC_NIST_P384` (secp384r1)\n- `ECC_NIST_P521` (secp521r1)\n- Other asymmetric elliptic curve key pairs\n\n- `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.\n- SM2 key pairs (China Regions only)\n\n- `SM2`", "KeyUsage": "Determines the [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT` . This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the `KeyUsage` value after the KMS key is created.\n\n> If you change the value of the `KeyUsage` property on an existing KMS key, the update request fails, regardless of the value of the [`UpdateReplacePolicy` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) . This prevents you from accidentally deleting a KMS key by changing an immutable property value. \n\nSelect only one valid value.\n\n- For symmetric encryption KMS keys, omit the property or specify `ENCRYPT_DECRYPT` .\n- For asymmetric KMS keys with RSA key material, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY` .\n- For asymmetric KMS keys with ECC key material, specify `SIGN_VERIFY` .\n- For asymmetric KMS keys with SM2 (China Regions only) key material, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY` .\n- For HMAC KMS keys, specify `GENERATE_VERIFY_MAC` .", "MultiRegion": "Creates a multi-Region primary key that you can replicate in other AWS Regions . You can't change the `MultiRegion` value after the KMS key is created.\n\nFor a list of AWS Regions in which multi-Region keys are supported, see [Multi-Region keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the ** .\n\n> If you change the value of the `MultiRegion` property on an existing KMS key, the update request fails, regardless of the value of the [`UpdateReplacePolicy` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) . This prevents you from accidentally deleting a KMS key by changing an immutable property value. \n\nFor a multi-Region key, set to this property to `true` . For a single-Region key, omit this property or set it to `false` . The default value is `false` .\n\n*Multi-Region keys* are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see [Multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .\n\nYou can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store.\n\nTo create a replica of this primary key in a different AWS Region , create an [AWS::KMS::ReplicaKey](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-replicakey.html) resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key.", - "PendingWindowInDays": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "Origin": "The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is `AWS_KMS` , which means that AWS KMS creates the key material.\n\nTo [create a KMS key with no key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) (for imported key material), set this value to `EXTERNAL` . For more information about importing key material into AWS KMS , see [Importing Key Material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) in the *AWS Key Management Service Developer Guide* .\n\nYou can ignore `ENABLED` when Origin is `EXTERNAL` . When a KMS key with Origin `EXTERNAL` is created, the key state is `PENDING_IMPORT` and `ENABLED` is `false` . After you import the key material, `ENABLED` updated to `true` . The KMS key can then be used for Cryptographic Operations.\n\n> AWS CloudFormation doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.", + "PendingWindowInDays": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "Tags": "Assigns one or more tags to the replica key.\n\n> Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see [ABAC for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *AWS Key Management Service Developer Guide* . \n\nFor information about tags in AWS KMS , see [Tagging keys](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) in the *AWS Key Management Service Developer Guide* . For information about tags in CloudFormation, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::KMS::Key Tag": { + "Key": "", + "Value": "" + }, "AWS::KMS::ReplicaKey": { "Description": "A description of the KMS key.\n\nThe default value is an empty string (no description).\n\nThe description is not a shared property of multi-Region keys. You can specify the same description or a different description for each key in a set of related multi-Region keys. AWS Key Management Service does not synchronize this property.", "Enabled": "Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations.\n\nWhen `Enabled` is `true` , the *key state* of the KMS key is `Enabled` . When `Enabled` is `false` , the key state of the KMS key is `Disabled` . The default value is `true` .\n\nThe actual key state of the replica might be affected by actions taken outside of CloudFormation, such as running the [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html) , [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) , or [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operations. Also, while the replica key is being created, its key state is `Creating` . When the process is complete, the key state of the replica key changes to `Enabled` .\n\nFor information about the key states of a KMS key, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* .", "KeyPolicy": "The key policy that authorizes use of the replica key.\n\nThe key policy is not a shared property of multi-Region keys. You can specify the same key policy or a different key policy for each key in a set of related multi-Region keys. AWS KMS does not synchronize this property.\n\nThe key policy must conform to the following rules.\n\n- The key policy must give the caller [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) permission on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section of the **AWS Key Management Service Developer Guide** .\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters from the space character ( `\\u0020` ) through the end of the ASCII character range.\n- Printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` ).\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", - "PendingWindowInDays": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "PendingWindowInDays": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "PrimaryKeyArn": "Specifies the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS partition. You can create only one replica of a given primary key in each AWS Region .\n\n> If you change the `PrimaryKeyArn` value of a replica key, the existing replica key is scheduled for deletion and a new replica key is created based on the specified primary key. While it is scheduled for deletion, the existing replica key becomes unusable. You can cancel the scheduled deletion of the key outside of CloudFormation.\n> \n> However, if you inadvertently delete a replica key, you can decrypt ciphertext encrypted by that replica key by using any related multi-Region key. If necessary, you can recreate the replica in the same Region after the previous one is completely deleted. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* \n\nSpecify the key ARN of an existing multi-Region primary key. For example, `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab` .", "Tags": "Assigns one or more tags to the replica key.\n\n> Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see [ABAC for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *AWS Key Management Service Developer Guide* . \n\nTags are not a shared property of multi-Region keys. You can specify the same tags or different tags for each key in a set of related multi-Region keys. AWS KMS does not synchronize this property.\n\nEach tag consists of a tag key and a tag value. Both the tag key and the tag value are required, but the tag value can be an empty (null) string. You cannot have more than one tag on a KMS key with the same tag key. If you specify an existing tag key with a different tag value, AWS KMS replaces the current tag value with the specified one.\n\nWhen you assign tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For details, see [Tagging keys](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) ." }, + "AWS::KMS::ReplicaKey Tag": { + "Key": "", + "Value": "" + }, "AWS::KafkaConnect::Connector": { "Capacity": "The connector's compute capacity settings.", "ConnectorConfiguration": "The configuration of the connector.", @@ -16541,6 +18509,7 @@ "DataSourceConfiguration": "Configuration information for an Amazon Kendra data source. The contents of the configuration depend on the type of data source. You can only specify one type of data source in the configuration.\n\nYou can't specify the `Configuration` parameter when the `Type` parameter is set to `CUSTOM` .\n\nThe `Configuration` parameter is required for all other data sources.", "Description": "A description for the data source connector.", "IndexId": "The identifier of the index you want to use with the data source connector.", + "LanguageCode": "The code for a language. This shows a supported language for all documents in the data source. English is supported by default. For more information on supported languages, including their codes, see [Adding documents in languages other than English](https://docs.aws.amazon.com/kendra/latest/dg/in-adding-languages.html) .", "Name": "The name of the data source.", "RoleArn": "The Amazon Resource Name (ARN) of a role with permission to access the data source.\n\nYou can't specify the `RoleArn` parameter when the `Type` parameter is set to `CUSTOM` .\n\nThe `RoleArn` parameter is required for all other data sources.", "Schedule": "Sets the frequency that Amazon Kendra checks the documents in your data source and updates the index. If you don't set a schedule, Amazon Kendra doesn't periodically update the index.", @@ -16635,9 +18604,9 @@ "WorkDocsConfiguration": "Provides the configuration information to connect to Amazon WorkDocs as your data source." }, "AWS::Kendra::DataSource DataSourceToIndexFieldMapping": { - "DataSourceFieldName": "The name of the column or attribute in the data source.", - "DateFieldFormat": "The type of data stored in the column or attribute.", - "IndexFieldName": "The name of the field in the index." + "DataSourceFieldName": "The name of the field in the data source. You must first create the index field using the `UpdateIndex` API.", + "DateFieldFormat": "The format for date fields in the data source. If the field specified in `DataSourceFieldName` is a date field, you must specify the date format. If the field is not a date field, an exception is thrown.", + "IndexFieldName": "The name of the index field to map to the data source field. The index field type must match the data source field type." }, "AWS::Kendra::DataSource DataSourceVpcConfiguration": { "SecurityGroupIds": "A list of identifiers of security groups within your Amazon VPC. The security groups should enable Amazon Kendra to connect to the data source.", @@ -16804,6 +18773,10 @@ "AWS::Kendra::DataSource SqlConfiguration": { "QueryIdentifiersEnclosingOption": "Determines whether Amazon Kendra encloses SQL identifiers for tables and column names in double quotes (\") when making a database query. You can set the value to `DOUBLE_QUOTES` or `NONE` .\n\nBy default, Amazon Kendra passes SQL identifiers the way that they are entered into the data source configuration. It does not change the case of identifiers or enclose them in quotes.\n\nPostgreSQL internally converts uppercase characters to lower case characters in identifiers unless they are quoted. Choosing this option encloses identifiers in quotes so that PostgreSQL does not convert the character's case.\n\nFor MySQL databases, you must enable the ansi_quotes option when you set this field to `DOUBLE_QUOTES` ." }, + "AWS::Kendra::DataSource Tag": { + "Key": "The key for the tag. Keys are not case sensitive and must be unique for the index, FAQ, or data source.", + "Value": "The value associated with the tag. The value may be an empty string but it can't be null." + }, "AWS::Kendra::DataSource WebCrawlerAuthenticationConfiguration": { "BasicAuthentication": "The list of configuration information that's required to connect to and crawl a website host using basic authentication credentials.\n\nThe list includes the name and port number of the website host." }, @@ -16855,8 +18828,12 @@ "Bucket": "The name of the S3 bucket that contains the file.", "Key": "The name of the file." }, + "AWS::Kendra::Faq Tag": { + "Key": "The key for the tag. Keys are not case sensitive and must be unique for the index, FAQ, or data source.", + "Value": "The value associated with the tag. The value may be an empty string but it can't be null." + }, "AWS::Kendra::Index": { - "CapacityUnits": "", + "CapacityUnits": "Specifies additional capacity units configured for your Enterprise Edition index. You can add and remove capacity units to fit your usage requirements.", "Description": "A description for the index.", "DocumentMetadataConfigurations": "Specifies the properties of an index field. You can add either a custom or a built-in field. You can add and remove built-in fields at any time. When a built-in field is removed it's configuration reverts to the default for the field. Custom fields can't be removed from an index after they are added.", "Edition": "Indicates whether the index is a Enterprise Edition index or a Developer Edition index. Valid values are `DEVELOPER_EDITION` and `ENTERPRISE_EDITION` .", @@ -16906,6 +18883,10 @@ "AWS::Kendra::Index ServerSideEncryptionConfiguration": { "KmsKeyId": "The identifier of the AWS KMS key . Amazon Kendra doesn't support asymmetric keys." }, + "AWS::Kendra::Index Tag": { + "Key": "The key for the tag. Keys are not case sensitive and must be unique for the index, FAQ, or data source.", + "Value": "The value associated with the tag. The value may be an empty string but it can't be null." + }, "AWS::Kendra::Index UserTokenConfiguration": { "JsonTokenTypeConfiguration": "Information about the JSON token type configuration.", "JwtTokenTypeConfiguration": "Information about the JWT token type configuration." @@ -16923,6 +18904,10 @@ "AWS::KendraRanking::ExecutionPlan CapacityUnitsConfiguration": { "RescoreCapacityUnits": "The amount of extra capacity for your rescore execution plan.\n\nA single extra capacity unit for a rescore execution plan provides 0.01 rescore requests per second. You can add up to 1000 extra capacity units." }, + "AWS::KendraRanking::ExecutionPlan Tag": { + "Key": "The key for the tag. Keys are not case sensitive and must be unique.", + "Value": "The value associated with the tag. The value can be an empty string but it can't be null." + }, "AWS::Kinesis::Stream": { "Name": "The name of the Kinesis stream. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the stream name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nIf you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", "RetentionPeriodHours": "The number of hours for the data records that are stored in shards to remain accessible. The default value is 24. For more information about the stream retention period, see [Changing the Data Retention Period](https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html) in the Amazon Kinesis Developer Guide.", @@ -16938,6 +18923,10 @@ "AWS::Kinesis::Stream StreamModeDetails": { "StreamMode": "Specifies the capacity mode to which you want to set your data stream. Currently, in Kinesis Data Streams, you can choose between an *on-demand* capacity mode and a *provisioned* capacity mode for your data streams." }, + "AWS::Kinesis::Stream Tag": { + "Key": "A unique identifier for the tag. Maximum length: 128 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - % @", + "Value": "An optional string, typically used to describe or define the tag. Maximum length: 256 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - % @" + }, "AWS::Kinesis::StreamConsumer": { "ConsumerName": "The name of the consumer is something you choose when you register the consumer.", "StreamARN": "The ARN of the stream with which you registered the consumer." @@ -17070,7 +19059,7 @@ "ApplicationMaintenanceConfiguration": "", "ApplicationMode": "To create a Kinesis Data Analytics Studio notebook, you must set the mode to `INTERACTIVE` . However, for a Kinesis Data Analytics for Apache Flink application, the mode is optional.", "ApplicationName": "The name of the application.", - "RunConfiguration": "", + "RunConfiguration": "Describes the starting parameters for an Managed Service for Apache Flink application.", "RuntimeEnvironment": "The runtime environment for the application.", "ServiceExecutionRole": "Specifies the IAM role that the application uses to access external resources.", "Tags": "A list of one or more tags to assign to the application. A tag is a key-value pair that identifies an application. Note that the maximum number of application tags includes system tags. The maximum number of user-defined application tags is 50." @@ -17080,11 +19069,11 @@ "CodeContentType": "Specifies whether the code content is in text or zip format." }, "AWS::KinesisAnalyticsV2::Application ApplicationConfiguration": { - "ApplicationCodeConfiguration": "The code location and type parameters for a Flink-based Kinesis Data Analytics application.", - "ApplicationSnapshotConfiguration": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", - "EnvironmentProperties": "Describes execution properties for a Flink-based Kinesis Data Analytics application.", - "FlinkApplicationConfiguration": "The creation and update parameters for a Flink-based Kinesis Data Analytics application.", - "SqlApplicationConfiguration": "The creation and update parameters for a SQL-based Kinesis Data Analytics application.", + "ApplicationCodeConfiguration": "The code location and type parameters for a Managed Service for Apache Flink application.", + "ApplicationSnapshotConfiguration": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", + "EnvironmentProperties": "Describes execution properties for a Managed Service for Apache Flink application.", + "FlinkApplicationConfiguration": "The creation and update parameters for a Managed Service for Apache Flink application.", + "SqlApplicationConfiguration": "The creation and update parameters for a SQL-based Managed Service for Apache Flink application.", "VpcConfigurations": "The array of descriptions of VPC configurations available to the application.", "ZeppelinApplicationConfiguration": "The configuration parameters for a Kinesis Data Analytics Studio notebook." }, @@ -17096,7 +19085,7 @@ "SnapshotName": "The identifier of an existing snapshot of application state to use to restart an application. The application uses this value if `RESTORE_FROM_CUSTOM_SNAPSHOT` is specified for the `ApplicationRestoreType` ." }, "AWS::KinesisAnalyticsV2::Application ApplicationSnapshotConfiguration": { - "SnapshotsEnabled": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application." + "SnapshotsEnabled": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application." }, "AWS::KinesisAnalyticsV2::Application CSVMappingParameters": { "RecordColumnDelimiter": "The column delimiter. For example, in a CSV format, a comma (\",\") is the typical column delimiter.", @@ -17107,14 +19096,14 @@ }, "AWS::KinesisAnalyticsV2::Application CheckpointConfiguration": { "CheckpointInterval": "Describes the interval in milliseconds between checkpoint operations.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointInterval` value of 60000, even if this value is set to another value using this API or in application code.", - "CheckpointingEnabled": "Describes whether checkpointing is enabled for a Flink-based Kinesis Data Analytics application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", - "ConfigurationType": "Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", + "CheckpointingEnabled": "Describes whether checkpointing is enabled for a Managed Service for Apache Flink application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", + "ConfigurationType": "Describes whether the application uses Managed Service for Apache Flink' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", "MinPauseBetweenCheckpoints": "Describes the minimum time in milliseconds after a checkpoint operation completes that a new checkpoint operation can start. If a checkpoint operation takes longer than the `CheckpointInterval` , the application otherwise performs continual checkpoint operations. For more information, see [Tuning Checkpointing](https://docs.aws.amazon.com/https://ci.apache.org/projects/flink/flink-docs-release-1.8/ops/state/large_state_tuning.html#tuning-checkpointing) in the [Apache Flink Documentation](https://docs.aws.amazon.com/https://ci.apache.org/projects/flink/flink-docs-release-1.8/) .\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `MinPauseBetweenCheckpoints` value of 5000, even if this value is set using this API or in application code." }, "AWS::KinesisAnalyticsV2::Application CodeContent": { "S3ContentLocation": "Information about the Amazon S3 bucket that contains the application code.", - "TextContent": "The text-format code for a Flink-based Kinesis Data Analytics application.", - "ZipFileContent": "The zip-format code for a Flink-based Kinesis Data Analytics application." + "TextContent": "The text-format code for a Managed Service for Apache Flink application.", + "ZipFileContent": "The zip-format code for a Managed Service for Apache Flink application." }, "AWS::KinesisAnalyticsV2::Application CustomArtifactConfiguration": { "ArtifactType": "Set this to either `UDF` or `DEPENDENCY_JAR` . `UDF` stands for user-defined functions. This type of artifact must be in an S3 bucket. A `DEPENDENCY_JAR` can be in either Maven or an S3 bucket.", @@ -17140,11 +19129,11 @@ }, "AWS::KinesisAnalyticsV2::Application Input": { "InputParallelism": "Describes the number of in-application streams to create.", - "InputProcessingConfiguration": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) .", + "InputProcessingConfiguration": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) .", "InputSchema": "Describes the format of the data in the streaming source, and how each data element maps to corresponding columns in the in-application stream that is being created.\n\nAlso used to describe the format of the reference data source.", "KinesisFirehoseInput": "If the streaming source is an Amazon Kinesis Data Firehose delivery stream, identifies the delivery stream's ARN.", "KinesisStreamsInput": "If the streaming source is an Amazon Kinesis data stream, identifies the stream's Amazon Resource Name (ARN).", - "NamePrefix": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Kinesis Data Analytics then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on." + "NamePrefix": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Managed Service for Apache Flink then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on." }, "AWS::KinesisAnalyticsV2::Application InputLambdaProcessor": { "ResourceARN": "The ARN of the Amazon Lambda function that operates on records in the stream.\n\n> To specify an earlier version of the Lambda function than the latest, include the Lambda function version in the Lambda function ARN. For more information about Lambda ARNs, see [Example ARNs: Amazon Lambda](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-lambda)" @@ -17153,7 +19142,7 @@ "Count": "The number of in-application streams to create." }, "AWS::KinesisAnalyticsV2::Application InputProcessingConfiguration": { - "InputLambdaProcessor": "The [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code." + "InputLambdaProcessor": "The [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code." }, "AWS::KinesisAnalyticsV2::Application InputSchema": { "RecordColumns": "A list of `RecordColumn` objects.", @@ -17184,9 +19173,9 @@ "MetricsLevel": "Describes the granularity of the CloudWatch Logs for an application. The `Parallelism` level is not recommended for applications with a Parallelism over 64 due to excessive costs." }, "AWS::KinesisAnalyticsV2::Application ParallelismConfiguration": { - "AutoScalingEnabled": "Describes whether the Kinesis Data Analytics service can increase the parallelism of the application in response to increased throughput.", - "ConfigurationType": "Describes whether the application uses the default parallelism for the Kinesis Data Analytics service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", - "Parallelism": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", + "AutoScalingEnabled": "Describes whether the Managed Service for Apache Flink service can increase the parallelism of the application in response to increased throughput.", + "ConfigurationType": "Describes whether the application uses the default parallelism for the Managed Service for Apache Flink service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", + "Parallelism": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", "ParallelismPerKPU": "Describes the number of parallel tasks that a Java-based Kinesis Data Analytics application can perform per Kinesis Processing Unit (KPU) used by the application. For more information about KPUs, see [Amazon Kinesis Data Analytics Pricing](https://docs.aws.amazon.com/kinesis/data-analytics/pricing/) ." }, "AWS::KinesisAnalyticsV2::Application PropertyGroup": { @@ -17204,7 +19193,7 @@ }, "AWS::KinesisAnalyticsV2::Application RunConfiguration": { "ApplicationRestoreConfiguration": "Describes the restore behavior of a restarting application.", - "FlinkRunConfiguration": "Describes the starting parameters for a Flink-based Kinesis Data Analytics application." + "FlinkRunConfiguration": "Describes the starting parameters for a Managed Service for Apache Flink application." }, "AWS::KinesisAnalyticsV2::Application S3ContentBaseLocation": { "BasePath": "The base path for the S3 bucket.", @@ -17216,7 +19205,11 @@ "ObjectVersion": "The version of the object containing the application code." }, "AWS::KinesisAnalyticsV2::Application SqlApplicationConfiguration": { - "Inputs": "The array of [Input](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_Input.html) objects describing the input streams used by the application." + "Inputs": "The array of [Input](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_Input.html) objects describing the input streams used by the application." + }, + "AWS::KinesisAnalyticsV2::Application Tag": { + "Key": "The key of the key-value tag.", + "Value": "The value of the key-value tag. The value is optional." }, "AWS::KinesisAnalyticsV2::Application VpcConfiguration": { "SecurityGroupIds": "The array of [SecurityGroup](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SecurityGroup.html) IDs used by the VPC configuration.", @@ -17240,7 +19233,7 @@ }, "AWS::KinesisAnalyticsV2::ApplicationOutput": { "ApplicationName": "The name of the application.", - "Output": "Describes a SQL-based Kinesis Data Analytics application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream." + "Output": "Describes a SQL-based Managed Service for Apache Flink application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream." }, "AWS::KinesisAnalyticsV2::ApplicationOutput DestinationSchema": { "RecordFormatType": "Specifies the format of the records on the output stream." @@ -17263,7 +19256,7 @@ }, "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource": { "ApplicationName": "The name of the application.", - "ReferenceDataSource": "For a SQL-based Kinesis Data Analytics application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table." + "ReferenceDataSource": "For a SQL-based Managed Service for Apache Flink application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table." }, "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource CSVMappingParameters": { "RecordColumnDelimiter": "The column delimiter. For example, in a CSV format, a comma (\",\") is the typical column delimiter.", @@ -17287,7 +19280,7 @@ }, "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource ReferenceDataSource": { "ReferenceSchema": "Describes the format of the data in the streaming source, and how each data element maps to corresponding columns created in the in-application stream.", - "S3ReferenceDataSource": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", + "S3ReferenceDataSource": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", "TableName": "The name of the in-application table to create." }, "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource ReferenceSchema": { @@ -17300,7 +19293,7 @@ "FileKey": "The object key name containing the reference data." }, "AWS::KinesisFirehose::DeliveryStream": { - "AmazonOpenSearchServerlessDestinationConfiguration": "", + "AmazonOpenSearchServerlessDestinationConfiguration": "Describes the configuration of a destination in the Serverless offering for Amazon OpenSearch Service.", "AmazonopensearchserviceDestinationConfiguration": "The destination in Amazon OpenSearch Service. You can specify only one destination.", "DeliveryStreamEncryptionConfigurationInput": "Specifies the type and Amazon Resource Name (ARN) of the CMK to use for Server-Side Encryption (SSE).", "DeliveryStreamName": "The name of the delivery stream.", @@ -17309,29 +19302,30 @@ "ExtendedS3DestinationConfiguration": "An Amazon S3 destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon Extended S3 destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .", "HttpEndpointDestinationConfiguration": "Enables configuring Kinesis Firehose to deliver data to any HTTP endpoint destination. You can specify only one destination.", "KinesisStreamSourceConfiguration": "When a Kinesis stream is used as the source for the delivery stream, a [KinesisStreamSourceConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-kinesisstreamsourceconfiguration.html) containing the Kinesis stream ARN and the role ARN for the source stream.", + "MSKSourceConfiguration": "The configuration for the Amazon MSK cluster to be used as the source for a delivery stream.", "RedshiftDestinationConfiguration": "An Amazon Redshift destination for the delivery stream.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon Redshift destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .", "S3DestinationConfiguration": "The `S3DestinationConfiguration` property type specifies an Amazon Simple Storage Service (Amazon S3) destination to which Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivers data.\n\nConditional. You must specify only one destination configuration.\n\nIf you change the delivery stream destination from an Amazon S3 destination to an Amazon ES destination, update requires [some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) .", "SplunkDestinationConfiguration": "The configuration of a destination in Splunk for the delivery stream.", "Tags": "A set of tags to assign to the delivery stream. A tag is a key-value pair that you can define and assign to AWS resources. Tags are metadata. For example, you can add friendly names and descriptions or other types of information that can help you distinguish the delivery stream. For more information about tags, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the AWS Billing and Cost Management User Guide.\n\nYou can specify up to 50 tags when creating a delivery stream." }, "AWS::KinesisFirehose::DeliveryStream AmazonOpenSearchServerlessBufferingHints": { - "IntervalInSeconds": "", - "SizeInMBs": "" + "IntervalInSeconds": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300 (5 minutes).", + "SizeInMBs": "Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.\n\nWe recommend setting this parameter to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec, the value should be 10 MB or higher." }, "AWS::KinesisFirehose::DeliveryStream AmazonOpenSearchServerlessDestinationConfiguration": { - "BufferingHints": "", + "BufferingHints": "The buffering options. If no value is specified, the default values for AmazonopensearchserviceBufferingHints are used.", "CloudWatchLoggingOptions": "", - "CollectionEndpoint": "", - "IndexName": "", + "CollectionEndpoint": "The endpoint to use when communicating with the collection in the Serverless offering for Amazon OpenSearch Service.", + "IndexName": "The Serverless offering for Amazon OpenSearch Service index name.", "ProcessingConfiguration": "", - "RetryOptions": "", - "RoleARN": "", - "S3BackupMode": "", + "RetryOptions": "The retry behavior in case Kinesis Data Firehose is unable to deliver documents to the Serverless offering for Amazon OpenSearch Service. The default value is 300 (5 minutes).", + "RoleARN": "The Amazon Resource Name (ARN) of the IAM role to be assumed by Kinesis Data Firehose for calling the Serverless offering for Amazon OpenSearch Service Configuration API and for indexing documents.", + "S3BackupMode": "Defines how documents should be delivered to Amazon S3. When it is set to FailedDocumentsOnly, Kinesis Data Firehose writes any documents that could not be indexed to the configured Amazon S3 destination, with AmazonOpenSearchService-failed/ appended to the key prefix. When set to AllDocuments, Kinesis Data Firehose delivers all incoming records to Amazon S3, and also writes failed documents with AmazonOpenSearchService-failed/ appended to the prefix.", "S3Configuration": "", "VpcConfiguration": "" }, "AWS::KinesisFirehose::DeliveryStream AmazonOpenSearchServerlessRetryOptions": { - "DurationInSeconds": "" + "DurationInSeconds": "After an initial failure to deliver to the Serverless offering for Amazon OpenSearch Service, the total amount of time during which Kinesis Data Firehose retries delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. Default value is 300 seconds (5 minutes). A value of 0 (zero) results in no retries." }, "AWS::KinesisFirehose::DeliveryStream AmazonopensearchserviceBufferingHints": { "IntervalInSeconds": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300 (5 minutes).", @@ -17341,7 +19335,7 @@ "BufferingHints": "The buffering options. If no value is specified, the default values for AmazonopensearchserviceBufferingHints are used.", "CloudWatchLoggingOptions": "Describes the Amazon CloudWatch logging options for your delivery stream.", "ClusterEndpoint": "The endpoint to use when communicating with the cluster. Specify either this ClusterEndpoint or the DomainARN field.", - "DocumentIdOptions": "", + "DocumentIdOptions": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "DomainARN": "The ARN of the Amazon OpenSearch Service domain.", "IndexName": "The Amazon OpenSearch Service index name.", "IndexRotationPeriod": "The Amazon OpenSearch Service index rotation period. Index rotation appends a timestamp to the IndexName to facilitate the expiration of old data.", @@ -17356,6 +19350,10 @@ "AWS::KinesisFirehose::DeliveryStream AmazonopensearchserviceRetryOptions": { "DurationInSeconds": "After an initial failure to deliver to Amazon OpenSearch Service, the total amount of time during which Kinesis Data Firehose retries delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. Default value is 300 seconds (5 minutes). A value of 0 (zero) results in no retries." }, + "AWS::KinesisFirehose::DeliveryStream AuthenticationConfiguration": { + "Connectivity": "The type of connectivity used to access the Amazon MSK cluster.", + "RoleARN": "The ARN of the role used to access the Amazon MSK cluster." + }, "AWS::KinesisFirehose::DeliveryStream BufferingHints": { "IntervalInSeconds": "The length of time, in seconds, that Kinesis Data Firehose buffers incoming data before delivering it to the destination. For valid values, see the `IntervalInSeconds` content for the [BufferingHints](https://docs.aws.amazon.com/firehose/latest/APIReference/API_BufferingHints.html) data type in the *Amazon Kinesis Data Firehose API Reference* .", "SizeInMBs": "The size of the buffer, in MBs, that Kinesis Data Firehose uses for incoming data before delivering it to the destination. For valid values, see the `SizeInMBs` content for the [BufferingHints](https://docs.aws.amazon.com/firehose/latest/APIReference/API_BufferingHints.html) data type in the *Amazon Kinesis Data Firehose API Reference* ." @@ -17385,7 +19383,7 @@ "OpenXJsonSerDe": "The OpenX SerDe. Used by Kinesis Data Firehose for deserializing data, which means converting it from the JSON format in preparation for serializing it to the Parquet or ORC format. This is one of two deserializers you can choose, depending on which one offers the functionality you need. The other option is the native Hive / HCatalog JsonSerDe." }, "AWS::KinesisFirehose::DeliveryStream DocumentIdOptions": { - "DefaultDocumentIdFormat": "" + "DefaultDocumentIdFormat": "When the `FIREHOSE_DEFAULT` option is chosen, Kinesis Data Firehose generates a unique document ID for each record based on a unique internal identifier. The generated document ID is stable across multiple delivery attempts, which helps prevent the same record from being indexed multiple times with different document IDs.\n\nWhen the `NO_DOCUMENT_ID` option is chosen, Kinesis Data Firehose does not include any document IDs in the requests it sends to the Amazon OpenSearch Service. This causes the Amazon OpenSearch Service domain to generate document IDs. In case of multiple delivery attempts, this may cause the same record to be indexed more than once with different document IDs. This option enables write-heavy operations, such as the ingestion of logs and observability data, to consume less resources in the Amazon OpenSearch Service domain, resulting in improved performance." }, "AWS::KinesisFirehose::DeliveryStream DynamicPartitioningConfiguration": { "Enabled": "Specifies whether dynamic partitioning is enabled for this Kinesis Data Firehose delivery stream.", @@ -17399,7 +19397,7 @@ "BufferingHints": "Configures how Kinesis Data Firehose buffers incoming data while delivering it to the Amazon ES domain.", "CloudWatchLoggingOptions": "The Amazon CloudWatch Logs logging options for the delivery stream.", "ClusterEndpoint": "The endpoint to use when communicating with the cluster. Specify either this `ClusterEndpoint` or the `DomainARN` field.", - "DocumentIdOptions": "", + "DocumentIdOptions": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "DomainARN": "The ARN of the Amazon ES domain. The IAM role must have permissions for `DescribeElasticsearchDomain` , `DescribeElasticsearchDomains` , and `DescribeElasticsearchDomainConfig` after assuming the role specified in *RoleARN* .\n\nSpecify either `ClusterEndpoint` or `DomainARN` .", "IndexName": "The name of the Elasticsearch index to which Kinesis Data Firehose adds data for indexing.", "IndexRotationPeriod": "The frequency of Elasticsearch index rotation. If you enable index rotation, Kinesis Data Firehose appends a portion of the UTC arrival timestamp to the specified index name, and rotates the appended timestamp accordingly. For more information, see [Index Rotation for the Amazon ES Destination](https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#es-index-rotation) in the *Amazon Kinesis Data Firehose Developer Guide* .", @@ -17470,6 +19468,11 @@ "KinesisStreamARN": "The ARN of the source Kinesis data stream.", "RoleARN": "The ARN of the role that provides access to the source Kinesis data stream." }, + "AWS::KinesisFirehose::DeliveryStream MSKSourceConfiguration": { + "AuthenticationConfiguration": "The authentication configuration of the Amazon MSK cluster.", + "MSKClusterARN": "The ARN of the Amazon MSK cluster.", + "TopicName": "The topic name within the Amazon MSK cluster." + }, "AWS::KinesisFirehose::DeliveryStream OpenXJsonSerDe": { "CaseInsensitive": "When set to `true` , which is the default, Kinesis Data Firehose converts JSON keys to lowercase before deserializing them.", "ColumnToJsonKeyMappings": "Maps column names to JSON keys that aren't identical to the column names. This is useful when the JSON contains keys that are Hive keywords. For example, `timestamp` is a Hive keyword. If you have a JSON key named `timestamp` , set this parameter to `{\"ts\": \"timestamp\"}` to map this key to a column named `ts` .", @@ -17565,6 +19568,10 @@ "AWS::KinesisFirehose::DeliveryStream SplunkRetryOptions": { "DurationInSeconds": "The total amount of time that Kinesis Data Firehose spends on retries. This duration starts after the initial attempt to send data to Splunk fails. It doesn't include the periods during which Kinesis Data Firehose waits for acknowledgment from Splunk after each attempt." }, + "AWS::KinesisFirehose::DeliveryStream Tag": { + "Key": "A unique identifier for the tag. Maximum length: 128 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - % @", + "Value": "An optional string, which you can use to describe or define the tag. Maximum length: 256 characters. Valid characters: Unicode letters, digits, white space, _ . / = + - % @" + }, "AWS::KinesisFirehose::DeliveryStream VpcConfiguration": { "RoleARN": "The ARN of the IAM role that you want the delivery stream to use to create endpoints in the destination VPC. You can use your existing Kinesis Data Firehose delivery role or you can specify a new role. In either case, make sure that the role trusts the Kinesis Data Firehose service principal and that it grants the following permissions:\n\n- `ec2:DescribeVpcs`\n- `ec2:DescribeVpcAttribute`\n- `ec2:DescribeSubnets`\n- `ec2:DescribeSecurityGroups`\n- `ec2:DescribeNetworkInterfaces`\n- `ec2:CreateNetworkInterface`\n- `ec2:CreateNetworkInterfacePermission`\n- `ec2:DeleteNetworkInterface`\n\nIf you revoke these permissions after you create the delivery stream, Kinesis Data Firehose can't scale out by creating more ENIs when necessary. You might therefore see a degradation in performance.", "SecurityGroupIds": "The IDs of the security groups that you want Kinesis Data Firehose to use when it creates ENIs in the VPC of the Amazon ES destination. You can use the same security group that the Amazon ES domain uses or different ones. If you specify different security groups here, ensure that they allow outbound HTTPS traffic to the Amazon ES domain's security group. Also ensure that the Amazon ES domain's security group allows HTTPS traffic from the security groups specified here. If you use the same security group for both your delivery stream and the Amazon ES domain, make sure the security group inbound rule allows HTTPS traffic.", @@ -17576,6 +19583,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "Type": "A type of the signaling channel that you are creating. Currently, `SINGLE_MASTER` is the only supported channel type." }, + "AWS::KinesisVideo::SignalingChannel Tag": { + "Key": "The key of the tag that is associated with the specified signaling channel.", + "Value": "The value of the tag that is associated with the specified signaling channel." + }, "AWS::KinesisVideo::Stream": { "DataRetentionInHours": "How long the stream retains data, in hours.", "DeviceName": "The name of the device that is associated with the stream.", @@ -17584,6 +19595,10 @@ "Name": "The name of the stream.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::KinesisVideo::Stream Tag": { + "Key": "The key of the tag that is associated with the specified signaling channel.", + "Value": "The value of the tag that is associated with the specified signaling channel." + }, "AWS::LakeFormation::DataCellsFilter": { "ColumnNames": "An array of UTF-8 strings. A list of column names.", "ColumnWildcard": "A wildcard with exclusions. You must specify either a `ColumnNames` list or the `ColumnWildCard` .", @@ -17603,20 +19618,18 @@ "AWS::LakeFormation::DataLakeSettings": { "Admins": "A list of AWS Lake Formation principals.", "AllowExternalDataFiltering": "Whether to allow Amazon EMR clusters or other third-party query engines to access data managed by Lake Formation .\n\nIf set to true, you allow Amazon EMR clusters or other third-party engines to access data in Amazon S3 locations that are registered with Lake Formation .\n\nIf false or null, no third-party query engines will be able to access data in Amazon S3 locations that are registered with Lake Formation.\n\nFor more information, see [External data filtering setting](https://docs.aws.amazon.com/lake-formation/latest/dg/initial-LF-setup.html#external-data-filter) .", + "AllowFullTableExternalDataAccess": "Specifies whether query engines and applications can get credentials without IAM session tags if the user has full table access. It provides query engines and applications performance benefits as well as simplifies data access. Amazon EMR on Amazon EC2 is able to leverage this setting.\n\nFor more information, see [](https://docs.aws.amazon.com/lake-formation/latest/dg/using-cred-vending.html)", "AuthorizedSessionTagValueList": "Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it. Lake Formation will publish the acceptable key-value pair, for example key = \"LakeFormationTrustedCaller\" and value = \"TRUE\" and the third party integrator must properly tag the temporary security credentials that will be used to call Lake Formation 's administrative API operations.", "CreateDatabaseDefaultPermissions": "Specifies whether access control on a newly created database is managed by Lake Formation permissions or exclusively by IAM permissions.\n\nA null value indicates that the access is controlled by Lake Formation permissions. `ALL` permissions assigned to `IAM_ALLOWED_PRINCIPALS` group indicates that the user's IAM permissions determine the access to the database. This is referred to as the setting \"Use only IAM access control,\" and is to support backward compatibility with the AWS Glue permission model implemented by IAM permissions.\n\nThe only permitted values are an empty array or an array that contains a single JSON object that grants `ALL` to `IAM_ALLOWED_PRINCIPALS` .\n\nFor more information, see [Changing the default security settings for your data lake](https://docs.aws.amazon.com/lake-formation/latest/dg/change-settings.html) .", "CreateTableDefaultPermissions": "Specifies whether access control on a newly created table is managed by Lake Formation permissions or exclusively by IAM permissions.\n\nA null value indicates that the access is controlled by Lake Formation permissions. `ALL` permissions assigned to `IAM_ALLOWED_PRINCIPALS` group indicate that the user's IAM permissions determine the access to the table. This is referred to as the setting \"Use only IAM access control,\" and is to support the backward compatibility with the AWS Glue permission model implemented by IAM permissions.\n\nThe only permitted values are an empty array or an array that contains a single JSON object that grants `ALL` permissions to `IAM_ALLOWED_PRINCIPALS` .\n\nFor more information, see [Changing the default security settings for your data lake](https://docs.aws.amazon.com/lake-formation/latest/dg/change-settings.html) .", "ExternalDataFilteringAllowList": "A list of the account IDs of AWS accounts with Amazon EMR clusters or third-party engines that are allwed to perform data filtering.", + "MutationType": "Specifies whether the data lake settings are updated by adding new values to the current settings ( `APPEND` ) or by replacing the current settings with new settings ( `REPLACE` ).\n\n> If you choose `REPLACE` , your current data lake settings will be replaced with the new values in your template.", "Parameters": "A key-value map that provides an additional configuration on your data lake. `CrossAccountVersion` is the key you can configure in the `Parameters` field. Accepted values for the `CrossAccountVersion` key are 1, 2, and 3.", "TrustedResourceOwners": "An array of UTF-8 strings.\n\nA list of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs). The user ARNs can be logged in the resource owner's CloudTrail log. You may want to specify this property when you are in a high-trust boundary, such as the same team or company." }, - "AWS::LakeFormation::DataLakeSettings Admins": {}, - "AWS::LakeFormation::DataLakeSettings CreateDatabaseDefaultPermissions": {}, - "AWS::LakeFormation::DataLakeSettings CreateTableDefaultPermissions": {}, "AWS::LakeFormation::DataLakeSettings DataLakePrincipal": { "DataLakePrincipalIdentifier": "An identifier for the Lake Formation principal." }, - "AWS::LakeFormation::DataLakeSettings ExternalDataFilteringAllowList": {}, "AWS::LakeFormation::DataLakeSettings PrincipalPermissions": { "Permissions": "The permissions that are granted to the principal.", "Principal": "The principal who is granted permissions." @@ -17653,7 +19666,6 @@ "Name": "The name of the table.", "TableWildcard": "An empty object representing all tables under a database. If this field is specified instead of the `Name` field, all tables under `DatabaseName` will have permission changes applied." }, - "AWS::LakeFormation::Permissions TableWildcard": {}, "AWS::LakeFormation::Permissions TableWithColumnsResource": { "CatalogId": "The identifier for the Data Catalog . By default, it is the account ID of the caller.", "ColumnNames": "The list of column names for the table. At least one of `ColumnNames` or `ColumnWildcard` is required.", @@ -17713,7 +19725,7 @@ "TableWithColumns": "The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3." }, "AWS::LakeFormation::PrincipalPermissions TableResource": { - "CatalogId": "", + "CatalogId": "The identifier for the Data Catalog. By default, it is the account ID of the caller.", "DatabaseName": "The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.", "Name": "The name of the table.", "TableWildcard": "A wildcard object representing every table under a database.\n\nAt least one of `TableResource$Name` or `TableResource$TableWildcard` is required." @@ -17888,8 +19900,9 @@ "ImageConfig": "Configuration values that override the container image Dockerfile settings. For more information, see [Container image settings](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#images-parms) .", "KmsKeyArn": "The ARN of the AWS Key Management Service ( AWS KMS ) customer managed key that's used to encrypt your function's [environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption) . When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart-security.html) is activated, Lambda also uses this key is to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to encrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR).\nIf you don't provide a customer managed key, Lambda uses a default service key.", "Layers": "A list of [function layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) to add to the function's execution environment. Specify each layer by its ARN, including the version.", - "MemorySize": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB.", + "MemorySize": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase.", "PackageType": "The type of deployment package. Set to `Image` for container image and set `Zip` for .zip file archive.", + "Policy": "", "ReservedConcurrentExecutions": "The number of simultaneous executions to reserve for the function.", "Role": "The Amazon Resource Name (ARN) of the function's execution role.", "Runtime": "The identifier of the function's [runtime](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html) . Runtime is required if the deployment package is a .zip file archive.\n\nThe following list includes deprecated runtimes. For more information, see [Runtime deprecation policy](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-support-policy) .", @@ -17936,10 +19949,15 @@ "ApplyOn": "When set to `PublishedVersions` , Lambda creates a snapshot of the execution environment when you publish a function version.", "OptimizationStatus": "When you provide a [qualified Amazon Resource Name (ARN)](https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html#versioning-versions-using) , this response element indicates whether SnapStart is activated for the specified function version." }, + "AWS::Lambda::Function Tag": { + "Key": "", + "Value": "" + }, "AWS::Lambda::Function TracingConfig": { "Mode": "The tracing mode." }, "AWS::Lambda::Function VpcConfig": { + "Ipv6AllowedForDualStack": "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.", "SecurityGroupIds": "A list of VPC security group IDs.", "SubnetIds": "A list of VPC subnet IDs." }, @@ -17991,11 +20009,16 @@ "CodeSha256": "Only publish a version if the hash value matches the value that's specified. Use this option to avoid publishing a version if the function code has changed since you last updated it. Updates are not supported for this property.", "Description": "A description for the version to override the description in the function configuration. Updates are not supported for this property.", "FunctionName": "The name of the Lambda function.\n\n**Name formats** - *Function name* - `MyFunction` .\n- *Function ARN* - `arn:aws:lambda:us-west-2:123456789012:function:MyFunction` .\n- *Partial ARN* - `123456789012:function:MyFunction` .\n\nThe length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.", - "ProvisionedConcurrencyConfig": "Specifies a provisioned concurrency configuration for a function's version. Updates are not supported for this property." + "ProvisionedConcurrencyConfig": "Specifies a provisioned concurrency configuration for a function's version. Updates are not supported for this property.", + "RuntimePolicy": "" }, "AWS::Lambda::Version ProvisionedConcurrencyConfiguration": { "ProvisionedConcurrentExecutions": "The amount of provisioned concurrency to allocate for the version." }, + "AWS::Lambda::Version RuntimePolicy": { + "RuntimeVersionArn": "", + "UpdateRuntimeOn": "" + }, "AWS::Lex::Bot": { "AutoBuildBotLocales": "Indicates whether Amazon Lex V2 should automatically build the locales for the bot after a change.", "BotFileS3Location": "The Amazon S3 location of files used to import a bot. The files must be in the import format specified in [JSON format for importing and exporting](https://docs.aws.amazon.com/lexv2/latest/dg/import-export-format.html) in the *Amazon Lex developer guide.*", @@ -18386,6 +20409,10 @@ "MessageGroupsList": "One or more message groups, each containing one or more messages, that define the prompts that Amazon Lex sends to the user.", "TimeoutInSeconds": "If Amazon Lex waits longer than this length of time for a response, it will stop sending messages." }, + "AWS::Lex::Bot Tag": { + "Key": "", + "Value": "" + }, "AWS::Lex::Bot TestBotAliasSettings": { "BotAliasLocaleSettings": "Specifies settings that are unique to a locale. For example, you can use a different Lambda function depending on the bot's locale.", "ConversationLogSettings": "Specifies settings for conversation logs that save audio, text, and metadata information for conversations with your users.", @@ -18460,6 +20487,10 @@ "AWS::Lex::BotAlias SentimentAnalysisSettings": { "DetectSentiment": "Sets whether Amazon Lex uses Amazon Comprehend to detect the sentiment of user utterances." }, + "AWS::Lex::BotAlias Tag": { + "Key": "", + "Value": "" + }, "AWS::Lex::BotAlias TextLogDestination": { "CloudWatch": "Defines the Amazon CloudWatch Logs log group where text and metadata logs are delivered." }, @@ -18562,16 +20593,25 @@ "AllowPublicOverrides": "A Boolean value indicating whether the access control list (ACL) permissions that are applied to individual objects override the `GetObject` option that is currently specified.\n\nWhen this is true, you can use the [PutObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html) Amazon S3 API operation to set individual objects to public (read-only) or private, using either the `public-read` ACL or the `private` ACL.", "GetObject": "Specifies the anonymous access to all objects in a bucket.\n\nThe following options can be specified:\n\n- `public` - Sets all objects in the bucket to public (read-only), making them readable by everyone on the internet.\n\nIf the `GetObject` value is set to `public` , then all objects in the bucket default to public regardless of the `allowPublicOverrides` value.\n- `private` - Sets all objects in the bucket to private, making them readable only by you and anyone that you grant access to.\n\nIf the `GetObject` value is set to `private` , and the `allowPublicOverrides` value is set to `true` , then all objects in the bucket default to private unless they are configured with a `public-read` ACL. Individual objects with a `public-read` ACL are readable by everyone on the internet." }, + "AWS::Lightsail::Bucket Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Certificate": { "CertificateName": "The name of the certificate.", "DomainName": "The domain name of the certificate.", "SubjectAlternativeNames": "An array of strings that specify the alternate domains (such as `example.org` ) and subdomains (such as `blog.example.com` ) of the certificate.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .\n\n> The `Value` of `Tags` is optional for Lightsail resources." }, + "AWS::Lightsail::Certificate Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Container": { "ContainerServiceDeployment": "An object that describes the current container deployment of the container service.", "IsDisabled": "A Boolean value indicating whether the container service is disabled.", "Power": "The power specification of the container service.\n\nThe power specifies the amount of RAM, the number of vCPUs, and the base price of the container service.", + "PrivateRegistryAccess": "An object that describes the configuration for the container service to access private container image repositories, such as Amazon Elastic Container Registry ( Amazon ECR ) private repositories.\n\nFor more information, see [Configuring access to an Amazon ECR private repository for an Amazon Lightsail container service](https://docs.aws.amazon.com/latest/userguide/amazon-lightsail-container-service-ecr-private-repo-access) in the *Amazon Lightsail Developer Guide* .", "PublicDomainNames": "The public domain name of the container service, such as `example.com` and `www.example.com` .\n\nYou can specify up to four public domain names for a container service. The domain names that you specify are used when you create a deployment with a container that is configured as the public endpoint of your container service.\n\nIf you don't specify public domain names, then you can use the default domain of the container service.\n\n> You must create and validate an SSL/TLS certificate before you can use public domain names with your container service. Use the [AWS::Lightsail::Certificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lightsail-certificate.html) resource to create a certificate for the public domain names that you want to use with your container service.", "Scale": "The scale specification of the container service.\n\nThe scale specifies the allocated compute nodes of the container service.", "ServiceName": "The name of the container service.", @@ -18588,6 +20628,10 @@ "Containers": "An object that describes the configuration for the containers of the deployment.", "PublicEndpoint": "An object that describes the endpoint of the deployment." }, + "AWS::Lightsail::Container EcrImagePullerRole": { + "IsActive": "A boolean value that indicates whether the `ECRImagePullerRole` is active.", + "PrincipalArn": "The principle Amazon Resource Name (ARN) of the role. This property is read-only." + }, "AWS::Lightsail::Container EnvironmentVariable": { "Value": "The environment variable value.", "Variable": "The environment variable key." @@ -18604,6 +20648,9 @@ "Port": "The open firewall ports of the container.", "Protocol": "The protocol name for the open ports.\n\n*Allowed values* : `HTTP` | `HTTPS` | `TCP` | `UDP`" }, + "AWS::Lightsail::Container PrivateRegistryAccess": { + "EcrImagePullerRole": "An object that describes the activation status of the role that you can use to grant a Lightsail container service access to Amazon ECR private repositories. If the role is activated, the Amazon Resource Name (ARN) of the role is also listed." + }, "AWS::Lightsail::Container PublicDomainName": { "CertificateName": "The name of the certificate for the public domains.", "DomainNames": "The public domain names to use with the container service." @@ -18613,6 +20660,10 @@ "ContainerPort": "The port of the specified container to which traffic is forwarded to.", "HealthCheckConfig": "An object that describes the health check configuration of the container." }, + "AWS::Lightsail::Container Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Database": { "AvailabilityZone": "The Availability Zone for the database.", "BackupRetention": "A Boolean value indicating whether automated backup retention is enabled for the database.", @@ -18640,11 +20691,15 @@ "ParameterName": "The name of the parameter.", "ParameterValue": "The value for the parameter." }, + "AWS::Lightsail::Database Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Disk": { "AddOns": "An array of add-ons for the disk.\n\n> If the disk has an add-on enabled when performing a delete disk request, the add-on is automatically disabled before the disk is deleted.", "AvailabilityZone": "The AWS Region and Availability Zone location for the disk (for example, `us-east-1a` ).", "DiskName": "The name of the disk.", - "Location": "", + "Location": "The AWS Region and Availability Zone where the disk is located.", "SizeInGb": "The size of the disk in GB.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .\n\n> The `Value` of `Tags` is optional for Lightsail resources." }, @@ -18657,8 +20712,12 @@ "SnapshotTimeOfDay": "The daily time when an automatic snapshot will be created.\n\nConstraints:\n\n- Must be in `HH:00` format, and in an hourly increment.\n- Specified in Coordinated Universal Time (UTC).\n- The snapshot will be automatically created between the time specified and up to 45 minutes after." }, "AWS::Lightsail::Disk Location": { - "AvailabilityZone": "", - "RegionName": "" + "AvailabilityZone": "The Availability Zone where the disk is located.", + "RegionName": "The AWS Region where the disk is located." + }, + "AWS::Lightsail::Disk Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" }, "AWS::Lightsail::Distribution": { "BundleId": "The ID of the bundle applied to the distribution.", @@ -18706,6 +20765,10 @@ "Option": "Indicates whether the distribution forwards and caches based on query strings.", "QueryStringsAllowList": "The specific query strings that the distribution forwards to the origin.\n\nYour distribution caches content based on the specified query strings.\n\nIf the `option` parameter is true, then your distribution forwards all query strings, regardless of what you specify using the `QueryStringsAllowList` parameter." }, + "AWS::Lightsail::Distribution Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::Instance": { "AddOns": "An array of add-ons for the instance.\n\n> If the instance has an add-on enabled when performing a delete instance request, the add-on is automatically disabled before the instance is deleted.", "AvailabilityZone": "The Availability Zone for the instance.", @@ -18769,6 +20832,10 @@ "Code": "The status code of the instance.", "Name": "The state of the instance (for example, `running` or `pending` )." }, + "AWS::Lightsail::Instance Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::LoadBalancer": { "AttachedInstances": "The Lightsail instances to attach to the load balancer.", "HealthCheckPath": "The path on the attached instance where the health check will be performed. If no path is specified, the load balancer tries to make a request to the default (root) page ( `/index.html` ).", @@ -18780,6 +20847,10 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .\n\n> The `Value` of `Tags` is optional for Lightsail resources.", "TlsPolicyName": "The name of the TLS security policy for the load balancer." }, + "AWS::Lightsail::LoadBalancer Tag": { + "Key": "The key of the tag.\n\nConstraints: Tag keys accept a maximum of 128 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @", + "Value": "The value of the tag.\n\nConstraints: Tag values accept a maximum of 256 letters, numbers, spaces in UTF-8, or the following characters: + - = . _ : / @" + }, "AWS::Lightsail::LoadBalancerTlsCertificate": { "CertificateAlternativeNames": "An array of alternative domain names and subdomain names for your SSL/TLS certificate.\n\nIn addition to the primary domain name, you can have up to nine alternative domain names. Wildcards (such as `*.example.com` ) are not supported.", "CertificateDomainName": "The domain name for the SSL/TLS certificate. For example, `example.com` or `www.example.com` .", @@ -18832,6 +20903,12 @@ "ConsumerArn": "The Amazon Resource Name (ARN) for the geofence collection to be associated to tracker resource. Used when you need to specify a resource across all AWS .\n\n- Format example: `arn:aws:geo:region:account-id:geofence-collection/ExampleGeofenceCollectionConsumer`", "TrackerName": "The name for the tracker resource.\n\nRequirements:\n\n- Contain only alphanumeric characters (A-Z, a-z, 0-9) , hyphens (-), periods (.), and underscores (_).\n- Must be a unique tracker resource name.\n- No spaces allowed. For example, `ExampleTracker` ." }, + "AWS::Logs::AccountPolicy": { + "PolicyDocument": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "PolicyName": "A name for the policy. This must be unique within the account.", + "PolicyType": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", + "Scope": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used." + }, "AWS::Logs::Destination": { "DestinationName": "The name of the destination.", "DestinationPolicy": "An IAM policy document that governs which AWS accounts can create subscription filters against this destination.", @@ -18845,6 +20922,10 @@ "RetentionInDays": "The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.\n\nTo set a log group so that its log events do not expire, use [DeleteRetentionPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteRetentionPolicy.html) .", "Tags": "An array of key-value pairs to apply to the log group.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Logs::LogGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::Logs::LogStream": { "LogGroupName": "The name of the log group where the log stream is created.", "LogStreamName": "The name of the log stream. The name must be unique within the log group." @@ -18890,7 +20971,7 @@ "DataOutputConfiguration": "Specifies configuration information for the output results for the inference scheduler, including the Amazon S3 location for the output.", "DataUploadFrequency": "How often data is uploaded to the source S3 bucket for the input data. This value is the length of time between data uploads. For instance, if you select 5 minutes, Amazon Lookout for Equipment will upload the real-time data to the source bucket once every 5 minutes. This frequency also determines how often Amazon Lookout for Equipment starts a scheduled inference on your data. In this example, it starts once every 5 minutes.", "InferenceSchedulerName": "The name of the inference scheduler.", - "ModelName": "The name of the ML model used for the inference scheduler.", + "ModelName": "The name of the machine learning model used for the inference scheduler.", "RoleArn": "The Amazon Resource Name (ARN) of a role with permission to access the data source being used for the inference.", "ServerSideKmsKeyId": "Provides the identifier of the AWS KMS key used to encrypt inference scheduler data by Amazon Lookout for Equipment .", "Tags": "Any tags associated with the inference scheduler.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." @@ -18916,6 +20997,10 @@ "Bucket": "", "Prefix": "" }, + "AWS::LookoutEquipment::InferenceScheduler Tag": { + "Key": "The key for the specified tag.", + "Value": "The value for the specified tag." + }, "AWS::LookoutMetrics::Alert": { "Action": "Action that will be triggered when there is an alert.", "AlertDescription": "A description of the alert.", @@ -19034,7 +21119,7 @@ "EngineType": "The type of the target platform for this application.", "KmsKeyId": "The identifier of a customer managed key.", "Name": "The name of the application.", - "RoleArn": "", + "RoleArn": "The Amazon Resource Name (ARN) of the role associated with the application.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::M2::Application Definition": { @@ -19077,7 +21162,7 @@ }, "AWS::MSK::Cluster": { "BrokerNodeGroupInfo": "Information about the broker nodes in the cluster.", - "ClientAuthentication": "Includes all client authentication related information.", + "ClientAuthentication": "VPC connection control settings for brokers.", "ClusterName": "The name of the cluster.", "ConfigurationInfo": "Represents the configuration that you want MSK to use for the cluster.", "CurrentVersion": "The version of the cluster that you want to update.", @@ -19099,7 +21184,7 @@ "BrokerAZDistribution": "This parameter is currently not in use.", "ClientSubnets": "The list of subnets to connect to in the client virtual private cloud (VPC). Amazon creates elastic network interfaces inside these subnets. Client applications use elastic network interfaces to produce and consume data.\n\nIf you use the US West (N. California) Region, specify exactly two subnets. For other Regions where Amazon MSK is available, you can specify either two or three subnets. The subnets that you specify must be in distinct Availability Zones. When you create a cluster, Amazon MSK distributes the broker nodes evenly across the subnets that you specify.\n\nClient subnets can't occupy the Availability Zone with ID `use1-az3` .", "ConnectivityInfo": "Information about the cluster's connectivity setting.", - "InstanceType": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, and kafka.m5.24xlarge, and kafka.t3.small.", + "InstanceType": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", "SecurityGroups": "The security groups to associate with the elastic network interfaces in order to specify who can connect to and communicate with the Amazon MSK cluster. If you don't specify a security group, Amazon MSK uses the default security group associated with the VPC. If you specify security groups that were shared with you, you must ensure that you have permissions to them. Specifically, you need the `ec2:DescribeSecurityGroups` permission.", "StorageInfo": "Contains information about storage volumes attached to Amazon MSK broker nodes." }, @@ -19125,7 +21210,7 @@ "VolumeSize": "The size in GiB of the EBS volume for the data drive on each broker node." }, "AWS::MSK::Cluster EncryptionAtRest": { - "DataVolumeKMSKeyId": "The ARN of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it." + "DataVolumeKMSKeyId": "The Amazon Resource Name (ARN) of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it." }, "AWS::MSK::Cluster EncryptionInTransit": { "ClientBroker": "Indicates the encryption setting for data in transit between clients and brokers. You must set it to one of the following values.\n\n`TLS` means that client-broker communication is enabled with TLS only.\n\n`TLS_PLAINTEXT` means that client-broker communication is enabled for both TLS-encrypted, as well as plaintext data.\n\n`PLAINTEXT` means that client-broker communication is enabled in plaintext only.\n\nThe default value is `TLS` .", @@ -19137,7 +21222,7 @@ }, "AWS::MSK::Cluster Firehose": { "DeliveryStream": "The Kinesis Data Firehose delivery stream that is the destination for broker logs.", - "Enabled": "Specifies whether broker logs get send to the specified Kinesis Data Firehose delivery stream." + "Enabled": "Specifies whether broker logs get sent to the specified Kinesis Data Firehose delivery stream." }, "AWS::MSK::Cluster Iam": { "Enabled": "SASL/IAM authentication is enabled or not." @@ -19181,7 +21266,7 @@ "EBSStorageInfo": "EBS volume information." }, "AWS::MSK::Cluster Tls": { - "CertificateAuthorityArnList": "List of AWS Private CA ARNs.", + "CertificateAuthorityArnList": "List of AWS Private CA Amazon Resource Name (ARN)s.", "Enabled": "TLS authentication is enabled or not." }, "AWS::MSK::Cluster Unauthenticated": { @@ -19214,11 +21299,61 @@ "AWS::MSK::Configuration": { "Description": "The description of the configuration.", "KafkaVersionsList": "", + "LatestRevision": "Latest revision of the configuration.", "Name": "The name of the configuration. Configuration names are strings that match the regex \"^[0-9A-Za-z][0-9A-Za-z-]{0,}$\".", "ServerProperties": "Contents of the server.properties file. When using the API, you must ensure that the contents of the file are base64 encoded. When using the console, the SDK, or the CLI, the contents of server.properties can be in plaintext." }, + "AWS::MSK::Configuration LatestRevision": { + "CreationTime": "", + "Description": "", + "Revision": "" + }, + "AWS::MSK::Replicator": { + "CurrentVersion": "", + "Description": "", + "KafkaClusters": "", + "ReplicationInfoList": "", + "ReplicatorName": "", + "ServiceExecutionRoleArn": "", + "Tags": "" + }, + "AWS::MSK::Replicator AmazonMskCluster": { + "MskClusterArn": "" + }, + "AWS::MSK::Replicator ConsumerGroupReplication": { + "ConsumerGroupsToExclude": "", + "ConsumerGroupsToReplicate": "", + "DetectAndCopyNewConsumerGroups": "", + "SynchroniseConsumerGroupOffsets": "" + }, + "AWS::MSK::Replicator KafkaCluster": { + "AmazonMskCluster": "", + "VpcConfig": "" + }, + "AWS::MSK::Replicator KafkaClusterClientVpcConfig": { + "SecurityGroupIds": "", + "SubnetIds": "" + }, + "AWS::MSK::Replicator ReplicationInfo": { + "ConsumerGroupReplication": "", + "SourceKafkaClusterArn": "", + "TargetCompressionType": "", + "TargetKafkaClusterArn": "", + "TopicReplication": "" + }, + "AWS::MSK::Replicator Tag": { + "Key": "", + "Value": "" + }, + "AWS::MSK::Replicator TopicReplication": { + "CopyAccessControlListsForTopics": "", + "CopyTopicConfigurations": "", + "DetectAndCopyNewTopics": "", + "TopicsToExclude": "", + "TopicsToReplicate": "" + }, "AWS::MSK::ServerlessCluster": { - "ClientAuthentication": "", + "ClientAuthentication": "Includes all client authentication information.", "ClusterName": "", "Tags": "", "VpcConfigs": "" @@ -19246,7 +21381,7 @@ }, "AWS::MWAA::Environment": { "AirflowConfigurationOptions": "A list of key-value pairs containing the Airflow configuration options for your environment. For example, `core.default_timezone: utc` . To learn more, see [Apache Airflow configuration options](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-env-variables.html) .", - "AirflowVersion": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` (latest)", + "AirflowVersion": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` (latest)", "DagS3Path": "The relative path to the DAGs folder on your Amazon S3 bucket. For example, `dags` . To learn more, see [Adding or updating DAGs](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-dag-folder.html) .", "EnvironmentClass": "The environment class type. Valid values: `mw1.small` , `mw1.medium` , `mw1.large` . To learn more, see [Amazon MWAA environment class](https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html) .", "ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role in IAM that allows MWAA to access AWS resources in your environment. For example, `arn:aws:iam::123456789:role/my-execution-role` . To learn more, see [Amazon MWAA Execution role](https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html) .", @@ -19264,7 +21399,7 @@ "SourceBucketArn": "The Amazon Resource Name (ARN) of the Amazon S3 bucket where your DAG code and supporting files are stored. For example, `arn:aws:s3:::my-airflow-bucket-unique-name` . To learn more, see [Create an Amazon S3 bucket for Amazon MWAA](https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-s3-bucket.html) .", "StartupScriptS3ObjectVersion": "The version of the startup shell script in your Amazon S3 bucket. You must specify the [version ID](https://docs.aws.amazon.com/AmazonS3/latest/userguide/versioning-workflows.html) that Amazon S3 assigns to the file every time you update the script.\n\nVersion IDs are Unicode, UTF-8 encoded, URL-ready, opaque strings that are no more than 1,024 bytes long. The following is an example:\n\n`3sL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo`\n\nFor more information, see [Using a startup script](https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html) .", "StartupScriptS3Path": "The relative path to the startup shell script in your Amazon S3 bucket. For example, `s3://mwaa-environment/startup.sh` .\n\nAmazon MWAA runs the script as your environment starts, and before running the Apache Airflow process. You can use this script to install dependencies, modify Apache Airflow configuration options, and set environment variables. For more information, see [Using a startup script](https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html) .", - "Tags": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .", + "Tags": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .\n\nIf you specify new tags for an existing environment, the update requires service interruption before taking effect.", "WebserverAccessMode": "The Apache Airflow *Web server* access mode. To learn more, see [Apache Airflow access modes](https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-networking.html) . Valid values: `PRIVATE_ONLY` or `PUBLIC_ONLY` .", "WeeklyMaintenanceWindowStart": "The day and time of the week to start weekly maintenance updates of your environment in the following format: `DAY:HH:MM` . For example: `TUE:03:30` . You can specify a start time in 30 minute increments only. Supported input includes the following:\n\n- MON|TUE|WED|THU|FRI|SAT|SUN:([01]\\\\d|2[0-3]):(00|30)" }, @@ -19288,7 +21423,7 @@ "Criteria": "The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an Amazon S3 object that lists specific text to ignore ( `S3WordsList` ), or a regular expression ( `Regex` ) that defines a text pattern to ignore.", "Description": "A custom description of the allow list. The description can contain 1-512 characters.", "Name": "A custom name for the allow list. The name can contain 1-128 characters.", - "Tags": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + "Tags": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::Macie::AllowList Criteria": { "Regex": "The regular expression ( *regex* ) that defines the text pattern to ignore. The expression can contain 1-512 characters.", @@ -19298,20 +21433,30 @@ "BucketName": "The full name of the S3 bucket that contains the object. This value correlates to the `Name` field of a bucket's properties in Amazon S3 .\n\nThis value is case sensitive. In addition, don't use wildcard characters or specify partial values for the name.", "ObjectKey": "The full name of the S3 object. This value correlates to the `Key` field of an object's properties in Amazon S3 . If the name includes a path, include the complete path. For example, `AllowLists/Macie/MyList.txt` .\n\nThis value is case sensitive. In addition, don't use wildcard characters or specify partial values for the name." }, + "AWS::Macie::AllowList Tag": { + "Key": "", + "Value": "" + }, "AWS::Macie::CustomDataIdentifier": { "Description": "A custom description of the custom data identifier. The description can contain 1-512 characters.\n\nAvoid including sensitive data in the description. Users of the account might be able to see the description, depending on the actions that they're allowed to perform in Amazon Macie .", "IgnoreWords": "An array of character sequences ( *ignore words* ) to exclude from the results. If text matches the regular expression ( `Regex` ) but it contains a string in this array, Amazon Macie ignores the text and doesn't include it in the results.\n\nThe array can contain 1-10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.", "Keywords": "An array of character sequences ( *keywords* ), one of which must precede and be in proximity ( `MaximumMatchDistance` ) of the regular expression ( `Regex` ) to match.\n\nThe array can contain 1-50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.", "MaximumMatchDistance": "The maximum number of characters that can exist between the end of at least one complete character sequence specified by the `Keywords` array and the end of text that matches the regular expression ( `Regex` ). If a complete keyword precedes all the text that matches the regular expression and the keyword is within the specified distance, Amazon Macie includes the result.\n\nThe distance can be 1-300 characters. The default value is 50.", "Name": "A custom name for the custom data identifier. The name can contain 1-128 characters.\n\nAvoid including sensitive data in the name of a custom data identifier. Users of the account might be able to see the name, depending on the actions that they're allowed to perform in Amazon Macie .", - "Regex": "The regular expression ( *regex* ) that defines the text pattern to match. The expression can contain 1-512 characters." + "Regex": "The regular expression ( *regex* ) that defines the text pattern to match. The expression can contain 1-512 characters.", + "Tags": "An array of key-value pairs to apply to the custom data identifier.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." + }, + "AWS::Macie::CustomDataIdentifier Tag": { + "Key": "", + "Value": "" }, "AWS::Macie::FindingsFilter": { "Action": "The action to perform on findings that match the filter criteria ( `FindingCriteria` ). Valid values are:\n\n- `ARCHIVE` - Suppress (automatically archive) the findings.\n- `NOOP` - Don't perform any action on the findings.", "Description": "A custom description of the findings filter. The description can contain 1-512 characters.\n\nAvoid including sensitive data in the description. Users of the account might be able to see the description, depending on the actions that they're allowed to perform in Amazon Macie .", "FindingCriteria": "The criteria to use to filter findings.", "Name": "A custom name for the findings filter. The name can contain 3-64 characters.\n\nAvoid including sensitive data in the name. Users of the account might be able to see the name, depending on the actions that they're allowed to perform in Amazon Macie .", - "Position": "The position of the findings filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings." + "Position": "The position of the findings filter in the list of saved filter rules on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", + "Tags": "An array of key-value pairs to apply to the findings filter.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::Macie::FindingsFilter CriterionAdditionalProperties": { "eq": "The value for the specified property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.", @@ -19324,6 +21469,10 @@ "AWS::Macie::FindingsFilter FindingCriteria": { "Criterion": "Specifies a condition that defines the property, operator, and one or more values to use to filter the results." }, + "AWS::Macie::FindingsFilter Tag": { + "Key": "", + "Value": "" + }, "AWS::Macie::Session": { "FindingPublishingFrequency": "Specifies how often Amazon Macie publishes updates to policy findings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events ). Valid values are:\n\n- FIFTEEN_MINUTES\n- ONE_HOUR\n- SIX_HOURS", "Status": "The status of Amazon Macie for the account. Valid values are: `ENABLED` , start or resume all Macie activities for the account; and, `PAUSED` , suspend all Macie activities for the account." @@ -19332,6 +21481,10 @@ "AccessorType": "The type of the accessor.\n\n> Currently, accessor type is restricted to `BILLING_TOKEN` .", "Tags": "The tags assigned to the Accessor.\n\nFor more information about tags, see [Tagging Resources](https://docs.aws.amazon.com/managed-blockchain/latest/ethereum-dev/tagging-resources.html) in the *Amazon Managed Blockchain Ethereum Developer Guide* , or [Tagging Resources](https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/tagging-resources.html) in the *Amazon Managed Blockchain Hyperledger Fabric Developer Guide* ." }, + "AWS::ManagedBlockchain::Accessor Tag": { + "Key": "", + "Value": "" + }, "AWS::ManagedBlockchain::Member": { "InvitationId": "The unique identifier of the invitation to join the network sent to the account that creates the member.", "MemberConfiguration": "Configuration properties of the member.", @@ -19374,7 +21527,7 @@ }, "AWS::ManagedBlockchain::Node": { "MemberId": "The unique identifier of the member to which the node belongs. Applies only to Hyperledger Fabric.", - "NetworkId": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`\n- `n-ethereum-rinkeby`", + "NetworkId": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`", "NodeConfiguration": "Configuration properties of a peer node." }, "AWS::ManagedBlockchain::Node NodeConfiguration": { @@ -19384,7 +21537,7 @@ "AWS::MediaConnect::Bridge": { "EgressGatewayBridge": "Create a bridge with the egress bridge type. An egress bridge is a cloud-to-ground bridge. The content comes from an existing MediaConnect flow and is delivered to your premises.", "IngressGatewayBridge": "Create a bridge with the ingress bridge type. An ingress bridge is a ground-to-cloud bridge. The content originates at your premises and is delivered to the cloud.", - "Name": "The network output name. This name is used to reference the output and must be unique among outputs in this bridge.", + "Name": "The name of the bridge. This name can not be modified after the bridge is created.", "Outputs": "The outputs that you want to add to this bridge.", "PlacementArn": "The bridge placement Amazon Resource Number (ARN).", "SourceFailoverConfig": "The settings for source failover.", @@ -19450,7 +21603,7 @@ "AWS::MediaConnect::BridgeSource": { "BridgeArn": "The ARN of the bridge that you want to describe.", "FlowSource": "Add a flow source to an existing bridge.", - "Name": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "Name": "The name of the flow source. This name is used to reference the source and must be unique among sources in this bridge.", "NetworkSource": "Add a network source to an existing bridge." }, "AWS::MediaConnect::BridgeSource BridgeFlowSource": { @@ -19490,14 +21643,14 @@ "State": "The state of source failover on the flow. If the state is inactive, the flow can have only one source. If the state is active, the flow can have one or two sources." }, "AWS::MediaConnect::Flow GatewayBridgeSource": { - "BridgeArn": "", - "VpcInterfaceAttachment": "" + "BridgeArn": "The ARN of the bridge feeding this flow.", + "VpcInterfaceAttachment": "The name of the VPC interface attachment to use for this bridge source." }, "AWS::MediaConnect::Flow Source": { "Decryption": "The type of encryption that is used on the content ingested from the source.", "Description": "A description of the source. This description is not visible outside of the current AWS account.", "EntitlementArn": "The ARN of the entitlement that allows you to subscribe to content that comes from another AWS account. The entitlement is set by the content originator and the ARN is generated as part of the originator\u2019s flow.", - "GatewayBridgeSource": "", + "GatewayBridgeSource": "The source configuration for cloud flows receiving a stream from a bridge.", "IngestIp": "The IP address that the flow listens on for incoming content.", "IngestPort": "The port that the flow listens on for incoming content. If the protocol of the source is Zixi, the port must be set to 2088.", "MaxBitrate": "The maximum bitrate for RIST, RTP, and RTP-FEC streams.", @@ -19519,7 +21672,7 @@ "PrimarySource": "The name of the source you choose as the primary source for this flow." }, "AWS::MediaConnect::Flow VpcInterfaceAttachment": { - "VpcInterfaceName": "" + "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." }, "AWS::MediaConnect::FlowEntitlement": { "DataTransferSubscriberFeePercent": "The percentage of the entitlement data transfer fee that you want the subscriber to be responsible for.", @@ -19549,7 +21702,7 @@ "FlowArn": "The Amazon Resource Name (ARN) of the flow this output is attached to.", "MaxLatency": "The maximum latency in milliseconds. This parameter applies only to RIST-based, Zixi-based, and Fujitsu-based streams.", "MinLatency": "The minimum latency in milliseconds for SRT-based streams. In streams that use the SRT protocol, this value that you set on your MediaConnect source or output represents the minimal potential latency of that connection. The latency of the stream is set to the highest number between the sender\u2019s minimum latency and the receiver\u2019s minimum latency.", - "Name": "The name of the VPC interface.", + "Name": "The name of the output. This value must be unique within the current flow.", "Port": "The port to use when MediaConnect distributes content to the output.", "Protocol": "The protocol to use for the output.", "RemoteId": "The identifier that is assigned to the Zixi receiver. This parameter applies only to outputs that use Zixi pull.", @@ -19571,7 +21724,7 @@ "Description": "A description of the source. This description is not visible outside of the current AWS account.", "EntitlementArn": "The ARN of the entitlement that allows you to subscribe to the flow. The entitlement is set by the content originator, and the ARN is generated as part of the originator's flow.", "FlowArn": "The Amazon Resource Name (ARN) of the flow this source is connected to. The flow must have Failover enabled to add an additional source.", - "GatewayBridgeSource": "", + "GatewayBridgeSource": "The source configuration for cloud flows receiving a stream from a bridge.", "IngestPort": "The port that the flow listens on for incoming content. If the protocol of the source is Zixi, the port must be set to 2088.", "MaxBitrate": "The maximum bitrate for RIST, RTP, and RTP-FEC streams.", "MaxLatency": "The maximum latency in milliseconds. This parameter applies only to RIST-based, Zixi-based, and Fujitsu-based streams.", @@ -19598,11 +21751,11 @@ "Url": "The URL from the API Gateway proxy that you set up to talk to your key server. This parameter is required for SPEKE encryption and is not valid for static key encryption." }, "AWS::MediaConnect::FlowSource GatewayBridgeSource": { - "BridgeArn": "", - "VpcInterfaceAttachment": "" + "BridgeArn": "The ARN of the bridge feeding this flow.", + "VpcInterfaceAttachment": "The name of the VPC interface attachment to use for this bridge source." }, "AWS::MediaConnect::FlowSource VpcInterfaceAttachment": { - "VpcInterfaceName": "" + "VpcInterfaceName": "The name of the VPC interface that you want to send your output to." }, "AWS::MediaConnect::FlowVpcInterface": { "FlowArn": "The Amazon Resource Name (ARN) of the flow.", @@ -19613,7 +21766,7 @@ }, "AWS::MediaConnect::Gateway": { "EgressCidrBlocks": "The range of IP addresses that are allowed to contribute content or initiate output requests for flows communicating with this gateway. These IP addresses should be in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.", - "Name": "The name of the gateway. This name can not be modified after the gateway is created.", + "Name": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", "Networks": "The list of networks that you want to add." }, "AWS::MediaConnect::Gateway GatewayNetwork": { @@ -19625,7 +21778,7 @@ "Category": "Optional. A category for the job template you are creating", "Description": "Optional. A description of the job template you are creating.", "HopDestinations": "Optional. Configuration for a destination queue to which the job can hop once a customer-defined minimum wait time has passed. For more information, see [Setting Up Queue Hopping to Avoid Long Waits](https://docs.aws.amazon.com/mediaconvert/latest/ug/setting-up-queue-hopping-to-avoid-long-waits.html) in the *AWS Elemental MediaConvert User Guide* .", - "Name": "The name of the job template you are creating.", + "Name": "Name of the output group", "Priority": "Specify the relative priority for this job. In any given queue, the service begins processing the job with the highest value first. When more than one job has the same priority, the service begins processing the job that you submitted first. If you don't specify a priority, the service uses the default value 0. Minimum: -50 Maximum: 50", "Queue": "Optional. The queue that jobs created from this template are assigned to. Specify the Amazon Resource Name (ARN) of the queue. For example, arn:aws:mediaconvert:us-west-2:505474453218:queues/Default. If you don't specify this, jobs will go to the default queue.", "SettingsJson": "Specify, in JSON format, the transcoding job settings for this job template. This specification must conform to the AWS Elemental MediaConvert job validation. For information about forming this specification, see the Remarks section later in this topic.\n\nFor more information about MediaConvert job templates, see [Working with AWS Elemental MediaConvert Job Templates](https://docs.aws.amazon.com/mediaconvert/latest/ug/working-with-job-templates.html) in the ** .", @@ -19662,7 +21815,7 @@ "InputAttachments": "The list of input attachments for the channel.", "InputSpecification": "The input specification for this channel. It specifies the key characteristics of the inputs for this channel: the maximum bitrate, the resolution, and the codec.", "LogLevel": "The verbosity for logging activity for this channel. Charges for logging (which are generated through Amazon CloudWatch Logging) are higher for higher verbosities.", - "Maintenance": "", + "Maintenance": "Maintenance settings for this channel.", "Name": "A name for this audio selector. The AudioDescription (in an output) references this name in order to identify a specific input audio to include in that output.", "RoleArn": "The IAM role for MediaLive to assume when running this channel. The role is identified by its ARN.", "Tags": "A collection of tags for this channel. Each tag is a key-value pair.", @@ -19680,6 +21833,7 @@ "VbrQuality": "The VBR quality level. This is used only if rateControlMode is VBR." }, "AWS::MediaLive::Channel Ac3Settings": { + "AttenuationControl": "", "Bitrate": "The average bitrate in bits/second. Valid bitrates depend on the coding mode.", "BitstreamMode": "Specifies the bitstream mode (bsmod) for the emitted AC-3 stream. For more information about these values, see ATSC A/52-2012.", "CodingMode": "The Dolby Digital coding mode. This determines the number of channels.", @@ -19711,8 +21865,6 @@ "AWS::MediaLive::Channel ArchiveS3Settings": { "CannedAcl": "Specify the canned ACL to apply to each S3 request. Defaults to none." }, - "AWS::MediaLive::Channel AribDestinationSettings": {}, - "AWS::MediaLive::Channel AribSourceSettings": {}, "AWS::MediaLive::Channel AudioChannelMapping": { "InputChannelLevels": "The indices and gain values for each input channel that should be remixed into this output channel.", "OutputChannel": "The index of the output channel that is being produced." @@ -19883,8 +22035,6 @@ "AWS::MediaLive::Channel CdiInputSpecification": { "Resolution": "Maximum CDI input resolution" }, - "AWS::MediaLive::Channel ColorSpacePassthroughSettings": {}, - "AWS::MediaLive::Channel DolbyVision81Settings": {}, "AWS::MediaLive::Channel DvbNitSettings": { "NetworkId": "The numeric value placed in the Network Information Table (NIT).", "NetworkName": "The network name text placed in the networkNameDescriptor inside the Network Information Table (NIT). The maximum length is 256 characters.", @@ -19959,8 +22109,6 @@ "FontFamily": "Specifies the font family to include in the font data attached to the EBU-TT captions. Valid only if styleControl is set to include. If you leave this field empty, the font family is set to \"monospaced\". (If styleControl is set to exclude, the font family is always set to \"monospaced\".) You specify only the font family. All other style information (color, bold, position and so on) is copied from the input captions. The size is always set to 100% to allow the downstream player to choose the size. - Enter a list of font families, as a comma-separated list of font names, in order of preference. The name can be a font family (such as \u201cArial\u201d), or a generic font family (such as \u201cserif\u201d), or \u201cdefault\u201d (to let the downstream player choose the font).\n- Leave blank to set the family to \u201cmonospace\u201d.", "StyleControl": "Specifies the style information (font color, font position, and so on) to include in the font data that is attached to the EBU-TT captions. - include: Take the style information (font color, font position, and so on) from the source captions and include that information in the font data attached to the EBU-TT captions. This option is valid only if the source captions are Embedded or Teletext.\n- exclude: In the font data attached to the EBU-TT captions, set the font family to \"monospaced\". Do not include any other style information." }, - "AWS::MediaLive::Channel EmbeddedDestinationSettings": {}, - "AWS::MediaLive::Channel EmbeddedPlusScte20DestinationSettings": {}, "AWS::MediaLive::Channel EmbeddedSourceSettings": { "Convert608To708": "If this is upconvert, 608 data is both passed through the \"608 compatibility bytes\" fields of the 708 wrapper as well as translated into 708. If 708 data is present in the source content, it is discarded.", "Scte20Detection": "Set to \"auto\" to handle streams with intermittent or non-aligned SCTE-20 and embedded captions.", @@ -19978,6 +22126,7 @@ "MotionGraphicsConfiguration": "Settings to enable and configure the motion graphics overlay feature in the channel.", "NielsenConfiguration": "The settings to configure Nielsen watermarks.", "OutputGroups": "The settings for the output groups in the channel.", + "ThumbnailConfiguration": "", "TimecodeConfig": "Contains settings used to acquire and adjust timecode information from the inputs.", "VideoDescriptions": "The encoding information for output videos." }, @@ -20017,7 +22166,6 @@ "Destination": "The destination for the frame capture files. The destination is either the URI for an Amazon S3 bucket and object, plus a file name prefix (for example, s3ssl://sportsDelivery/highlights/20180820/curling_) or the URI for a MediaStore container, plus a file name prefix (for example, mediastoressl://sportsDelivery/20180820/curling_). The final file names consist of the prefix from the destination field (for example, \"curling_\") + name modifier + the counter (5 digits, starting from 00001) + extension (which is always .jpg). For example, curlingLow.00001.jpg.", "FrameCaptureCdnSettings": "Settings to configure the destination of a Frame Capture output." }, - "AWS::MediaLive::Channel FrameCaptureHlsSettings": {}, "AWS::MediaLive::Channel FrameCaptureOutputSettings": { "NameModifier": "Required if the output group contains more than one output. This modifier forms part of the output file name." }, @@ -20190,7 +22338,7 @@ "Mode": "If \"vod,\" all segments are indexed and kept permanently in the destination and manifest. If \"live,\" only the number segments specified in keepSegments and indexNSegments are kept. Newer segments replace older segments, which might prevent players from rewinding all the way to the beginning of the channel. VOD mode uses HLS EXT-X-PLAYLIST-TYPE of EVENT while the channel is running, converting it to a \"VOD\" type manifest on completion of the stream.", "OutputSelection": "MANIFESTSANDSEGMENTS: Generates manifests (the master manifest, if applicable, and media manifests) for this output group. SEGMENTSONLY: Doesn't generate any manifests for this output group.", "ProgramDateTime": "Includes or excludes the EXT-X-PROGRAM-DATE-TIME tag in .m3u8 manifest files. The value is calculated as follows: Either the program date and time are initialized using the input timecode source, or the time is initialized using the input timecode source and the date is initialized using the timestampOffset.", - "ProgramDateTimeClock": "", + "ProgramDateTimeClock": "Specifies the algorithm used to drive the HLS EXT-X-PROGRAM-DATE-TIME clock. Options include: INITIALIZE_FROM_OUTPUT_TIMECODE: The PDT clock is initialized as a function of the first output timecode, then incremented by the EXTINF duration of each encoded segment. SYSTEM_CLOCK: The PDT clock is initialized as a function of the UTC wall clock, then incremented by the EXTINF duration of each encoded segment. If the PDT clock diverges from the wall clock by more than 500ms, it is resynchronized to the wall clock.", "ProgramDateTimePeriod": "The period of insertion of the EXT-X-PROGRAM-DATE-TIME entry, in seconds.", "RedundantManifest": "ENABLED: The master manifest (.m3u8 file) for each pipeline includes information about both pipelines: first its own media files, then the media files of the other pipeline. This feature allows a playout device that supports stale manifest detection to switch from one manifest to the other, when the current manifest seems to be stale. There are still two destinations and two master manifests, but both master manifests reference the media files from both pipelines. DISABLED: The master manifest (.m3u8 file) for each pipeline includes information about its own pipeline only. For an HLS output group with MediaPackage as the destination, the DISABLED behavior is always followed. MediaPackage regenerates the manifests it serves to players, so a redundant manifest from MediaLive is irrelevant.", "SegmentLength": "The length of the MPEG-2 Transport Stream segments to create, in seconds. Note that segments will end on the next keyframe after this number of seconds, so the actual segment length might be longer.", @@ -20238,7 +22386,6 @@ "NumRetries": "The number of retry attempts that are made before the channel is put into an error state.", "RestartDelay": "If a streaming output fails, the number of seconds to wait until a restart is initiated. A value of 0 means never restart." }, - "AWS::MediaLive::Channel HtmlMotionGraphicsSettings": {}, "AWS::MediaLive::Channel InputAttachment": { "AutomaticInputFailoverSettings": "Settings to implement automatic input failover in this input.", "InputAttachmentName": "A name for the attachment. This is required if you want to use this input in an input switch action.", @@ -20339,6 +22486,8 @@ "AudioFramesPerPes": "The number of audio frames to insert for each PES packet.", "AudioPids": "The PID of the elementary audio streams in the transport stream. Multiple values are accepted, and can be entered in ranges or by comma separation. You can enter the value as a decimal or hexadecimal value.", "EcmPid": "This parameter is unused and deprecated.", + "KlvBehavior": "", + "KlvDataPids": "", "NielsenId3Behavior": "If set to passthrough, Nielsen inaudible tones for media tracking will be detected in the input audio and an equivalent ID3 tag will be inserted in the output.", "PatInterval": "The number of milliseconds between instances of this table in the output transport stream. A value of \\\"0\\\" writes out the PMT once per segment file.", "PcrControl": "When set to pcrEveryPesPacket, a Program Clock Reference value is inserted for every Packetized Elementary Stream (PES) header. This parameter is effective only when the PCR PID is the same as the video or audio elementary stream.", @@ -20355,13 +22504,8 @@ "VideoPid": "The PID of the elementary video stream in the transport stream. You can enter the value as a decimal or hexadecimal value." }, "AWS::MediaLive::Channel MaintenanceCreateSettings": { - "MaintenanceDay": "", - "MaintenanceStartTime": "" - }, - "AWS::MediaLive::Channel MaintenanceUpdateSettings": { - "MaintenanceDay": "", - "MaintenanceScheduledDate": "", - "MaintenanceStartTime": "" + "MaintenanceDay": "Choose one day of the week for maintenance. The chosen day is used for all future maintenance windows.", + "MaintenanceStartTime": "Choose the hour that maintenance will start. The chosen time is used for all future maintenance windows." }, "AWS::MediaLive::Channel MediaPackageGroupSettings": { "Destination": "The MediaPackage channel destination." @@ -20369,7 +22513,6 @@ "AWS::MediaLive::Channel MediaPackageOutputDestinationSettings": { "ChannelId": "The ID of the channel in MediaPackage that is the destination for this output group. You don't need to specify the individual inputs in MediaPackage; MediaLive handles the connection of the two MediaLive pipelines to the two MediaPackage inputs. The MediaPackage channel and MediaLive channel must be in the same Region." }, - "AWS::MediaLive::Channel MediaPackageOutputSettings": {}, "AWS::MediaLive::Channel MotionGraphicsConfiguration": { "MotionGraphicsInsertion": "Enables or disables the motion graphics overlay feature in the channel.", "MotionGraphicsSettings": "Settings to enable and configure the motion graphics overlay feature in the channel." @@ -20429,7 +22572,6 @@ "H265PackagingType": "Only applicable when this output is referencing an H.265 video description.\nSpecifies whether MP4 segments should be packaged as HEV1 or HVC1.", "NameModifier": "A string that is concatenated to the end of the destination file name. This is required for multiple outputs of the same type." }, - "AWS::MediaLive::Channel MultiplexGroupSettings": {}, "AWS::MediaLive::Channel MultiplexOutputSettings": { "Destination": "Destination is a Multiplex." }, @@ -20507,22 +22649,18 @@ "RtmpOutputSettings": "The settings for an RTMP output.\n\nThe parent of this entity is OutputGroupSettings.", "UdpOutputSettings": "The settings for a UDP output.\n\nThe parent of this entity is OutputGroupSettings." }, - "AWS::MediaLive::Channel PassThroughSettings": {}, - "AWS::MediaLive::Channel RawSettings": {}, - "AWS::MediaLive::Channel Rec601Settings": {}, - "AWS::MediaLive::Channel Rec709Settings": {}, "AWS::MediaLive::Channel RemixSettings": { "ChannelMappings": "A mapping of input channels to output channels, with appropriate gain adjustments.", "ChannelsIn": "The number of input channels to be used.", "ChannelsOut": "The number of output channels to be produced. Valid values: 1, 2, 4, 6, 8." }, - "AWS::MediaLive::Channel RtmpCaptionInfoDestinationSettings": {}, "AWS::MediaLive::Channel RtmpGroupSettings": { "AdMarkers": "Choose the ad marker type for this output group. MediaLive will create a message based on the content of each SCTE-35 message, format it for that marker type, and insert it in the datastream.", "AuthenticationScheme": "An authentication scheme to use when connecting with a CDN.", "CacheFullBehavior": "Controls behavior when the content cache fills up. If a remote origin server stalls the RTMP connection and doesn't accept content fast enough, the media cache fills up. When the cache reaches the duration specified by cacheLength, the cache stops accepting new content. If set to disconnectImmediately, the RTMP output forces a disconnect. Clear the media cache, and reconnect after restartDelay seconds. If set to waitForServer, the RTMP output waits up to 5 minutes to allow the origin server to begin accepting data again.", "CacheLength": "The cache length, in seconds, that is used to calculate buffer size.", "CaptionData": "Controls the types of data that pass to onCaptionInfo outputs. If set to all, 608 and 708 carried DTVCC data is passed. If set to field1AndField2608, DTVCC data is stripped out, but 608 data from both fields is passed. If set to field1608, only the data carried in 608 from field 1 video is passed.", + "IncludeFillerNalUnits": "", "InputLossAction": "Controls the behavior of this RTMP group if the input becomes unavailable. emitOutput: Emit a slate until the input returns. pauseOutput: Stop transmitting data until the input returns. This does not close the underlying RTMP connection.", "RestartDelay": "If a streaming output fails, the number of seconds to wait until a restart is initiated. A value of 0 means never restart." }, @@ -20532,12 +22670,10 @@ "Destination": "The RTMP endpoint excluding the stream name (for example, rtmp://host/appname).", "NumRetries": "The number of retry attempts." }, - "AWS::MediaLive::Channel Scte20PlusEmbeddedDestinationSettings": {}, "AWS::MediaLive::Channel Scte20SourceSettings": { "Convert608To708": "If upconvert, 608 data is both passed through the \"608 compatibility bytes\" fields of the 708 wrapper as well as translated into 708. Any 708 data present in the source content is discarded.", "Source608ChannelNumber": "Specifies the 608/708 channel number within the video track from which to extract captions." }, - "AWS::MediaLive::Channel Scte27DestinationSettings": {}, "AWS::MediaLive::Channel Scte27SourceSettings": { "OcrLanguage": "If you will configure a WebVTT caption description that references this caption selector, use this field to\nprovide the language to consider when translating the image-based source to text.", "Pid": "The PID field is used in conjunction with the captions selector languageCode field as follows: Specify PID and Language: Extracts captions from that PID; the language is \"informational.\" Specify PID and omit Language: Extracts the specified PID. Omit PID and specify Language: Extracts the specified language, whichever PID that happens to be. Omit PID and omit Language: Valid only if source is DVB-Sub that is being passed through; all languages are passed through." @@ -20552,7 +22688,6 @@ "NoRegionalBlackoutFlag": "When set to ignore, segment descriptors with noRegionalBlackoutFlag set to 0 no longer trigger blackouts or ad avail slates.", "WebDeliveryAllowedFlag": "When set to ignore, segment descriptors with webDeliveryAllowedFlag set to 0 no longer trigger blackouts or ad avail slates." }, - "AWS::MediaLive::Channel SmpteTtDestinationSettings": {}, "AWS::MediaLive::Channel StandardHlsSettings": { "AudioRenditionSets": "Lists all the audio groups that are used with the video output stream. This inputs all the audio GROUP-IDs that are associated with the video, separated by a comma (,).", "M3u8Settings": "Settings for the M3U8 container." @@ -20561,7 +22696,6 @@ "KeyProviderServer": "The URL of the license server that is used for protecting content.", "StaticKeyValue": "The static key value as a 32 character hexadecimal string." }, - "AWS::MediaLive::Channel TeletextDestinationSettings": {}, "AWS::MediaLive::Channel TeletextSourceSettings": { "OutputRectangle": "Settings to configure the caption rectangle for an output captions that will be created using this Teletext source captions.", "PageNumber": "Specifies the Teletext page number within the data stream from which to extract captions. The range is 0x100 (256) to 0x8FF (2303). This is unused for passthrough. It should be specified as a hexadecimal string with no \"0x\" prefix." @@ -20570,6 +22704,9 @@ "PostFilterSharpening": "If you enable this filter, the results are the following:\n- If the source content is noisy (it contains excessive digital artifacts), the filter cleans up the source.\n- If the source content is already clean, the filter tends to decrease the bitrate, especially when the rate control mode is QVBR.", "Strength": "Choose a filter strength. We recommend a strength of 1 or 2. A higher strength might take out good information, resulting in an image that is overly soft." }, + "AWS::MediaLive::Channel ThumbnailConfiguration": { + "State": "" + }, "AWS::MediaLive::Channel TimecodeBurninSettings": { "FontSize": "", "Position": "", @@ -20662,9 +22799,6 @@ "AWS::MediaLive::Input InputDestinationRequest": { "StreamName": "The stream name (application name/application instance) for the location the RTMP source content will be pushed to in MediaLive." }, - "AWS::MediaLive::Input InputDeviceRequest": { - "Id": "This property is not used. Ignore it." - }, "AWS::MediaLive::Input InputDeviceSettings": { "Id": "The unique ID for the device." }, @@ -20700,6 +22834,10 @@ "PackagingConfigurationId": "The ID of a packaging configuration that's applied to this asset.", "Url": "The URL that's used to request content from this endpoint." }, + "AWS::MediaPackage::Asset Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaPackage::Channel": { "Description": "Any descriptive information that you want to add to the channel for future identification purposes.", "EgressAccessLogs": "Configures egress access logs.", @@ -20720,6 +22858,10 @@ "AWS::MediaPackage::Channel LogConfiguration": { "LogGroupName": "Sets a custom Amazon CloudWatch log group name." }, + "AWS::MediaPackage::Channel Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaPackage::OriginEndpoint": { "Authorization": "Parameters for CDN authorization.", "ChannelId": "The ID of the channel associated with this endpoint.", @@ -20775,7 +22917,10 @@ "UtcTiming": "Determines the type of UTC timing included in the DASH Media Presentation Description (MPD).", "UtcTimingUri": "Specifies the value attribute of the UTC timing field when utcTiming is set to HTTP-ISO or HTTP-HEAD." }, - "AWS::MediaPackage::OriginEndpoint EncryptionContractConfiguration": {}, + "AWS::MediaPackage::OriginEndpoint EncryptionContractConfiguration": { + "PresetSpeke20Audio": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "PresetSpeke20Video": "A collection of video encryption presets.\n\nValue description:\n\n- `PRESET-VIDEO-1` - Use one content key to encrypt all of the video tracks in your stream.\n- `PRESET-VIDEO-2` - Use one content key to encrypt all of the SD video tracks and one content key for all HD and higher resolutions video tracks.\n- `PRESET-VIDEO-3` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-4` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-5` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-6` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-7` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-8` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `SHARED` - Use the same content key for all of the video and audio tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the video tracks in your stream." + }, "AWS::MediaPackage::OriginEndpoint HlsEncryption": { "ConstantInitializationVector": "A 128-bit, 16-byte hex value represented by a 32-character string, used with the key for encrypting blocks.", "EncryptionMethod": "HLS encryption type.", @@ -20831,6 +22976,10 @@ "MinVideoBitsPerSecond": "The lower limit of the bitrates that this endpoint serves. If the video track is below this threshold, then AWS Elemental MediaPackage excludes it from output. If you don't specify a value, it defaults to 0 bits per second.", "StreamOrder": "Order in which the different video bitrates are presented to the player.\n\nValid values: `ORIGINAL` , `VIDEO_BITRATE_ASCENDING` , `VIDEO_BITRATE_DESCENDING` ." }, + "AWS::MediaPackage::OriginEndpoint Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaPackage::PackagingConfiguration": { "CmafPackage": "Parameters for CMAF packaging.", "DashPackage": "Parameters for DASH-ISO packaging.", @@ -20869,7 +23018,10 @@ "SegmentDurationSeconds": "Duration (in seconds) of each fragment. Actual fragments are rounded to the nearest multiple of the source segment duration.", "SegmentTemplateFormat": "Determines the type of SegmentTemplate included in the Media Presentation Description (MPD). When set to `NUMBER_WITH_TIMELINE` , a full timeline is presented in each SegmentTemplate, with $Number$ media URLs. When set to `TIME_WITH_TIMELINE` , a full timeline is presented in each SegmentTemplate, with $Time$ media URLs. When set to `NUMBER_WITH_DURATION` , only a duration is included in each SegmentTemplate, with $Number$ media URLs." }, - "AWS::MediaPackage::PackagingConfiguration EncryptionContractConfiguration": {}, + "AWS::MediaPackage::PackagingConfiguration EncryptionContractConfiguration": { + "PresetSpeke20Audio": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "PresetSpeke20Video": "A collection of video encryption presets.\n\nValue description:\n\n- `PRESET-VIDEO-1` - Use one content key to encrypt all of the video tracks in your stream.\n- `PRESET-VIDEO-2` - Use one content key to encrypt all of the SD video tracks and one content key for all HD and higher resolutions video tracks.\n- `PRESET-VIDEO-3` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-4` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-5` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-6` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-7` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-8` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `SHARED` - Use the same content key for all of the video and audio tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the video tracks in your stream." + }, "AWS::MediaPackage::PackagingConfiguration HlsEncryption": { "ConstantInitializationVector": "A 128-bit, 16-byte hex value represented by a 32-character string, used with the key for encrypting blocks. If you don't specify a constant initialization vector (IV), AWS Elemental MediaPackage periodically rotates the IV.", "EncryptionMethod": "HLS encryption type.", @@ -20913,6 +23065,10 @@ "MinVideoBitsPerSecond": "The lower limit of the bitrates that this endpoint serves. If the video track is below this threshold, then AWS Elemental MediaPackage excludes it from output. If you don't specify a value, it defaults to 0 bits per second.", "StreamOrder": "Order in which the different video bitrates are presented to the player.\n\nValid values: `ORIGINAL` , `VIDEO_BITRATE_ASCENDING` , `VIDEO_BITRATE_DESCENDING` ." }, + "AWS::MediaPackage::PackagingConfiguration Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaPackage::PackagingGroup": { "Authorization": "Parameters for CDN authorization.", "EgressAccessLogs": "The configuration parameters for egress access logging.", @@ -20926,12 +23082,118 @@ "AWS::MediaPackage::PackagingGroup LogConfiguration": { "LogGroupName": "Sets a custom Amazon CloudWatch log group name for egress logs. If a log group name isn't specified, the default name is used: /aws/MediaPackage/EgressAccessLogs." }, + "AWS::MediaPackage::PackagingGroup Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaPackageV2::Channel": { + "ChannelGroupName": "The name of the channel group associated with the channel configuration.", + "ChannelName": "The name of the channel.", + "Description": "The description of the channel.", + "Tags": "The tags associated with the channel." + }, + "AWS::MediaPackageV2::Channel IngestEndpoint": { + "Id": "The identifier associated with the ingest endpoint of the channel.", + "Url": "The URL associated with the ingest endpoint of the channel." + }, + "AWS::MediaPackageV2::Channel Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaPackageV2::ChannelGroup": { + "ChannelGroupName": "The name of the channel group.", + "Description": "The configuration for a MediaPackage V2 channel group.", + "Tags": "The tags associated with the channel group." + }, + "AWS::MediaPackageV2::ChannelGroup Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaPackageV2::ChannelPolicy": { + "ChannelGroupName": "The name of the channel group associated with the channel policy.", + "ChannelName": "The name of the channel associated with the channel policy.", + "Policy": "The policy associated with the channel." + }, + "AWS::MediaPackageV2::OriginEndpoint": { + "ChannelGroupName": "The name of the channel group associated with the origin endpoint configuration.", + "ChannelName": "The channel name associated with the origin endpoint.", + "ContainerType": "The container type associated with the origin endpoint configuration.", + "Description": "The description associated with the origin endpoint.", + "HlsManifests": "The HLS manfiests associated with the origin endpoint configuration.", + "LowLatencyHlsManifests": "The low-latency HLS (LL-HLS) manifests associated with the origin endpoint.", + "OriginEndpointName": "The name of the origin endpoint associated with the origin endpoint configuration.", + "Segment": "The segment associated with the origin endpoint.", + "StartoverWindowSeconds": "The size of the window (in seconds) to specify a window of the live stream that's available for on-demand viewing. Viewers can start-over or catch-up on content that falls within the window.", + "Tags": "The tags associated with the origin endpoint." + }, + "AWS::MediaPackageV2::OriginEndpoint Encryption": { + "ConstantInitializationVector": "A 128-bit, 16-byte hex value represented by a 32-character string, used in conjunction with the key for encrypting content. If you don't specify a value, then MediaPackage creates the constant initialization vector (IV).", + "EncryptionMethod": "The encryption method to use.", + "KeyRotationIntervalSeconds": "The interval, in seconds, to rotate encryption keys for the origin endpoint.", + "SpekeKeyProvider": "The SPEKE key provider to use for encryption." + }, + "AWS::MediaPackageV2::OriginEndpoint EncryptionContractConfiguration": { + "PresetSpeke20Audio": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "PresetSpeke20Video": "The SPEKE Version 2.0 preset video associated with the encryption contract configuration of the origin endpoint." + }, + "AWS::MediaPackageV2::OriginEndpoint EncryptionMethod": { + "CmafEncryptionMethod": "The encryption method to use.", + "TsEncryptionMethod": "The encryption method to use." + }, + "AWS::MediaPackageV2::OriginEndpoint HlsManifestConfiguration": { + "ChildManifestName": "The name of the child manifest associated with the HLS manifest configuration.", + "ManifestName": "The name of the manifest associated with the HLS manifest configuration.", + "ManifestWindowSeconds": "The duration of the manifest window, in seconds, for the HLS manifest configuration.", + "ProgramDateTimeIntervalSeconds": "The `EXT-X-PROGRAM-DATE-TIME` interval, in seconds, associated with the HLS manifest configuration.", + "ScteHls": "THE SCTE-35 HLS configuration associated with the HLS manifest configuration.", + "Url": "The URL of the HLS manifest configuration." + }, + "AWS::MediaPackageV2::OriginEndpoint LowLatencyHlsManifestConfiguration": { + "ChildManifestName": "The name of the child manifest associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "ManifestName": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "ManifestWindowSeconds": "The total duration (in seconds) of the manifest's content.", + "ProgramDateTimeIntervalSeconds": "Inserts `EXT-X-PROGRAM-DATE-TIME` tags in the output manifest at the interval that you specify. If you don't enter an interval, `EXT-X-PROGRAM-DATE-TIME` tags aren't included in the manifest. The tags sync the stream to the wall clock so that viewers can seek to a specific time in the playback timeline on the player. `ID3Timed` metadata messages generate every 5 seconds whenever MediaPackage ingests the content.\n\nIrrespective of this parameter, if any `ID3Timed` metadata is in the HLS input, MediaPackage passes through that metadata to the HLS output.", + "ScteHls": "The SCTE-35 HLS configuration associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "Url": "The URL of the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint." + }, + "AWS::MediaPackageV2::OriginEndpoint Scte": { + "ScteFilter": "The filter associated with the SCTE-35 configuration." + }, + "AWS::MediaPackageV2::OriginEndpoint ScteHls": { + "AdMarkerHls": "The SCTE-35 HLS ad-marker configuration." + }, + "AWS::MediaPackageV2::OriginEndpoint Segment": { + "Encryption": "Whether to use encryption for the segment.", + "IncludeIframeOnlyStreams": "Whether the segment includes I-frame-only streams.", + "Scte": "The SCTE-35 configuration associated with the segment.", + "SegmentDurationSeconds": "The duration of the segment, in seconds.", + "SegmentName": "The name of the segment associated with the origin endpoint.", + "TsIncludeDvbSubtitles": "Whether the segment includes DVB subtitles.", + "TsUseAudioRenditionGroup": "Whether the segment is an audio rendition group." + }, + "AWS::MediaPackageV2::OriginEndpoint SpekeKeyProvider": { + "DrmSystems": "The DRM solution provider you're using to protect your content during distribution.", + "EncryptionContractConfiguration": "The encryption contract configuration associated with the SPEKE key provider.", + "ResourceId": "The unique identifier for the content. The service sends this identifier to the key server to identify the current endpoint. How unique you make this identifier depends on how fine-grained you want access controls to be. The service does not permit you to use the same ID for two simultaneous encryption processes. The resource ID is also known as the content ID.\n\nThe following example shows a resource ID: `MovieNight20171126093045`", + "RoleArn": "The ARN for the IAM role granted by the key provider that provides access to the key provider API. This role must have a trust policy that allows MediaPackage to assume the role, and it must have a sufficient permissions policy to allow access to the specific key retrieval URL. Get this from your DRM solution provider.\n\nValid format: `arn:aws:iam::{accountID}:role/{name}` . The following example shows a role ARN: `arn:aws:iam::444455556666:role/SpekeAccess`", + "Url": "The URL of the SPEKE key provider." + }, + "AWS::MediaPackageV2::OriginEndpoint Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaPackageV2::OriginEndpointPolicy": { + "ChannelGroupName": "The name of the channel group associated with the origin endpoint policy.", + "ChannelName": "The channel name associated with the origin endpoint policy.", + "OriginEndpointName": "The name of the origin endpoint associated with the origin endpoint policy.", + "Policy": "The policy associated with the origin endpoint." + }, "AWS::MediaStore::Container": { "AccessLoggingEnabled": "The state of access logging on the container. This value is `false` by default, indicating that AWS Elemental MediaStore does not send access logs to Amazon CloudWatch Logs. When you enable access logging on the container, MediaStore changes this value to `true` , indicating that the service delivers access logs for objects stored in that container to CloudWatch Logs.", "ContainerName": "The name for the container. The name must be from 1 to 255 characters. Container names must be unique to your AWS account within a specific region. As an example, you could create a container named `movies` in every region, as long as you don\u2019t have an existing container with that name.", "CorsPolicy": "Sets the cross-origin resource sharing (CORS) configuration on a container so that the container can service cross-origin requests. For example, you might want to enable a request whose origin is http://www.example.com to access your AWS Elemental MediaStore container at my.example.container.com by using the browser's XMLHttpRequest capability.\n\nTo enable CORS on a container, you attach a CORS policy to the container. In the CORS policy, you configure rules that identify origins and the HTTP methods that can be executed on your container. The policy can contain up to 398,000 characters. You can add up to 100 rules to a CORS policy. If more than one rule applies, the service uses the first applicable rule listed.\n\nTo learn more about CORS, see [Cross-Origin Resource Sharing (CORS) in AWS Elemental MediaStore](https://docs.aws.amazon.com/mediastore/latest/ug/cors-policy.html) .", "LifecyclePolicy": "Writes an object lifecycle policy to a container. If the container already has an object lifecycle policy, the service replaces the existing policy with the new policy. It takes up to 20 minutes for the change to take effect.\n\nFor information about how to construct an object lifecycle policy, see [Components of an Object Lifecycle Policy](https://docs.aws.amazon.com/mediastore/latest/ug/policies-object-lifecycle-components.html) .", - "MetricPolicy": "", + "MetricPolicy": "The metric policy that is associated with the container. A metric policy allows AWS Elemental MediaStore to send metrics to Amazon CloudWatch. In the policy, you must indicate whether you want MediaStore to send container-level metrics. You can also include rules to define groups of objects that you want MediaStore to send object-level metrics for.\n\nTo view examples of how to construct a metric policy for your use case, see [Example Metric Policies](https://docs.aws.amazon.com/mediastore/latest/ug/policies-metric-examples.html) .", "Policy": "Creates an access policy for the specified container to restrict the users and clients that can access it. For information about the data that is included in an access policy, see the [AWS Identity and Access Management User Guide](https://docs.aws.amazon.com/iam/) .\n\nFor this release of the REST API, you can create only one policy for a container. If you enter `PutContainerPolicy` twice, the second command modifies the existing policy.", "Tags": "" }, @@ -20950,37 +23212,96 @@ "ObjectGroup": "A path or file name that defines which objects to include in the group. Wildcards (*) are acceptable.", "ObjectGroupName": "A name that allows you to refer to the object group." }, + "AWS::MediaStore::Container Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, + "AWS::MediaTailor::Channel": { + "ChannelName": "The name of the channel.", + "FillerSlate": "The slate used to fill gaps between programs in the schedule. You must configure filler slate if your channel uses the `LINEAR` `PlaybackMode` . MediaTailor doesn't support filler slate for channels using the `LOOP` `PlaybackMode` .", + "LogConfiguration": "The log configuration.", + "Outputs": "The channel's output properties.", + "PlaybackMode": "The type of playback mode for this channel.\n\n`LINEAR` - Programs play back-to-back only once.\n\n`LOOP` - Programs play back-to-back in an endless loop. When the last program in the schedule plays, playback loops back to the first program in the schedule.", + "Tags": "The tags to assign to the channel. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "Tier": "The tier for this channel. STANDARD tier channels can contain live programs." + }, + "AWS::MediaTailor::Channel DashPlaylistSettings": { + "ManifestWindowSeconds": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "MinBufferTimeSeconds": "Minimum amount of content (measured in seconds) that a player must keep available in the buffer. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "MinUpdatePeriodSeconds": "Minimum amount of time (in seconds) that the player should wait before requesting updates to the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "SuggestedPresentationDelaySeconds": "Amount of time (in seconds) that the player should be from the live point at the end of the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds." + }, + "AWS::MediaTailor::Channel HlsPlaylistSettings": { + "AdMarkupType": "Determines the type of SCTE 35 tags to use in ad markup. Specify `DATERANGE` to use `DATERANGE` tags (for live or VOD content). Specify `SCTE35_ENHANCED` to use `EXT-X-CUE-OUT` and `EXT-X-CUE-IN` tags (for VOD content only).", + "ManifestWindowSeconds": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds." + }, + "AWS::MediaTailor::Channel LogConfigurationForChannel": { + "LogTypes": "The log types." + }, + "AWS::MediaTailor::Channel RequestOutputItem": { + "DashPlaylistSettings": "DASH manifest configuration parameters.", + "HlsPlaylistSettings": "HLS playlist configuration parameters.", + "ManifestName": "The name of the manifest for the channel. The name appears in the `PlaybackUrl` .", + "SourceGroup": "A string used to match which `HttpPackageConfiguration` is used for each `VodSource` ." + }, + "AWS::MediaTailor::Channel SlateSource": { + "SourceLocationName": "The name of the source location where the slate VOD source is stored.", + "VodSourceName": "The slate VOD source name. The VOD source must already exist in a source location before it can be used for slate." + }, + "AWS::MediaTailor::Channel Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaTailor::ChannelPolicy": { + "ChannelName": "The name of the channel associated with this Channel Policy.", + "Policy": "The IAM policy for the channel. IAM policies are used to control access to your channel." + }, + "AWS::MediaTailor::LiveSource": { + "HttpPackageConfigurations": "The HTTP package configurations for the live source.", + "LiveSourceName": "The name that's used to refer to a live source.", + "SourceLocationName": "The name of the source location.", + "Tags": "The tags assigned to the live source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) ." + }, + "AWS::MediaTailor::LiveSource HttpPackageConfiguration": { + "Path": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "SourceGroup": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "Type": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` ." + }, + "AWS::MediaTailor::LiveSource Tag": { + "Key": "", + "Value": "" + }, "AWS::MediaTailor::PlaybackConfiguration": { - "AdDecisionServerUrl": "", - "AvailSuppression": "", - "Bumper": "", - "CdnConfiguration": "", + "AdDecisionServerUrl": "The URL for the ad decision server (ADS). This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing you can provide a static VAST URL. The maximum length is 25,000 characters.", + "AvailSuppression": "The configuration for avail suppression, also known as ad suppression. For more information about ad suppression, see [Ad Suppression](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", + "Bumper": "The configuration for bumpers. Bumpers are short audio or video clips that play at the start or before the end of an ad break. To learn more about bumpers, see [Bumpers](https://docs.aws.amazon.com/mediatailor/latest/ug/bumpers.html) .", + "CdnConfiguration": "The configuration for using a content delivery network (CDN), like Amazon CloudFront, for content and ad segment management.", "ConfigurationAliases": "The player parameters and aliases used as dynamic variables during session initialization. For more information, see [Domain Variables](https://docs.aws.amazon.com/mediatailor/latest/ug/variables-domain.html) .", - "DashConfiguration": "", + "DashConfiguration": "The configuration for a DASH source.", "HlsConfiguration": "The configuration for HLS content.", - "LivePreRollConfiguration": "", - "ManifestProcessingRules": "", - "Name": "", - "PersonalizationThresholdSeconds": "", - "SlateAdUrl": "", - "Tags": "", - "TranscodeProfileName": "", - "VideoContentSourceUrl": "" + "LivePreRollConfiguration": "The configuration for pre-roll ad insertion.", + "ManifestProcessingRules": "The configuration for manifest processing rules. Manifest processing rules enable customization of the personalized manifests created by MediaTailor.", + "Name": "The identifier for the playback configuration.", + "PersonalizationThresholdSeconds": "Defines the maximum duration of underfilled ad time (in seconds) allowed in an ad break. If the duration of underfilled ad time exceeds the personalization threshold, then the personalization of the ad break is abandoned and the underlying content is shown. This feature applies to *ad replacement* in live and VOD streams, rather than ad insertion, because it relies on an underlying content stream. For more information about ad break behavior, including ad replacement and insertion, see [Ad Behavior in AWS Elemental MediaTailor](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", + "SlateAdUrl": "The URL for a video asset to transcode and use to fill in time that's not used by ads. AWS Elemental MediaTailor shows the slate to fill in gaps in media content. Configuring the slate is optional for non-VPAID playback configurations. For VPAID, the slate is required because MediaTailor provides it in the slots designated for dynamic ad content. The slate must be a high-quality asset that contains both audio and video.", + "Tags": "The tags to assign to the playback configuration. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "TranscodeProfileName": "The name that is used to associate this playback configuration with a custom transcode profile. This overrides the dynamic transcoding defaults of MediaTailor. Use this only if you have already set up custom profiles with the help of AWS Support.", + "VideoContentSourceUrl": "The URL prefix for the parent manifest for the stream, minus the asset ID. The maximum length is 512 characters." }, "AWS::MediaTailor::PlaybackConfiguration AdMarkerPassthrough": { - "Enabled": "" + "Enabled": "Enables ad marker passthrough for your configuration." }, "AWS::MediaTailor::PlaybackConfiguration AvailSuppression": { - "Mode": "", - "Value": "" + "Mode": "Sets the ad suppression mode. By default, ad suppression is off and all ad breaks are filled with ads or slate. When Mode is set to `BEHIND_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks on or behind the ad suppression Value time in the manifest lookback window. When Mode is set to `AFTER_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks that are within the live edge plus the avail suppression value.", + "Value": "A live edge offset time in HH:MM:SS. MediaTailor won't fill ad breaks on or behind this time in the manifest lookback window. If Value is set to 00:00:00, it is in sync with the live edge, and MediaTailor won't fill any ad breaks on or behind the live edge. If you set a Value time, MediaTailor won't fill any ad breaks on or behind this time in the manifest lookback window. For example, if you set 00:45:00, then MediaTailor will fill ad breaks that occur within 45 minutes behind the live edge, but won't fill ad breaks on or behind 45 minutes behind the live edge." }, "AWS::MediaTailor::PlaybackConfiguration Bumper": { - "EndUrl": "", - "StartUrl": "" + "EndUrl": "The URL for the end bumper asset.", + "StartUrl": "The URL for the start bumper asset." }, "AWS::MediaTailor::PlaybackConfiguration CdnConfiguration": { - "AdSegmentUrlPrefix": "", - "ContentSegmentUrlPrefix": "" + "AdSegmentUrlPrefix": "A non-default content delivery network (CDN) to serve ad segments. By default, AWS Elemental MediaTailor uses Amazon CloudFront with default cache settings as its CDN for ad segments. To set up an alternate CDN, create a rule in your CDN for the origin ads.mediatailor. ** .amazonaws.com. Then specify the rule's name in this `AdSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for ad segments.", + "ContentSegmentUrlPrefix": "A content delivery network (CDN) to cache content segments, so that content requests don\u2019t always have to go to the origin server. First, create a rule in your CDN for the content segment origin server. Then specify the rule's name in this `ContentSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for content segments." }, "AWS::MediaTailor::PlaybackConfiguration DashConfiguration": { "ManifestEndpointPrefix": "The URL generated by MediaTailor to initiate a playback session. The session uses server-side reporting. This setting is ignored in PUT operations.", @@ -20991,17 +23312,71 @@ "ManifestEndpointPrefix": "The URL that is used to initiate a playback session for devices that support Apple HLS. The session uses server-side reporting." }, "AWS::MediaTailor::PlaybackConfiguration LivePreRollConfiguration": { - "AdDecisionServerUrl": "", - "MaxDurationSeconds": "" + "AdDecisionServerUrl": "The URL for the ad decision server (ADS) for pre-roll ads. This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing, you can provide a static VAST URL. The maximum length is 25,000 characters.", + "MaxDurationSeconds": "The maximum allowed duration for the pre-roll ad avail. AWS Elemental MediaTailor won't play pre-roll ads to exceed this duration, regardless of the total duration of ads that the ADS returns." }, "AWS::MediaTailor::PlaybackConfiguration ManifestProcessingRules": { - "AdMarkerPassthrough": "" + "AdMarkerPassthrough": "For HLS, when set to `true` , MediaTailor passes through `EXT-X-CUE-IN` , `EXT-X-CUE-OUT` , and `EXT-X-SPLICEPOINT-SCTE35` ad markers from the origin manifest to the MediaTailor personalized manifest.\n\nNo logic is applied to these ad markers. For example, if `EXT-X-CUE-OUT` has a value of `60` , but no ads are filled for that ad break, MediaTailor will not set the value to `0` ." + }, + "AWS::MediaTailor::PlaybackConfiguration Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaTailor::SourceLocation": { + "AccessConfiguration": "The access configuration for the source location.", + "DefaultSegmentDeliveryConfiguration": "The default segment delivery configuration.", + "HttpConfiguration": "The HTTP configuration for the source location.", + "SegmentDeliveryConfigurations": "The segment delivery configurations for the source location.", + "SourceLocationName": "The name of the source location.", + "Tags": "The tags assigned to the source location. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) ." + }, + "AWS::MediaTailor::SourceLocation AccessConfiguration": { + "AccessType": "The type of authentication used to access content from `HttpConfiguration::BaseUrl` on your source location. Accepted value: `S3_SIGV4` .\n\n`S3_SIGV4` - AWS Signature Version 4 authentication for Amazon S3 hosted virtual-style access. If your source location base URL is an Amazon S3 bucket, MediaTailor can use AWS Signature Version 4 (SigV4) authentication to access the bucket where your source content is stored. Your MediaTailor source location baseURL must follow the S3 virtual hosted-style request URL format. For example, https://bucket-name.s3.Region.amazonaws.com/key-name.\n\nBefore you can use `S3_SIGV4` , you must meet these requirements:\n\n\u2022 You must allow MediaTailor to access your S3 bucket by granting mediatailor.amazonaws.com principal access in IAM. For information about configuring access in IAM, see Access management in the IAM User Guide.\n\n\u2022 The mediatailor.amazonaws.com service principal must have permissions to read all top level manifests referenced by the VodSource packaging configurations.\n\n\u2022 The caller of the API must have s3:GetObject IAM permissions to read all top level manifests referenced by your MediaTailor VodSource packaging configurations.", + "SecretsManagerAccessTokenConfiguration": "AWS Secrets Manager access token configuration parameters." + }, + "AWS::MediaTailor::SourceLocation DefaultSegmentDeliveryConfiguration": { + "BaseUrl": "The hostname of the server that will be used to serve segments. This string must include the protocol, such as *https://* ." + }, + "AWS::MediaTailor::SourceLocation HttpConfiguration": { + "BaseUrl": "The base URL for the source location host server. This string must include the protocol, such as *https://* ." + }, + "AWS::MediaTailor::SourceLocation SecretsManagerAccessTokenConfiguration": { + "HeaderName": "The name of the HTTP header used to supply the access token in requests to the source location.", + "SecretArn": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the access token.", + "SecretStringKey": "The AWS Secrets Manager [SecretString](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html#SecretsManager-CreateSecret-request-SecretString.html) key associated with the access token. MediaTailor uses the key to look up SecretString key and value pair containing the access token." + }, + "AWS::MediaTailor::SourceLocation SegmentDeliveryConfiguration": { + "BaseUrl": "The base URL of the host or path of the segment delivery server that you're using to serve segments. This is typically a content delivery network (CDN). The URL can be absolute or relative. To use an absolute URL include the protocol, such as `https://example.com/some/path` . To use a relative URL specify the relative path, such as `/some/path*` .", + "Name": "A unique identifier used to distinguish between multiple segment delivery configurations in a source location." + }, + "AWS::MediaTailor::SourceLocation Tag": { + "Key": "", + "Value": "" + }, + "AWS::MediaTailor::VodSource": { + "HttpPackageConfigurations": "The HTTP package configurations for the VOD source.", + "SourceLocationName": "The name of the source location that the VOD source is associated with.", + "Tags": "The tags assigned to the VOD source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "VodSourceName": "The name of the VOD source." + }, + "AWS::MediaTailor::VodSource HttpPackageConfiguration": { + "Path": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "SourceGroup": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "Type": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` ." + }, + "AWS::MediaTailor::VodSource Tag": { + "Key": "", + "Value": "" }, "AWS::MemoryDB::ACL": { "ACLName": "The name of the Access Control List.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "UserNames": "The list of users that belong to the Access Control List." }, + "AWS::MemoryDB::ACL Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::MemoryDB::Cluster": { "ACLName": "The name of the Access Control List to associate with the cluster .", "AutoMinorVersionUpgrade": "When set to true, the cluster will automatically receive minor engine version upgrades after launch.", @@ -21033,6 +23408,10 @@ "Address": "The DNS hostname of the node.", "Port": "The port number that the engine is listening on." }, + "AWS::MemoryDB::Cluster Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::MemoryDB::ParameterGroup": { "Description": "A description of the parameter group.", "Family": "The name of the parameter group family that this parameter group is compatible with.", @@ -21040,12 +23419,20 @@ "Parameters": "Returns the detailed parameter list for the parameter group.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::MemoryDB::ParameterGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::MemoryDB::SubnetGroup": { "Description": "A description of the subnet group.", "SubnetGroupName": "The name of the subnet group to be used for the cluster .", "SubnetIds": "A list of Amazon VPC subnet IDs for the subnet group.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::MemoryDB::SubnetGroup Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." + }, "AWS::MemoryDB::User": { "AccessString": "Access permissions string used for this user.", "AuthenticationMode": "Denotes whether the user requires a password to authenticate.\n\n*Example:*\n\n`mynewdbuser: Type: AWS::MemoryDB::User Properties: AccessString: on ~* &* +@all AuthenticationMode: Passwords: '1234567890123456' Type: password UserName: mynewdbuser AuthenticationMode: { \"Passwords\": [\"1234567890123456\"], \"Type\": \"Password\" }`", @@ -21053,8 +23440,12 @@ "UserName": "The name of the user." }, "AWS::MemoryDB::User AuthenticationMode": { - "Passwords": "", - "Type": "" + "Passwords": "The password(s) used for authentication", + "Type": "Indicates whether the user requires a password to authenticate. All newly-created users require a password." + }, + "AWS::MemoryDB::User Tag": { + "Key": "The key for the tag. May not be null.", + "Value": "The tag's value. May be null." }, "AWS::Neptune::DBCluster": { "AssociatedRoles": "Provides a list of the Amazon Identity and Access Management (IAM) roles that are associated with the DB cluster. IAM roles that are associated with a DB cluster grant permission for the DB cluster to access other Amazon services on your behalf.", @@ -21064,12 +23455,14 @@ "DBClusterIdentifier": "Contains a user-supplied DB cluster identifier. This identifier is the unique key that identifies a DB cluster.", "DBClusterParameterGroupName": "Provides the name of the DB cluster parameter group.\n\nAn update may require some interruption. See [ModifyDBInstance](https://docs.aws.amazon.com/neptune/latest/userguide/api-instances.html#ModifyDBInstance) in the Amazon Neptune User Guide for more information.", "DBInstanceParameterGroupName": "The name of the DB parameter group to apply to all instances of the DB cluster. Used only in case of a major engine version upgrade request\n\nNote that when you apply a parameter group using `DBInstanceParameterGroupName` , parameter changes are applied immediately, not during the next maintenance window.\n\n**Constraints** - The DB parameter group must be in the same DB parameter group family as the target DB cluster version.\n- The `DBInstanceParameterGroupName` parameter is only valid for major engine version upgrades.", + "DBPort": "The port number on which the DB instances in the DB cluster accept connections.\n\nIf not specified, the default port used is `8182` .\n\n> The `Port` property will soon be deprecated. Please update existing templates to use the new `DBPort` property that has the same functionality.", "DBSubnetGroupName": "Specifies information on the subnet group associated with the DB cluster, including the name, description, and subnets in the subnet group.", "DeletionProtection": "Indicates whether or not the DB cluster has deletion protection enabled. The database can't be deleted when deletion protection is enabled.", "EnableCloudwatchLogsExports": "Specifies a list of log types that are enabled for export to CloudWatch Logs.", "EngineVersion": "Indicates the database engine version.", "IamAuthEnabled": "True if mapping of Amazon Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false.", "KmsKeyId": "If `StorageEncrypted` is true, the Amazon KMS key identifier for the encrypted DB cluster.", + "Port": "The port number on which the DB instances in the DB cluster accept connections.\n\nIf not specified, the default port used is `8182` .\n\n> This property will soon be deprecated. Please update existing templates to use the new `DBPort` property that has the same functionality.", "PreferredBackupWindow": "Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the `BackupRetentionPeriod` .\n\nAn update may require some interruption.", "PreferredMaintenanceWindow": "Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).", "RestoreToTime": "Creates a new DB cluster from a DB snapshot or DB cluster snapshot.\n\nIf a DB snapshot is specified, the target DB cluster is created from the source DB snapshot with a default configuration and default security group.\n\nIf a DB cluster snapshot is specified, the target DB cluster is created from the source DB cluster restore point with the same configuration as the original source DB cluster, except that the new DB cluster is created with the default security group.", @@ -21087,8 +23480,12 @@ "RoleArn": "The Amazon Resource Name (ARN) of the IAM role that is associated with the DB cluster." }, "AWS::Neptune::DBCluster ServerlessScalingConfiguration": { - "MaxCapacity": "", - "MinCapacity": "" + "MaxCapacity": "The maximum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 40, 40.5, 41, and so on.", + "MinCapacity": "The minimum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 8, 8.5, 9, and so on." + }, + "AWS::Neptune::DBCluster Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." }, "AWS::Neptune::DBClusterParameterGroup": { "Description": "Provides the customer-specified description for this DB cluster parameter group.", @@ -21097,6 +23494,10 @@ "Parameters": "The parameters to set for this DB cluster parameter group.\n\nThe parameters are expressed as a JSON object consisting of key-value pairs.\n\nIf you update the parameters, some interruption may occur depending on which parameters you update.", "Tags": "The tags that you want to attach to this parameter group." }, + "AWS::Neptune::DBClusterParameterGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::Neptune::DBInstance": { "AllowMajorVersionUpgrade": "Indicates that major version upgrades are allowed. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. This parameter must be set to true when specifying a value for the EngineVersion parameter that is a different major version than the DB instance's current version.\n\nWhen you change this parameter for an existing DB cluster, CloudFormation will replace your existing DB cluster with a new, empty one that uses the engine version you specified.", "AutoMinorVersionUpgrade": "Indicates that minor version patches are applied automatically.\n\nWhen updating this property, some interruptions may occur.", @@ -21110,6 +23511,10 @@ "PreferredMaintenanceWindow": "Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).", "Tags": "An arbitrary set of tags (key-value pairs) for this DB instance." }, + "AWS::Neptune::DBInstance Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::Neptune::DBParameterGroup": { "Description": "Provides the customer-specified description for this DB parameter group.", "Family": "Must be `neptune1` for engine versions prior to [1.2.0.0](https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases-1.2.0.0.html) , or `neptune1.2` for engine version `1.2.0.0` and higher.", @@ -21117,12 +23522,20 @@ "Parameters": "The parameters to set for this DB parameter group.\n\nThe parameters are expressed as a JSON object consisting of key-value pairs.\n\nChanges to dynamic parameters are applied immediately. During an update, if you have static parameters (whether they were changed or not), it triggers AWS CloudFormation to reboot the associated DB instance without failover.", "Tags": "The tags that you want to attach to this parameter group." }, + "AWS::Neptune::DBParameterGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::Neptune::DBSubnetGroup": { "DBSubnetGroupDescription": "Provides the description of the DB subnet group.", "DBSubnetGroupName": "The name of the DB subnet group.", "SubnetIds": "The Amazon EC2 subnet IDs for the DB subnet group.", "Tags": "The tags that you want to attach to the DB subnet group." }, + "AWS::Neptune::DBSubnetGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\")." + }, "AWS::NetworkFirewall::Firewall": { "DeleteProtection": "A flag indicating whether it is possible to delete the firewall. A setting of `TRUE` indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to `TRUE` .", "Description": "A description of the firewall.", @@ -21138,6 +23551,10 @@ "IPAddressType": "The subnet's IP address type. You can't change the IP address type after you create the subnet.", "SubnetId": "The unique identifier for the subnet." }, + "AWS::NetworkFirewall::Firewall Tag": { + "Key": "The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::NetworkFirewall::FirewallPolicy": { "Description": "A description of the firewall policy.", "FirewallPolicy": "The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.", @@ -21174,7 +23591,7 @@ "Dimensions": "" }, "AWS::NetworkFirewall::FirewallPolicy StatefulEngineOptions": { - "RuleOrder": "Indicates how to manage the order of stateful rule evaluation for the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", + "RuleOrder": "Indicates how to manage the order of stateful rule evaluation for the policy. `STRICT_ORDER` is the default and recommended option. With `STRICT_ORDER` , provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose `STRICT_ORDER` to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is `PASS` , followed by `DROP` , `REJECT` , and `ALERT` actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on your settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", "StreamExceptionPolicy": "Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.\n\n- `DROP` - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.\n- `CONTINUE` - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to `drop http` traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent\u2014a TCP-layer rule using a `flow:stateless` rule would still match, as would the `aws:drop_strict` default action.\n- `REJECT` - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic." }, "AWS::NetworkFirewall::FirewallPolicy StatefulRuleGroupOverride": { @@ -21189,6 +23606,10 @@ "Priority": "An integer setting that indicates the order in which to run the stateless rule groups in a single `FirewallPolicy` . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.", "ResourceArn": "The Amazon Resource Name (ARN) of the stateless rule group." }, + "AWS::NetworkFirewall::FirewallPolicy Tag": { + "Key": "The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::NetworkFirewall::LoggingConfiguration": { "FirewallArn": "The Amazon Resource Name (ARN) of the `Firewall` that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.", "FirewallName": "The name of the firewall that the logging configuration is associated with. You can't change the firewall specification after you create the logging configuration.", @@ -21266,7 +23687,7 @@ "ReferenceSets": "The reference sets for the stateful rule group.", "RuleVariables": "Settings that are available for use in the rules in the rule group. You can only use these for stateful rule groups.", "RulesSource": "The stateful rules or stateless rules for the rule group.", - "StatefulRuleOptions": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings." + "StatefulRuleOptions": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings. Some limitations apply; for more information, see [Strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html) in the *AWS Network Firewall Developer Guide* ." }, "AWS::NetworkFirewall::RuleGroup RuleOption": { "Keyword": "The Suricata rule option keywords. For Network Firewall , the keyword signature ID (sid) is required in the format `sid: 112233` . The sid must be unique within the rule group. For information about Suricata rule option keywords, see [Rule options](https://docs.aws.amazon.com/https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html#rule-options) .", @@ -21278,7 +23699,7 @@ }, "AWS::NetworkFirewall::RuleGroup RulesSource": { "RulesSourceList": "Stateful inspection criteria for a domain list rule group.", - "RulesString": "Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules. Suricata is an open-source network IPS that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.", + "RulesString": "Stateful inspection criteria, provided in Suricata compatible rules. Suricata is an open-source threat detection framework that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.\n\n> You can't use the `priority` keyword if the `RuleOrder` option in `StatefulRuleOptions` is set to `STRICT_ORDER` .", "StatefulRules": "An array of individual stateful rules inspection criteria to be used together in a stateful rule group. Use this option to specify simple Suricata rules with protocol, source and destination, ports, direction, and rule options. For information about the Suricata `Rules` format, see [Rules Format](https://docs.aws.amazon.com/https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html) .", "StatelessRulesAndCustomActions": "Stateless inspection criteria to be used in a stateless rule group." }, @@ -21307,11 +23728,15 @@ "Flags": "Used in conjunction with the `Masks` setting to define the flags that must be set and flags that must not be set in order for the packet to match. This setting can only specify values that are also specified in the `Masks` setting.\n\nFor the flags that are specified in the masks setting, the following must be true for the packet to match:\n\n- The ones that are set in this flags setting must be set in the packet.\n- The ones that are not set in this flags setting must also not be set in the packet.", "Masks": "The set of flags to consider in the inspection. To inspect all flags in the valid values list, leave this with no setting." }, + "AWS::NetworkFirewall::RuleGroup Tag": { + "Key": "The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::NetworkManager::ConnectAttachment": { "CoreNetworkId": "The ID of the core network where the Connect attachment is located.", "EdgeLocation": "The Region where the edge is located.", "Options": "Options for connecting an attachment.", - "ProposedSegmentChange": "", + "ProposedSegmentChange": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "Tags": "", "TransportAttachmentId": "The ID of the transport attachment." }, @@ -21323,12 +23748,17 @@ "SegmentName": "The name of the segment to change.", "Tags": "The list of key-value tags that changed for the segment." }, + "AWS::NetworkManager::ConnectAttachment Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::ConnectPeer": { - "BgpOptions": "", + "BgpOptions": "Describes the BGP options.", "ConnectAttachmentId": "The ID of the attachment to connect.", "CoreNetworkAddress": "The IP address of a core network.", "InsideCidrBlocks": "The inside IP addresses used for a Connect peer configuration.", "PeerAddress": "The IP address of the Connect peer.", + "SubnetArn": "The subnet ARN of the Connect peer.", "Tags": "The list of key-value tags associated with the Connect peer." }, "AWS::NetworkManager::ConnectPeer BgpOptions": { @@ -21347,6 +23777,10 @@ "PeerAddress": "The IP address of the Connect peer.", "Protocol": "The protocol used for a Connect peer configuration." }, + "AWS::NetworkManager::ConnectPeer Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::CoreNetwork": { "Description": "The description of a core network.", "GlobalNetworkId": "The ID of the global network that your core network is a part of.", @@ -21363,6 +23797,10 @@ "Name": "The name of a core network segment.", "SharedSegments": "The shared segments of a core network." }, + "AWS::NetworkManager::CoreNetwork Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::CustomerGatewayAssociation": { "CustomerGatewayArn": "The Amazon Resource Name (ARN) of the customer gateway.", "DeviceId": "The ID of the device.", @@ -21370,7 +23808,7 @@ "LinkId": "The ID of the link." }, "AWS::NetworkManager::Device": { - "AWSLocation": "", + "AWSLocation": "The AWS location of the device.", "Description": "A description of the device.\n\nConstraints: Maximum length of 256 characters.", "GlobalNetworkId": "The ID of the global network.", "Location": "The site location.", @@ -21382,18 +23820,28 @@ "Vendor": "The vendor of the device.\n\nConstraints: Maximum length of 128 characters." }, "AWS::NetworkManager::Device AWSLocation": { - "SubnetArn": "", - "Zone": "" + "SubnetArn": "The Amazon Resource Name (ARN) of the subnet that the device is located in.", + "Zone": "The Zone that the device is located in. Specify the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost." }, "AWS::NetworkManager::Device Location": { "Address": "The physical address.", "Latitude": "The latitude.", "Longitude": "The longitude." }, + "AWS::NetworkManager::Device Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::GlobalNetwork": { + "CreatedAt": "The date and time that the global network was created.", "Description": "A description of the global network.\n\nConstraints: Maximum length of 256 characters.", + "State": "The state of the global network.", "Tags": "The tags for the global network." }, + "AWS::NetworkManager::GlobalNetwork Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::Link": { "Bandwidth": "The bandwidth for the link.", "Description": "A description of the link.\n\nConstraints: Maximum length of 256 characters.", @@ -21407,6 +23855,10 @@ "DownloadSpeed": "Download speed in Mbps.", "UploadSpeed": "Upload speed in Mbps." }, + "AWS::NetworkManager::Link Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::LinkAssociation": { "DeviceId": "The device ID for the link association.", "GlobalNetworkId": "The ID of the global network.", @@ -21423,9 +23875,13 @@ "Latitude": "The latitude.", "Longitude": "The longitude." }, + "AWS::NetworkManager::Site Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::SiteToSiteVpnAttachment": { "CoreNetworkId": "", - "ProposedSegmentChange": "", + "ProposedSegmentChange": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "Tags": "", "VpnConnectionArn": "The ARN of the site-to-site VPN attachment." }, @@ -21434,11 +23890,19 @@ "SegmentName": "The name of the segment to change.", "Tags": "The list of key-value tags that changed for the segment." }, + "AWS::NetworkManager::SiteToSiteVpnAttachment Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::TransitGatewayPeering": { "CoreNetworkId": "The ID of the core network.", "Tags": "The list of key-value tags associated with the peering.", "TransitGatewayArn": "The ARN of the transit gateway." }, + "AWS::NetworkManager::TransitGatewayPeering Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::TransitGatewayRegistration": { "GlobalNetworkId": "The ID of the global network.", "TransitGatewayArn": "The Amazon Resource Name (ARN) of the transit gateway." @@ -21454,10 +23918,14 @@ "SegmentName": "The name of the segment to change.", "Tags": "The list of key-value tags that changed for the segment." }, + "AWS::NetworkManager::TransitGatewayRouteTableAttachment Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::VpcAttachment": { "CoreNetworkId": "The core network ID.", "Options": "Options for creating the VPC attachment.", - "ProposedSegmentChange": "", + "ProposedSegmentChange": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "SubnetArns": "The subnet ARNs.", "Tags": "The tags associated with the VPC attachment.", "VpcArn": "The ARN of the VPC attachment." @@ -21467,6 +23935,10 @@ "SegmentName": "The name of the segment to change.", "Tags": "The list of key-value tags that changed for the segment." }, + "AWS::NetworkManager::VpcAttachment Tag": { + "Key": "The tag key.\n\nConstraints: Maximum length of 128 characters.", + "Value": "The tag value.\n\nConstraints: Maximum length of 256 characters." + }, "AWS::NetworkManager::VpcAttachment VpcOptions": { "ApplianceModeSupport": "Indicates whether appliance mode is supported. If enabled, traffic flow between a source and destination use the same Availability Zone for the VPC attachment for the lifetime of that flow. The default value is `false` .", "Ipv6Support": "Indicates whether IPv6 is supported." @@ -21482,20 +23954,20 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::NimbleStudio::LaunchProfile StreamConfiguration": { - "AutomaticTerminationMode": "", + "AutomaticTerminationMode": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", "ClipboardMode": "Allows or deactivates the use of the system clipboard to copy and paste between the streaming session and streaming client.", "Ec2InstanceTypes": "The EC2 instance types that users can select from when launching a streaming session with this launch profile.", "MaxSessionLengthInMinutes": "The length of time, in minutes, that a streaming session can be active before it is stopped or terminated. After this point, Nimble Studio automatically terminates or stops the session. The default length of time is 690 minutes, and the maximum length of time is 30 days.", "MaxStoppedSessionLengthInMinutes": "Integer that determines if you can start and stop your sessions and how long a session can stay in the `STOPPED` state. The default value is 0. The maximum value is 5760.\n\nThis field is allowed only when `sessionPersistenceMode` is `ACTIVATED` and `automaticTerminationMode` is `ACTIVATED` .\n\nIf the value is set to 0, your sessions can\u2019t be `STOPPED` . If you then call `StopStreamingSession` , the session fails. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be terminated (instead of `STOPPED` ).\n\nIf the value is set to a positive number, the session can be stopped. You can call `StopStreamingSession` to stop sessions in the `READY` state. If the time that a session stays in the `READY` state exceeds the `maxSessionLengthInMinutes` value, the session will automatically be stopped (instead of terminated).", - "SessionBackup": "", - "SessionPersistenceMode": "", + "SessionBackup": "Information about the streaming session backup.", + "SessionPersistenceMode": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", "SessionStorage": "The upload storage for a streaming session.", "StreamingImageIds": "The streaming images that users can select from when launching a streaming session with this launch profile.", - "VolumeConfiguration": "" + "VolumeConfiguration": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` ." }, "AWS::NimbleStudio::LaunchProfile StreamConfigurationSessionBackup": { - "MaxBackupsToRetain": "", - "Mode": "" + "MaxBackupsToRetain": "The maximum number of backups that each streaming session created from this launch profile can have.", + "Mode": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` ." }, "AWS::NimbleStudio::LaunchProfile StreamConfigurationSessionStorage": { "Mode": "Allows artists to upload files to their workstations. The only valid option is `UPLOAD` .", @@ -21506,9 +23978,9 @@ "Windows": "The folder path in Windows workstations where files are uploaded." }, "AWS::NimbleStudio::LaunchProfile VolumeConfiguration": { - "Iops": "", - "Size": "", - "Throughput": "" + "Iops": "The number of I/O operations per second for the root volume that is attached to streaming session.", + "Size": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.", + "Throughput": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s." }, "AWS::NimbleStudio::StreamingImage": { "Description": "A human-readable description of the streaming image.", @@ -21518,8 +23990,8 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::NimbleStudio::StreamingImage StreamingImageEncryptionConfiguration": { - "KeyArn": "", - "KeyType": "" + "KeyArn": "The ARN for a KMS key that is used to encrypt studio data.", + "KeyType": "The type of KMS key that is used to encrypt studio data." }, "AWS::NimbleStudio::Studio": { "AdminRoleArn": "The IAM role that studio admins assume when logging in to the Nimble Studio portal.", @@ -21539,7 +24011,9 @@ "Ec2SecurityGroupIds": "The EC2 security groups that control access to the studio component.", "InitializationScripts": "Initialization scripts for studio components.", "Name": "A friendly name for the studio component resource.", + "RuntimeRoleArn": "An IAM role attached to a Studio Component that gives the studio component access to AWS resources at anytime while the instance is running.", "ScriptParameters": "Parameters for the studio component scripts.", + "SecureInitializationRoleArn": "An IAM role attached to Studio Component when the system initialization script runs which give the studio component access to AWS resources when the system initialization script runs.", "StudioId": "The unique identifier for a studio resource. In Nimble Studio , all other resources are contained in a studio resource.", "Subtype": "The specific subtype of a studio component.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", @@ -21594,12 +24068,16 @@ "VpcOptions": "Options that specify the subnets and security groups for an OpenSearch Ingestion VPC endpoint." }, "AWS::OSIS::Pipeline CloudWatchLogDestination": { - "LogGroup": "" + "LogGroup": "The name of the CloudWatch Logs group to send pipeline logs to. You can specify an existing log group or create a new one. For example, `/aws/OpenSearchService/IngestionService/my-pipeline` ." }, "AWS::OSIS::Pipeline LogPublishingOptions": { "CloudWatchLogDestination": "The destination for OpenSearch Ingestion logs sent to Amazon CloudWatch Logs. This parameter is required if `IsLoggingEnabled` is set to `true` .", "IsLoggingEnabled": "Whether logs should be published." }, + "AWS::OSIS::Pipeline Tag": { + "Key": "The tag key. Tag keys must be unique for the pipeline to which they are attached.", + "Value": "The value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key value pair in a tag set of `project : Trinity` and `cost-center : Trinity`" + }, "AWS::OSIS::Pipeline VpcEndpoint": { "VpcEndpointId": "The unique identifier of the endpoint.", "VpcId": "The ID for your VPC. AWS PrivateLink generates this value when you create a VPC.", @@ -21611,7 +24089,7 @@ }, "AWS::Oam::Link": { "LabelTemplate": "Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.\n\nYou can include the following variables in your template:\n\n- `$AccountName` is the name of the account\n- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as `mariagarcia@example.com`\n- `$AccountEmailNoDomain` is an email address without the domain name, such as `mariagarcia`", - "ResourceTypes": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace` .", + "ResourceTypes": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application` .", "SinkIdentifier": "The ARN of the sink in the monitoring account that you want to link to. You can use [ListSinks](https://docs.aws.amazon.com/OAM/latest/APIReference/API_ListSinks.html) to find the ARNs of sinks.", "Tags": "An array of key-value pairs to apply to the link.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, @@ -21657,13 +24135,14 @@ "AWS::Omics::RunGroup": { "MaxCpus": "The group's maximum CPU count setting.", "MaxDuration": "The group's maximum duration setting in minutes.", + "MaxGpus": "The maximum GPUs that can be used by a run group.", "MaxRuns": "The group's maximum concurrent run setting.", "Name": "The group's name.", "Tags": "Tags for the group." }, "AWS::Omics::SequenceStore": { "Description": "A description for the store.", - "FallbackLocation": "", + "FallbackLocation": "An S3 location that is used to store files that have failed a direct upload.", "Name": "A name for the store.", "SseConfig": "Server-side encryption (SSE) settings for the store.", "Tags": "Tags for the store." @@ -21687,6 +24166,7 @@ "Type": "The encryption type." }, "AWS::Omics::Workflow": { + "Accelerators": "", "DefinitionUri": "The URI of a definition for the workflow.", "Description": "The parameter's description.", "Engine": "An engine for the workflow.", @@ -21710,7 +24190,11 @@ "Description": "A description of the collection.", "Name": "The name of the collection.\n\nCollection names must meet the following criteria:\n\n- Starts with a lowercase letter\n- Unique to your account and AWS Region\n- Contains between 3 and 28 characters\n- Contains only lowercase letters a-z, the numbers 0-9, and the hyphen (-)", "Tags": "An arbitrary set of tags (key\u2013value pairs) to associate with the collection.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", - "Type": "The type of collection. Possible values are `SEARCH` and `TIMESERIES` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) ." + "Type": "The type of collection. Possible values are `SEARCH` , `TIMESERIES` , and `VECTORSEARCH` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) ." + }, + "AWS::OpenSearchServerless::Collection Tag": { + "Key": "The key to use in the tag.", + "Value": "The value of the tag." }, "AWS::OpenSearchServerless::SecurityConfig": { "Description": "The description of the security configuration.", @@ -21848,6 +24332,10 @@ "AWS::OpenSearchService::Domain SoftwareUpdateOptions": { "AutoSoftwareUpdateEnabled": "Specifies whether automatic service software updates are enabled for the domain." }, + "AWS::OpenSearchService::Domain Tag": { + "Key": "The tag key. Tag keys must be unique for the domain to which they are attached.", + "Value": "The value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key value pair in a tag set of `project : Trinity` and `cost-center : Trinity`" + }, "AWS::OpenSearchService::Domain VPCOptions": { "SecurityGroupIds": "The list of security group IDs that are associated with the VPC endpoints for the domain. If you don't provide a security group ID, OpenSearch Service uses the default security group for the VPC. To learn more, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon VPC User Guide* .", "SubnetIds": "Provide one subnet ID for each Availability Zone that your domain uses. For example, you must specify three subnet IDs for a three-AZ domain. To learn more, see [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon VPC User Guide* .\n\nIf you specify more than one subnet, you must also configure `ZoneAwarenessEnabled` and `ZoneAwarenessConfig` within [ClusterConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-clusterconfig.html) , otherwise you'll see the error \"You must specify exactly one subnet\" during template creation." @@ -21880,7 +24368,7 @@ }, "AWS::OpsWorks::App EnvironmentVariable": { "Key": "(Required) The environment variable's name, which can consist of up to 64 characters and must be specified. The name can contain upper- and lowercase letters, numbers, and underscores (_), but it must start with a letter or underscore.", - "Secure": "(Optional) Whether the variable's value is returned by the [DescribeApps](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeApps) action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", + "Secure": "(Optional) Whether the variable's value is returned by the `DescribeApps` action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", "Value": "(Optional) The environment variable's value, which can be left empty. If you specify a value, it can contain up to 256 characters, which must all be printable." }, "AWS::OpsWorks::App Source": { @@ -21901,7 +24389,7 @@ "LayerId": "The AWS OpsWorks layer ID to which the Elastic Load Balancing load balancer is attached." }, "AWS::OpsWorks::Instance": { - "AgentVersion": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.", + "AgentVersion": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.", "AmiId": "A custom AMI ID to be used to create the instance. The AMI should be based on one of the supported operating systems. For more information, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .\n\n> If you specify a custom AMI, you must set `Os` to `Custom` .", "Architecture": "The instance architecture. The default option is `x86_64` . Instance types do not necessarily support both architectures. For a list of the architectures that are supported by the different instance types, see [Instance Families and Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) .", "AutoScalingType": "For load-based or time-based instances, the type. Windows stacks can use only time-based instances.", @@ -21910,10 +24398,10 @@ "EbsOptimized": "Whether to create an Amazon EBS-optimized instance.", "ElasticIps": "A list of Elastic IP addresses to associate with the instance.", "Hostname": "The instance host name. The following are character limits for instance host names.\n\n- Linux-based instances: 63 characters\n- Windows-based instances: 15 characters", - "InstallUpdatesOnBoot": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", + "InstallUpdatesOnBoot": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", "InstanceType": "The instance type, such as `t2.micro` . For a list of supported instance types, open the stack in the console, choose *Instances* , and choose *+ Instance* . The *Size* list contains the currently supported types. For more information, see [Instance Families and Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) . The parameter values that you use to specify the various types are in the *API Name* column of the *Available Instance Types* table.", "LayerIds": "An array that contains the instance's layer IDs.", - "Os": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the [CreateInstance](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateInstance) action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", + "Os": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the `CreateInstance` action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", "RootDeviceType": "The instance root device type. For more information, see [Storage for the Root Device](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html#storage-for-the-root-device) .", "SshKeyName": "The instance's Amazon EC2 key-pair name.", "StackId": "The stack ID.", @@ -21954,7 +24442,7 @@ "CustomRecipes": "A `LayerCustomRecipes` object that specifies the layer custom recipes.", "CustomSecurityGroupIds": "An array containing the layer custom security group IDs.", "EnableAutoHealing": "Whether to disable auto healing for the layer.", - "InstallUpdatesOnBoot": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", + "InstallUpdatesOnBoot": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", "LifecycleEventConfiguration": "A `LifeCycleEventConfiguration` object that you can use to configure the Shutdown event to specify an execution timeout and enable or disable Elastic Load Balancer connection draining.", "LoadBasedAutoScaling": "The load-based scaling configuration for the AWS OpsWorks layer.", "Name": "The layer name, which is used by the console. Layer names can be a maximum of 32 characters.", @@ -21993,6 +24481,10 @@ "DelayUntilElbConnectionsDrained": "Whether to enable Elastic Load Balancing connection draining. For more information, see [Connection Draining](https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#conn-drain)", "ExecutionTimeout": "The time, in seconds, that AWS OpsWorks Stacks waits after triggering a Shutdown event before shutting down an instance." }, + "AWS::OpsWorks::Layer Tag": { + "Key": "", + "Value": "" + }, "AWS::OpsWorks::Layer VolumeConfiguration": { "Encrypted": "Specifies whether an Amazon EBS volume is encrypted. For more information, see [Amazon EBS Encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) .", "Iops": "The number of I/O operations per second (IOPS) to provision for the volume. For PIOPS volumes, the IOPS per disk.\n\nIf you specify `io1` for the volume type, you must specify this property.", @@ -22003,7 +24495,7 @@ "VolumeType": "The volume type. For more information, see [Amazon EBS Volume Types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) .\n\n- `standard` - Magnetic. Magnetic volumes must have a minimum size of 1 GiB and a maximum size of 1024 GiB.\n- `io1` - Provisioned IOPS (SSD). PIOPS volumes must have a minimum size of 4 GiB and a maximum size of 16384 GiB.\n- `gp2` - General Purpose (SSD). General purpose volumes must have a minimum size of 1 GiB and a maximum size of 16384 GiB.\n- `st1` - Throughput Optimized hard disk drive (HDD). Throughput optimized HDD volumes must have a minimum size of 500 GiB and a maximum size of 16384 GiB.\n- `sc1` - Cold HDD. Cold HDD volumes must have a minimum size of 500 GiB and a maximum size of 16384 GiB." }, "AWS::OpsWorks::Stack": { - "AgentVersion": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", + "AgentVersion": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", "Attributes": "One or more user-defined key-value pairs to be added to the stack attributes.", "ChefConfiguration": "A `ChefConfiguration` object that specifies whether to enable Berkshelf and the Berkshelf version on Chef 11.10 stacks. For more information, see [Create a New Stack](https://docs.aws.amazon.com/opsworks/latest/userguide/workingstacks-creating.html) .", "CloneAppIds": "If you're cloning an AWS OpsWorks stack, a list of AWS OpsWorks application stack IDs from the source stack to include in the cloned stack.", @@ -22054,6 +24546,10 @@ "Name": "The name. This parameter must be set to `Chef` .", "Version": "The Chef version. This parameter must be set to 12, 11.10, or 11.4 for Linux stacks, and to 12.2 for Windows stacks. The default value for Linux stacks is 12." }, + "AWS::OpsWorks::Stack Tag": { + "Key": "", + "Value": "" + }, "AWS::OpsWorks::UserProfile": { "AllowSelfManagement": "Whether users can specify their own SSH public key through the My Settings page. For more information, see [Managing User Permissions](https://docs.aws.amazon.com/opsworks/latest/userguide/security-settingsshkey.html) .", "IamUserArn": "The user's IAM ARN.", @@ -22092,21 +24588,33 @@ "Name": "The name of the engine attribute.\n\n*Attribute name for Chef Automate servers:*\n\n- `CHEF_AUTOMATE_ADMIN_PASSWORD`\n\n*Attribute names for Puppet Enterprise servers:*\n\n- `PUPPET_ADMIN_PASSWORD`\n- `PUPPET_R10K_REMOTE`\n- `PUPPET_R10K_PRIVATE_KEY`", "Value": "The value of the engine attribute.\n\n*Attribute value for Chef Automate servers:*\n\n- `CHEF_AUTOMATE_PIVOTAL_KEY` : A base64-encoded RSA public key. The corresponding private key is required to access the Chef API. You can generate this key by running the following [OpenSSL](https://docs.aws.amazon.com/https://www.openssl.org/) command on Linux-based computers.\n\n`openssl genrsa -out *pivotal_key_file_name* .pem 2048`\n\nOn Windows-based computers, you can use the PuTTYgen utility to generate a base64-encoded RSA private key. For more information, see [PuTTYgen - Key Generator for PuTTY on Windows](https://docs.aws.amazon.com/https://www.ssh.com/ssh/putty/windows/puttygen) on SSH.com.\n\n*Attribute values for Puppet Enterprise servers:*\n\n- `PUPPET_ADMIN_PASSWORD` : An administrator password that you can use to sign in to the Puppet Enterprise console webpage after the server is online. The password must use between 8 and 32 ASCII characters.\n- `PUPPET_R10K_REMOTE` : The r10k remote is the URL of your control repository (for example, ssh://git@your.git-repo.com:user/control-repo.git). Specifying an r10k remote opens TCP port 8170.\n- `PUPPET_R10K_PRIVATE_KEY` : If you are using a private Git repository, add `PUPPET_R10K_PRIVATE_KEY` to specify a PEM-encoded private SSH key." }, + "AWS::OpsWorksCM::Server Tag": { + "Key": "A tag key, such as `Stage` or `Name` . A tag key cannot be empty. The key can be a maximum of 127 characters, and can contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`", + "Value": "An optional tag value, such as `Production` or `test-owcm-server` . The value can be a maximum of 255 characters, and contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`" + }, "AWS::Organizations::Account": { "AccountName": "The account name given to the account when it was created.", "Email": "The email address associated with the AWS account.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) for this parameter is a string of characters that represents a standard internet email address.", "ParentIds": "The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the `ParentId` defaults to the root ID.\n\nThis parameter only accepts a string array with one string value.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) for a parent ID string requires one of the following:\n\n- *Root* - A string that begins with \"r-\" followed by from 4 to 32 lowercase letters or digits.\n- *Organizational unit (OU)* - A string that begins with \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.", - "RoleName": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Accessing and Administering the Member Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [Tutorial: Delegate Access Across AWS accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", + "RoleName": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Creating the OrganizationAccountAccessRole in an invited member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", "Tags": "A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null` . For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the AWS Organizations User Guide.\n\n> If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created." }, + "AWS::Organizations::Account Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::Organizations::Organization": { - "FeatureSet": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide.*\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` ." + "FeatureSet": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide* .\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` ." }, "AWS::Organizations::OrganizationalUnit": { "Name": "The friendly name of this OU.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter is a string of any of the characters in the ASCII character range.", "ParentId": "The unique identifier (ID) of the parent root or OU that you want to create the new OU in.\n\n> To update the `ParentId` parameter value, you must first remove all accounts attached to the organizational unit (OU). OUs can't be moved within the organization with accounts still attached. \n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) for a parent ID string requires one of the following:\n\n- *Root* - A string that begins with \"r-\" followed by from 4 to 32 lowercase letters or digits.\n- *Organizational unit (OU)* - A string that begins with \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.", "Tags": "A list of tags that you want to attach to the newly created OU. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null` . For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the AWS Organizations User Guide.\n\n> If any one of the tags is not valid or if you exceed the allowed number of tags for an OU, then the entire request fails and the OU is not created." }, + "AWS::Organizations::OrganizationalUnit Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::Organizations::Policy": { "Content": "The policy text content. You can specify the policy content as a JSON object or a JSON string.\n\n> When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead. \n\nThe text that you supply must adhere to the rules of the policy type you specify in the `Type` parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:\n\n- Service control policies: 5,120 bytes *(not characters)*\n- AI services opt-out policies: 2,500 characters\n- Backup policies: 10,000 characters\n- Tag policies: 10,000 characters\n\nFor more information about Organizations service quotas, see [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) in the *AWS Organizations User Guide* .", "Description": "Human readable description of the policy.", @@ -22115,10 +24623,244 @@ "TargetIds": "List of unique identifiers (IDs) of the root, OU, or account that you want to attach the policy to. You can get the ID by calling the [ListRoots](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListRoots.html) , [ListOrganizationalUnitsForParent](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListOrganizationalUnitsForParent.html) , or [ListAccounts](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html) operations. If you don't specify this parameter, the policy is created but not attached to any organization resource.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) for a target ID string requires one of the following:\n\n- *Root* - A string that begins with \"r-\" followed by from 4 to 32 lowercase letters or digits.\n- *Account* - A string that consists of exactly 12 digits.\n- *Organizational unit (OU)* - A string that begins with \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.", "Type": "The type of policy to create." }, + "AWS::Organizations::Policy Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::Organizations::ResourcePolicy": { "Content": "The policy text of the organization resource policy. You can specify the resource policy content as a JSON object or a JSON string.\n\n> When you specify the resource policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the resource policy content as a JSON object instead.", "Tags": "A list of tags that you want to attach to the newly created resource policy. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null` . For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the *AWS Organizations User Guide* .\n\n> If any one of the tags is not valid or if you exceed the allowed number of tags for the resource policy, then the entire request fails and the resource policy is not created." }, + "AWS::Organizations::ResourcePolicy Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, + "AWS::PCAConnectorAD::Connector": { + "CertificateAuthorityArn": "The Amazon Resource Name (ARN) of the certificate authority being used.", + "DirectoryId": "The identifier of the Active Directory.", + "Tags": "Metadata assigned to a connector consisting of a key-value pair.", + "VpcInformation": "Information of the VPC and security group(s) used with the connector." + }, + "AWS::PCAConnectorAD::Connector VpcInformation": { + "SecurityGroupIds": "The security groups used with the connector. You can use a maximum of 4 security groups with a connector." + }, + "AWS::PCAConnectorAD::DirectoryRegistration": { + "DirectoryId": "The identifier of the Active Directory.", + "Tags": "Metadata assigned to a directory registration consisting of a key-value pair." + }, + "AWS::PCAConnectorAD::ServicePrincipalName": { + "ConnectorArn": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "DirectoryRegistrationArn": "The Amazon Resource Name (ARN) that was returned when you called [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html) ." + }, + "AWS::PCAConnectorAD::Template": { + "ConnectorArn": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "Definition": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "Name": "Name of the templates. Template names must be unique.", + "ReenrollAllCertificateHolders": "This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.", + "Tags": "Metadata assigned to a template consisting of a key-value pair." + }, + "AWS::PCAConnectorAD::Template ApplicationPolicies": { + "Critical": "Marks the application policy extension as critical.", + "Policies": "Application policies describe what the certificate can be used for." + }, + "AWS::PCAConnectorAD::Template ApplicationPolicy": { + "PolicyObjectIdentifier": "The object identifier (OID) of an application policy.", + "PolicyType": "The type of application policy" + }, + "AWS::PCAConnectorAD::Template CertificateValidity": { + "RenewalPeriod": "Renewal period is the period of time before certificate expiration when a new certificate will be requested.", + "ValidityPeriod": "Information describing the end of the validity period of the certificate. This parameter sets the \u201cNot After\u201d date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value." + }, + "AWS::PCAConnectorAD::Template EnrollmentFlagsV2": { + "EnableKeyReuseOnNtTokenKeysetStorageFull": "Allow renewal using the same key.", + "IncludeSymmetricAlgorithms": "Include symmetric algorithms allowed by the subject.", + "NoSecurityExtension": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "RemoveInvalidCertificateFromPersonalStore": "Delete expired or revoked certificates instead of archiving them.", + "UserInteractionRequired": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used." + }, + "AWS::PCAConnectorAD::Template EnrollmentFlagsV3": { + "EnableKeyReuseOnNtTokenKeysetStorageFull": "Allow renewal using the same key.", + "IncludeSymmetricAlgorithms": "Include symmetric algorithms allowed by the subject.", + "NoSecurityExtension": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "RemoveInvalidCertificateFromPersonalStore": "Delete expired or revoked certificates instead of archiving them.", + "UserInteractionRequired": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used." + }, + "AWS::PCAConnectorAD::Template EnrollmentFlagsV4": { + "EnableKeyReuseOnNtTokenKeysetStorageFull": "Allow renewal using the same key.", + "IncludeSymmetricAlgorithms": "Include symmetric algorithms allowed by the subject.", + "NoSecurityExtension": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "RemoveInvalidCertificateFromPersonalStore": "Delete expired or revoked certificates instead of archiving them.", + "UserInteractionRequired": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used." + }, + "AWS::PCAConnectorAD::Template ExtensionsV2": { + "ApplicationPolicies": "Application policies specify what the certificate is used for and its purpose.", + "KeyUsage": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate." + }, + "AWS::PCAConnectorAD::Template ExtensionsV3": { + "ApplicationPolicies": "Application policies specify what the certificate is used for and its purpose.", + "KeyUsage": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate." + }, + "AWS::PCAConnectorAD::Template ExtensionsV4": { + "ApplicationPolicies": "Application policies specify what the certificate is used for and its purpose.", + "KeyUsage": "The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate." + }, + "AWS::PCAConnectorAD::Template GeneralFlagsV2": { + "AutoEnrollment": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "MachineType": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users." + }, + "AWS::PCAConnectorAD::Template GeneralFlagsV3": { + "AutoEnrollment": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "MachineType": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users" + }, + "AWS::PCAConnectorAD::Template GeneralFlagsV4": { + "AutoEnrollment": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "MachineType": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users" + }, + "AWS::PCAConnectorAD::Template KeyUsage": { + "Critical": "Sets the key usage extension to critical.", + "UsageFlags": "The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate." + }, + "AWS::PCAConnectorAD::Template KeyUsageFlags": { + "DataEncipherment": "DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.", + "DigitalSignature": "The digitalSignature is asserted when the subject public key is used for verifying digital signatures.", + "KeyAgreement": "KeyAgreement is asserted when the subject public key is used for key agreement.", + "KeyEncipherment": "KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.", + "NonRepudiation": "NonRepudiation is asserted when the subject public key is used to verify digital signatures." + }, + "AWS::PCAConnectorAD::Template KeyUsageProperty": { + "PropertyFlags": "You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.", + "PropertyType": "You can specify all key usages using property type ALL. You can use property type or property flags but not both." + }, + "AWS::PCAConnectorAD::Template KeyUsagePropertyFlags": { + "Decrypt": "Allows key for encryption and decryption.", + "KeyAgreement": "Allows key exchange without encryption.", + "Sign": "Allow key use for digital signature." + }, + "AWS::PCAConnectorAD::Template PrivateKeyAttributesV2": { + "CryptoProviders": "Defines the cryptographic providers used to generate the private key.", + "KeySpec": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "MinimalKeyLength": "Set the minimum key length of the private key." + }, + "AWS::PCAConnectorAD::Template PrivateKeyAttributesV3": { + "Algorithm": "Defines the algorithm used to generate the private key.", + "CryptoProviders": "Defines the cryptographic providers used to generate the private key.", + "KeySpec": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "KeyUsageProperty": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "MinimalKeyLength": "Set the minimum key length of the private key." + }, + "AWS::PCAConnectorAD::Template PrivateKeyAttributesV4": { + "Algorithm": "Defines the algorithm used to generate the private key.", + "CryptoProviders": "Defines the cryptographic providers used to generate the private key.", + "KeySpec": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "KeyUsageProperty": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "MinimalKeyLength": "Set the minimum key length of the private key." + }, + "AWS::PCAConnectorAD::Template PrivateKeyFlagsV2": { + "ClientVersion": "Defines the minimum client compatibility.", + "ExportableKey": "Allows the private key to be exported.", + "StrongKeyProtectionRequired": "Require user input when using the private key for enrollment." + }, + "AWS::PCAConnectorAD::Template PrivateKeyFlagsV3": { + "ClientVersion": "Defines the minimum client compatibility.", + "ExportableKey": "Allows the private key to be exported.", + "RequireAlternateSignatureAlgorithm": "Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "StrongKeyProtectionRequired": "Requirer user input when using the private key for enrollment." + }, + "AWS::PCAConnectorAD::Template PrivateKeyFlagsV4": { + "ClientVersion": "Defines the minimum client compatibility.", + "ExportableKey": "Allows the private key to be exported.", + "RequireAlternateSignatureAlgorithm": "Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "RequireSameKeyRenewal": "Renew certificate using the same private key.", + "StrongKeyProtectionRequired": "Require user input when using the private key for enrollment.", + "UseLegacyProvider": "Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers." + }, + "AWS::PCAConnectorAD::Template SubjectNameFlagsV2": { + "RequireCommonName": "Include the common name in the subject name.", + "RequireDirectoryPath": "Include the directory path in the subject name.", + "RequireDnsAsCn": "Include the DNS as common name in the subject name.", + "RequireEmail": "Include the subject's email in the subject name.", + "SanRequireDirectoryGuid": "Include the globally unique identifier (GUID) in the subject alternate name.", + "SanRequireDns": "Include the DNS in the subject alternate name.", + "SanRequireDomainDns": "Include the domain DNS in the subject alternate name.", + "SanRequireEmail": "Include the subject's email in the subject alternate name.", + "SanRequireSpn": "Include the service principal name (SPN) in the subject alternate name.", + "SanRequireUpn": "Include the user principal name (UPN) in the subject alternate name." + }, + "AWS::PCAConnectorAD::Template SubjectNameFlagsV3": { + "RequireCommonName": "Include the common name in the subject name.", + "RequireDirectoryPath": "Include the directory path in the subject name.", + "RequireDnsAsCn": "Include the DNS as common name in the subject name.", + "RequireEmail": "Include the subject's email in the subject name.", + "SanRequireDirectoryGuid": "Include the globally unique identifier (GUID) in the subject alternate name.", + "SanRequireDns": "Include the DNS in the subject alternate name.", + "SanRequireDomainDns": "Include the domain DNS in the subject alternate name.", + "SanRequireEmail": "Include the subject's email in the subject alternate name.", + "SanRequireSpn": "Include the service principal name (SPN) in the subject alternate name.", + "SanRequireUpn": "Include the user principal name (UPN) in the subject alternate name." + }, + "AWS::PCAConnectorAD::Template SubjectNameFlagsV4": { + "RequireCommonName": "Include the common name in the subject name.", + "RequireDirectoryPath": "Include the directory path in the subject name.", + "RequireDnsAsCn": "Include the DNS as common name in the subject name.", + "RequireEmail": "Include the subject's email in the subject name.", + "SanRequireDirectoryGuid": "Include the globally unique identifier (GUID) in the subject alternate name.", + "SanRequireDns": "Include the DNS in the subject alternate name.", + "SanRequireDomainDns": "Include the domain DNS in the subject alternate name.", + "SanRequireEmail": "Include the subject's email in the subject alternate name.", + "SanRequireSpn": "Include the service principal name (SPN) in the subject alternate name.", + "SanRequireUpn": "Include the user principal name (UPN) in the subject alternate name." + }, + "AWS::PCAConnectorAD::Template TemplateDefinition": { + "TemplateV2": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "TemplateV3": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "TemplateV4": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings." + }, + "AWS::PCAConnectorAD::Template TemplateV2": { + "CertificateValidity": "Certificate validity describes the validity and renewal periods of a certificate.", + "EnrollmentFlags": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "Extensions": "Extensions describe the key usage extensions and application policies for a template.", + "GeneralFlags": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "PrivateKeyAttributes": "Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.", + "PrivateKeyFlags": "Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.", + "SubjectNameFlags": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "SupersededTemplates": "List of templates in Active Directory that are superseded by this template." + }, + "AWS::PCAConnectorAD::Template TemplateV3": { + "CertificateValidity": "Certificate validity describes the validity and renewal periods of a certificate.", + "EnrollmentFlags": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "Extensions": "Extensions describe the key usage extensions and application policies for a template.", + "GeneralFlags": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "HashAlgorithm": "Specifies the hash algorithm used to hash the private key.", + "PrivateKeyAttributes": "Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.", + "PrivateKeyFlags": "Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.", + "SubjectNameFlags": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "SupersededTemplates": "List of templates in Active Directory that are superseded by this template." + }, + "AWS::PCAConnectorAD::Template TemplateV4": { + "CertificateValidity": "Certificate validity describes the validity and renewal periods of a certificate.", + "EnrollmentFlags": "Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.", + "Extensions": "Extensions describe the key usage extensions and application policies for a template.", + "GeneralFlags": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "HashAlgorithm": "Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.", + "PrivateKeyAttributes": "Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.", + "PrivateKeyFlags": "Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.", + "SubjectNameFlags": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "SupersededTemplates": "List of templates in Active Directory that are superseded by this template." + }, + "AWS::PCAConnectorAD::Template ValidityPeriod": { + "Period": "The numeric value for the validity period.", + "PeriodType": "The unit of time. You can select hours, days, weeks, months, and years." + }, + "AWS::PCAConnectorAD::TemplateGroupAccessControlEntry": { + "AccessRights": "Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template.", + "GroupDisplayName": "Name of the Active Directory group. This name does not need to match the group name in Active Directory.", + "GroupSecurityIdentifier": "Security identifier (SID) of the group object from Active Directory. The SID starts with \"S-\".", + "TemplateArn": "The Amazon Resource Name (ARN) that was returned when you called [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html) ." + }, + "AWS::PCAConnectorAD::TemplateGroupAccessControlEntry AccessRights": { + "AutoEnroll": "Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment", + "Enroll": "Allow or deny an Active Directory group from enrolling certificates issued against a template." + }, "AWS::Panorama::ApplicationInstance": { "ApplicationInstanceIdToReplace": "The ID of an application instance to replace with the new instance.", "DefaultRuntimeContextDevice": "The device's ID.", @@ -22135,17 +24877,25 @@ "AWS::Panorama::ApplicationInstance ManifestPayload": { "PayloadData": "The application manifest." }, + "AWS::Panorama::ApplicationInstance Tag": { + "Key": "", + "Value": "" + }, "AWS::Panorama::Package": { "PackageName": "A name for the package.", - "StorageLocation": "", + "StorageLocation": "A storage location.", "Tags": "Tags for the package." }, "AWS::Panorama::Package StorageLocation": { - "BinaryPrefixLocation": "", - "Bucket": "", - "GeneratedPrefixLocation": "", - "ManifestPrefixLocation": "", - "RepoPrefixLocation": "" + "BinaryPrefixLocation": "The location's binary prefix.", + "Bucket": "The location's bucket.", + "GeneratedPrefixLocation": "The location's generated prefix.", + "ManifestPrefixLocation": "The location's manifest prefix.", + "RepoPrefixLocation": "The location's repo prefix." + }, + "AWS::Panorama::Package Tag": { + "Key": "", + "Value": "" }, "AWS::Panorama::PackageVersion": { "MarkLatest": "Whether to mark the new version as the latest version.", @@ -22157,13 +24907,13 @@ }, "AWS::Personalize::Dataset": { "DatasetGroupArn": "The Amazon Resource Name (ARN) of the dataset group.", - "DatasetImportJob": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset.", + "DatasetImportJob": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset. If you specify a dataset import job as part of a dataset, all dataset import job fields are required.", "DatasetType": "One of the following values:\n\n- Interactions\n- Items\n- Users", "Name": "The name of the dataset.", "SchemaArn": "The ARN of the associated schema." }, "AWS::Personalize::Dataset DataSource": { - "DataLocation": "" + "DataLocation": "The path to the Amazon S3 bucket where the data that you want to upload to your dataset is stored. For example:\n\n`s3://bucket-name/folder-name/`" }, "AWS::Personalize::Dataset DatasetImportJob": { "DataSource": "The Amazon S3 bucket that contains the training data to import.", @@ -22176,7 +24926,7 @@ "Domain": "The domain of a Domain dataset group.", "KmsKeyArn": "The Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key used to encrypt the datasets.", "Name": "The name of the dataset group.", - "RoleArn": "The ARN of the IAM role that has permissions to create the dataset group." + "RoleArn": "The ARN of the AWS Identity and Access Management (IAM) role that has permissions to access the AWS Key Management Service (KMS) key. Supplying an IAM role is only valid when also specifying a KMS key." }, "AWS::Personalize::Schema": { "Domain": "The domain of a schema that you created for a dataset in a Domain dataset group.", @@ -22193,44 +24943,44 @@ "SolutionConfig": "Describes the configuration properties for the solution." }, "AWS::Personalize::Solution AlgorithmHyperParameterRanges": { - "CategoricalHyperParameterRanges": "", - "ContinuousHyperParameterRanges": "", - "IntegerHyperParameterRanges": "" + "CategoricalHyperParameterRanges": "Provides the name and range of a categorical hyperparameter.", + "ContinuousHyperParameterRanges": "Provides the name and range of a continuous hyperparameter.", + "IntegerHyperParameterRanges": "Provides the name and range of an integer-valued hyperparameter." }, "AWS::Personalize::Solution AutoMLConfig": { - "MetricName": "", - "RecipeList": "" + "MetricName": "The metric to optimize.", + "RecipeList": "The list of candidate recipes." }, "AWS::Personalize::Solution CategoricalHyperParameterRange": { - "Name": "", - "Values": "" + "Name": "The name of the hyperparameter.", + "Values": "A list of the categories for the hyperparameter." }, "AWS::Personalize::Solution ContinuousHyperParameterRange": { - "MaxValue": "", - "MinValue": "", - "Name": "" + "MaxValue": "The maximum allowable value for the hyperparameter.", + "MinValue": "The minimum allowable value for the hyperparameter.", + "Name": "The name of the hyperparameter." }, "AWS::Personalize::Solution HpoConfig": { - "AlgorithmHyperParameterRanges": "", - "HpoObjective": "", - "HpoResourceConfig": "" + "AlgorithmHyperParameterRanges": "The hyperparameters and their allowable ranges.", + "HpoObjective": "The metric to optimize during HPO.\n\n> Amazon Personalize doesn't support configuring the `hpoObjective` at this time.", + "HpoResourceConfig": "Describes the resource configuration for HPO." }, "AWS::Personalize::Solution HpoObjective": { - "MetricName": "", - "MetricRegex": "", - "Type": "" + "MetricName": "The name of the metric.", + "MetricRegex": "A regular expression for finding the metric in the training job logs.", + "Type": "The type of the metric. Valid values are `Maximize` and `Minimize` ." }, "AWS::Personalize::Solution HpoResourceConfig": { - "MaxNumberOfTrainingJobs": "", - "MaxParallelTrainingJobs": "" + "MaxNumberOfTrainingJobs": "The maximum number of training jobs when you create a solution version. The maximum value for `maxNumberOfTrainingJobs` is `40` .", + "MaxParallelTrainingJobs": "The maximum number of parallel training jobs when you create a solution version. The maximum value for `maxParallelTrainingJobs` is `10` ." }, "AWS::Personalize::Solution IntegerHyperParameterRange": { - "MaxValue": "", - "MinValue": "", - "Name": "" + "MaxValue": "The maximum allowable value for the hyperparameter.", + "MinValue": "The minimum allowable value for the hyperparameter.", + "Name": "The name of the hyperparameter." }, "AWS::Personalize::Solution SolutionConfig": { - "AlgorithmHyperParameters": "Lists the hyperparameter names and ranges.", + "AlgorithmHyperParameters": "Lists the algorithm hyperparameters and their values.", "AutoMLConfig": "The [AutoMLConfig](https://docs.aws.amazon.com/personalize/latest/dg/API_AutoMLConfig.html) object containing a list of recipes to search when AutoML is performed.", "EventValueThreshold": "Only events with a value greater than or equal to this threshold are used for training a model.", "FeatureTransformationParameters": "Lists the feature transformation parameters.", @@ -22293,7 +25043,7 @@ "AWS::Pinpoint::ApplicationSettings": { "ApplicationId": "The unique identifier for the Amazon Pinpoint application.", "CampaignHook": "The settings for the Lambda function to use by default as a code hook for campaigns in the application. To override these settings for a specific campaign, use the Campaign resource to define custom Lambda function settings for the campaign.", - "CloudWatchMetricsEnabled": "Specifies whether to enable application-related alarms in Amazon CloudWatch.", + "CloudWatchMetricsEnabled": "", "Limits": "The default sending limits for campaigns in the application. To override these limits for a specific campaign, use the Campaign resource to define custom limits for the campaign.", "QuietTime": "The default quiet time for campaigns in the application. Quiet time is a specific time range when campaigns don't send messages to endpoints, if all the following conditions are met:\n\n- The `EndpointDemographic.Timezone` property of the endpoint is set to a valid value.\n\n- The current time in the endpoint's time zone is later than or equal to the time specified by the `QuietTime.Start` property for the application (or a campaign that has custom quiet time settings).\n\n- The current time in the endpoint's time zone is earlier than or equal to the time specified by the `QuietTime.End` property for the application (or a campaign that has custom quiet time settings).\n\nIf any of the preceding conditions isn't met, the endpoint will receive messages from a campaign, even if quiet time is enabled.\n\nTo override the default quiet time settings for a specific campaign, use the Campaign resource to define a custom quiet time for the campaign." }, @@ -22327,20 +25077,16 @@ "HoldoutPercent": "The allocated percentage of users (segment members) who shouldn't receive messages from the campaign.", "IsPaused": "Specifies whether to pause the campaign. A paused campaign doesn't run unless you resume it by changing this value to `false` . If you restart a campaign, the campaign restarts from the beginning and not at the point you paused it. If a campaign is running it will complete and then pause. Pause only pauses or skips the next run for a recurring future scheduled campaign. A campaign scheduled for immediate can't be paused.", "Limits": "The messaging limits for the campaign.", - "MessageConfiguration": "The message configuration settings for the campaign.", + "MessageConfiguration": "The message configuration settings for the treatment.", "Name": "The name of the campaign.", "Priority": "An integer between 1 and 5, inclusive, that represents the priority of the in-app message campaign, where 1 is the highest priority and 5 is the lowest. If there are multiple messages scheduled to be displayed at the same time, the priority determines the order in which those messages are displayed.", - "Schedule": "The schedule settings for the campaign.", + "Schedule": "The schedule settings for the treatment.", "SegmentId": "The unique identifier for the segment to associate with the campaign.", "SegmentVersion": "The version of the segment to associate with the campaign.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "TemplateConfiguration": "The message template to use for the treatment.", - "TreatmentDescription": "A custom description of the default treatment for the campaign.", - "TreatmentName": "A custom name of the default treatment for the campaign, if the campaign has multiple treatments. A *treatment* is a variation of a campaign that's used for A/B testing." - }, - "AWS::Pinpoint::Campaign AttributeDimension": { - "AttributeType": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "Values": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values." + "TreatmentDescription": "A custom description of the treatment.", + "TreatmentName": "A custom name for the treatment." }, "AWS::Pinpoint::Campaign CampaignCustomMessage": { "Data": "The raw, JSON-formatted string to use as the payload for the message. The maximum size is 5 KB." @@ -22446,10 +25192,6 @@ "InAppMessage": "The default message for the in-app messaging channel. This message overrides the default message ( `DefaultMessage` ).", "SMSMessage": "The message that the campaign sends through the SMS channel. If specified, this message overrides the default message." }, - "AWS::Pinpoint::Campaign MetricDimension": { - "ComparisonOperator": "The operator to use when comparing metric values. Valid values are: `GREATER_THAN` , `LESS_THAN` , `GREATER_THAN_OR_EQUAL` , `LESS_THAN_OR_EQUAL` , and `EQUAL` .", - "Value": "The value to compare." - }, "AWS::Pinpoint::Campaign OverrideButtonConfiguration": { "ButtonAction": "The action that occurs when a recipient chooses a button in an in-app message. You can specify one of the following:\n\n- `LINK` \u2013 A link to a web destination.\n- `DEEP_LINK` \u2013 A link to a specific page in an application.\n- `CLOSE` \u2013 Dismisses the message.", "Link": "The destination (such as a URL) for a button." @@ -22570,7 +25312,7 @@ "GCM": "The message template to use for the GCM channel, which is used to send notifications through the Firebase Cloud Messaging (FCM), formerly Google Cloud Messaging (GCM), service. This message template overrides the default template for push notification channels ( `Default` ).", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "TemplateDescription": "A custom description of the message template.", - "TemplateName": "The name of the message template." + "TemplateName": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template." }, "AWS::Pinpoint::PushTemplate APNSPushNotificationTemplate": { "Action": "The action to occur if a recipient taps a push notification that's based on the message template. Valid values are:\n\n- `OPEN_APP` \u2013 Your app opens or it becomes the foreground app if it was sent to the background. This is the default action.\n- `DEEP_LINK` \u2013 Your app opens and displays a designated user interface in the app. This setting uses the deep-linking features of the iOS platform.\n- `URL` \u2013 The default mobile browser on the recipient's device opens and loads the web page at a URL that you specify.", @@ -22605,15 +25347,11 @@ }, "AWS::Pinpoint::Segment": { "ApplicationId": "The unique identifier for the Amazon Pinpoint application that the segment is associated with.", - "Dimensions": "The criteria that define the dimensions for the segment.", + "Dimensions": "An array that defines the dimensions for the segment.", "Name": "The name of the segment.\n\n> A segment must have a name otherwise it will not appear in the Amazon Pinpoint console.", "SegmentGroups": "The segment group to use and the dimensions to apply to the group's base segments in order to build the segment. A segment group can consist of zero or more base segments. Your request can include only one segment group.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, - "AWS::Pinpoint::Segment AttributeDimension": { - "AttributeType": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "Values": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values." - }, "AWS::Pinpoint::Segment Behavior": { "Recency": "Specifies how recently segment members were active." }, @@ -22672,7 +25410,7 @@ "DefaultSubstitutions": "A JSON object that specifies the default values to use for message variables in the message template. This object is a set of key-value pairs. Each key defines a message variable in the template. The corresponding value defines the default value for that variable. When you create a message that's based on the template, you can override these defaults with message-specific and address-specific variables and values.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "TemplateDescription": "A custom description of the message template.", - "TemplateName": "The name of the message template." + "TemplateName": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template." }, "AWS::Pinpoint::VoiceChannel": { "ApplicationId": "The unique identifier for the Amazon Pinpoint application that the voice channel applies to.", @@ -22804,7 +25542,7 @@ "Weight": "The weight value designates the relative percentage of the total number of tasks launched that should use the specified capacity provider. The weight value is taken into consideration after the base value, if defined, is satisfied." }, "AWS::Pipes::Pipe DeadLetterConfig": { - "Arn": "The ARN of the Amazon SQS queue specified as the target for the dead-letter queue." + "Arn": "The ARN of the specified target for the dead-letter queue.\n\nFor Amazon Kinesis stream and Amazon DynamoDB stream sources, specify either an Amazon SNS topic or Amazon SQS queue ARN." }, "AWS::Pipes::Pipe EcsContainerOverride": { "Command": "The command to send to the container that overrides the default command from the Docker image or the task definition. You must also specify a container name.", @@ -22911,7 +25649,7 @@ "KinesisStreamParameters": "The parameters for using a Kinesis stream as a source.", "ManagedStreamingKafkaParameters": "The parameters for using an MSK stream as a source.", "RabbitMQBrokerParameters": "The parameters for using a Rabbit MQ broker as a source.", - "SelfManagedKafkaParameters": "The parameters for using a self-managed Apache Kafka stream as a source.", + "SelfManagedKafkaParameters": "The parameters for using a stream as a source.", "SqsQueueParameters": "The parameters for using a Amazon SQS stream as a source." }, "AWS::Pipes::Pipe PipeSourceRabbitMQBrokerParameters": { @@ -23038,14 +25776,22 @@ "SecurityGroup": "Specifies the security groups associated with the stream. These security groups must all be in the same VPC. You can specify as many as five security groups. If you do not specify a security group, the default security group for the VPC is used.", "Subnets": "Specifies the subnets associated with the stream. These subnets must all be in the same VPC. You can specify as many as 16 subnets." }, + "AWS::Pipes::Pipe Tag": { + "Key": "The key of the key-value pair.", + "Value": "The value of the key-value pair." + }, "AWS::Proton::EnvironmentAccountConnection": { - "CodebuildRoleArn": "The Amazon Resource Name (ARN) of an IAM service role in the environment account. AWS Proton uses this role to provision infrastructure resources using CodeBuild-based provisioning in the associated environment account.", - "ComponentRoleArn": "The Amazon Resource Name (ARN) of the IAM service role that AWS Proton uses when provisioning directly defined components in the associated environment account. It determines the scope of infrastructure that a component can provision in the account.\n\nThe environment account connection must have a `componentRoleArn` to allow directly defined components to be associated with any environments running in the account.\n\nFor more information about components, see [AWS Proton components](https://docs.aws.amazon.com/proton/latest/userguide/ag-components.html) in the *AWS Proton User Guide* .", + "CodebuildRoleArn": "The Amazon Resource Name (ARN) of an service role in the environment account. uses this role to provision infrastructure resources using CodeBuild-based provisioning in the associated environment account.", + "ComponentRoleArn": "The Amazon Resource Name (ARN) of the service role that uses when provisioning directly defined components in the associated environment account. It determines the scope of infrastructure that a component can provision in the account.\n\nThe environment account connection must have a `componentRoleArn` to allow directly defined components to be associated with any environments running in the account.", "EnvironmentAccountId": "The environment account that's connected to the environment account connection.", "EnvironmentName": "The name of the environment that's associated with the environment account connection.", "ManagementAccountId": "The ID of the management account that's connected to the environment account connection.", "RoleArn": "The IAM service role that's associated with the environment account connection.", - "Tags": "An optional list of metadata items that you can associate with the AWS Proton environment account connection. A tag is a key-value pair.\n\nFor more information, see [AWS Proton resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *AWS Proton User Guide* ." + "Tags": "An optional list of metadata items that you can associate with the environment account connection. A tag is a key-value pair.\n\nFor more information, see [resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *User Guide* ." + }, + "AWS::Proton::EnvironmentAccountConnection Tag": { + "Key": "The key of the resource tag.", + "Value": "The value of the resource tag." }, "AWS::Proton::EnvironmentTemplate": { "Description": "A description of the environment template.", @@ -23053,7 +25799,11 @@ "EncryptionKey": "The customer provided encryption key for the environment template.", "Name": "The name of the environment template.", "Provisioning": "When included, indicates that the environment template is for customer provisioned and managed infrastructure.", - "Tags": "An optional list of metadata items that you can associate with the AWS Proton environment template. A tag is a key-value pair.\n\nFor more information, see [AWS Proton resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *AWS Proton User Guide* ." + "Tags": "An optional list of metadata items that you can associate with the environment template. A tag is a key-value pair.\n\nFor more information, see [resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *User Guide* ." + }, + "AWS::Proton::EnvironmentTemplate Tag": { + "Key": "The key of the resource tag.", + "Value": "The value of the resource tag." }, "AWS::Proton::ServiceTemplate": { "Description": "A description of the service template.", @@ -23063,6 +25813,10 @@ "PipelineProvisioning": "If `pipelineProvisioning` is `true` , a service pipeline is included in the service template. Otherwise, a service pipeline *isn't* included in the service template.", "Tags": "An object that includes the template bundle S3 bucket path and name for the new version of a service template." }, + "AWS::Proton::ServiceTemplate Tag": { + "Key": "The key of the resource tag.", + "Value": "The value of the resource tag." + }, "AWS::QLDB::Ledger": { "DeletionProtection": "Specifies whether the ledger is protected from being deleted by any user. If not defined during ledger creation, this feature is enabled ( `true` ) by default.\n\nIf deletion protection is enabled, you must first disable it before you can delete the ledger. You can disable it by calling the `UpdateLedger` operation to set this parameter to `false` .", "KmsKey": "The key in AWS Key Management Service ( AWS KMS ) to use for encryption of data at rest in the ledger. For more information, see [Encryption at rest](https://docs.aws.amazon.com/qldb/latest/developerguide/encryption-at-rest.html) in the *Amazon QLDB Developer Guide* .\n\nUse one of the following options to specify this parameter:\n\n- `AWS_OWNED_KMS_KEY` : Use an AWS KMS key that is owned and managed by AWS on your behalf.\n- *Undefined* : By default, use an AWS owned KMS key.\n- *A valid symmetric customer managed KMS key* : Use the specified symmetric encryption KMS key in your account that you create, own, and manage.\n\nAmazon QLDB does not support asymmetric keys. For more information, see [Using symmetric and asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .\n\nTo specify a customer managed KMS key, you can use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with `\"alias/\"` . To specify a key in a different AWS account , you must use the key ARN or alias ARN.\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Alias name: `alias/ExampleAlias`\n- Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`\n\nFor more information, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", @@ -23070,6 +25824,10 @@ "PermissionsMode": "The permissions mode to assign to the ledger that you want to create. This parameter can have one of the following values:\n\n- `ALLOW_ALL` : A legacy permissions mode that enables access control with API-level granularity for ledgers.\n\nThis mode allows users who have the `SendCommand` API permission for this ledger to run all PartiQL commands (hence, `ALLOW_ALL` ) on any tables in the specified ledger. This mode disregards any table-level or command-level IAM permissions policies that you create for the ledger.\n- `STANDARD` : ( *Recommended* ) A permissions mode that enables access control with finer granularity for ledgers, tables, and PartiQL commands.\n\nBy default, this mode denies all user requests to run any PartiQL commands on any tables in this ledger. To allow PartiQL commands to run, you must create IAM permissions policies for specific table resources and PartiQL actions, in addition to the `SendCommand` API permission for the ledger. For information, see [Getting started with the standard permissions mode](https://docs.aws.amazon.com/qldb/latest/developerguide/getting-started-standard-mode.html) in the *Amazon QLDB Developer Guide* .\n\n> We strongly recommend using the `STANDARD` permissions mode to maximize the security of your ledger data.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::QLDB::Ledger Tag": { + "Key": "", + "Value": "" + }, "AWS::QLDB::Stream": { "ExclusiveEndTime": "The exclusive date and time that specifies when the stream ends. If you don't define this parameter, the stream runs indefinitely until you cancel it.\n\nThe `ExclusiveEndTime` must be in `ISO 8601` date and time format and in Universal Coordinated Time (UTC). For example: `2019-06-13T21:36:34Z` .", "InclusiveStartTime": "The inclusive start date and time from which to start streaming journal data. This parameter must be in `ISO 8601` date and time format and in Universal Coordinated Time (UTC). For example: `2019-06-13T21:36:34Z` .\n\nThe `InclusiveStartTime` cannot be in the future and must be before `ExclusiveEndTime` .\n\nIf you provide an `InclusiveStartTime` that is before the ledger's `CreationDateTime` , QLDB effectively defaults it to the ledger's `CreationDateTime` .", @@ -23083,6 +25841,10 @@ "AggregationEnabled": "Enables QLDB to publish multiple data records in a single Kinesis Data Streams record, increasing the number of records sent per API call.\n\nDefault: `True`\n\n> Record aggregation has important implications for processing records and requires de-aggregation in your stream consumer. To learn more, see [KPL Key Concepts](https://docs.aws.amazon.com/streams/latest/dev/kinesis-kpl-concepts.html) and [Consumer De-aggregation](https://docs.aws.amazon.com/streams/latest/dev/kinesis-kpl-consumer-deaggregation.html) in the *Amazon Kinesis Data Streams Developer Guide* .", "StreamArn": "The Amazon Resource Name (ARN) of the Kinesis Data Streams resource." }, + "AWS::QLDB::Stream Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Analysis": { "AnalysisId": "The ID for the analysis that you're creating. This ID displays in the URL of the analysis.", "AwsAccountId": "The ID of the AWS account where you are creating an analysis.", @@ -23093,9 +25855,11 @@ "SourceEntity": "A source entity to use for the analysis that you're creating. This metadata structure contains details that describe a source template and one or more datasets.\n\nEither a `SourceEntity` or a `Definition` must be provided in order for the request to be valid.", "Status": "Status associated with the analysis.", "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the analysis.", - "ThemeArn": "The ARN for the theme to apply to the analysis that you're creating. To see the theme in the Amazon QuickSight console, make sure that you have access to it." + "ThemeArn": "The ARN for the theme to apply to the analysis that you're creating. To see the theme in the Amazon QuickSight console, make sure that you have access to it.", + "ValidationStrategy": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors." }, "AWS::QuickSight::Analysis AggregationFunction": { + "AttributeAggregationFunction": "Aggregation for attributes.", "CategoricalAggregationFunction": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", "DateAggregationFunction": "Aggregation for date values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.\n- `MIN` : Select the smallest date value.\n- `MAX` : Select the largest date value.", "NumericalAggregationFunction": "Aggregation for numerical values." @@ -23148,6 +25912,10 @@ "AWS::QuickSight::Analysis ArcOptions": { "ArcThickness": "The arc thickness of a `GaugeChartVisual` ." }, + "AWS::QuickSight::Analysis AttributeAggregationFunction": { + "SimpleAttributeAggregation": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "ValueForMultipleValues": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'." + }, "AWS::QuickSight::Analysis AxisDataOptions": { "DateAxisOptions": "The options for an axis with a date field.", "NumericAxisOptions": "The options for an axis with a numeric field." @@ -23349,7 +26117,11 @@ "Colors": "Determines the list of colors that are applied to the visual.", "NullValueColor": "Determines the color that is applied to null values." }, + "AWS::QuickSight::Analysis ColorsConfiguration": { + "CustomColors": "A list of up to 50 custom colors." + }, "AWS::QuickSight::Analysis ColumnConfiguration": { + "ColorsConfiguration": "The color configurations of the column.", "Column": "The column.", "FormatConfiguration": "The format configuration of a column.", "Role": "The role of the column." @@ -23496,6 +26268,11 @@ "URLTarget": "The target of the `CustomActionURLOperation` .\n\nValid values are defined as follows:\n\n- `NEW_TAB` : Opens the target URL in a new browser tab.\n- `NEW_WINDOW` : Opens the target URL in a new browser window.\n- `SAME_TAB` : Opens the target URL in the same browser tab.", "URLTemplate": "THe URL link of the `CustomActionURLOperation` ." }, + "AWS::QuickSight::Analysis CustomColor": { + "Color": "The color that is applied to the data value.", + "FieldValue": "The data value that the color is applied to.", + "SpecialValue": "The value of a special data value." + }, "AWS::QuickSight::Analysis CustomContentConfiguration": { "ContentType": "The content type of the custom content visual. You can use this to have the visual render as an image.", "ContentUrl": "The input URL that links to the custom content that you want in the custom visual.", @@ -23583,7 +26360,11 @@ "Direction": "Determines the sort direction.", "SortPaths": "The list of data paths that need to be sorted." }, + "AWS::QuickSight::Analysis DataPathType": { + "PivotTableDataPathType": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` ." + }, "AWS::QuickSight::Analysis DataPathValue": { + "DataPathType": "The type configuration of the field.", "FieldId": "The field ID of the field that needs to be sorted.", "FieldValue": "The actual value of the field that needs to be sorted." }, @@ -23638,6 +26419,7 @@ }, "AWS::QuickSight::Analysis DateTimePickerControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Analysis DateTimeValueWhenUnsetConfiguration": { @@ -23712,6 +26494,7 @@ "TimeRangeFilter": "The time range drill down filter. This filter is used for date time columns." }, "AWS::QuickSight::Analysis DropDownControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SelectAllOptions": "The configuration of the `Select all` options in a dropdown control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -23846,6 +26629,7 @@ "AWS::QuickSight::Analysis FilterListConfiguration": { "CategoryValues": "The list of category values for the filter.", "MatchOperator": "The match operator that is used to determine if a filter should be applied.", + "NullOption": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", "SelectAllOptions": "Select all of the values. Null is not the assigned value of select all.\n\n- `FILTER_ALL_VALUES`" }, "AWS::QuickSight::Analysis FilterListControl": { @@ -23872,6 +26656,7 @@ "Title": "The title of the `FilterTextAreaControl` ." }, "AWS::QuickSight::Analysis FilterScopeConfiguration": { + "AllSheets": "The configuration for applying a filter to all sheets.", "SelectedSheets": "The configuration for applying a filter to specific sheets." }, "AWS::QuickSight::Analysis FilterSelectableValues": { @@ -24242,10 +27027,20 @@ "ItemsLimit": "The limit on how many items of a field are showed in the chart. For example, the number of slices that are displayed in a pie chart.", "OtherCategories": "The `Show other` of an axis in the chart. Choose one of the following options:\n\n- `INCLUDE`\n- `EXCLUDE`" }, + "AWS::QuickSight::Analysis KPIActualValueConditionalFormatting": { + "Icon": "The conditional formatting of the actual value's icon.", + "TextColor": "The conditional formatting of the actual value's text color." + }, + "AWS::QuickSight::Analysis KPIComparisonValueConditionalFormatting": { + "Icon": "The conditional formatting of the comparison value's icon.", + "TextColor": "The conditional formatting of the comparison value's text color." + }, "AWS::QuickSight::Analysis KPIConditionalFormatting": { "ConditionalFormattingOptions": "The conditional formatting options of a KPI visual." }, "AWS::QuickSight::Analysis KPIConditionalFormattingOption": { + "ActualValue": "The conditional formatting for the actual value of a KPI visual.", + "ComparisonValue": "The conditional formatting for the comparison value of a KPI visual.", "PrimaryValue": "The conditional formatting for the primary value of a KPI visual.", "ProgressBar": "The conditional formatting for the progress bar of a KPI visual." }, @@ -24266,7 +27061,9 @@ "ProgressBar": "The options that determine the presentation of the progress bar of a KPI visual.", "SecondaryValue": "The options that determine the presentation of the secondary value of a KPI visual.", "SecondaryValueFontConfiguration": "The options that determine the secondary value font configuration.", - "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual." + "Sparkline": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual.", + "VisualLayoutOptions": "The options that determine the layout a KPI visual." }, "AWS::QuickSight::Analysis KPIPrimaryValueConditionalFormatting": { "Icon": "The conditional formatting of the primary value's icon.", @@ -24278,6 +27075,12 @@ "AWS::QuickSight::Analysis KPISortConfiguration": { "TrendGroupSort": "The sort configuration of the trend group fields." }, + "AWS::QuickSight::Analysis KPISparklineOptions": { + "Color": "The color of the sparkline.", + "TooltipVisibility": "The tooltip visibility of the sparkline.", + "Type": "The type of the sparkline.", + "Visibility": "The visibility of the sparkline." + }, "AWS::QuickSight::Analysis KPIVisual": { "Actions": "The list of custom actions that are configured for a visual.", "ChartConfiguration": "The configuration of a KPI visual.", @@ -24287,6 +27090,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers." }, + "AWS::QuickSight::Analysis KPIVisualLayoutOptions": { + "StandardLayout": "The standard layout of the KPI visual." + }, + "AWS::QuickSight::Analysis KPIVisualStandardLayout": { + "Type": "The standard layout type." + }, "AWS::QuickSight::Analysis LabelOptions": { "CustomLabel": "The text for the label.", "FontConfiguration": "The font configuration of the label.", @@ -24378,6 +27187,7 @@ "MissingDataConfigurations": "The configuration options that determine how missing data is treated during the rendering of a line chart." }, "AWS::QuickSight::Analysis ListControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SearchOptions": "The configuration of the search options in a list control.", "SelectAllOptions": "The configuration of the `Select all` options in a list control.", "TitleOptions": "The options to configure the title visibility, name, and font size." @@ -24725,10 +27535,13 @@ "CollapsedRowDimensionsVisibility": "The visibility setting of a pivot table's collapsed row dimension fields. If the value of this structure is `HIDDEN` , all collapsed columns in a pivot table are automatically hidden. The default value is `VISIBLE` .", "ColumnHeaderStyle": "The table cell style of the column header.", "ColumnNamesVisibility": "The visibility of the column names.", + "DefaultCellWidth": "The default cell width of the pivot table.", "MetricPlacement": "The metric placement (row, column) options.", "RowAlternateColorOptions": "The row alternate color options (widget status, row alternate colors).", "RowFieldNamesStyle": "The table cell style of row field names.", "RowHeaderStyle": "The table cell style of the row headers.", + "RowsLabelOptions": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "RowsLayout": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", "SingleMetricVisibility": "The visibility of the single metric options.", "ToggleButtonsVisibility": "Determines the visibility of the pivot table." }, @@ -24736,6 +27549,10 @@ "OverflowColumnHeaderVisibility": "The visibility of the repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of the printing table overflow across pages." }, + "AWS::QuickSight::Analysis PivotTableRowsLabelOptions": { + "CustomLabel": "The custom label string for the rows label.", + "Visibility": "The visibility of the rows label." + }, "AWS::QuickSight::Analysis PivotTableSortBy": { "Column": "The column sort (field id, direction) for the pivot table sort by options.", "DataPath": "The data path sort (data path value, direction) for the pivot table sort by options.", @@ -24763,6 +27580,7 @@ "MetricHeaderCellStyle": "The cell styling options for the total of header cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation options for each value field.", "TotalCellStyle": "The cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells.", "ValueCellStyle": "The cell styling options for the totals of value cells." @@ -24833,8 +27651,9 @@ "CustomLabel": "The string text of the custom label." }, "AWS::QuickSight::Analysis ReferenceLineDataConfiguration": { - "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "DynamicConfiguration": "The dynamic configuration of the reference line data configuration.", + "SeriesType": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", "StaticConfiguration": "The static data configuration of the reference line data configuration." }, "AWS::QuickSight::Analysis ReferenceLineDynamicDataConfiguration": { @@ -24863,6 +27682,7 @@ }, "AWS::QuickSight::Analysis RelativeDateTimeControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Analysis RelativeDatesFilter": { @@ -24888,7 +27708,8 @@ }, "AWS::QuickSight::Analysis RowAlternateColorOptions": { "RowAlternateColors": "Determines the list of row alternate colors.", - "Status": "Determines the widget status." + "Status": "Determines the widget status.", + "UsePrimaryBackgroundColor": "The primary background color options for alternate rows." }, "AWS::QuickSight::Analysis SameSheetTargetVisualConfiguration": { "TargetVisualOptions": "The options that choose the target visual in the same sheet.\n\nValid values are defined as follows:\n\n- `ALL_VISUALS` : Applies the filter operation to all visuals in the same sheet.", @@ -25008,6 +27829,10 @@ "Name": "The name of a sheet. This name is displayed on the sheet's tab in the Amazon QuickSight console.", "SheetId": "The unique identifier associated with a sheet." }, + "AWS::QuickSight::Analysis SheetControlInfoIconLabelOptions": { + "InfoIconText": "The text content of info icon.", + "Visibility": "The visibility configuration of info icon label options." + }, "AWS::QuickSight::Analysis SheetControlLayout": { "Configuration": "The configuration that determines the elements and canvas size options of sheet control." }, @@ -25051,12 +27876,19 @@ "Color": "The color of the simple cluster marker." }, "AWS::QuickSight::Analysis SliderControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, + "AWS::QuickSight::Analysis SmallMultiplesAxisProperties": { + "Placement": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "Scale": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` ." + }, "AWS::QuickSight::Analysis SmallMultiplesOptions": { "MaxVisibleColumns": "Sets the maximum number of visible columns to display in the grid of small multiples panels.\n\nThe default is `Auto` , which automatically adjusts the columns in the grid to fit the overall layout and size of the given chart.", "MaxVisibleRows": "Sets the maximum number of visible rows to display in the grid of small multiples panels.\n\nThe default value is `Auto` , which automatically adjusts the rows in the grid to fit the overall layout and size of the given chart.", - "PanelConfiguration": "Configures the display options for each small multiples panel." + "PanelConfiguration": "Configures the display options for each small multiples panel.", + "XAxis": "The properties of a small multiples X axis.", + "YAxis": "The properties of a small multiples Y axis." }, "AWS::QuickSight::Analysis Spacing": { "Bottom": "Define the bottom spacing.", @@ -25092,6 +27924,7 @@ "FieldLevel": "The field level (all, custom, last) for the subtotal cells.", "FieldLevelOptions": "The optional configuration of subtotal cells.", "MetricHeaderCellStyle": "The cell styling options for the subtotals of header cells.", + "StyleTargets": "The style targets options for subtotals.", "TotalCellStyle": "The cell styling options for the subtotal cells.", "TotalsVisibility": "The visibility configuration for the subtotal cells.", "ValueCellStyle": "The cell styling options for the subtotals of value cells." @@ -25164,8 +27997,9 @@ "Width": "The width for a table field." }, "AWS::QuickSight::Analysis TableFieldOptions": { - "Order": "The order of field IDs of the field options for a table visual.", - "SelectedFieldOptions": "The selected field options for the table field options." + "Order": "The order of the field IDs that are configured as field options for a table visual.", + "PinnedFieldOptions": "The settings for the pinned columns of a table visual.", + "SelectedFieldOptions": "The field options to be configured to a table." }, "AWS::QuickSight::Analysis TableFieldURLConfiguration": { "ImageConfiguration": "The image configuration of a table field URL.", @@ -25188,6 +28022,9 @@ "OverflowColumnHeaderVisibility": "The visibility of repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of printing table overflow across pages." }, + "AWS::QuickSight::Analysis TablePinnedFieldOptions": { + "PinnedLeftFields": "A list of columns to be pinned to the left of a table visual." + }, "AWS::QuickSight::Analysis TableRowConditionalFormatting": { "BackgroundColor": "The conditional formatting color (solid, gradient) of the background for a table row.", "TextColor": "The conditional formatting color (solid, gradient) of the text for a table row." @@ -25204,6 +28041,9 @@ "PaginationConfiguration": "The pagination configuration (page size, page number) for the table.", "RowSort": "The field sort options for rows in the table." }, + "AWS::QuickSight::Analysis TableStyleTarget": { + "CellType": "The cell type of the table style target." + }, "AWS::QuickSight::Analysis TableUnaggregatedFieldWells": { "Values": "The values field well for a pivot table. Values are unaggregated for an unaggregated table." }, @@ -25215,7 +28055,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers.." }, + "AWS::QuickSight::Analysis Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Analysis TextAreaControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text area control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -25228,6 +28073,7 @@ "Visibility": "The visibility configuration of the placeholder options in a text control." }, "AWS::QuickSight::Analysis TextFieldControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text field control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -25246,9 +28092,10 @@ "AWS::QuickSight::Analysis TimeEqualityFilter": { "Column": "The column that the filter is applied to.", "FilterId": "An identifier that uniquely identifies a filter within a dashboard, analysis, or template.", - "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", + "RollingDate": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values.", - "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` ." + "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` ." }, "AWS::QuickSight::Analysis TimeRangeDrillDownFilter": { "Column": "The column that the filter is applied to.", @@ -25312,10 +28159,18 @@ "Name": "The name of a computation.", "Value": "The value field that is used in a computation." }, + "AWS::QuickSight::Analysis TotalAggregationFunction": { + "SimpleTotalAggregationFunction": "A built in aggregation function for total values." + }, + "AWS::QuickSight::Analysis TotalAggregationOption": { + "FieldId": "The field id that's associated with the total aggregation option.", + "TotalAggregationFunction": "The total aggregation function that you want to set for a specified field id." + }, "AWS::QuickSight::Analysis TotalOptions": { "CustomLabel": "The custom label string for the total cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation settings for each value field.", "TotalCellStyle": "Cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells." }, @@ -25363,6 +28218,9 @@ "ComputationId": "The ID for a computation.", "Name": "The name of a computation." }, + "AWS::QuickSight::Analysis ValidationStrategy": { + "Mode": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors." + }, "AWS::QuickSight::Analysis VisibleRangeOptions": { "PercentRange": "The percent range in the visible range." }, @@ -25504,12 +28362,14 @@ "SourceEntity": "The entity that you are using as a source when you create the dashboard. In `SourceEntity` , you specify the type of object that you want to use. You can only create a dashboard from a template, so you use a `SourceTemplate` entity. If you need to create a dashboard from an analysis, first convert the analysis to a template by using the `CreateTemplate` API operation. For `SourceTemplate` , specify the Amazon Resource Name (ARN) of the source template. The `SourceTemplate` ARN can contain any AWS account; and any QuickSight-supported AWS Region .\n\nUse the `DataSetReferences` entity within `SourceTemplate` to list the replacement datasets for the placeholders listed in the original. The schema in each dataset must match its placeholder.", "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the dashboard.", "ThemeArn": "The Amazon Resource Name (ARN) of the theme that is being used for this dashboard. If you add a value for this field, it overrides the value that is used in the source entity. The theme ARN must exist in the same AWS account where you create the dashboard.", + "ValidationStrategy": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", "VersionDescription": "A description for the first version of the dashboard being created." }, "AWS::QuickSight::Dashboard AdHocFilteringOption": { "AvailabilityStatus": "Availability status." }, "AWS::QuickSight::Dashboard AggregationFunction": { + "AttributeAggregationFunction": "Aggregation for attributes.", "CategoricalAggregationFunction": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", "DateAggregationFunction": "Aggregation for date values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.\n- `MIN` : Select the smallest date value.\n- `MAX` : Select the largest date value.", "NumericalAggregationFunction": "Aggregation for numerical values." @@ -25541,6 +28401,10 @@ "AWS::QuickSight::Dashboard ArcOptions": { "ArcThickness": "The arc thickness of a `GaugeChartVisual` ." }, + "AWS::QuickSight::Dashboard AttributeAggregationFunction": { + "SimpleAttributeAggregation": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "ValueForMultipleValues": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'." + }, "AWS::QuickSight::Dashboard AxisDataOptions": { "DateAxisOptions": "The options for an axis with a date field.", "NumericAxisOptions": "The options for an axis with a numeric field." @@ -25742,7 +28606,11 @@ "Colors": "Determines the list of colors that are applied to the visual.", "NullValueColor": "Determines the color that is applied to null values." }, + "AWS::QuickSight::Dashboard ColorsConfiguration": { + "CustomColors": "A list of up to 50 custom colors." + }, "AWS::QuickSight::Dashboard ColumnConfiguration": { + "ColorsConfiguration": "The color configurations of the column.", "Column": "The column.", "FormatConfiguration": "The format configuration of a column.", "Role": "The role of the column." @@ -25889,6 +28757,11 @@ "URLTarget": "The target of the `CustomActionURLOperation` .\n\nValid values are defined as follows:\n\n- `NEW_TAB` : Opens the target URL in a new browser tab.\n- `NEW_WINDOW` : Opens the target URL in a new browser window.\n- `SAME_TAB` : Opens the target URL in the same browser tab.", "URLTemplate": "THe URL link of the `CustomActionURLOperation` ." }, + "AWS::QuickSight::Dashboard CustomColor": { + "Color": "The color that is applied to the data value.", + "FieldValue": "The data value that the color is applied to.", + "SpecialValue": "The value of a special data value." + }, "AWS::QuickSight::Dashboard CustomContentConfiguration": { "ContentType": "The content type of the custom content visual. You can use this to have the visual render as an image.", "ContentUrl": "The input URL that links to the custom content that you want in the custom visual.", @@ -26025,7 +28898,11 @@ "Direction": "Determines the sort direction.", "SortPaths": "The list of data paths that need to be sorted." }, + "AWS::QuickSight::Dashboard DataPathType": { + "PivotTableDataPathType": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` ." + }, "AWS::QuickSight::Dashboard DataPathValue": { + "DataPathType": "The type configuration of the field.", "FieldId": "The field ID of the field that needs to be sorted.", "FieldValue": "The actual value of the field that needs to be sorted." }, @@ -26089,6 +28966,7 @@ }, "AWS::QuickSight::Dashboard DateTimePickerControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Dashboard DateTimeValueWhenUnsetConfiguration": { @@ -26163,6 +29041,7 @@ "TimeRangeFilter": "The time range drill down filter. This filter is used for date time columns." }, "AWS::QuickSight::Dashboard DropDownControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SelectAllOptions": "The configuration of the `Select all` options in a dropdown control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -26306,6 +29185,7 @@ "AWS::QuickSight::Dashboard FilterListConfiguration": { "CategoryValues": "The list of category values for the filter.", "MatchOperator": "The match operator that is used to determine if a filter should be applied.", + "NullOption": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", "SelectAllOptions": "Select all of the values. Null is not the assigned value of select all.\n\n- `FILTER_ALL_VALUES`" }, "AWS::QuickSight::Dashboard FilterListControl": { @@ -26332,6 +29212,7 @@ "Title": "The title of the `FilterTextAreaControl` ." }, "AWS::QuickSight::Dashboard FilterScopeConfiguration": { + "AllSheets": "The configuration for applying a filter to all sheets.", "SelectedSheets": "The configuration for applying a filter to specific sheets." }, "AWS::QuickSight::Dashboard FilterSelectableValues": { @@ -26702,10 +29583,20 @@ "ItemsLimit": "The limit on how many items of a field are showed in the chart. For example, the number of slices that are displayed in a pie chart.", "OtherCategories": "The `Show other` of an axis in the chart. Choose one of the following options:\n\n- `INCLUDE`\n- `EXCLUDE`" }, + "AWS::QuickSight::Dashboard KPIActualValueConditionalFormatting": { + "Icon": "The conditional formatting of the actual value's icon.", + "TextColor": "The conditional formatting of the actual value's text color." + }, + "AWS::QuickSight::Dashboard KPIComparisonValueConditionalFormatting": { + "Icon": "The conditional formatting of the comparison value's icon.", + "TextColor": "The conditional formatting of the comparison value's text color." + }, "AWS::QuickSight::Dashboard KPIConditionalFormatting": { "ConditionalFormattingOptions": "The conditional formatting options of a KPI visual." }, "AWS::QuickSight::Dashboard KPIConditionalFormattingOption": { + "ActualValue": "The conditional formatting for the actual value of a KPI visual.", + "ComparisonValue": "The conditional formatting for the comparison value of a KPI visual.", "PrimaryValue": "The conditional formatting for the primary value of a KPI visual.", "ProgressBar": "The conditional formatting for the progress bar of a KPI visual." }, @@ -26726,7 +29617,9 @@ "ProgressBar": "The options that determine the presentation of the progress bar of a KPI visual.", "SecondaryValue": "The options that determine the presentation of the secondary value of a KPI visual.", "SecondaryValueFontConfiguration": "The options that determine the secondary value font configuration.", - "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual." + "Sparkline": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual.", + "VisualLayoutOptions": "The options that determine the layout a KPI visual." }, "AWS::QuickSight::Dashboard KPIPrimaryValueConditionalFormatting": { "Icon": "The conditional formatting of the primary value's icon.", @@ -26738,6 +29631,12 @@ "AWS::QuickSight::Dashboard KPISortConfiguration": { "TrendGroupSort": "The sort configuration of the trend group fields." }, + "AWS::QuickSight::Dashboard KPISparklineOptions": { + "Color": "The color of the sparkline.", + "TooltipVisibility": "The tooltip visibility of the sparkline.", + "Type": "The type of the sparkline.", + "Visibility": "The visibility of the sparkline." + }, "AWS::QuickSight::Dashboard KPIVisual": { "Actions": "The list of custom actions that are configured for a visual.", "ChartConfiguration": "The configuration of a KPI visual.", @@ -26747,6 +29646,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers." }, + "AWS::QuickSight::Dashboard KPIVisualLayoutOptions": { + "StandardLayout": "The standard layout of the KPI visual." + }, + "AWS::QuickSight::Dashboard KPIVisualStandardLayout": { + "Type": "The standard layout type." + }, "AWS::QuickSight::Dashboard LabelOptions": { "CustomLabel": "The text for the label.", "FontConfiguration": "The font configuration of the label.", @@ -26838,6 +29743,7 @@ "MissingDataConfigurations": "The configuration options that determine how missing data is treated during the rendering of a line chart." }, "AWS::QuickSight::Dashboard ListControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SearchOptions": "The configuration of the search options in a list control.", "SelectAllOptions": "The configuration of the `Select all` options in a list control.", "TitleOptions": "The options to configure the title visibility, name, and font size." @@ -27185,10 +30091,13 @@ "CollapsedRowDimensionsVisibility": "The visibility setting of a pivot table's collapsed row dimension fields. If the value of this structure is `HIDDEN` , all collapsed columns in a pivot table are automatically hidden. The default value is `VISIBLE` .", "ColumnHeaderStyle": "The table cell style of the column header.", "ColumnNamesVisibility": "The visibility of the column names.", + "DefaultCellWidth": "The default cell width of the pivot table.", "MetricPlacement": "The metric placement (row, column) options.", "RowAlternateColorOptions": "The row alternate color options (widget status, row alternate colors).", "RowFieldNamesStyle": "The table cell style of row field names.", "RowHeaderStyle": "The table cell style of the row headers.", + "RowsLabelOptions": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "RowsLayout": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", "SingleMetricVisibility": "The visibility of the single metric options.", "ToggleButtonsVisibility": "Determines the visibility of the pivot table." }, @@ -27196,6 +30105,10 @@ "OverflowColumnHeaderVisibility": "The visibility of the repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of the printing table overflow across pages." }, + "AWS::QuickSight::Dashboard PivotTableRowsLabelOptions": { + "CustomLabel": "The custom label string for the rows label.", + "Visibility": "The visibility of the rows label." + }, "AWS::QuickSight::Dashboard PivotTableSortBy": { "Column": "The column sort (field id, direction) for the pivot table sort by options.", "DataPath": "The data path sort (data path value, direction) for the pivot table sort by options.", @@ -27223,6 +30136,7 @@ "MetricHeaderCellStyle": "The cell styling options for the total of header cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation options for each value field.", "TotalCellStyle": "The cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells.", "ValueCellStyle": "The cell styling options for the totals of value cells." @@ -27293,8 +30207,9 @@ "CustomLabel": "The string text of the custom label." }, "AWS::QuickSight::Dashboard ReferenceLineDataConfiguration": { - "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "DynamicConfiguration": "The dynamic configuration of the reference line data configuration.", + "SeriesType": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", "StaticConfiguration": "The static data configuration of the reference line data configuration." }, "AWS::QuickSight::Dashboard ReferenceLineDynamicDataConfiguration": { @@ -27323,6 +30238,7 @@ }, "AWS::QuickSight::Dashboard RelativeDateTimeControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Dashboard RelativeDatesFilter": { @@ -27348,7 +30264,8 @@ }, "AWS::QuickSight::Dashboard RowAlternateColorOptions": { "RowAlternateColors": "Determines the list of row alternate colors.", - "Status": "Determines the widget status." + "Status": "Determines the widget status.", + "UsePrimaryBackgroundColor": "The primary background color options for alternate rows." }, "AWS::QuickSight::Dashboard SameSheetTargetVisualConfiguration": { "TargetVisualOptions": "The options that choose the target visual in the same sheet.\n\nValid values are defined as follows:\n\n- `ALL_VISUALS` : Applies the filter operation to all visuals in the same sheet.", @@ -27468,6 +30385,10 @@ "Name": "The name of a sheet. This name is displayed on the sheet's tab in the Amazon QuickSight console.", "SheetId": "The unique identifier associated with a sheet." }, + "AWS::QuickSight::Dashboard SheetControlInfoIconLabelOptions": { + "InfoIconText": "The text content of info icon.", + "Visibility": "The visibility configuration of info icon label options." + }, "AWS::QuickSight::Dashboard SheetControlLayout": { "Configuration": "The configuration that determines the elements and canvas size options of sheet control." }, @@ -27517,12 +30438,19 @@ "Color": "The color of the simple cluster marker." }, "AWS::QuickSight::Dashboard SliderControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, + "AWS::QuickSight::Dashboard SmallMultiplesAxisProperties": { + "Placement": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "Scale": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` ." + }, "AWS::QuickSight::Dashboard SmallMultiplesOptions": { "MaxVisibleColumns": "Sets the maximum number of visible columns to display in the grid of small multiples panels.\n\nThe default is `Auto` , which automatically adjusts the columns in the grid to fit the overall layout and size of the given chart.", "MaxVisibleRows": "Sets the maximum number of visible rows to display in the grid of small multiples panels.\n\nThe default value is `Auto` , which automatically adjusts the rows in the grid to fit the overall layout and size of the given chart.", - "PanelConfiguration": "Configures the display options for each small multiples panel." + "PanelConfiguration": "Configures the display options for each small multiples panel.", + "XAxis": "The properties of a small multiples X axis.", + "YAxis": "The properties of a small multiples Y axis." }, "AWS::QuickSight::Dashboard Spacing": { "Bottom": "Define the bottom spacing.", @@ -27558,6 +30486,7 @@ "FieldLevel": "The field level (all, custom, last) for the subtotal cells.", "FieldLevelOptions": "The optional configuration of subtotal cells.", "MetricHeaderCellStyle": "The cell styling options for the subtotals of header cells.", + "StyleTargets": "The style targets options for subtotals.", "TotalCellStyle": "The cell styling options for the subtotal cells.", "TotalsVisibility": "The visibility configuration for the subtotal cells.", "ValueCellStyle": "The cell styling options for the subtotals of value cells." @@ -27630,8 +30559,9 @@ "Width": "The width for a table field." }, "AWS::QuickSight::Dashboard TableFieldOptions": { - "Order": "The order of field IDs of the field options for a table visual.", - "SelectedFieldOptions": "The selected field options for the table field options." + "Order": "The order of the field IDs that are configured as field options for a table visual.", + "PinnedFieldOptions": "The settings for the pinned columns of a table visual.", + "SelectedFieldOptions": "The field options to be configured to a table." }, "AWS::QuickSight::Dashboard TableFieldURLConfiguration": { "ImageConfiguration": "The image configuration of a table field URL.", @@ -27654,6 +30584,9 @@ "OverflowColumnHeaderVisibility": "The visibility of repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of printing table overflow across pages." }, + "AWS::QuickSight::Dashboard TablePinnedFieldOptions": { + "PinnedLeftFields": "A list of columns to be pinned to the left of a table visual." + }, "AWS::QuickSight::Dashboard TableRowConditionalFormatting": { "BackgroundColor": "The conditional formatting color (solid, gradient) of the background for a table row.", "TextColor": "The conditional formatting color (solid, gradient) of the text for a table row." @@ -27670,6 +30603,9 @@ "PaginationConfiguration": "The pagination configuration (page size, page number) for the table.", "RowSort": "The field sort options for rows in the table." }, + "AWS::QuickSight::Dashboard TableStyleTarget": { + "CellType": "The cell type of the table style target." + }, "AWS::QuickSight::Dashboard TableUnaggregatedFieldWells": { "Values": "The values field well for a pivot table. Values are unaggregated for an unaggregated table." }, @@ -27681,7 +30617,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers.." }, + "AWS::QuickSight::Dashboard Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Dashboard TextAreaControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text area control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -27694,6 +30635,7 @@ "Visibility": "The visibility configuration of the placeholder options in a text control." }, "AWS::QuickSight::Dashboard TextFieldControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text field control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -27712,9 +30654,10 @@ "AWS::QuickSight::Dashboard TimeEqualityFilter": { "Column": "The column that the filter is applied to.", "FilterId": "An identifier that uniquely identifies a filter within a dashboard, analysis, or template.", - "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", + "RollingDate": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values.", - "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` ." + "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` ." }, "AWS::QuickSight::Dashboard TimeRangeDrillDownFilter": { "Column": "The column that the filter is applied to.", @@ -27778,10 +30721,18 @@ "Name": "The name of a computation.", "Value": "The value field that is used in a computation." }, + "AWS::QuickSight::Dashboard TotalAggregationFunction": { + "SimpleTotalAggregationFunction": "A built in aggregation function for total values." + }, + "AWS::QuickSight::Dashboard TotalAggregationOption": { + "FieldId": "The field id that's associated with the total aggregation option.", + "TotalAggregationFunction": "The total aggregation function that you want to set for a specified field id." + }, "AWS::QuickSight::Dashboard TotalOptions": { "CustomLabel": "The custom label string for the total cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation settings for each value field.", "TotalCellStyle": "Cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells." }, @@ -27829,6 +30780,9 @@ "ComputationId": "The ID for a computation.", "Name": "The name of a computation." }, + "AWS::QuickSight::Dashboard ValidationStrategy": { + "Mode": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors." + }, "AWS::QuickSight::Dashboard VisibleRangeOptions": { "PercentRange": "The percent range in the visible range." }, @@ -27970,9 +30924,9 @@ "ColumnGroups": "Groupings of columns that work together in certain Amazon QuickSight features. Currently, only geospatial hierarchy is supported.", "ColumnLevelPermissionRules": "A set of one or more definitions of a `ColumnLevelPermissionRule` .", "DataSetId": "An ID for the dataset that you want to create. This ID is unique per AWS Region for each AWS account.", - "DataSetRefreshProperties": "", + "DataSetRefreshProperties": "The refresh properties of a dataset.", "DataSetUsageConfiguration": "The usage configuration to apply to child datasets that reference this dataset as a source.", - "DatasetParameters": "", + "DatasetParameters": "The parameters that are declared in a dataset.", "FieldFolders": "The folder that contains fields and nested subfolders for your dataset.", "ImportMode": "Indicates whether you want to import the data into SPICE.", "IngestionWaitPolicy": "The wait policy to use when creating or updating a Dataset. The default is to wait for SPICE ingestion to finish with timeout of 36 hours.", @@ -28025,29 +30979,29 @@ "DisableUseAsImportedSource": "An option that controls whether a child dataset that's stored in QuickSight can use this dataset as a source." }, "AWS::QuickSight::DataSet DatasetParameter": { - "DateTimeDatasetParameter": "", - "DecimalDatasetParameter": "", - "IntegerDatasetParameter": "", - "StringDatasetParameter": "" + "DateTimeDatasetParameter": "A date time parameter that is created in the dataset.", + "DecimalDatasetParameter": "A decimal parameter that is created in the dataset.", + "IntegerDatasetParameter": "An integer parameter that is created in the dataset.", + "StringDatasetParameter": "A string parameter that is created in the dataset." }, "AWS::QuickSight::DataSet DateTimeDatasetParameter": { - "DefaultValues": "", - "Id": "", - "Name": "", - "TimeGranularity": "", - "ValueType": "" + "DefaultValues": "A list of default values for a given date time parameter. This structure only accepts static values.", + "Id": "An identifier for the parameter that is created in the dataset.", + "Name": "The name of the date time parameter that is created in the dataset.", + "TimeGranularity": "The time granularity of the date time parameter.", + "ValueType": "The value type of the dataset parameter. Valid values are `single value` or `multi value` ." }, "AWS::QuickSight::DataSet DateTimeDatasetParameterDefaultValues": { "StaticValues": "A list of static default values for a given date time parameter. The valid format for this property is `yyyy-MM-dd\u2019T\u2019HH:mm:ss\u2019Z\u2019` ." }, "AWS::QuickSight::DataSet DecimalDatasetParameter": { - "DefaultValues": "", - "Id": "", - "Name": "", - "ValueType": "" + "DefaultValues": "A list of default values for a given decimal parameter. This structure only accepts static values.", + "Id": "An identifier for the decimal parameter created in the dataset.", + "Name": "The name of the decimal parameter that is created in the dataset.", + "ValueType": "The value type of the dataset parameter. Valid values are `single value` or `multi value` ." }, "AWS::QuickSight::DataSet DecimalDatasetParameterDefaultValues": { - "StaticValues": "" + "StaticValues": "A list of static default values for a given decimal parameter." }, "AWS::QuickSight::DataSet FieldFolder": { "Columns": "A folder has a list of columns. A column can only be in one folder.", @@ -28073,13 +31027,13 @@ "Type": "The data type of the column." }, "AWS::QuickSight::DataSet IntegerDatasetParameter": { - "DefaultValues": "", - "Id": "", - "Name": "", - "ValueType": "" + "DefaultValues": "A list of default values for a given integer parameter. This structure only accepts static values.", + "Id": "An identifier for the integer parameter created in the dataset.", + "Name": "The name of the integer parameter that is created in the dataset.", + "ValueType": "The value type of the dataset parameter. Valid values are `single value` or `multi value` ." }, "AWS::QuickSight::DataSet IntegerDatasetParameterDefaultValues": { - "StaticValues": "" + "StaticValues": "A list of static default values for a given integer parameter." }, "AWS::QuickSight::DataSet JoinInstruction": { "LeftJoinKeyProperties": "Join key properties of the left operand.", @@ -28109,9 +31063,9 @@ }, "AWS::QuickSight::DataSet NewDefaultValues": { "DateTimeStaticValues": "A list of static default values for a given date time parameter. The valid format for this property is `yyyy-MM-dd\u2019T\u2019HH:mm:ss\u2019Z\u2019` .", - "DecimalStaticValues": "", - "IntegerStaticValues": "", - "StringStaticValues": "" + "DecimalStaticValues": "A list of static default values for a given decimal parameter.", + "IntegerStaticValues": "A list of static default values for a given integer parameter.", + "StringStaticValues": "A list of static default values for a given string parameter." }, "AWS::QuickSight::DataSet OutputColumn": { "Description": "A description for a column.", @@ -28121,7 +31075,7 @@ "AWS::QuickSight::DataSet OverrideDatasetParameterOperation": { "NewDefaultValues": "The new default values for the parameter.", "NewParameterName": "The new name for the parameter.", - "ParameterName": "" + "ParameterName": "The name of the parameter to be overridden with different values." }, "AWS::QuickSight::DataSet PhysicalTable": { "CustomSql": "A physical table type built from the results of the custom SQL query.", @@ -28135,7 +31089,7 @@ "IncrementalRefresh": "The incremental refresh for the dataset." }, "AWS::QuickSight::DataSet RelationalTable": { - "Catalog": "", + "Catalog": "The catalog associated with a table.", "DataSourceArn": "The Amazon Resource Name (ARN) for the data source.", "InputColumns": "The column schema of the table.", "Name": "The name of the relational table.", @@ -28157,15 +31111,15 @@ "Status": "The status of the row-level security permission dataset. If enabled, the status is `ENABLED` . If disabled, the status is `DISABLED` ." }, "AWS::QuickSight::DataSet RowLevelPermissionTagConfiguration": { - "Status": "", - "TagRuleConfigurations": "", - "TagRules": "" + "Status": "The status of row-level security tags. If enabled, the status is `ENABLED` . If disabled, the status is `DISABLED` .", + "TagRuleConfigurations": "The configuration of tags on a dataset to set row-level security.", + "TagRules": "A set of rules associated with row-level security, such as the tag names and columns that they are assigned to." }, "AWS::QuickSight::DataSet RowLevelPermissionTagRule": { - "ColumnName": "", - "MatchAllValue": "", - "TagKey": "", - "TagMultiValueDelimiter": "" + "ColumnName": "The column name that a tag key is assigned to.", + "MatchAllValue": "A string that you want to use to filter by all the values in a column in the dataset and don\u2019t want to list the values one by one. For example, you can use an asterisk as your match all value.", + "TagKey": "The unique key for a tag.", + "TagMultiValueDelimiter": "A string that you want to use to delimit the values when you pass the values at run time. For example, you can delimit the values with a comma." }, "AWS::QuickSight::DataSet S3Source": { "DataSourceArn": "The Amazon Resource Name (ARN) for the data source.", @@ -28173,13 +31127,17 @@ "UploadSettings": "Information about the format for the S3 source file or files." }, "AWS::QuickSight::DataSet StringDatasetParameter": { - "DefaultValues": "", - "Id": "", - "Name": "", - "ValueType": "" + "DefaultValues": "A list of default values for a given string dataset parameter type. This structure only accepts static values.", + "Id": "An identifier for the string parameter that is created in the dataset.", + "Name": "The name of the string parameter that is created in the dataset.", + "ValueType": "The value type of the dataset parameter. Valid values are `single value` or `multi value` ." }, "AWS::QuickSight::DataSet StringDatasetParameterDefaultValues": { - "StaticValues": "" + "StaticValues": "A list of static default values for a given string parameter." + }, + "AWS::QuickSight::DataSet Tag": { + "Key": "", + "Value": "" }, "AWS::QuickSight::DataSet TagColumnOperation": { "ColumnName": "The column that this operation acts on.", @@ -28338,6 +31296,10 @@ "AWS::QuickSight::DataSource SslProperties": { "DisableSsl": "A Boolean option to control whether SSL should be disabled." }, + "AWS::QuickSight::DataSource Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::DataSource TeradataParameters": { "Database": "Database.", "Host": "Host.", @@ -28375,9 +31337,11 @@ "SourceEntity": "The entity that you are using as a source when you create the template. In `SourceEntity` , you specify the type of object you're using as source: `SourceTemplate` for a template or `SourceAnalysis` for an analysis. Both of these require an Amazon Resource Name (ARN). For `SourceTemplate` , specify the ARN of the source template. For `SourceAnalysis` , specify the ARN of the source analysis. The `SourceTemplate` ARN can contain any AWS account and any Amazon QuickSight-supported AWS Region .\n\nUse the `DataSetReferences` entity within `SourceTemplate` or `SourceAnalysis` to list the replacement datasets for the placeholders listed in the original. The schema in each dataset must match its placeholder.\n\nEither a `SourceEntity` or a `Definition` must be provided in order for the request to be valid.", "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the resource.", "TemplateId": "An ID for the template that you want to create. This template is unique per AWS Region ; in each AWS account.", + "ValidationStrategy": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", "VersionDescription": "A description of the current template version being created. This API operation creates the first version of the template. Every time `UpdateTemplate` is called, a new version is created. Each version of the template maintains a description of the version in the `VersionDescription` field." }, "AWS::QuickSight::Template AggregationFunction": { + "AttributeAggregationFunction": "Aggregation for attributes.", "CategoricalAggregationFunction": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", "DateAggregationFunction": "Aggregation for date values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.\n- `MIN` : Select the smallest date value.\n- `MAX` : Select the largest date value.", "NumericalAggregationFunction": "Aggregation for numerical values." @@ -28409,6 +31373,10 @@ "AWS::QuickSight::Template ArcOptions": { "ArcThickness": "The arc thickness of a `GaugeChartVisual` ." }, + "AWS::QuickSight::Template AttributeAggregationFunction": { + "SimpleAttributeAggregation": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "ValueForMultipleValues": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'." + }, "AWS::QuickSight::Template AxisDataOptions": { "DateAxisOptions": "The options for an axis with a date field.", "NumericAxisOptions": "The options for an axis with a numeric field." @@ -28610,7 +31578,11 @@ "Colors": "Determines the list of colors that are applied to the visual.", "NullValueColor": "Determines the color that is applied to null values." }, + "AWS::QuickSight::Template ColorsConfiguration": { + "CustomColors": "A list of up to 50 custom colors." + }, "AWS::QuickSight::Template ColumnConfiguration": { + "ColorsConfiguration": "The color configurations of the column.", "Column": "The column.", "FormatConfiguration": "The format configuration of a column.", "Role": "The role of the column." @@ -28769,6 +31741,11 @@ "URLTarget": "The target of the `CustomActionURLOperation` .\n\nValid values are defined as follows:\n\n- `NEW_TAB` : Opens the target URL in a new browser tab.\n- `NEW_WINDOW` : Opens the target URL in a new browser window.\n- `SAME_TAB` : Opens the target URL in the same browser tab.", "URLTemplate": "THe URL link of the `CustomActionURLOperation` ." }, + "AWS::QuickSight::Template CustomColor": { + "Color": "The color that is applied to the data value.", + "FieldValue": "The data value that the color is applied to.", + "SpecialValue": "The value of a special data value." + }, "AWS::QuickSight::Template CustomContentConfiguration": { "ContentType": "The content type of the custom content visual. You can use this to have the visual render as an image.", "ContentUrl": "The input URL that links to the custom content that you want in the custom visual.", @@ -28856,7 +31833,11 @@ "Direction": "Determines the sort direction.", "SortPaths": "The list of data paths that need to be sorted." }, + "AWS::QuickSight::Template DataPathType": { + "PivotTableDataPathType": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` ." + }, "AWS::QuickSight::Template DataPathValue": { + "DataPathType": "The type configuration of the field.", "FieldId": "The field ID of the field that needs to be sorted.", "FieldValue": "The actual value of the field that needs to be sorted." }, @@ -28911,6 +31892,7 @@ }, "AWS::QuickSight::Template DateTimePickerControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Template DateTimeValueWhenUnsetConfiguration": { @@ -28981,6 +31963,7 @@ "TimeRangeFilter": "The time range drill down filter. This filter is used for date time columns." }, "AWS::QuickSight::Template DropDownControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SelectAllOptions": "The configuration of the `Select all` options in a dropdown control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -29115,6 +32098,7 @@ "AWS::QuickSight::Template FilterListConfiguration": { "CategoryValues": "The list of category values for the filter.", "MatchOperator": "The match operator that is used to determine if a filter should be applied.", + "NullOption": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", "SelectAllOptions": "Select all of the values. Null is not the assigned value of select all.\n\n- `FILTER_ALL_VALUES`" }, "AWS::QuickSight::Template FilterListControl": { @@ -29141,6 +32125,7 @@ "Title": "The title of the `FilterTextAreaControl` ." }, "AWS::QuickSight::Template FilterScopeConfiguration": { + "AllSheets": "The configuration for applying a filter to all sheets.", "SelectedSheets": "The configuration for applying a filter to specific sheets." }, "AWS::QuickSight::Template FilterSelectableValues": { @@ -29507,10 +32492,20 @@ "ItemsLimit": "The limit on how many items of a field are showed in the chart. For example, the number of slices that are displayed in a pie chart.", "OtherCategories": "The `Show other` of an axis in the chart. Choose one of the following options:\n\n- `INCLUDE`\n- `EXCLUDE`" }, + "AWS::QuickSight::Template KPIActualValueConditionalFormatting": { + "Icon": "The conditional formatting of the actual value's icon.", + "TextColor": "The conditional formatting of the actual value's text color." + }, + "AWS::QuickSight::Template KPIComparisonValueConditionalFormatting": { + "Icon": "The conditional formatting of the comparison value's icon.", + "TextColor": "The conditional formatting of the comparison value's text color." + }, "AWS::QuickSight::Template KPIConditionalFormatting": { "ConditionalFormattingOptions": "The conditional formatting options of a KPI visual." }, "AWS::QuickSight::Template KPIConditionalFormattingOption": { + "ActualValue": "The conditional formatting for the actual value of a KPI visual.", + "ComparisonValue": "The conditional formatting for the comparison value of a KPI visual.", "PrimaryValue": "The conditional formatting for the primary value of a KPI visual.", "ProgressBar": "The conditional formatting for the progress bar of a KPI visual." }, @@ -29531,7 +32526,9 @@ "ProgressBar": "The options that determine the presentation of the progress bar of a KPI visual.", "SecondaryValue": "The options that determine the presentation of the secondary value of a KPI visual.", "SecondaryValueFontConfiguration": "The options that determine the secondary value font configuration.", - "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual." + "Sparkline": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "TrendArrows": "The options that determine the presentation of trend arrows in a KPI visual.", + "VisualLayoutOptions": "The options that determine the layout a KPI visual." }, "AWS::QuickSight::Template KPIPrimaryValueConditionalFormatting": { "Icon": "The conditional formatting of the primary value's icon.", @@ -29543,6 +32540,12 @@ "AWS::QuickSight::Template KPISortConfiguration": { "TrendGroupSort": "The sort configuration of the trend group fields." }, + "AWS::QuickSight::Template KPISparklineOptions": { + "Color": "The color of the sparkline.", + "TooltipVisibility": "The tooltip visibility of the sparkline.", + "Type": "The type of the sparkline.", + "Visibility": "The visibility of the sparkline." + }, "AWS::QuickSight::Template KPIVisual": { "Actions": "The list of custom actions that are configured for a visual.", "ChartConfiguration": "The configuration of a KPI visual.", @@ -29552,6 +32555,12 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers." }, + "AWS::QuickSight::Template KPIVisualLayoutOptions": { + "StandardLayout": "The standard layout of the KPI visual." + }, + "AWS::QuickSight::Template KPIVisualStandardLayout": { + "Type": "The standard layout type." + }, "AWS::QuickSight::Template LabelOptions": { "CustomLabel": "The text for the label.", "FontConfiguration": "The font configuration of the label.", @@ -29643,6 +32652,7 @@ "MissingDataConfigurations": "The configuration options that determine how missing data is treated during the rendering of a line chart." }, "AWS::QuickSight::Template ListControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "SearchOptions": "The configuration of the search options in a list control.", "SelectAllOptions": "The configuration of the `Select all` options in a list control.", "TitleOptions": "The options to configure the title visibility, name, and font size." @@ -29984,10 +32994,13 @@ "CollapsedRowDimensionsVisibility": "The visibility setting of a pivot table's collapsed row dimension fields. If the value of this structure is `HIDDEN` , all collapsed columns in a pivot table are automatically hidden. The default value is `VISIBLE` .", "ColumnHeaderStyle": "The table cell style of the column header.", "ColumnNamesVisibility": "The visibility of the column names.", + "DefaultCellWidth": "The default cell width of the pivot table.", "MetricPlacement": "The metric placement (row, column) options.", "RowAlternateColorOptions": "The row alternate color options (widget status, row alternate colors).", "RowFieldNamesStyle": "The table cell style of row field names.", "RowHeaderStyle": "The table cell style of the row headers.", + "RowsLabelOptions": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "RowsLayout": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", "SingleMetricVisibility": "The visibility of the single metric options.", "ToggleButtonsVisibility": "Determines the visibility of the pivot table." }, @@ -29995,6 +33008,10 @@ "OverflowColumnHeaderVisibility": "The visibility of the repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of the printing table overflow across pages." }, + "AWS::QuickSight::Template PivotTableRowsLabelOptions": { + "CustomLabel": "The custom label string for the rows label.", + "Visibility": "The visibility of the rows label." + }, "AWS::QuickSight::Template PivotTableSortBy": { "Column": "The column sort (field id, direction) for the pivot table sort by options.", "DataPath": "The data path sort (data path value, direction) for the pivot table sort by options.", @@ -30022,6 +33039,7 @@ "MetricHeaderCellStyle": "The cell styling options for the total of header cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation options for each value field.", "TotalCellStyle": "The cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells.", "ValueCellStyle": "The cell styling options for the totals of value cells." @@ -30092,8 +33110,9 @@ "CustomLabel": "The string text of the custom label." }, "AWS::QuickSight::Template ReferenceLineDataConfiguration": { - "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "AxisBinding": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "DynamicConfiguration": "The dynamic configuration of the reference line data configuration.", + "SeriesType": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", "StaticConfiguration": "The static data configuration of the reference line data configuration." }, "AWS::QuickSight::Template ReferenceLineDynamicDataConfiguration": { @@ -30122,6 +33141,7 @@ }, "AWS::QuickSight::Template RelativeDateTimeControlDisplayOptions": { "DateTimeFormat": "Customize how dates are formatted in controls.", + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, "AWS::QuickSight::Template RelativeDatesFilter": { @@ -30147,7 +33167,8 @@ }, "AWS::QuickSight::Template RowAlternateColorOptions": { "RowAlternateColors": "Determines the list of row alternate colors.", - "Status": "Determines the widget status." + "Status": "Determines the widget status.", + "UsePrimaryBackgroundColor": "The primary background color options for alternate rows." }, "AWS::QuickSight::Template SameSheetTargetVisualConfiguration": { "TargetVisualOptions": "The options that choose the target visual in the same sheet.\n\nValid values are defined as follows:\n\n- `ALL_VISUALS` : Applies the filter operation to all visuals in the same sheet.", @@ -30267,6 +33288,10 @@ "Name": "The name of a sheet. This name is displayed on the sheet's tab in the Amazon QuickSight console.", "SheetId": "The unique identifier associated with a sheet." }, + "AWS::QuickSight::Template SheetControlInfoIconLabelOptions": { + "InfoIconText": "The text content of info icon.", + "Visibility": "The visibility configuration of info icon label options." + }, "AWS::QuickSight::Template SheetControlLayout": { "Configuration": "The configuration that determines the elements and canvas size options of sheet control." }, @@ -30310,12 +33335,19 @@ "Color": "The color of the simple cluster marker." }, "AWS::QuickSight::Template SliderControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, + "AWS::QuickSight::Template SmallMultiplesAxisProperties": { + "Placement": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "Scale": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` ." + }, "AWS::QuickSight::Template SmallMultiplesOptions": { "MaxVisibleColumns": "Sets the maximum number of visible columns to display in the grid of small multiples panels.\n\nThe default is `Auto` , which automatically adjusts the columns in the grid to fit the overall layout and size of the given chart.", "MaxVisibleRows": "Sets the maximum number of visible rows to display in the grid of small multiples panels.\n\nThe default value is `Auto` , which automatically adjusts the rows in the grid to fit the overall layout and size of the given chart.", - "PanelConfiguration": "Configures the display options for each small multiples panel." + "PanelConfiguration": "Configures the display options for each small multiples panel.", + "XAxis": "The properties of a small multiples X axis.", + "YAxis": "The properties of a small multiples Y axis." }, "AWS::QuickSight::Template Spacing": { "Bottom": "Define the bottom spacing.", @@ -30347,6 +33379,7 @@ "FieldLevel": "The field level (all, custom, last) for the subtotal cells.", "FieldLevelOptions": "The optional configuration of subtotal cells.", "MetricHeaderCellStyle": "The cell styling options for the subtotals of header cells.", + "StyleTargets": "The style targets options for subtotals.", "TotalCellStyle": "The cell styling options for the subtotal cells.", "TotalsVisibility": "The visibility configuration for the subtotal cells.", "ValueCellStyle": "The cell styling options for the subtotals of value cells." @@ -30419,8 +33452,9 @@ "Width": "The width for a table field." }, "AWS::QuickSight::Template TableFieldOptions": { - "Order": "The order of field IDs of the field options for a table visual.", - "SelectedFieldOptions": "The selected field options for the table field options." + "Order": "The order of the field IDs that are configured as field options for a table visual.", + "PinnedFieldOptions": "The settings for the pinned columns of a table visual.", + "SelectedFieldOptions": "The field options to be configured to a table." }, "AWS::QuickSight::Template TableFieldURLConfiguration": { "ImageConfiguration": "The image configuration of a table field URL.", @@ -30443,6 +33477,9 @@ "OverflowColumnHeaderVisibility": "The visibility of repeating header rows on each page.", "VerticalOverflowVisibility": "The visibility of printing table overflow across pages." }, + "AWS::QuickSight::Template TablePinnedFieldOptions": { + "PinnedLeftFields": "A list of columns to be pinned to the left of a table visual." + }, "AWS::QuickSight::Template TableRowConditionalFormatting": { "BackgroundColor": "The conditional formatting color (solid, gradient) of the background for a table row.", "TextColor": "The conditional formatting color (solid, gradient) of the text for a table row." @@ -30459,6 +33496,9 @@ "PaginationConfiguration": "The pagination configuration (page size, page number) for the table.", "RowSort": "The field sort options for rows in the table." }, + "AWS::QuickSight::Template TableStyleTarget": { + "CellType": "The cell type of the table style target." + }, "AWS::QuickSight::Template TableUnaggregatedFieldWells": { "Values": "The values field well for a pivot table. Values are unaggregated for an unaggregated table." }, @@ -30470,6 +33510,10 @@ "Title": "The title that is displayed on the visual.", "VisualId": "The unique identifier of a visual. This identifier must be unique within the context of a dashboard, template, or analysis. Two dashboards, analyses, or templates can have visuals with the same identifiers.." }, + "AWS::QuickSight::Template Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Template TemplateError": { "Message": "Description of the error type.", "Type": "Type of error.", @@ -30507,6 +33551,7 @@ "Sheets": "An array of sheet definitions for a template." }, "AWS::QuickSight::Template TextAreaControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text area control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -30519,6 +33564,7 @@ "Visibility": "The visibility configuration of the placeholder options in a text control." }, "AWS::QuickSight::Template TextFieldControlDisplayOptions": { + "InfoIconLabelOptions": "The configuration of info icon label options.", "PlaceholderOptions": "The configuration of the placeholder options in a text field control.", "TitleOptions": "The options to configure the title visibility, name, and font size." }, @@ -30537,9 +33583,10 @@ "AWS::QuickSight::Template TimeEqualityFilter": { "Column": "The column that the filter is applied to.", "FilterId": "An identifier that uniquely identifies a filter within a dashboard, analysis, or template.", - "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "ParameterName": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", + "RollingDate": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values.", - "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` ." + "Value": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` ." }, "AWS::QuickSight::Template TimeRangeDrillDownFilter": { "Column": "The column that the filter is applied to.", @@ -30603,10 +33650,18 @@ "Name": "The name of a computation.", "Value": "The value field that is used in a computation." }, + "AWS::QuickSight::Template TotalAggregationFunction": { + "SimpleTotalAggregationFunction": "A built in aggregation function for total values." + }, + "AWS::QuickSight::Template TotalAggregationOption": { + "FieldId": "The field id that's associated with the total aggregation option.", + "TotalAggregationFunction": "The total aggregation function that you want to set for a specified field id." + }, "AWS::QuickSight::Template TotalOptions": { "CustomLabel": "The custom label string for the total cells.", "Placement": "The placement (start, end) for the total cells.", "ScrollStatus": "The scroll status (pinned, scrolled) for the total cells.", + "TotalAggregationOptions": "The total aggregation settings for each value field.", "TotalCellStyle": "Cell styling options for the total cells.", "TotalsVisibility": "The visibility configuration for the total cells." }, @@ -30654,6 +33709,9 @@ "ComputationId": "The ID for a computation.", "Name": "The name of a computation." }, + "AWS::QuickSight::Template ValidationStrategy": { + "Mode": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors." + }, "AWS::QuickSight::Template VisibleRangeOptions": { "PercentRange": "The percent range in the visible range." }, @@ -30803,7 +33861,7 @@ "MinMaxGradient": "The minimum and maximum hexadecimal codes that describe a color gradient." }, "AWS::QuickSight::Theme Font": { - "FontFamily": "" + "FontFamily": "Determines the font family settings." }, "AWS::QuickSight::Theme GutterStyle": { "Show": "This Boolean value controls whether to display a gutter space between sheet tiles." @@ -30820,6 +33878,10 @@ "Tile": "The display options for tiles.", "TileLayout": "The layout options for tiles." }, + "AWS::QuickSight::Theme Tag": { + "Key": "", + "Value": "" + }, "AWS::QuickSight::Theme ThemeConfiguration": { "DataColorPalette": "Color properties that apply to chart data colors.", "Sheet": "Display options related to sheets.", @@ -30848,7 +33910,7 @@ "Border": "The border around a tile." }, "AWS::QuickSight::Theme Typography": { - "FontFamilies": "" + "FontFamilies": "Determines the list of font families." }, "AWS::QuickSight::Theme UIColorPalette": { "Accent": "This color is that applies to selected states and buttons.", @@ -30965,6 +34027,7 @@ "Expression": "The calculated field expression.", "IsIncludedInTopic": "A boolean value that indicates if a calculated field is included in the topic.", "NeverAggregateInFilter": "A Boolean value that indicates whether to never aggregate calculated field in filters.", + "NonAdditive": "The non additive for the table style target.", "NotAllowedAggregations": "The list of aggregation types that are not allowed for the calculated field. Valid values for this structure are `COUNT` , `DISTINCT_COUNT` , `MIN` , `MAX` , `MEDIAN` , `SUM` , `AVERAGE` , `STDEV` , `STDEVP` , `VAR` , `VARP` , and `PERCENTILE` .", "SemanticType": "The semantic type.", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values." @@ -30981,7 +34044,7 @@ "SingularConstant": "A singular constant used in a category filter. This element is used to specify a single value for the constant." }, "AWS::QuickSight::Topic TopicColumn": { - "Aggregation": "The type of aggregation that is performed on the column data when it's queried. Valid values for this structure are `SUM` , `MAX` , `MIN` , `COUNT` , `DISTINCT_COUNT` , and `AVERAGE` .", + "Aggregation": "The type of aggregation that is performed on the column data when it's queried.", "AllowedAggregations": "The list of aggregation types that are allowed for the column. Valid values for this structure are `COUNT` , `DISTINCT_COUNT` , `MIN` , `MAX` , `MEDIAN` , `SUM` , `AVERAGE` , `STDEV` , `STDEVP` , `VAR` , `VARP` , and `PERCENTILE` .", "CellValueSynonyms": "The other names or aliases for the column cell value.", "ColumnDataRole": "The role of the column in the data. Valid values are `DIMENSION` and `MEASURE` .", @@ -30993,6 +34056,7 @@ "DefaultFormatting": "The default formatting used for values in the column.", "IsIncludedInTopic": "A Boolean value that indicates whether the column is included in the query results.", "NeverAggregateInFilter": "A Boolean value that indicates whether to aggregate the column data when it's used in a filter context.", + "NonAdditive": "The non additive value for the column.", "NotAllowedAggregations": "The list of aggregation types that are not allowed for the column. Valid values for this structure are `COUNT` , `DISTINCT_COUNT` , `MIN` , `MAX` , `MEDIAN` , `SUM` , `AVERAGE` , `STDEV` , `STDEVP` , `VAR` , `VARP` , and `PERCENTILE` .", "SemanticType": "The semantic type of data contained in the column.", "TimeGranularity": "The level of time precision that is used to aggregate `DateTime` values." @@ -31061,20 +34125,33 @@ "Status": "The status of the network interface.", "SubnetId": "The subnet ID associated with the network interface." }, + "AWS::QuickSight::VPCConnection Tag": { + "Key": "", + "Value": "" + }, "AWS::RAM::Permission": { "Name": "Specifies the name of the customer managed permission. The name must be unique within the AWS Region .", "PolicyTemplate": "A string in JSON format string that contains the following elements of a resource-based policy:\n\n- *Effect* : must be set to `ALLOW` .\n- *Action* : specifies the actions that are allowed by this customer managed permission. The list must contain only actions that are supported by the specified resource type. For a list of all actions supported by each resource type, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *AWS Identity and Access Management User Guide* .\n- *Condition* : (optional) specifies conditional parameters that must evaluate to true when a user attempts an action for that action to be allowed. For more information about the Condition element, see [IAM policies: Condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *AWS Identity and Access Management User Guide* .\n\nThis template can't include either the `Resource` or `Principal` elements. Those are both filled in by AWS RAM when it instantiates the resource-based policy on each resource shared using this managed permission. The `Resource` comes from the ARN of the specific resource that you are sharing. The `Principal` comes from the list of identities added to the resource share.", "ResourceType": "Specifies the name of the resource type that this customer managed permission applies to.\n\nThe format is `** : **` and is not case sensitive. For example, to specify an Amazon EC2 Subnet, you can use the string `ec2:subnet` . To see the list of valid values for this parameter, query the [ListResourceTypes](https://docs.aws.amazon.com/ram/latest/APIReference/API_ListResourceTypes.html) operation.", "Tags": "Specifies a list of one or more tag key and value pairs to attach to the permission." }, + "AWS::RAM::Permission Tag": { + "Key": "The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive.", + "Value": "The string value attached to the tag. The value can be an empty string. Key values are case sensitive." + }, "AWS::RAM::ResourceShare": { "AllowExternalPrincipals": "Specifies whether principals outside your organization in AWS Organizations can be associated with a resource share. A value of `true` lets you share with individual AWS accounts that are *not* in your organization. A value of `false` only has meaning if your account is a member of an AWS Organization. The default value is `true` .", "Name": "Specifies the name of the resource share.", "PermissionArns": "Specifies the [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) of the AWS RAM permission to associate with the resource share. If you do not specify an ARN for the permission, AWS RAM automatically attaches the default version of the permission for each resource type. You can associate only one permission with each resource type included in the resource share.", "Principals": "Specifies the principals to associate with the resource share. The possible values are:\n\n- An AWS account ID\n- An Amazon Resource Name (ARN) of an organization in AWS Organizations\n- An ARN of an organizational unit (OU) in AWS Organizations\n- An ARN of an IAM role\n- An ARN of an IAM user\n\n> Not all resource types can be shared with IAM roles and users. For more information, see the column *Can share with IAM roles and users* in the tables on [Shareable AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html) in the *AWS Resource Access Manager User Guide* .", "ResourceArns": "Specifies a list of one or more ARNs of the resources to associate with the resource share.", + "Sources": "", "Tags": "Specifies one or more tags to attach to the resource share itself. It doesn't attach the tags to the resources associated with the resource share." }, + "AWS::RAM::ResourceShare Tag": { + "Key": "The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive.", + "Value": "The string value attached to the tag. The value can be an empty string. Key values are case sensitive." + }, "AWS::RDS::CustomDBEngineVersion": { "DatabaseInstallationFilesS3BucketName": "The name of an Amazon S3 bucket that contains database installation files for your CEV. For example, a valid bucket name is `my-custom-installation-files` .", "DatabaseInstallationFilesS3Prefix": "The Amazon S3 directory that contains the database installation files for your CEV. For example, a valid bucket name is `123456789012/cev1` . If this setting isn't specified, no prefix is assumed.", @@ -31086,6 +34163,10 @@ "Status": "A value that indicates the status of a custom engine version (CEV).", "Tags": "A list of tags. For more information, see [Tagging Amazon RDS Resources](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon RDS User Guide.*" }, + "AWS::RDS::CustomDBEngineVersion Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBCluster": { "AllocatedStorage": "The amount of storage in gibibytes (GiB) to allocate to each DB instance in the Multi-AZ DB cluster.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nThis setting is required to create a Multi-AZ DB cluster.", "AssociatedRoles": "Provides a list of the AWS Identity and Access Management (IAM) roles that are associated with the DB cluster. IAM roles that are associated with a DB cluster grant permission for the DB cluster to access other Amazon Web Services on your behalf.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", @@ -31112,7 +34193,7 @@ "EngineVersion": "The version number of the database engine to use.\n\nTo list all of the available engine versions for Aurora MySQL version 2 (5.7-compatible) and version 3 (8.0-compatible), use the following command:\n\n`aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"`\n\nYou can supply either `5.7` or `8.0` to use the default engine version for Aurora MySQL version 2 or version 3, respectively.\n\nTo list all of the available engine versions for Aurora PostgreSQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"`\n\nTo list all of the available engine versions for RDS for MySQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine mysql --query \"DBEngineVersions[].EngineVersion\"`\n\nTo list all of the available engine versions for RDS for PostgreSQL, use the following command:\n\n`aws rds describe-db-engine-versions --engine postgres --query \"DBEngineVersions[].EngineVersion\"`\n\n*Aurora MySQL*\n\nFor information, see [Database engine updates for Amazon Aurora MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Updates.html) in the *Amazon Aurora User Guide* .\n\n*Aurora PostgreSQL*\n\nFor information, see [Amazon Aurora PostgreSQL releases and engine versions](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.20180305.html) in the *Amazon Aurora User Guide* .\n\n*MySQL*\n\nFor information, see [Amazon RDS for MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt) in the *Amazon RDS User Guide* .\n\n*PostgreSQL*\n\nFor information, see [Amazon RDS for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts) in the *Amazon RDS User Guide* .\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "GlobalClusterIdentifier": "If you are configuring an Aurora global database cluster and want your Aurora DB cluster to be a secondary member in the global database cluster, specify the global cluster ID of the global database cluster. To define the primary database cluster of the global cluster, use the [AWS::RDS::GlobalCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html) resource.\n\nIf you aren't configuring a global database cluster, don't specify this property.\n\n> To remove the DB cluster from a global database cluster, specify an empty value for the `GlobalClusterIdentifier` property. \n\nFor information about Aurora global databases, see [Working with Amazon Aurora Global Databases](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html) in the *Amazon Aurora User Guide* .\n\nValid for: Aurora DB clusters only", "Iops": "The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for each DB instance in the Multi-AZ DB cluster.\n\nFor information about valid IOPS values, see [Provisioned IOPS storage](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#USER_PIOPS) in the *Amazon RDS User Guide* .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nConstraints:\n\n- Must be a multiple between .5 and 50 of the storage amount for the DB cluster.", - "KmsKeyId": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "KmsKeyId": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nIf you create a read replica of an encrypted DB cluster in another AWS Region, make sure to set `KmsKeyId` to a KMS key identifier that is valid in the destination AWS Region. This KMS key is used to encrypt the read replica in that AWS Region.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "ManageMasterUserPassword": "Specifies whether to manage the master user password with AWS Secrets Manager.\n\nFor more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide* and [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) in the *Amazon Aurora User Guide.*\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nConstraints:\n\n- Can't manage the master user password with AWS Secrets Manager if `MasterUserPassword` is specified.", "MasterUserPassword": "The master password for the DB instance.\n\n> If you specify the `SourceDBClusterIdentifier` , `SnapshotIdentifier` , or `GlobalClusterIdentifier` property, don't specify this property. The value is inherited from the source DB cluster, the snapshot, or the primary DB cluster for the global database cluster, respectively. \n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "MasterUserSecret": "The secret managed by RDS in AWS Secrets Manager for the master user password.\n\nFor more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide* and [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) in the *Amazon Aurora User Guide.*", @@ -31127,8 +34208,9 @@ "PreferredBackupWindow": "The daily time range during which automated backups are created. For more information, see [Backup Window](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow) in the *Amazon Aurora User Guide.*\n\nConstraints:\n\n- Must be in the format `hh24:mi-hh24:mi` .\n- Must be in Universal Coordinated Time (UTC).\n- Must not conflict with the preferred maintenance window.\n- Must be at least 30 minutes.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "PreferredMaintenanceWindow": "The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).\n\nFormat: `ddd:hh24:mi-ddd:hh24:mi`\n\nThe default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see [Adjusting the Preferred DB Cluster Maintenance Window](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora) in the *Amazon Aurora User Guide.*\n\nValid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.\n\nConstraints: Minimum 30-minute window.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "PubliclyAccessible": "Specifies whether the DB cluster is publicly accessible.\n\nWhen the DB cluster is publicly accessible, its Domain Name System (DNS) endpoint resolves to the private IP address from within the DB cluster's virtual private cloud (VPC). It resolves to the public IP address from outside of the DB cluster's VPC. Access to the DB cluster is ultimately controlled by the security group it uses. That public access isn't permitted if the security group assigned to the DB cluster doesn't permit it.\n\nWhen the DB cluster isn't publicly accessible, it is an internal DB cluster with a DNS name that resolves to a private IP address.\n\nValid for Cluster Type: Multi-AZ DB clusters only\n\nDefault: The default behavior varies depending on whether `DBSubnetGroupName` is specified.\n\nIf `DBSubnetGroupName` isn't specified, and `PubliclyAccessible` isn't specified, the following applies:\n\n- If the default VPC in the target Region doesn\u2019t have an internet gateway attached to it, the DB cluster is private.\n- If the default VPC in the target Region has an internet gateway attached to it, the DB cluster is public.\n\nIf `DBSubnetGroupName` is specified, and `PubliclyAccessible` isn't specified, the following applies:\n\n- If the subnets are part of a VPC that doesn\u2019t have an internet gateway attached to it, the DB cluster is private.\n- If the subnets are part of a VPC that has an internet gateway attached to it, the DB cluster is public.", + "ReadEndpoint": "This data type represents the information you need to connect to an Amazon RDS DB instance. This data type is used as a response element in the following actions:\n\n- `CreateDBInstance`\n- `DescribeDBInstances`\n- `DeleteDBInstance`\n\nFor the data structure that represents Amazon Aurora DB cluster endpoints, see `DBClusterEndpoint` .", "ReplicationSourceIdentifier": "The Amazon Resource Name (ARN) of the source DB instance or DB cluster if this DB cluster is created as a read replica.\n\nValid for: Aurora DB clusters only", - "RestoreToTime": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "RestoreToTime": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nThis property must be used with `SourceDBClusterIdentifier` property. The resulting cluster will have the identifier that matches the value of the `DBclusterIdentifier` property.\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "RestoreType": "The type of restore to be performed. You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "ScalingConfiguration": "The `ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless DB cluster.\n\nThis property is only supported for Aurora Serverless v1. For Aurora Serverless v2, use `ServerlessV2ScalingConfiguration` property.\n\nValid for: Aurora DB clusters only", "ServerlessV2ScalingConfiguration": "The `ServerlessV2ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless V2 DB cluster.\n\nThis property is only supported for Aurora Serverless v2. For Aurora Serverless v1, use `ScalingConfiguration` property.\n\nValid for: Aurora DB clusters only", @@ -31136,7 +34218,7 @@ "SourceDBClusterIdentifier": "When restoring a DB cluster to a point in time, the identifier of the source DB cluster from which to restore.\n\nConstraints:\n\n- Must match the identifier of an existing DBCluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "SourceRegion": "The AWS Region which contains the source DB cluster when replicating a DB cluster. For example, `us-east-1` .\n\nValid for: Aurora DB clusters only", "StorageEncrypted": "Indicates whether the DB cluster is encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBClusterIdentifier` property, don't specify this property. The value is inherited from the source DB cluster, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB cluster is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB cluster to be encrypted, then don't set this property or set it to `false` .\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", - "StorageType": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`", + "StorageType": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`\n\n> When you create an Aurora DB cluster with the storage type set to `aurora-iopt1` , the storage type is returned in the response. The storage type isn't returned when you set it to `aurora` .", "Tags": "An optional array of key-value pairs to apply to this DB cluster.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "UseLatestRestorableTime": "A value that indicates whether to restore the DB cluster to the latest restorable backup time. By default, the DB cluster is not restored to the latest restorable backup time.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "VpcSecurityGroupIds": "A list of EC2 VPC security groups to associate with this DB cluster.\n\nIf you plan to update the resource, don't specify VPC security groups in a shared VPC.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters" @@ -31157,7 +34239,7 @@ "Address": "The host address of the reader endpoint." }, "AWS::RDS::DBCluster ScalingConfiguration": { - "AutoPause": "A value that indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", + "AutoPause": "Indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", "MaxCapacity": "The maximum capacity for an Aurora DB cluster in `serverless` DB engine mode.\n\nFor Aurora MySQL, valid capacity values are `1` , `2` , `4` , `8` , `16` , `32` , `64` , `128` , and `256` .\n\nFor Aurora PostgreSQL, valid capacity values are `2` , `4` , `8` , `16` , `32` , `64` , `192` , and `384` .\n\nThe maximum capacity must be greater than or equal to the minimum capacity.", "MinCapacity": "The minimum capacity for an Aurora DB cluster in `serverless` DB engine mode.\n\nFor Aurora MySQL, valid capacity values are `1` , `2` , `4` , `8` , `16` , `32` , `64` , `128` , and `256` .\n\nFor Aurora PostgreSQL, valid capacity values are `2` , `4` , `8` , `16` , `32` , `64` , `192` , and `384` .\n\nThe minimum capacity must be less than or equal to the maximum capacity.", "SecondsBeforeTimeout": "The amount of time, in seconds, that Aurora Serverless v1 tries to find a scaling point to perform seamless scaling before enforcing the timeout action. The default is 300.\n\nSpecify a value between 60 and 600 seconds.", @@ -31168,6 +34250,10 @@ "MaxCapacity": "The maximum number of Aurora capacity units (ACUs) for a DB instance in an Aurora Serverless v2 cluster. You can specify ACU values in half-step increments, such as 40, 40.5, 41, and so on. The largest value that you can use is 128.\n\nThe maximum capacity must be higher than 0.5 ACUs. For more information, see [Choosing the maximum Aurora Serverless v2 capacity setting for a cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.setting-capacity.html#aurora-serverless-v2.max_capacity_considerations) in the *Amazon Aurora User Guide* .", "MinCapacity": "The minimum number of Aurora capacity units (ACUs) for a DB instance in an Aurora Serverless v2 cluster. You can specify ACU values in half-step increments, such as 8, 8.5, 9, and so on. The smallest value that you can use is 0.5." }, + "AWS::RDS::DBCluster Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBClusterParameterGroup": { "DBClusterParameterGroupName": "The name of the DB cluster parameter group.\n\nConstraints:\n\n- Must not match the name of an existing DB cluster parameter group.\n\nIf you don't specify a value for `DBClusterParameterGroupName` property, a name is automatically created for the DB cluster parameter group.\n\n> This value is stored as a lowercase string.", "Description": "A friendly description for this DB cluster parameter group.", @@ -31175,11 +34261,16 @@ "Parameters": "Provides a list of parameters for the DB cluster parameter group.", "Tags": "An optional array of key-value pairs to apply to this DB cluster parameter group." }, + "AWS::RDS::DBClusterParameterGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBInstance": { "AllocatedStorage": "The amount of storage in gibibytes (GiB) to be initially allocated for the database instance.\n\n> If any value is set in the `Iops` parameter, `AllocatedStorage` must be at least 100 GiB, which corresponds to the minimum Iops value of 1,000. If you increase the `Iops` value (in 1,000 IOPS increments), then you must also increase the `AllocatedStorage` value (in 100-GiB increments). \n\n*Amazon Aurora*\n\nNot applicable. Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.\n\n*MySQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*MariaDB*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*PostgreSQL*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 5 to 3072.\n\n*Oracle*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536.\n- Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.\n- Magnetic storage (standard): Must be an integer from 10 to 3072.\n\n*SQL Server*\n\nConstraints to the amount of storage for each storage type are the following:\n\n- General Purpose (SSD) storage (gp2):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Provisioned IOPS storage (io1):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 16384.\n- Web and Express editions: Must be an integer from 20 to 16384.\n- Magnetic storage (standard):\n\n- Enterprise and Standard editions: Must be an integer from 20 to 1024.\n- Web and Express editions: Must be an integer from 20 to 1024.", "AllowMajorVersionUpgrade": "A value that indicates whether major version upgrades are allowed. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible.\n\nConstraints: Major version upgrades must be allowed when specifying a value for the `EngineVersion` parameter that is a different major version than the DB instance's current version.", "AssociatedRoles": "The AWS Identity and Access Management (IAM) roles associated with the DB instance.\n\n*Amazon Aurora*\n\nNot applicable. The associated roles are managed by the DB cluster.", "AutoMinorVersionUpgrade": "A value that indicates whether minor engine upgrades are applied automatically to the DB instance during the maintenance window. By default, minor engine upgrades are applied automatically.", + "AutomaticBackupReplicationRegion": "", "AvailabilityZone": "The Availability Zone (AZ) where the database will be created. For information on AWS Regions and Availability Zones, see [Regions and Availability Zones](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) .\n\nFor Amazon Aurora, each Aurora DB cluster hosts copies of its storage in three separate Availability Zones. Specify one of these Availability Zones. Aurora automatically chooses an appropriate Availability Zone if you don't specify one.\n\nDefault: A random, system-chosen Availability Zone in the endpoint's AWS Region .\n\nConstraints:\n\n- The `AvailabilityZone` parameter can't be specified if the DB instance is a Multi-AZ deployment.\n- The specified Availability Zone must be in the same AWS Region as the current endpoint.\n\nExample: `us-east-1d`", "BackupRetentionPeriod": "The number of days for which automated backups are retained. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups.\n\n*Amazon Aurora*\n\nNot applicable. The retention period for automated backups is managed by the DB cluster.\n\nDefault: 1\n\nConstraints:\n\n- Must be a value from 0 to 35\n- Can't be set to 0 if the DB instance is a source to read replicas", "CACertificateIdentifier": "The identifier of the CA certificate for this DB instance.\n\n> Specifying or updating this property triggers a reboot. \n\nFor more information about CA certificate identifiers for RDS DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon RDS User Guide* .\n\nFor more information about CA certificate identifiers for Aurora DB engines, see [Rotating Your SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html) in the *Amazon Aurora User Guide* .", @@ -31197,11 +34288,16 @@ "DBSecurityGroups": "A list of the DB security groups to assign to the DB instance. The list can include both the name of existing DB security groups or references to AWS::RDS::DBSecurityGroup resources created in the template.\n\nIf you set DBSecurityGroups, you must not set VPCSecurityGroups, and vice versa. Also, note that the DBSecurityGroups property exists only for backwards compatibility with older regions and is no longer recommended for providing security information to an RDS DB instance. Instead, use VPCSecurityGroups.\n\n> If you specify this property, AWS CloudFormation sends only the following properties (if specified) to Amazon RDS during create operations:\n> \n> - `AllocatedStorage`\n> - `AutoMinorVersionUpgrade`\n> - `AvailabilityZone`\n> - `BackupRetentionPeriod`\n> - `CharacterSetName`\n> - `DBInstanceClass`\n> - `DBName`\n> - `DBParameterGroupName`\n> - `DBSecurityGroups`\n> - `DBSubnetGroupName`\n> - `Engine`\n> - `EngineVersion`\n> - `Iops`\n> - `LicenseModel`\n> - `MasterUsername`\n> - `MasterUserPassword`\n> - `MultiAZ`\n> - `OptionGroupName`\n> - `PreferredBackupWindow`\n> - `PreferredMaintenanceWindow`\n> \n> All other properties are ignored. Specify a virtual private cloud (VPC) security group if you want to submit other properties, such as `StorageType` , `StorageEncrypted` , or `KmsKeyId` . If you're already using the `DBSecurityGroups` property, you can't use these other properties by updating your DB instance to use a VPC security group. You must recreate the DB instance.", "DBSnapshotIdentifier": "The name or Amazon Resource Name (ARN) of the DB snapshot that's used to restore the DB instance. If you're restoring from a shared manual DB snapshot, you must specify the ARN of the snapshot.\n\nBy specifying this property, you can create a DB instance from the specified DB snapshot. If the `DBSnapshotIdentifier` property is an empty string or the `AWS::RDS::DBInstance` declaration has no `DBSnapshotIdentifier` property, AWS CloudFormation creates a new database. If the property contains a value (other than an empty string), AWS CloudFormation creates a database from the specified snapshot. If a snapshot with the specified name doesn't exist, AWS CloudFormation can't create the database and it rolls back the stack.\n\nSome DB instance properties aren't valid when you restore from a snapshot, such as the `MasterUsername` and `MasterUserPassword` properties. For information about the properties that you can specify, see the `RestoreDBInstanceFromDBSnapshot` action in the *Amazon RDS API Reference* .\n\nAfter you restore a DB instance with a `DBSnapshotIdentifier` property, you must specify the same `DBSnapshotIdentifier` property for any future updates to the DB instance. When you specify this property for an update, the DB instance is not restored from the DB snapshot again, and the data in the database is not changed. However, if you don't specify the `DBSnapshotIdentifier` property, an empty DB instance is created, and the original DB instance is deleted. If you specify a property that is different from the previous snapshot restore property, a new DB instance is restored from the specified `DBSnapshotIdentifier` property, and the original DB instance is deleted.\n\nIf you specify the `DBSnapshotIdentifier` property to restore a DB instance (as opposed to specifying it for DB instance updates), then don't specify the following properties:\n\n- `CharacterSetName`\n- `DBClusterIdentifier`\n- `DBName`\n- `DeleteAutomatedBackups`\n- `EnablePerformanceInsights`\n- `KmsKeyId`\n- `MasterUsername`\n- `MasterUserPassword`\n- `PerformanceInsightsKMSKeyId`\n- `PerformanceInsightsRetentionPeriod`\n- `PromotionTier`\n- `SourceDBInstanceIdentifier`\n- `SourceRegion`\n- `StorageEncrypted` (for an encrypted snapshot)\n- `Timezone`\n\n*Amazon Aurora*\n\nNot applicable. Snapshot restore is managed by the DB cluster.", "DBSubnetGroupName": "A DB subnet group to associate with the DB instance. If you update this value, the new subnet group must be a subnet group in a new VPC.\n\nIf there's no DB subnet group, then the DB instance isn't a VPC DB instance.\n\nFor more information about using Amazon RDS in a VPC, see [Using Amazon RDS with Amazon Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html) in the *Amazon RDS User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. The DB subnet group is managed by the DB cluster. If specified, the setting must match the DB cluster setting.", + "DBSystemId": "The Oracle system identifier (SID), which is the name of the Oracle database instance that manages your database files. In this context, the term \"Oracle database instance\" refers exclusively to the system global area (SGA) and Oracle background processes. If you don't specify a SID, the value defaults to `RDSCDB` . The Oracle SID is also the name of your CDB.", "DeleteAutomatedBackups": "A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn't case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted.\n\n*Amazon Aurora*\n\nNot applicable. When you delete a DB cluster, all automated backups for that DB cluster are deleted and can't be recovered. Manual DB cluster snapshots of the DB cluster are not deleted.", "DeletionProtection": "A value that indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled. For more information, see [Deleting a DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html) .\n\n*Amazon Aurora*\n\nNot applicable. You can enable or disable deletion protection for the DB cluster. For more information, see `CreateDBCluster` . DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster.", "Domain": "The Active Directory directory ID to create the DB instance in. Currently, only Microsoft SQL Server, Oracle, and PostgreSQL DB instances can be created in an Active Directory Domain.\n\nFor more information, see [Kerberos Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/kerberos-authentication.html) in the *Amazon RDS User Guide* .", + "DomainAuthSecretArn": "The ARN for the Secrets Manager secret with the credentials for the user joining the domain.\n\nExample: `arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456`", + "DomainDnsIps": "The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers.\n\nConstraints:\n\n- Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list.\n\nExample: `123.124.125.126,234.235.236.237`", + "DomainFqdn": "The fully qualified domain name (FQDN) of an Active Directory domain.\n\nConstraints:\n\n- Can't be longer than 64 characters.\n\nExample: `mymanagedADtest.mymanagedAD.mydomain`", "DomainIAMRoleName": "The name of the IAM role to use when making API calls to the Directory Service.\n\nThis setting doesn't apply to the following DB instances:\n\n- Amazon Aurora (The domain is managed by the DB cluster.)\n- RDS Custom", - "EnableCloudwatchLogsExports": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", + "DomainOu": "The Active Directory organizational unit for your DB instance to join.\n\nConstraints:\n\n- Must be in the distinguished name format.\n- Can't be longer than 64 characters.\n\nExample: `OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain`", + "EnableCloudwatchLogsExports": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace` , `oemagent`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", "EnableIAMDatabaseAuthentication": "A value that indicates whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. By default, mapping is disabled.\n\nThis property is supported for RDS for MariaDB, RDS for MySQL, and RDS for PostgreSQL. For more information, see [IAM Database Authentication for MariaDB, MySQL, and PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon RDS User Guide.*\n\n*Amazon Aurora*\n\nNot applicable. Mapping AWS IAM accounts to database accounts is managed by the DB cluster.", "EnablePerformanceInsights": "Specifies whether to enable Performance Insights for the DB instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html) in the *Amazon RDS User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.", "Endpoint": "The connection endpoint for the DB instance.\n\n> The endpoint might not be shown for instances with the status of `creating` .", @@ -31230,19 +34326,19 @@ "PromotionTier": "The order of priority in which an Aurora Replica is promoted to the primary instance after a failure of the existing primary instance. For more information, see [Fault Tolerance for an Aurora DB Cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraHighAvailability.html#Aurora.Managing.FaultTolerance) in the *Amazon Aurora User Guide* .\n\nThis setting doesn't apply to RDS Custom DB instances.\n\nDefault: `1`\n\nValid Values: `0 - 15`", "PubliclyAccessible": "Indicates whether the DB instance is an internet-facing instance. If you specify true, AWS CloudFormation creates an instance with a publicly resolvable DNS name, which resolves to a public IP address. If you specify false, AWS CloudFormation creates an internal instance with a DNS name that resolves to a private IP address.\n\nThe default behavior value depends on your VPC setup and the database subnet group. For more information, see the `PubliclyAccessible` parameter in the [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html) in the *Amazon RDS API Reference* .", "ReplicaMode": "The open mode of an Oracle read replica. For more information, see [Working with Oracle Read Replicas for Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-read-replicas.html) in the *Amazon RDS User Guide* .\n\nThis setting is only supported in RDS for Oracle.\n\nDefault: `open-read-only`\n\nValid Values: `open-read-only` or `mounted`", - "RestoreTime": "The date and time to restore from.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n\nExample: `2009-09-07T23:45:00Z`", + "RestoreTime": "The date and time to restore from.\n\nConstraints:\n\n- Must be a time in Universal Coordinated Time (UTC) format.\n- Must be before the latest restorable time for the DB instance.\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled.\n\nExample: `2009-09-07T23:45:00Z`", "SourceDBClusterIdentifier": "The identifier of the Multi-AZ DB cluster that will act as the source for the read replica. Each DB cluster can have up to 15 read replicas.\n\nConstraints:\n\n- Must be the identifier of an existing Multi-AZ DB cluster.\n- Can't be specified if the `SourceDBInstanceIdentifier` parameter is also specified.\n- The specified DB cluster must have automatic backups enabled, that is, its backup retention period must be greater than 0.\n- The source DB cluster must be in the same AWS Region as the read replica. Cross-Region replication isn't supported.", - "SourceDBInstanceAutomatedBackupsArn": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:useast-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", + "SourceDBInstanceAutomatedBackupsArn": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:us-east-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", "SourceDBInstanceIdentifier": "If you want to create a read replica DB instance, specify the ID of the source DB instance. Each DB instance can have a limited number of read replicas. For more information, see [Working with Read Replicas](https://docs.aws.amazon.com/AmazonRDS/latest/DeveloperGuide/USER_ReadRepl.html) in the *Amazon RDS User Guide* .\n\nFor information about constraints that apply to DB instance identifiers, see [Naming constraints in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html#RDS_Limits.Constraints) in the *Amazon RDS User Guide* .\n\nThe `SourceDBInstanceIdentifier` property determines whether a DB instance is a read replica. If you remove the `SourceDBInstanceIdentifier` property from your template and then update your stack, AWS CloudFormation promotes the Read Replica to a standalone DB instance.\n\n> - If you specify a source DB instance that uses VPC security groups, we recommend that you specify the `VPCSecurityGroups` property. If you don't specify the property, the read replica inherits the value of the `VPCSecurityGroups` property from the source DB when you create the replica. However, if you update the stack, AWS CloudFormation reverts the replica's `VPCSecurityGroups` property to the default value because it's not defined in the stack's template. This change might cause unexpected issues.\n> - Read replicas don't support deletion policies. AWS CloudFormation ignores any deletion policy that's associated with a read replica.\n> - If you specify `SourceDBInstanceIdentifier` , don't specify the `DBSnapshotIdentifier` property. You can't create a read replica from a snapshot.\n> - Don't set the `BackupRetentionPeriod` , `DBName` , `MasterUsername` , `MasterUserPassword` , and `PreferredBackupWindow` properties. The database attributes are inherited from the source DB instance, and backups are disabled for read replicas.\n> - If the source DB instance is in a different region than the read replica, specify the source region in `SourceRegion` , and specify an ARN for a valid DB instance in `SourceDBInstanceIdentifier` . For more information, see [Constructing a Amazon RDS Amazon Resource Name (ARN)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html#USER_Tagging.ARN) in the *Amazon RDS User Guide* .\n> - For DB instances in Amazon Aurora clusters, don't specify this property. Amazon RDS automatically assigns writer and reader DB instances.", "SourceDbiResourceId": "The resource ID of the source DB instance from which to restore.", "SourceRegion": "The ID of the region that contains the source DB instance for the read replica.", - "StorageEncrypted": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", + "StorageEncrypted": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", "StorageThroughput": "Specifies the storage throughput value for the DB instance. This setting applies only to the `gp3` storage type.\n\nThis setting doesn't apply to RDS Custom or Amazon Aurora.", "StorageType": "Specifies the storage type to be associated with the DB instance.\n\nValid values: `gp2 | gp3 | io1 | standard`\n\nThe `standard` value is also known as magnetic.\n\nIf you specify `io1` or `gp3` , you must also include a value for the `Iops` parameter.\n\nDefault: `io1` if the `Iops` parameter is specified, otherwise `gp2`\n\nFor more information, see [Amazon RDS DB Instance Storage](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html) in the *Amazon RDS User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. Aurora data is stored in the cluster volume, which is a single, virtual volume that uses solid state drives (SSDs).", "Tags": "An optional array of key-value pairs to apply to this DB instance.", "Timezone": "The time zone of the DB instance. The time zone parameter is currently supported only by [Microsoft SQL Server](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.TimeZone) .", "UseDefaultProcessorFeatures": "Specifies whether the DB instance class of the DB instance uses its default processor features.\n\nThis setting doesn't apply to RDS Custom DB instances.", - "UseLatestRestorableTime": "A value that indicates whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints: Can't be specified if the `RestoreTime` parameter is provided.", + "UseLatestRestorableTime": "Specifies whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints:\n\n- Can't be specified if the `RestoreTime` parameter is provided.", "VPCSecurityGroups": "A list of the VPC security group IDs to assign to the DB instance. The list can include both the physical IDs of existing VPC security groups and references to [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) resources created in the template.\n\nIf you plan to update the resource, don't specify VPC security groups in a shared VPC.\n\nIf you set `VPCSecurityGroups` , you must not set [`DBSecurityGroups`](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsecuritygroups) , and vice versa.\n\n> You can migrate a DB instance in your stack from an RDS DB security group to a VPC security group, but keep the following in mind:\n> \n> - You can't revert to using an RDS security group after you establish a VPC security group membership.\n> - When you migrate your DB instance to VPC security groups, if your stack update rolls back because the DB instance update fails or because an update fails in another AWS CloudFormation resource, the rollback fails because it can't revert to an RDS security group.\n> - To use the properties that are available when you use a VPC security group, you must recreate the DB instance. If you don't, AWS CloudFormation submits only the property values that are listed in the [`DBSecurityGroups`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsecuritygroups) property. \n\nTo avoid this situation, migrate your DB instance to using VPC security groups only when that is the only change in your stack template.\n\n*Amazon Aurora*\n\nNot applicable. The associated list of EC2 VPC security groups is managed by the DB cluster. If specified, the setting must match the DB cluster setting." }, "AWS::RDS::DBInstance CertificateDetails": { @@ -31266,6 +34362,10 @@ "Name": "The name of the processor feature. Valid names are `coreCount` and `threadsPerCore` .", "Value": "The value of a processor feature name." }, + "AWS::RDS::DBInstance Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBParameterGroup": { "DBParameterGroupName": "The name of the DB parameter group.\n\nConstraints:\n\n- Must be 1 to 255 letters, numbers, or hyphens.\n- First character must be a letter\n- Can't end with a hyphen or contain two consecutive hyphens\n\nIf you don't specify a value for `DBParameterGroupName` property, a name is automatically created for the DB parameter group.\n\n> This value is stored as a lowercase string.", "Description": "Provides the customer-specified description for this DB parameter group.", @@ -31273,13 +34373,17 @@ "Parameters": "An array of parameter names and values for the parameter update. At least one parameter name and value must be supplied. Subsequent arguments are optional.\n\nFor more information about DB parameters and DB parameter groups for Amazon RDS DB engines, see [Working with DB Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html) in the *Amazon RDS User Guide* .\n\nFor more information about DB cluster and DB instance parameters and parameter groups for Amazon Aurora DB engines, see [Working with DB Parameter Groups and DB Cluster Parameter Groups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_WorkingWithParamGroups.html) in the *Amazon Aurora User Guide* .\n\n> AWS CloudFormation doesn't support specifying an apply method for each individual parameter. The default apply method for each parameter is used.", "Tags": "An optional array of key-value pairs to apply to this DB parameter group.\n\n> Currently, this is the only property that supports drift detection." }, + "AWS::RDS::DBParameterGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBProxy": { "Auth": "The authorization mechanism that the proxy uses.", "DBProxyName": "The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region . An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens.", - "DebugLogging": "Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", + "DebugLogging": "Specifies whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", "EngineFamily": "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify `MYSQL` . For Aurora PostgreSQL and RDS for PostgreSQL databases, specify `POSTGRESQL` . For RDS for Microsoft SQL Server, specify `SQLSERVER` .\n\n*Valid values* : `MYSQL` | `POSTGRESQL` | `SQLSERVER`", "IdleClientTimeout": "The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database.", - "RequireTLS": "A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", + "RequireTLS": "Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", "RoleArn": "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager.", "Tags": "An optional set of key-value pairs to associate arbitrary data of your choosing with the proxy.", "VpcSecurityGroupIds": "One or more VPC security group IDs to associate with the new proxy.\n\nIf you plan to update the resource, don't specify VPC security groups in a shared VPC.", @@ -31316,10 +34420,10 @@ "TargetGroupName": "The identifier for the target group.\n\n> Currently, this property must be set to `default` ." }, "AWS::RDS::DBProxyTargetGroup ConnectionPoolConfigurationInfoFormat": { - "ConnectionBorrowTimeout": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: 120\n\nConstraints: between 1 and 3600, or 0 representing unlimited", + "ConnectionBorrowTimeout": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. For an unlimited wait time, specify `0` .\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", "InitQuery": "One or more SQL statements for the proxy to run when opening each new database connection. Typically used with `SET` statements to make sure that each connection has identical settings such as time zone and character set. For multiple statements, use semicolons as the separator. You can also include multiple variables in a single `SET` statement, such as `SET x=1, y=2` .\n\nDefault: no initialization query", - "MaxConnectionsPercent": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: 10 for RDS for Microsoft SQL Server, and 100 for all other engines\n\nConstraints: Must be between 1 and 100.", - "MaxIdleConnectionsPercent": "Controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is 5, and for all other engines, the default is 50.\n\nConstraints: Must be between 0 and the value of `MaxConnectionsPercent` .", + "MaxConnectionsPercent": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: `10` for RDS for Microsoft SQL Server, and `100` for all other engines\n\nConstraints:\n\n- Must be between 1 and 100.", + "MaxIdleConnectionsPercent": "A value that controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is `5` , and for all other engines, the default is `50` .\n\nConstraints:\n\n- Must be between 0 and the value of `MaxConnectionsPercent` .", "SessionPinningFilters": "Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection. Including an item in the list exempts that class of SQL operations from the pinning behavior.\n\nDefault: no session pinning filters" }, "AWS::RDS::DBSecurityGroup": { @@ -31334,6 +34438,10 @@ "EC2SecurityGroupName": "Name of the EC2 security group to authorize. For VPC DB security groups, `EC2SecurityGroupId` must be provided. Otherwise, `EC2SecurityGroupOwnerId` and either `EC2SecurityGroupName` or `EC2SecurityGroupId` must be provided.", "EC2SecurityGroupOwnerId": "AWS account number of the owner of the EC2 security group specified in the `EC2SecurityGroupName` parameter. The AWS access key ID isn't an acceptable value. For VPC DB security groups, `EC2SecurityGroupId` must be provided. Otherwise, `EC2SecurityGroupOwnerId` and either `EC2SecurityGroupName` or `EC2SecurityGroupId` must be provided." }, + "AWS::RDS::DBSecurityGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::DBSecurityGroupIngress": { "CIDRIP": "The IP range to authorize.", "DBSecurityGroupName": "The name of the DB security group to add authorization to.", @@ -31347,8 +34455,12 @@ "SubnetIds": "The EC2 Subnet IDs for the DB subnet group.", "Tags": "An optional array of key-value pairs to apply to this DB subnet group." }, + "AWS::RDS::DBSubnetGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::EventSubscription": { - "Enabled": "A value that indicates whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", + "Enabled": "Specifies whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", "EventCategories": "A list of event categories for a particular source type ( `SourceType` ) that you want to subscribe to. You can see a list of the categories for a given source type in the \"Amazon RDS event categories and event messages\" section of the [*Amazon RDS User Guide*](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.Messages.html) or the [*Amazon Aurora User Guide*](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Events.Messages.html) . You can also see this list by using the `DescribeEventCategories` operation.", "SnsTopicArn": "The Amazon Resource Name (ARN) of the SNS topic created for event notification. The ARN is created by Amazon SNS when you create a topic and subscribe to it.", "SourceIds": "The list of identifiers of the event sources for which events are returned. If not specified, then all sources are included in the response. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens. It can't end with a hyphen or contain two consecutive hyphens.\n\nConstraints:\n\n- If a `SourceIds` value is supplied, `SourceType` must also be provided.\n- If the source type is a DB instance, a `DBInstanceIdentifier` value must be supplied.\n- If the source type is a DB cluster, a `DBClusterIdentifier` value must be supplied.\n- If the source type is a DB parameter group, a `DBParameterGroupName` value must be supplied.\n- If the source type is a DB security group, a `DBSecurityGroupName` value must be supplied.\n- If the source type is a DB snapshot, a `DBSnapshotIdentifier` value must be supplied.\n- If the source type is a DB cluster snapshot, a `DBClusterSnapshotIdentifier` value must be supplied.", @@ -31356,6 +34468,10 @@ "SubscriptionName": "The name of the subscription.\n\nConstraints: The name must be less than 255 characters.", "Tags": "An optional array of key-value pairs to apply to this subscription." }, + "AWS::RDS::EventSubscription Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RDS::GlobalCluster": { "DeletionProtection": "Specifies whether to enable deletion protection for the new global database cluster. The global database can't be deleted when deletion protection is enabled.", "Engine": "The database engine to use for this global database cluster.\n\nValid Values: `aurora-mysql | aurora-postgresql`\n\nConstraints:\n\n- Can't be specified if `SourceDBClusterIdentifier` is specified. In this case, Amazon Aurora uses the engine of the source DB cluster.", @@ -31384,6 +34500,10 @@ "Name": "The name of the option that has settings that you can set.", "Value": "The current value of the option setting." }, + "AWS::RDS::OptionGroup Tag": { + "Key": "A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\").", + "Value": "A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and can't be prefixed with `aws:` or `rds:` . The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', ':', '/', '=', '+', '-', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-@]*)$\")." + }, "AWS::RUM::AppMonitor": { "AppMonitorConfiguration": "A structure that contains much of the configuration data for the app monitor. If you are using Amazon Cognito for authorization, you must include this structure in your request, and it must include the ID of the Amazon Cognito identity pool to use for authorization. If you don't include `AppMonitorConfiguration` , you must set up your own authorization method. For more information, see [Authorize your application to send data to AWS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-get-started-authorization.html) .\n\nIf you omit this argument, the sample rate used for CloudWatch RUM is set to 10% of the user sessions.", "CustomEvents": "Specifies whether this app monitor allows the web client to define and send custom events. If you omit this parameter, custom events are `DISABLED` .", @@ -31421,6 +34541,10 @@ "IamRoleArn": "This parameter is required if `Destination` is `Evidently` . If `Destination` is `CloudWatch` , do not use this parameter.\n\nThis parameter specifies the ARN of an IAM role that RUM will assume to write to the Evidently experiment that you are sending metrics to. This role must have permission to write to that experiment.", "MetricDefinitions": "An array of structures which define the metrics that you want to send." }, + "AWS::RUM::AppMonitor Tag": { + "Key": "", + "Value": "" + }, "AWS::Redshift::Cluster": { "AllowVersionUpgrade": "If `true` , major version upgrades can be applied during the maintenance window to the Amazon Redshift engine that is running on the cluster.\n\nWhen a new major version of the Amazon Redshift engine is released, you can request that the service automatically apply upgrades during the maintenance window to the Amazon Redshift engine that is running on your cluster.\n\nDefault: `true`", "AquaConfigurationStatus": "This parameter is retired. It does not set the AQUA configuration status. Amazon Redshift automatically determines whether to use AQUA (Advanced Query Accelerator).", @@ -31452,7 +34576,7 @@ "LoggingProperties": "Specifies logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster.", "MaintenanceTrackName": "An optional parameter for the name of the maintenance track for the cluster. If you don't provide a maintenance track name, the cluster is assigned to the `current` track.", "ManualSnapshotRetentionPeriod": "The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots.\n\nThe value must be either -1 or an integer between 1 and 3,653.", - "MasterUserPassword": "The password associated with the admin user account for the cluster that is being created.\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", + "MasterUserPassword": "The password associated with the admin user account for the cluster that is being created.\n\nYou can't use `MasterUserPassword` if `ManageMasterPassword` is `true` .\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", "MasterUsername": "The user name associated with the admin user account for the cluster that is being created.\n\nConstraints:\n\n- Must be 1 - 128 alphanumeric characters or hyphens. The user name can't be `PUBLIC` .\n- Must contain only lowercase letters, numbers, underscore, plus sign, period (dot), at symbol (@), or hyphen.\n- The first character must be a letter.\n- Must not contain a colon (:) or a slash (/).\n- Cannot be a reserved word. A list of reserved words can be found in [Reserved Words](https://docs.aws.amazon.com/redshift/latest/dg/r_pg_keywords.html) in the Amazon Redshift Database Developer Guide.", "NodeType": "The node type to be provisioned for the cluster. For information about node types, go to [Working with Clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes) in the *Amazon Redshift Cluster Management Guide* .\n\nValid Values: `ds2.xlarge` | `ds2.8xlarge` | `dc1.large` | `dc1.8xlarge` | `dc2.large` | `dc2.8xlarge` | `ra3.xlplus` | `ra3.4xlarge` | `ra3.16xlarge`", "NumberOfNodes": "The number of compute nodes in the cluster. This parameter is required when the *ClusterType* parameter is specified as `multi-node` .\n\nFor information about determining how many nodes you need, go to [Working with Clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#how-many-nodes) in the *Amazon Redshift Cluster Management Guide* .\n\nIf you don't specify this parameter, you get a single-node cluster. When requesting a multi-node cluster, you must specify the number of nodes that you want in the cluster.\n\nDefault: `1`\n\nConstraints: Value must be at least 1 and no more than 100.", @@ -31479,6 +34603,10 @@ "BucketName": "The name of an existing S3 bucket where the log files are to be stored.\n\nConstraints:\n\n- Must be in the same region as the cluster\n- The cluster must have read bucket and put object permissions", "S3KeyPrefix": "The prefix applied to the log file names.\n\nConstraints:\n\n- Cannot exceed 512 characters\n- Cannot contain spaces( ), double quotes (\"), single quotes ('), a backslash (\\), or control characters. The hexadecimal codes for invalid characters are:\n\n- x00 to x20\n- x22\n- x27\n- x5c\n- x7f or larger" }, + "AWS::Redshift::Cluster Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::ClusterParameterGroup": { "Description": "The description of the parameter group.", "ParameterGroupFamily": "The name of the cluster parameter group family that this cluster parameter group is compatible with. You can create a custom parameter group and then associate your cluster with it. For more information, see [Amazon Redshift parameter groups](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-parameter-groups.html) .", @@ -31490,10 +34618,18 @@ "ParameterName": "The name of the parameter.", "ParameterValue": "The value of the parameter. If `ParameterName` is `wlm_json_configuration` , then the maximum size of `ParameterValue` is 8000 characters." }, + "AWS::Redshift::ClusterParameterGroup Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::ClusterSecurityGroup": { "Description": "A description for the security group.", "Tags": "Specifies an arbitrary set of tags (key\u2013value pairs) to associate with this security group. Use tags to manage your resources." }, + "AWS::Redshift::ClusterSecurityGroup Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::ClusterSecurityGroupIngress": { "CIDRIP": "The IP range to be added the Amazon Redshift security group.", "ClusterSecurityGroupName": "The name of the security group to which the ingress rule is added.", @@ -31505,6 +34641,10 @@ "SubnetIds": "An array of VPC subnet IDs. A maximum of 20 subnets can be modified in a single request.", "Tags": "Specifies an arbitrary set of tags (key\u2013value pairs) to associate with this subnet group. Use tags to manage your resources." }, + "AWS::Redshift::ClusterSubnetGroup Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::EndpointAccess": { "ClusterIdentifier": "The cluster identifier of the cluster associated with the endpoint.", "EndpointName": "The name of the endpoint.", @@ -31543,6 +34683,10 @@ "SubscriptionName": "The name of the event subscription to be created.\n\nConstraints:\n\n- Cannot be null, empty, or blank.\n- Must contain from 1 to 255 alphanumeric characters or hyphens.\n- First character must be a letter.\n- Cannot end with a hyphen or contain two consecutive hyphens.", "Tags": "A list of tag instances." }, + "AWS::Redshift::EventSubscription Tag": { + "Key": "The key, or name, for the resource tag.", + "Value": "The value for the resource tag." + }, "AWS::Redshift::ScheduledAction": { "Enable": "If true, the schedule is enabled. If false, the scheduled action does not trigger. For more information about `state` of the scheduled action, see `ScheduledAction` .", "EndTime": "The end time in UTC when the schedule is no longer active. After this time, the scheduled action does not trigger.", @@ -31597,6 +34741,10 @@ "NamespaceName": "The name of the namespace. Must be between 3-64 alphanumeric characters in lowercase, and it cannot be a reserved word. A list of reserved words can be found in [Reserved Words](https://docs.aws.amazon.com//redshift/latest/dg/r_pg_keywords.html) in the Amazon Redshift Database Developer Guide.", "Status": "The status of the namespace." }, + "AWS::RedshiftServerless::Namespace Tag": { + "Key": "The key to use in the tag.", + "Value": "The value of the tag." + }, "AWS::RedshiftServerless::Workgroup": { "BaseCapacity": "The base compute capacity of the workgroup in Redshift Processing Units (RPUs).", "ConfigParameters": "A list of parameters to set for finer control over a database. Available options are `datestyle` , `enable_user_activity_logging` , `query_group` , `search_path` , and `max_query_execution_time` .", @@ -31624,6 +34772,10 @@ "PrivateIpAddress": "The IPv4 address of the network interface within the subnet.", "SubnetId": "The unique identifier of the subnet." }, + "AWS::RedshiftServerless::Workgroup Tag": { + "Key": "The key to use in the tag.", + "Value": "The value of the tag." + }, "AWS::RedshiftServerless::Workgroup VpcEndpoint": { "NetworkInterfaces": "One or more network interfaces of the endpoint. Also known as an interface endpoint.", "VpcEndpointId": "The connection endpoint ID for connecting to Amazon Redshift Serverless.", @@ -31656,12 +34808,20 @@ "EndpointType": "The type of endpoint to use for the API Gateway proxy. If no value is specified in the request, the value is set to `REGIONAL` by default.\n\nIf the value is set to `PRIVATE` in the request, this creates a private API endpoint that is isolated from the public internet. The private endpoint can only be accessed by using Amazon Virtual Private Cloud ( Amazon VPC ) interface endpoints for the Amazon API Gateway that has been granted access. For more information about creating a private connection with Refactor Spaces and interface endpoint ( AWS PrivateLink ) availability, see [Access Refactor Spaces using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/vpc-interface-endpoints.html) .", "StageName": "The name of the API Gateway stage. The name defaults to `prod` ." }, + "AWS::RefactorSpaces::Application Tag": { + "Key": "", + "Value": "" + }, "AWS::RefactorSpaces::Environment": { "Description": "A description of the environment.", "Name": "The name of the environment.", "NetworkFabricType": "The network fabric type of the environment.", "Tags": "The tags assigned to the environment." }, + "AWS::RefactorSpaces::Environment Tag": { + "Key": "", + "Value": "" + }, "AWS::RefactorSpaces::Route": { "ApplicationIdentifier": "The unique identifier of the application.", "DefaultRoute": "Configuration for the default route type.", @@ -31674,6 +34834,10 @@ "AWS::RefactorSpaces::Route DefaultRouteInput": { "ActivationState": "If set to `ACTIVE` , traffic is forwarded to this route\u2019s service after the route is created." }, + "AWS::RefactorSpaces::Route Tag": { + "Key": "", + "Value": "" + }, "AWS::RefactorSpaces::Route UriPathRouteInput": { "ActivationState": "If set to `ACTIVE` , traffic is forwarded to this route\u2019s service after the route is created.", "AppendSourcePath": "If set to `true` , this option appends the source path to the service URL endpoint.", @@ -31695,6 +34859,10 @@ "AWS::RefactorSpaces::Service LambdaEndpointInput": { "Arn": "The Amazon Resource Name (ARN) of the Lambda function or alias." }, + "AWS::RefactorSpaces::Service Tag": { + "Key": "", + "Value": "" + }, "AWS::RefactorSpaces::Service UrlEndpointInput": { "HealthUrl": "The health check URL of the URL endpoint type. If the URL is a public endpoint, the `HealthUrl` must also be a public endpoint. If the URL is a private endpoint inside a virtual private cloud (VPC), the health URL must also be a private endpoint, and the host must be the same as the URL.", "Url": "The URL to route traffic to. The URL must be an [rfc3986-formatted URL](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc3986) . If the host is a domain name, the name must be resolvable over the public internet. If the scheme is `https` , the top level domain of the host must be listed in the [IANA root zone database](https://docs.aws.amazon.com/https://www.iana.org/domains/root/db) ." @@ -31703,6 +34871,10 @@ "CollectionId": "ID for the collection that you are creating.", "Tags": "A set of tags (key-value pairs) that you want to attach to the collection." }, + "AWS::Rekognition::Collection Tag": { + "Key": "", + "Value": "" + }, "AWS::Rekognition::Project": { "ProjectName": "The name of the project to create." }, @@ -31747,31 +34919,51 @@ "AWS::Rekognition::StreamProcessor NotificationChannel": { "Arn": "The ARN of the SNS topic that receives notifications." }, + "AWS::Rekognition::StreamProcessor Point": { + "X": "The value of the X coordinate for a point on a `Polygon` .", + "Y": "The value of the Y coordinate for a point on a `Polygon` ." + }, "AWS::Rekognition::StreamProcessor S3Destination": { "BucketName": "Describes the destination Amazon Simple Storage Service (Amazon S3) bucket name of a stream processor's exports.", "ObjectKeyPrefix": "Describes the destination Amazon Simple Storage Service (Amazon S3) object keys of a stream processor's exports." }, + "AWS::Rekognition::StreamProcessor Tag": { + "Key": "", + "Value": "" + }, "AWS::ResilienceHub::App": { "AppAssessmentSchedule": "Assessment execution schedule with 'Daily' or 'Disabled' values.", - "AppTemplateBody": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template provided in the *Examples* section.\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nThe name of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nThe name of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. \n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", - "Description": "The optional description for an app.", - "Name": "The name for the application.", + "AppTemplateBody": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template in [Sample appTemplateBody template](https://docs.aws.amazon.com//resilience-hub/latest/APIReference/API_PutDraftAppVersionTemplate.html#API_PutDraftAppVersionTemplate_Examples) .\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nIdentifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nName of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nName of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. \n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", + "Description": "Optional description for an application.", + "EventSubscriptions": "The list of events you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* and *Scheduled assessment failure* events.", + "Name": "Name for the application.", + "PermissionModel": "Defines the roles and credentials that AWS Resilience Hub would use while creating the application, importing its resources, and running an assessment.", "ResiliencyPolicyArn": "The Amazon Resource Name (ARN) of the resiliency policy.", - "ResourceMappings": "An array of ResourceMapping objects.", - "Tags": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair." + "ResourceMappings": "An array of `ResourceMapping` objects.", + "Tags": "" + }, + "AWS::ResilienceHub::App EventSubscription": { + "EventType": "The type of event you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* ( `DriftDetected` ) and *Scheduled assessment failure* ( `ScheduledAssessmentFailure` ) events.", + "Name": "Unique name to identify an event subscription.", + "SnsTopicArn": "Amazon Resource Name (ARN) of the Amazon Simple Notification Service topic. The format for this ARN is: `arn:partition:sns:region:account:topic-name` ." + }, + "AWS::ResilienceHub::App PermissionModel": { + "CrossAccountRoleArns": "Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.\n\n> - These ARNs are required only when your resources are in other accounts and you have different role name in these accounts. Else, the invoker role name will be used in the other accounts.\n> - These roles must have a trust policy with `iam:AssumeRole` permission to the invoker role in the primary account.", + "InvokerRoleName": "Existing AWS IAM role name in the primary AWS account that will be assumed by AWS Resilience Hub Service Principle to obtain a read-only access to your application resources while running an assessment.\n\n> You must have `iam:passRole` permission for this role while creating or updating the application.", + "Type": "Defines how AWS Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your AWS account, or by using the credentials of the current IAM user." }, "AWS::ResilienceHub::App PhysicalResourceId": { - "AwsAccountId": "The AWS account that owns the physical resource.", - "AwsRegion": "The AWS Region that the physical resource is located in.", - "Identifier": "The identifier of the physical resource.", + "AwsAccountId": "The account that owns the physical resource.", + "AwsRegion": "The that the physical resource is located in.", + "Identifier": "Identifier of the physical resource.", "Type": "Specifies the type of physical resource identifier.\n\n- **Arn** - The resource identifier is an Amazon Resource Name (ARN) and it can identify the following list of resources:\n\n- `AWS::ECS::Service`\n- `AWS::EFS::FileSystem`\n- `AWS::ElasticLoadBalancingV2::LoadBalancer`\n- `AWS::Lambda::Function`\n- `AWS::SNS::Topic`\n- **Native** - The resource identifier is an AWS Resilience Hub -native identifier and it can identify the following list of resources:\n\n- `AWS::ApiGateway::RestApi`\n- `AWS::ApiGatewayV2::Api`\n- `AWS::AutoScaling::AutoScalingGroup`\n- `AWS::DocDB::DBCluster`\n- `AWS::DocDB::DBGlobalCluster`\n- `AWS::DocDB::DBInstance`\n- `AWS::DynamoDB::GlobalTable`\n- `AWS::DynamoDB::Table`\n- `AWS::EC2::EC2Fleet`\n- `AWS::EC2::Instance`\n- `AWS::EC2::NatGateway`\n- `AWS::EC2::Volume`\n- `AWS::ElasticLoadBalancing::LoadBalancer`\n- `AWS::RDS::DBCluster`\n- `AWS::RDS::DBInstance`\n- `AWS::RDS::GlobalCluster`\n- `AWS::Route53::RecordSet`\n- `AWS::S3::Bucket`\n- `AWS::SQS::Queue`" }, "AWS::ResilienceHub::App ResourceMapping": { "EksSourceName": "", - "LogicalStackName": "The name of the CloudFormation stack this resource is mapped to.", - "MappingType": "Specifies the type of resource mapping.\n\nValid Values: CfnStack | Resource | AppRegistryApp | ResourceGroup | Terraform\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a CloudFormation stack. The name of the CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to a resource group. The name of the resource group is contained in the `resourceGroupName` property.", - "PhysicalResourceId": "The identifier of this resource.", - "ResourceName": "The name of the resource this resource is mapped to.", + "LogicalStackName": "The name of the AWS CloudFormation stack this resource is mapped to.", + "MappingType": "Specifies the type of resource mapping.\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a AWS CloudFormation stack. The name of the AWS CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to AWS Resource Groups . The name of the resource group is contained in the `resourceGroupName` property.", + "PhysicalResourceId": "Identifier of the physical resource.", + "ResourceName": "Name of the resource that the resource is mapped to.", "TerraformSourceName": "The short name of the Terraform source." }, "AWS::ResilienceHub::ResiliencyPolicy": { @@ -31779,12 +34971,12 @@ "Policy": "The resiliency policy.", "PolicyDescription": "The description for the policy.", "PolicyName": "The name of the policy", - "Tags": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "Tags": "", "Tier": "The tier for this resiliency policy, ranging from the highest severity ( `MissionCritical` ) to lowest ( `NonCritical` )." }, "AWS::ResilienceHub::ResiliencyPolicy FailurePolicy": { - "RpoInSecs": "The Recovery Point Objective (RPO), in seconds.", - "RtoInSecs": "The Recovery Time Objective (RTO), in seconds." + "RpoInSecs": "Recovery Point Objective (RPO) in seconds.", + "RtoInSecs": "Recovery Time Objective (RTO) in seconds." }, "AWS::ResourceExplorer2::DefaultViewAssociation": { "ViewArn": "The ARN of the view to set as the default for the AWS Region and AWS account in which you call this operation. The specified view must already exist in the specified Region." @@ -31830,6 +35022,10 @@ "Query": "The query that defines the membership of the group. This is a structure with properties that depend on the `Type` .\n\nThe `Query` structure must be included in the following scenarios:\n\n- When the `Type` is `TAG_FILTERS_1_0` , you must specify a `Query` structure that contains a `TagFilters` list of tags. Resources with tags that match those in the `TagFilter` list become members of the resource group.\n- When the `Type` is `CLOUDFORMATION_STACK_1_0` then this field is required only when you must specify a CloudFormation stack other than the one you are defining. To do this, the `Query` structure must contain the `StackIdentifier` property. If you don't specify either a `Query` structure or a `StackIdentifier` within that `Query` , then it defaults to the CloudFormation stack that you're currently constructing.", "Type": "Specifies the type of resource query that determines this group's membership. There are two valid query types:\n\n- `TAG_FILTERS_1_0` indicates that the group is a tag-based group. To complete the group membership, you must include the `TagFilters` property to specify the tag filters to use in the query.\n- `CLOUDFORMATION_STACK_1_0` , the default, indicates that the group is a CloudFormation stack-based group. Group membership is based on the CloudFormation stack. You must specify the `StackIdentifier` property in the query to define which stack to associate the group with, or leave it empty to default to the stack where the group is defined." }, + "AWS::ResourceGroups::Group Tag": { + "Key": "", + "Value": "" + }, "AWS::ResourceGroups::Group TagFilter": { "Key": "A string that defines a tag key. Only resources in the account that are tagged with a specified tag key are members of the tag-based resource group.\n\nThis field is required when the `ResourceQuery` structure's `Type` property is `TAG_FILTERS_1_0` . You must specify at least one tag key.", "Values": "A list of tag values that can be included in the tag-based resource group. This is optional. If you don't specify a value or values for a key, then an AWS resource with any value for that key is a member." @@ -31898,36 +35094,55 @@ "CurrentRevisionId": "The current revision id for the simulation application. If you provide a value and it matches the latest revision ID, a new version will be created." }, "AWS::RolesAnywhere::CRL": { - "CrlData": "The x509 v3 specified certificate revocation list (CRL).", - "Enabled": "Specifies whether the certificate revocation list (CRL) is enabled.", - "Name": "The name of the certificate revocation list (CRL).", - "Tags": "A list of tags to attach to the certificate revocation list (CRL).", + "CrlData": "", + "Enabled": "", + "Name": "", + "Tags": "", "TrustAnchorArn": "The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for." }, + "AWS::RolesAnywhere::CRL Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::RolesAnywhere::Profile": { - "DurationSeconds": "Sets the maximum number of seconds that vended temporary credentials through [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html) will be valid for, between 900 and 3600.", - "Enabled": "Indicates whether the profile is enabled.", - "ManagedPolicyArns": "A list of managed policy ARNs that apply to the vended session credentials.", - "Name": "The name of the profile.", - "RequireInstanceProperties": "Specifies whether instance properties are required in temporary credential requests with this profile.", - "RoleArns": "A list of IAM role ARNs. During `CreateSession` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.", - "SessionPolicy": "A session policy that applies to the trust boundary of the vended session credentials.", - "Tags": "The tags to attach to the profile." + "DurationSeconds": "The number of seconds vended session credentials will be valid for", + "Enabled": "The enabled status of the resource.", + "ManagedPolicyArns": "A list of managed policy ARNs. Managed policies identified by this list will be applied to the vended session credentials.", + "Name": "The customer specified name of the resource.", + "RequireInstanceProperties": "Specifies whether instance properties are required in CreateSession requests with this profile.", + "RoleArns": "A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.", + "SessionPolicy": "A session policy that will applied to the trust boundary of the vended session credentials.", + "Tags": "A list of Tags." + }, + "AWS::RolesAnywhere::Profile Tag": { + "Key": "The tag key.", + "Value": "The tag value." }, "AWS::RolesAnywhere::TrustAnchor": { "Enabled": "Indicates whether the trust anchor is enabled.", "Name": "The name of the trust anchor.", + "NotificationSettings": "A list of notification settings to be associated to the trust anchor.", "Source": "The trust anchor type and its related certificate data.", "Tags": "The tags to attach to the trust anchor." }, + "AWS::RolesAnywhere::TrustAnchor NotificationSetting": { + "Channel": "The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge , and AWS Health Dashboard to notify for an event.\n\n> In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.", + "Enabled": "Indicates whether the notification setting is enabled.", + "Event": "The event to which this notification setting is applied.", + "Threshold": "The number of days before a notification event. This value is required for a notification setting that is enabled." + }, "AWS::RolesAnywhere::TrustAnchor Source": { - "SourceData": "The data field of the trust anchor depending on its type.", - "SourceType": "The type of the TrustAnchor.\n\n> `AWS_ACM_PCA` is not an allowed value in your region." + "SourceData": "A union object representing the data field of the TrustAnchor depending on its type", + "SourceType": "The type of the TrustAnchor." }, "AWS::RolesAnywhere::TrustAnchor SourceData": { "AcmPcaArn": "The root certificate of the AWS Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type `AWS_ACM_PCA` .\n\n> This field is not supported in your region.", "X509CertificateData": "The PEM-encoded data for the certificate anchor. Included for trust anchors of type `CERTIFICATE_BUNDLE` ." }, + "AWS::RolesAnywhere::TrustAnchor Tag": { + "Key": "The tag key.", + "Value": "The tag value." + }, "AWS::Route53::CidrCollection": { "Locations": "A complex type that contains information about the list of CIDR locations.", "Name": "The name of a CIDR collection." @@ -31962,7 +35177,7 @@ "Regions": "A complex type that contains one `Region` element for each region from which you want Amazon Route 53 health checkers to check the specified endpoint.\n\nIf you don't specify any regions, Route 53 health checkers automatically performs checks from all of the regions that are listed under *Valid Values* .\n\nIf you update a health check to remove a region that has been performing health checks, Route 53 will briefly continue to perform checks from that region to ensure that some health checkers are always checking the endpoint (for example, if you replace three regions with four different regions).", "RequestInterval": "The number of seconds between the time that Amazon Route 53 gets a response from your endpoint and the time that it sends the next health check request. Each Route 53 health checker makes requests at this interval.\n\n> You can't change the value of `RequestInterval` after you create a health check. \n\nIf you don't specify a value for `RequestInterval` , the default value is `30` seconds.", "ResourcePath": "The path, if any, that you want Amazon Route 53 to request when performing health checks. The path can be any value for which your endpoint will return an HTTP status code of 2xx or 3xx when the endpoint is healthy, for example, the file /docs/route53-health-check.html. You can also include query string parameters, for example, `/welcome.html?language=jp&login=y` .", - "RoutingControlArn": "", + "RoutingControlArn": "The Amazon Resource Name (ARN) for the Route 53 Application Recovery Controller routing control.\n\nFor more information about Route 53 Application Recovery Controller, see [Route 53 Application Recovery Controller Developer Guide.](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route-53-recovery.html) .", "SearchString": "If the value of Type is `HTTP_STR_MATCH` or `HTTPS_STR_MATCH` , the string that you want Amazon Route 53 to search for in the response body from the specified resource. If the string appears in the response body, Route 53 considers the resource healthy.\n\nRoute 53 considers case when searching for `SearchString` in the response body.", "Type": "The type of health check that you want to create, which indicates how Amazon Route 53 determines whether an endpoint is healthy.\n\n> You can't change the value of `Type` after you create a health check. \n\nYou can create the following types of health checks:\n\n- *HTTP* : Route 53 tries to establish a TCP connection. If successful, Route 53 submits an HTTP request and waits for an HTTP status code of 200 or greater and less than 400.\n- *HTTPS* : Route 53 tries to establish a TCP connection. If successful, Route 53 submits an HTTPS request and waits for an HTTP status code of 200 or greater and less than 400.\n\n> If you specify `HTTPS` for the value of `Type` , the endpoint must support TLS v1.0 or later.\n- *HTTP_STR_MATCH* : Route 53 tries to establish a TCP connection. If successful, Route 53 submits an HTTP request and searches the first 5,120 bytes of the response body for the string that you specify in `SearchString` .\n- *HTTPS_STR_MATCH* : Route 53 tries to establish a TCP connection. If successful, Route 53 submits an `HTTPS` request and searches the first 5,120 bytes of the response body for the string that you specify in `SearchString` .\n- *TCP* : Route 53 tries to establish a TCP connection.\n- *CLOUDWATCH_METRIC* : The health check is associated with a CloudWatch alarm. If the state of the alarm is `OK` , the health check is considered healthy. If the state is `ALARM` , the health check is considered unhealthy. If CloudWatch doesn't have sufficient data to determine whether the state is `OK` or `ALARM` , the health check status depends on the setting for `InsufficientDataHealthStatus` : `Healthy` , `Unhealthy` , or `LastKnownStatus` .\n\n> Route 53 supports CloudWatch alarms with the following features:\n> \n> - Standard-resolution metrics. High-resolution metrics aren't supported. For more information, see [High-Resolution Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/publishingMetrics.html#high-resolution-metrics) in the *Amazon CloudWatch User Guide* .\n> - Statistics: Average, Minimum, Maximum, Sum, and SampleCount. Extended statistics aren't supported.\n- *CALCULATED* : For health checks that monitor the status of other health checks, Route 53 adds up the number of health checks that Route 53 health checkers consider to be healthy and compares that number with the value of `HealthThreshold` .\n- *RECOVERY_CONTROL* : The health check is assocated with a Route53 Application Recovery Controller routing control. If the routing control state is `ON` , the health check is considered healthy. If the state is `OFF` , the health check is considered unhealthy.\n\nFor more information, see [How Route 53 Determines Whether an Endpoint Is Healthy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-determining-health-of-endpoints.html) in the *Amazon Route 53 Developer Guide* ." }, @@ -32007,7 +35222,7 @@ "HostedZoneId": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", "HostedZoneName": "The name of the hosted zone that you want to create records in. You must include a trailing dot (for example, `www.example.com.` ) as part of the `HostedZoneName` .\n\nWhen you create a stack using an AWS::Route53::RecordSet that specifies `HostedZoneName` , AWS CloudFormation attempts to find a hosted zone whose name matches the HostedZoneName. If AWS CloudFormation cannot find a hosted zone with a matching domain name, or if there is more than one hosted zone with the specified domain name, AWS CloudFormation will not create the stack.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", "MultiValueAnswer": "*Multivalue answer resource record sets only* : To route traffic approximately randomly to multiple resources, such as web servers, create one multivalue answer record for each resource and specify `true` for `MultiValueAnswer` . Note the following:\n\n- If you associate a health check with a multivalue answer resource record set, Amazon Route 53 responds to DNS queries with the corresponding IP address only when the health check is healthy.\n- If you don't associate a health check with a multivalue answer record, Route 53 always considers the record to be healthy.\n- Route 53 responds to DNS queries with up to eight healthy records; if you have eight or fewer healthy records, Route 53 responds to all DNS queries with all the healthy records.\n- If you have more than eight healthy records, Route 53 responds to different DNS resolvers with different combinations of healthy records.\n- When all records are unhealthy, Route 53 responds to DNS queries with up to eight unhealthy records.\n- If a resource becomes unavailable after a resolver caches a response, client software typically tries another of the IP addresses in the response.\n\nYou can't create multivalue answer alias records.", - "Name": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "Name": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "Region": "*Latency-based resource record sets only:* The Amazon EC2 Region where you created the resource that this resource record set refers to. The resource typically is an AWS resource, such as an EC2 instance or an ELB load balancer, and is referred to by an IP address or a DNS domain name, depending on the record type.\n\nWhen Amazon Route 53 receives a DNS query for a domain name and type for which you have created latency resource record sets, Route 53 selects the latency resource record set that has the lowest latency between the end user and the associated Amazon EC2 Region. Route 53 then returns the value that is associated with the selected resource record set.\n\nNote the following:\n\n- You can only specify one `ResourceRecord` per latency resource record set.\n- You can only create one latency resource record set for each Amazon EC2 Region.\n- You aren't required to create latency resource record sets for all Amazon EC2 Regions. Route 53 will choose the region with the best latency from among the regions that you create latency resource record sets for.\n- You can't create non-latency resource record sets that have the same values for the `Name` and `Type` elements as latency resource record sets.", "ResourceRecords": "One or more values that correspond with the value that you specified for the `Type` property. For example, if you specified `A` for `Type` , you specify one or more IP addresses in IPv4 format for `ResourceRecords` . For information about the format of values for each record type, see [Supported DNS Resource Record Types](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html) in the *Amazon Route 53 Developer Guide* .\n\nNote the following:\n\n- You can specify more than one value for all record types except CNAME and SOA.\n- The maximum length of a value is 4000 characters.\n- If you're creating an alias record, omit `ResourceRecords` .", "SetIdentifier": "*Resource record sets that have a routing policy other than simple:* An identifier that differentiates among multiple resource record sets that have the same combination of name and type, such as multiple weighted resource record sets named acme.example.com that have a type of A. In a group of resource record sets that have the same name and type, the value of `SetIdentifier` must be unique for each resource record set.\n\nFor information about routing policies, see [Choosing a Routing Policy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html) in the *Amazon Route 53 Developer Guide* .", @@ -32055,10 +35270,10 @@ "Failover": "*Failover resource record sets only:* To configure failover, you add the `Failover` element to two resource record sets. For one resource record set, you specify `PRIMARY` as the value for `Failover` ; for the other resource record set, you specify `SECONDARY` . In addition, you include the `HealthCheckId` element and specify the health check that you want Amazon Route 53 to perform for each resource record set.\n\nExcept where noted, the following failover behaviors assume that you have included the `HealthCheckId` element in both resource record sets:\n\n- When the primary resource record set is healthy, Route 53 responds to DNS queries with the applicable value from the primary resource record set regardless of the health of the secondary resource record set.\n- When the primary resource record set is unhealthy and the secondary resource record set is healthy, Route 53 responds to DNS queries with the applicable value from the secondary resource record set.\n- When the secondary resource record set is unhealthy, Route 53 responds to DNS queries with the applicable value from the primary resource record set regardless of the health of the primary resource record set.\n- If you omit the `HealthCheckId` element for the secondary resource record set, and if the primary resource record set is unhealthy, Route 53 always responds to DNS queries with the applicable value from the secondary resource record set. This is true regardless of the health of the associated endpoint.\n\nYou can't create non-failover resource record sets that have the same values for the `Name` and `Type` elements as failover resource record sets.\n\nFor failover alias resource record sets, you must also include the `EvaluateTargetHealth` element and set the value to true.\n\nFor more information about configuring failover for Route 53, see the following topics in the *Amazon Route 53 Developer Guide* :\n\n- [Route 53 Health Checks and DNS Failover](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html)\n- [Configuring Failover in a Private Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-private-hosted-zones.html)", "GeoLocation": "*Geolocation resource record sets only:* A complex type that lets you control how Amazon Route 53 responds to DNS queries based on the geographic origin of the query. For example, if you want all queries from Africa to be routed to a web server with an IP address of `192.0.2.111` , create a resource record set with a `Type` of `A` and a `ContinentCode` of `AF` .\n\n> Although creating geolocation and geolocation alias resource record sets in a private hosted zone is allowed, it's not supported. \n\nIf you create separate resource record sets for overlapping geographic regions (for example, one resource record set for a continent and one for a country on the same continent), priority goes to the smallest geographic region. This allows you to route most queries for a continent to one resource and to route queries for a country on that continent to a different resource.\n\nYou can't create two geolocation resource record sets that specify the same geographic location.\n\nThe value `*` in the `CountryCode` element matches all geographic locations that aren't specified in other geolocation resource record sets that have the same values for the `Name` and `Type` elements.\n\n> Geolocation works by mapping IP addresses to locations. However, some IP addresses aren't mapped to geographic locations, so even if you create geolocation resource record sets that cover all seven continents, Route 53 will receive some DNS queries from locations that it can't identify. We recommend that you create a resource record set for which the value of `CountryCode` is `*` . Two groups of queries are routed to the resource that you specify in this record: queries that come from locations for which you haven't created geolocation resource record sets and queries from IP addresses that aren't mapped to a location. If you don't create a `*` resource record set, Route 53 returns a \"no answer\" response for queries from those locations. \n\nYou can't create non-geolocation resource record sets that have the same values for the `Name` and `Type` elements as geolocation resource record sets.", "HealthCheckId": "If you want Amazon Route 53 to return this resource record set in response to a DNS query only when the status of a health check is healthy, include the `HealthCheckId` element and specify the ID of the applicable health check.\n\nRoute 53 determines whether a resource record set is healthy based on one of the following:\n\n- By periodically sending a request to the endpoint that is specified in the health check\n- By aggregating the status of a specified group of health checks (calculated health checks)\n- By determining the current state of a CloudWatch alarm (CloudWatch metric health checks)\n\n> Route 53 doesn't check the health of the endpoint that is specified in the resource record set, for example, the endpoint specified by the IP address in the `Value` element. When you add a `HealthCheckId` element to a resource record set, Route 53 checks the health of the endpoint that you specified in the health check. \n\nFor more information, see the following topics in the *Amazon Route 53 Developer Guide* :\n\n- [How Amazon Route 53 Determines Whether an Endpoint Is Healthy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-determining-health-of-endpoints.html)\n- [Route 53 Health Checks and DNS Failover](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html)\n- [Configuring Failover in a Private Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-private-hosted-zones.html)\n\n*When to Specify HealthCheckId*\n\nSpecifying a value for `HealthCheckId` is useful only when Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Route 53 to base the choice in part on the status of a health check. Configuring health checks makes sense only in the following configurations:\n\n- *Non-alias resource record sets* : You're checking the health of a group of non-alias resource record sets that have the same routing policy, name, and type (such as multiple weighted records named www.example.com with a type of A) and you specify health check IDs for all the resource record sets.\n\nIf the health check status for a resource record set is healthy, Route 53 includes the record among the records that it responds to DNS queries with.\n\nIf the health check status for a resource record set is unhealthy, Route 53 stops responding to DNS queries using the value for that resource record set.\n\nIf the health check status for all resource record sets in the group is unhealthy, Route 53 considers all resource record sets in the group healthy and responds to DNS queries accordingly.\n- *Alias resource record sets* : You specify the following settings:\n\n- You set `EvaluateTargetHealth` to true for an alias resource record set in a group of resource record sets that have the same routing policy, name, and type (such as multiple weighted records named www.example.com with a type of A).\n- You configure the alias resource record set to route traffic to a non-alias resource record set in the same hosted zone.\n- You specify a health check ID for the non-alias resource record set.\n\nIf the health check status is healthy, Route 53 considers the alias resource record set to be healthy and includes the alias record among the records that it responds to DNS queries with.\n\nIf the health check status is unhealthy, Route 53 stops responding to DNS queries using the alias resource record set.\n\n> The alias resource record set can also route traffic to a *group* of non-alias resource record sets that have the same routing policy, name, and type. In that configuration, associate health checks with all of the resource record sets in the group of non-alias resource record sets.\n\n*Geolocation Routing*\n\nFor geolocation resource record sets, if an endpoint is unhealthy, Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the entire United States, for North America, and a resource record set that has `*` for `CountryCode` is `*` , which applies to all locations. If the endpoint for the state resource record set is unhealthy, Route 53 checks for healthy resource record sets in the following order until it finds a resource record set for which the endpoint is healthy:\n\n- The United States\n- North America\n- The default resource record set\n\n*Specifying the Health Check Endpoint by Domain Name*\n\nIf your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each `HTTP` server that is serving content for `www.example.com` . For the value of `FullyQualifiedDomainName` , specify the domain name of the server (such as `us-east-2-www.example.com` ), not the name of the resource record sets ( `www.example.com` ).\n\n> Health check results will be unpredictable if you do the following:\n> \n> - Create a health check that has the same value for `FullyQualifiedDomainName` as the name of a resource record set.\n> - Associate that health check with the resource record set.", - "HostedZoneId": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", + "HostedZoneId": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .\n\nDo not provide the `HostedZoneId` if it is already defined in `AWS::Route53::RecordSetGroup` . The creation fails if `HostedZoneId` is defined in both.", "HostedZoneName": "The name of the hosted zone that you want to create records in. You must include a trailing dot (for example, `www.example.com.` ) as part of the `HostedZoneName` .\n\nWhen you create a stack using an `AWS::Route53::RecordSet` that specifies `HostedZoneName` , AWS CloudFormation attempts to find a hosted zone whose name matches the `HostedZoneName` . If AWS CloudFormation can't find a hosted zone with a matching domain name, or if there is more than one hosted zone with the specified domain name, AWS CloudFormation will not create the stack.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", "MultiValueAnswer": "*Multivalue answer resource record sets only* : To route traffic approximately randomly to multiple resources, such as web servers, create one multivalue answer record for each resource and specify `true` for `MultiValueAnswer` . Note the following:\n\n- If you associate a health check with a multivalue answer resource record set, Amazon Route 53 responds to DNS queries with the corresponding IP address only when the health check is healthy.\n- If you don't associate a health check with a multivalue answer record, Route 53 always considers the record to be healthy.\n- Route 53 responds to DNS queries with up to eight healthy records; if you have eight or fewer healthy records, Route 53 responds to all DNS queries with all the healthy records.\n- If you have more than eight healthy records, Route 53 responds to different DNS resolvers with different combinations of healthy records.\n- When all records are unhealthy, Route 53 responds to DNS queries with up to eight unhealthy records.\n- If a resource becomes unavailable after a resolver caches a response, client software typically tries another of the IP addresses in the response.\n\nYou can't create multivalue answer alias records.", - "Name": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "Name": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "Region": "*Latency-based resource record sets only:* The Amazon EC2 Region where you created the resource that this resource record set refers to. The resource typically is an AWS resource, such as an EC2 instance or an ELB load balancer, and is referred to by an IP address or a DNS domain name, depending on the record type.\n\nWhen Amazon Route 53 receives a DNS query for a domain name and type for which you have created latency resource record sets, Route 53 selects the latency resource record set that has the lowest latency between the end user and the associated Amazon EC2 Region. Route 53 then returns the value that is associated with the selected resource record set.\n\nNote the following:\n\n- You can only specify one `ResourceRecord` per latency resource record set.\n- You can only create one latency resource record set for each Amazon EC2 Region.\n- You aren't required to create latency resource record sets for all Amazon EC2 Regions. Route 53 will choose the region with the best latency from among the regions that you create latency resource record sets for.\n- You can't create non-latency resource record sets that have the same values for the `Name` and `Type` elements as latency resource record sets.", "ResourceRecords": "Information about the records that you want to create. Each record should be in the format appropriate for the record type specified by the `Type` property. For information about different record types and their record formats, see [Values That You Specify When You Create or Edit Amazon Route 53 Records](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values.html) in the *Amazon Route 53 Developer Guide* .", "SetIdentifier": "*Resource record sets that have a routing policy other than simple:* An identifier that differentiates among multiple resource record sets that have the same combination of name and type, such as multiple weighted resource record sets named acme.example.com that have a type of A. In a group of resource record sets that have the same name and type, the value of `SetIdentifier` must be unique for each resource record set.\n\nFor information about routing policies, see [Choosing a Routing Policy](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html) in the *Amazon Route 53 Developer Guide* .", @@ -32068,16 +35283,24 @@ }, "AWS::Route53RecoveryControl::Cluster": { "Name": "Name of the cluster. You can use any non-white space character in the name except the following: & > < ' (single quote) \" (double quote) ; (semicolon).", - "Tags": "The value for a tag." + "Tags": "The tags associated with the cluster." }, "AWS::Route53RecoveryControl::Cluster ClusterEndpoint": { "Endpoint": "A cluster endpoint URL for one of the five redundant clusters that you specify to set or retrieve a routing control state.", "Region": "The AWS Region for a cluster endpoint." }, + "AWS::Route53RecoveryControl::Cluster Tag": { + "Key": "The key for a tag.", + "Value": "The value for a tag." + }, "AWS::Route53RecoveryControl::ControlPanel": { "ClusterArn": "The Amazon Resource Name (ARN) of the cluster for the control panel.", "Name": "The name of the control panel. You can use any non-white space character in the name.", - "Tags": "The value for a tag." + "Tags": "The tags associated with the control panel." + }, + "AWS::Route53RecoveryControl::ControlPanel Tag": { + "Key": "The key for a tag.", + "Value": "The value for a tag." }, "AWS::Route53RecoveryControl::RoutingControl": { "ClusterArn": "The Amazon Resource Name (ARN) of the cluster that hosts the routing control.", @@ -32086,11 +35309,11 @@ }, "AWS::Route53RecoveryControl::SafetyRule": { "AssertionRule": "An assertion rule enforces that, when you change a routing control state, that the criteria that you set in the rule configuration is met. Otherwise, the change to the routing control is not accepted. For example, the criteria might be that at least one routing control state is `On` after the transaction so that traffic continues to flow to at least one cell for the application. This ensures that you avoid a fail-open scenario.", - "ControlPanelArn": "The Amazon Resource Name (ARN) for the control panel.", + "ControlPanelArn": "The Amazon Resource Name (ARN) of the control panel.", "GatingRule": "A gating rule verifies that a gating routing control or set of gating routing controls, evaluates as true, based on a rule configuration that you specify, which allows a set of routing control state changes to complete.\n\nFor example, if you specify one gating routing control and you set the `Type` in the rule configuration to `OR` , that indicates that you must set the gating routing control to `On` for the rule to evaluate as true; that is, for the gating control switch to be On. When you do that, then you can update the routing control states for the target routing controls that you specify in the gating rule.", "Name": "The name of the assertion rule. The name must be unique within a control panel. You can use any non-white space character in the name except the following: & > < ' (single quote) \" (double quote) ; (semicolon)", "RuleConfig": "The criteria that you set for specific assertion controls (routing controls) that designate how many control states must be `ON` as the result of a transaction. For example, if you have three assertion controls, you might specify `ATLEAST 2` for your rule configuration. This means that at least two assertion controls must be `ON` , so that at least two AWS Regions have traffic flowing to them.", - "Tags": "The value for a tag." + "Tags": "The tags associated with the safety rule." }, "AWS::Route53RecoveryControl::SafetyRule AssertionRule": { "AssertedControls": "The routing controls that are part of transactions that are evaluated to determine if a request to change a routing control state is allowed. For example, you might include three routing controls, one for each of three AWS Regions.", @@ -32106,21 +35329,37 @@ "Threshold": "The value of N, when you specify an `ATLEAST` rule type. That is, `Threshold` is the number of controls that must be set when you specify an `ATLEAST` type.", "Type": "A rule can be one of the following: `ATLEAST` , `AND` , or `OR` ." }, + "AWS::Route53RecoveryControl::SafetyRule Tag": { + "Key": "The key for a tag.", + "Value": "The value for a tag." + }, "AWS::Route53RecoveryReadiness::Cell": { "CellName": "The name of the cell to create.", "Cells": "A list of cell Amazon Resource Names (ARNs) contained within this cell, for use in nested cells. For example, Availability Zones within specific AWS Regions .", "Tags": "A collection of tags associated with a resource." }, + "AWS::Route53RecoveryReadiness::Cell Tag": { + "Key": "", + "Value": "" + }, "AWS::Route53RecoveryReadiness::ReadinessCheck": { "ReadinessCheckName": "The name of the readiness check to create.", "ResourceSetName": "The name of the resource set to check.", "Tags": "A collection of tags associated with a resource." }, + "AWS::Route53RecoveryReadiness::ReadinessCheck Tag": { + "Key": "", + "Value": "" + }, "AWS::Route53RecoveryReadiness::RecoveryGroup": { "Cells": "A list of the cell Amazon Resource Names (ARNs) in the recovery group.", "RecoveryGroupName": "The name of the recovery group to create.", "Tags": "A collection of tags associated with a resource." }, + "AWS::Route53RecoveryReadiness::RecoveryGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::Route53RecoveryReadiness::ResourceSet": { "ResourceSetName": "The name of the resource set to create.", "ResourceSetType": "The resource type of the resources in the resource set. Enter one of the following values for resource type:\n\nAWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage, AWS::AutoScaling::AutoScalingGroup, AWS::CloudWatch::Alarm, AWS::EC2::CustomerGateway, AWS::DynamoDB::Table, AWS::EC2::Volume, AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::Lambda::Function, AWS::MSK::Cluster, AWS::RDS::DBCluster, AWS::Route53::HealthCheck, AWS::SQS::Queue, AWS::SNS::Topic, AWS::SNS::Subscription, AWS::EC2::VPC, AWS::EC2::VPNConnection, AWS::EC2::VPNGateway, AWS::Route53RecoveryReadiness::DNSTargetResource.\n\nNote that AWS::Route53RecoveryReadiness::DNSTargetResource is only used for this setting. It isn't an actual AWS CloudFormation resource type.", @@ -32147,6 +35386,10 @@ "ReadinessScopes": "The recovery group Amazon Resource Name (ARN) or the cell ARN that the readiness checks for this resource set are scoped to.", "ResourceArn": "The Amazon Resource Name (ARN) of the AWS resource. This is a required setting for all `ResourceSet` `ResourceSetType` settings except `AWS::Route53RecoveryReadiness::DNSTargetResource` . Do not set this when `ResourceSetType` is set to `AWS::Route53RecoveryReadiness::DNSTargetResource` ." }, + "AWS::Route53RecoveryReadiness::ResourceSet Tag": { + "Key": "", + "Value": "" + }, "AWS::Route53RecoveryReadiness::ResourceSet TargetResource": { "NLBResource": "The Network Load Balancer resource that a DNS target resource points to.", "R53Resource": "The Route 53 resource that a DNS target resource record points to." @@ -32157,6 +35400,10 @@ "Name": "The name of the domain list.", "Tags": "A list of the tag keys and values that you want to associate with the domain list." }, + "AWS::Route53Resolver::FirewallDomainList Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::FirewallRuleGroup": { "FirewallRules": "A list of the rules that you have defined.", "Name": "The name of the rule group.", @@ -32171,6 +35418,10 @@ "FirewallDomainListId": "The ID of the domain list that's used in the rule.", "Priority": "The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting." }, + "AWS::Route53Resolver::FirewallRuleGroup Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::FirewallRuleGroupAssociation": { "FirewallRuleGroupId": "The unique identifier of the firewall rule group.", "MutationProtection": "If enabled, this setting disallows modification or removal of the association, to help prevent against accidentally altering DNS firewall protections.", @@ -32179,6 +35430,21 @@ "Tags": "A list of the tag keys and values that you want to associate with the rule group.", "VpcId": "The unique identifier of the VPC that is associated with the rule group." }, + "AWS::Route53Resolver::FirewallRuleGroupAssociation Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, + "AWS::Route53Resolver::OutpostResolver": { + "InstanceCount": "Amazon EC2 instance count for the Resolver on the Outpost.", + "Name": "Name of the Resolver.", + "OutpostArn": "The ARN (Amazon Resource Name) for the Outpost.", + "PreferredInstanceType": "The Amazon EC2 instance type. If you specify this, you must also specify a value for the `OutpostArn` .", + "Tags": "A key value pair that helps you identify a Route\u00a053 Resolver ." + }, + "AWS::Route53Resolver::OutpostResolver Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::ResolverConfig": { "AutodefinedReverseFlag": "Represents the desired status of `AutodefinedReverse` . The only supported value on creation is `DISABLE` . Deletion of this resource will return `AutodefinedReverse` to its default value of `ENABLED` .", "ResourceId": "The ID of the Amazon Virtual Private Cloud VPC that you're configuring Resolver for." @@ -32190,8 +35456,8 @@ "Direction": "Indicates whether the Resolver endpoint allows inbound or outbound DNS queries:\n\n- `INBOUND` : allows DNS queries to your VPC from your network\n- `OUTBOUND` : allows DNS queries from your VPC to your network", "IpAddresses": "The subnets and IP addresses in your VPC that DNS queries originate from (for outbound endpoints) or that you forward DNS queries to (for inbound endpoints). The subnet ID uniquely identifies a VPC.\n\n> Even though the minimum is 1, Route\u00a053 requires that you create at least two.", "Name": "A friendly name that lets you easily find a configuration in the Resolver dashboard in the Route 53 console.", - "OutpostArn": "", - "PreferredInstanceType": "", + "OutpostArn": "The ARN (Amazon Resource Name) for the Outpost.", + "PreferredInstanceType": "The Amazon EC2 instance type.", "ResolverEndpointType": "The Resolver endpoint IP address type.", "SecurityGroupIds": "The ID of one or more security groups that control access to this VPC. The security group must include one or more inbound rules (for inbound endpoints) or outbound rules (for outbound endpoints). Inbound and outbound rules must allow TCP and UDP access. For inbound access, open port 53. For outbound access, open the port that you're using for DNS queries on your network.", "Tags": "Route 53 Resolver doesn't support updating tags through CloudFormation." @@ -32201,6 +35467,10 @@ "Ipv6": "The IPv6 address that you want to use for DNS queries.", "SubnetId": "The ID of the subnet that contains the IP address." }, + "AWS::Route53Resolver::ResolverEndpoint Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::ResolverQueryLoggingConfig": { "DestinationArn": "The ARN of the resource that you want Resolver to send query logs: an Amazon S3 bucket, a CloudWatch Logs log group, or a Kinesis Data Firehose delivery stream.", "Name": "The name of the query logging configuration." @@ -32217,6 +35487,10 @@ "Tags": "Tags help organize and categorize your Resolver rules. Each tag consists of a key and an optional value, both of which you define.", "TargetIps": "An array that contains the IP addresses and ports that an outbound endpoint forwards DNS queries to. Typically, these are the IP addresses of DNS resolvers on your network." }, + "AWS::Route53Resolver::ResolverRule Tag": { + "Key": "The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of `Key` might be `account-id` .", + "Value": "The value for the tag. For example, if `Key` is `account-id` , then `Value` might be the ID of the customer account that you're creating the resource for." + }, "AWS::Route53Resolver::ResolverRule TargetAddress": { "Ip": "One IPv4 address that you want to forward DNS queries to.", "Ipv6": "One IPv6 address that you want to forward DNS queries to.", @@ -32246,7 +35520,7 @@ }, "AWS::S3::Bucket": { "AccelerateConfiguration": "Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html) in the *Amazon S3 User Guide* .", - "AccessControl": "A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nBe aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.", + "AccessControl": "> This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide* . \n\nA canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nS3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon.\n\nThe majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html) . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide* .", "AnalyticsConfigurations": "Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.", "BucketEncryption": "Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see [Amazon S3 Default Encryption for S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html) in the *Amazon S3 User Guide* .", "BucketName": "A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html) . For more information, see [Rules for naming Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules) in the *Amazon S3 User Guide* .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.", @@ -32310,7 +35584,7 @@ "AWS::S3::Bucket Destination": { "BucketAccountId": "The account ID that owns the destination S3 bucket. If no account ID is provided, the owner is not validated before exporting data.\n\n> Although this value is optional, we strongly recommend that you set it to help prevent problems if the destination bucket ownership changes.", "BucketArn": "The Amazon Resource Name (ARN) of the bucket to which data is exported.", - "Format": "Specifies the file format used when exporting data to Amazon S3.", + "Format": "Specifies the file format used when exporting data to Amazon S3.\n\n*Allowed values* : `CSV` | `ORC` | `Parquet`", "Prefix": "The prefix to use when exporting data. The prefix is prepended to all results." }, "AWS::S3::Bucket EncryptionConfiguration": { @@ -32503,6 +35777,10 @@ "AWS::S3::Bucket StorageClassAnalysis": { "DataExport": "Specifies how data related to the storage class analysis for an Amazon S3 bucket should be exported." }, + "AWS::S3::Bucket Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, "AWS::S3::Bucket TagFilter": { "Key": "The tag key.", "Value": "The tag value." @@ -32637,6 +35915,10 @@ "IsEnabled": "This property contains the details of whether the Amazon S3 Storage Lens configuration is enabled.", "StorageLensArn": "This property contains the details of the ARN of the S3 Storage Lens configuration. This property is read-only." }, + "AWS::S3::StorageLens Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, "AWS::S3ObjectLambda::AccessPoint": { "Name": "The name of this access point.", "ObjectLambdaConfiguration": "A configuration used when creating an Object Lambda Access Point." @@ -32658,9 +35940,6 @@ "SupportingAccessPoint": "Standard access point associated with the Object Lambda Access Point.", "TransformationConfigurations": "A container for transformation configurations for an Object Lambda Access Point." }, - "AWS::S3ObjectLambda::AccessPoint PolicyStatus": { - "IsPublic": "" - }, "AWS::S3ObjectLambda::AccessPoint PublicAccessBlockConfiguration": { "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. Setting this element to `TRUE` causes the following behavior:\n\n- `PutBucketAcl` and `PutObjectAcl` calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.\n\nThis property is not supported for Amazon S3 on Outposts.", "BlockPublicPolicy": "Specifies whether Amazon S3 should block public bucket policies for buckets in this account. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.\n\nThis property is not supported for Amazon S3 on Outposts.", @@ -32682,12 +35961,12 @@ "VpcConfiguration": "The virtual private cloud (VPC) configuration for this access point, if one exists." }, "AWS::S3Outposts::AccessPoint VpcConfiguration": { - "VpcId": "The ID of the VPC configuration." + "VpcId": "" }, "AWS::S3Outposts::Bucket": { "BucketName": "A name for the S3 on Outposts bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow [Amazon S3 bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html) . For more information, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html#bucketnamingrules) .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.", "LifecycleConfiguration": "Creates a new lifecycle configuration for the S3 on Outposts bucket or replaces an existing lifecycle configuration. Outposts buckets only support lifecycle configurations that delete/expire objects after a certain period of time and abort incomplete multipart uploads.", - "OutpostId": "The ID of the Outpost of the specified bucket.", + "OutpostId": "", "Tags": "Sets the tags for an S3 on Outposts bucket. For more information, see [Using Amazon S3 on Outposts](https://docs.aws.amazon.com/AmazonS3/latest/userguide/S3onOutposts.html) .\n\nUse tags to organize your AWS bill to reflect your own cost structure. To do this, sign up to get your AWS account bill with tag key values included. Then, to see the cost of combined resources, organize your billing information according to resources with the same tag key values. For example, you can tag several resources with a specific application name, and then organize your billing information to see the total cost of that application across several services. For more information, see [Cost allocation and tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) .\n\n> Within a bucket, if you add a tag that has the same key as an existing tag, the new value overwrites the old value. For more information, see [Using cost allocation and bucket tags](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CostAllocTagging.html) . \n\nTo use this resource, you must have permissions to perform the `s3-outposts:PutBucketTagging` . The S3 on Outposts bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see [Permissions Related to Bucket Subresource Operations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources) and [Managing access permissions to your Amazon S3 resources](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html) ." }, "AWS::S3Outposts::Bucket AbortIncompleteMultipartUpload": { @@ -32714,9 +35993,13 @@ "ExpirationDate": "Specifies the expiration for the lifecycle of the object by specifying an expiry date.", "ExpirationInDays": "Specifies the expiration for the lifecycle of the object in the form of days that the object has been in the S3 on Outposts bucket.", "Filter": "The container for the filter of the lifecycle rule.", - "Id": "The unique identifier for the lifecycle rule. The value can't be longer than 255 characters.", + "Id": "", "Status": "If `Enabled` , the rule is currently being applied. If `Disabled` , the rule is not currently being applied." }, + "AWS::S3Outposts::Bucket Tag": { + "Key": "", + "Value": "" + }, "AWS::S3Outposts::BucketPolicy": { "Bucket": "The name of the Amazon S3 Outposts bucket to which the policy applies.", "PolicyDocument": "A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation, you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument) resource description in this guide and [Access Policy Language Overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html) ." @@ -32724,14 +36007,14 @@ "AWS::S3Outposts::Endpoint": { "AccessType": "The container for the type of connectivity used to access the Amazon S3 on Outposts endpoint. To use the Amazon VPC , choose `Private` . To use the endpoint with an on-premises network, choose `CustomerOwnedIp` . If you choose `CustomerOwnedIp` , you must also provide the customer-owned IP address pool (CoIP pool).\n\n> `Private` is the default access type value.", "CustomerOwnedIpv4Pool": "The ID of the customer-owned IPv4 address pool (CoIP pool) for the endpoint. IP addresses are allocated from this pool for the endpoint.", - "FailedReason": "", - "OutpostId": "The ID of the Outpost.", - "SecurityGroupId": "The ID of the security group to use with the endpoint.", - "SubnetId": "The ID of the subnet." + "FailedReason": "The failure reason, if any, for a create or delete endpoint operation.", + "OutpostId": "", + "SecurityGroupId": "The ID of the security group used for the endpoint.", + "SubnetId": "The ID of the subnet used for the endpoint." }, "AWS::S3Outposts::Endpoint FailedReason": { - "ErrorCode": "", - "Message": "" + "ErrorCode": "The failure code, if any, for a create or delete endpoint operation.", + "Message": "Additional error details describing the endpoint failure and recommended action." }, "AWS::S3Outposts::Endpoint NetworkInterface": { "NetworkInterfaceId": "The ID for the network interface." @@ -32807,6 +36090,10 @@ "Tags": "The tags associated with a contact list.", "Topics": "An interest group, theme, or label within a list. A contact list can have multiple topics." }, + "AWS::SES::ContactList Tag": { + "Key": "", + "Value": "" + }, "AWS::SES::ContactList Topic": { "DefaultSubscriptionStatus": "The default subscription status to be applied to a contact if the contact has not noted their preference for subscribing to a topic.", "Description": "A description of what the topic is about, which the contact will see.", @@ -32945,6 +36232,7 @@ "TopicArn": "The ARN of the topic to subscribe to." }, "AWS::SNS::Topic": { + "ArchivePolicy": "The archive policy determines the number of days Amazon SNS retains messages. You can set a retention period from 1 to 365 days.", "ContentBasedDeduplication": "Enables content-based deduplication for FIFO topics.\n\n- By default, `ContentBasedDeduplication` is set to `false` . If you create a FIFO topic and this attribute is `false` , you must specify a value for the `MessageDeduplicationId` parameter for the [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) action.\n- When you set `ContentBasedDeduplication` to `true` , Amazon SNS uses a SHA-256 hash to generate the `MessageDeduplicationId` using the body of the message (but not the attributes of the message).\n\n(Optional) To override the generated value, you can specify a value for the the `MessageDeduplicationId` parameter for the `Publish` action.", "DataProtectionPolicy": "The body of the policy document you want to use for this topic.\n\nYou can only add one policy per topic.\n\nThe policy must be in JSON string format.\n\nLength Constraints: Maximum length of 30,720.", "DisplayName": "The display name to use for an Amazon SNS topic with SMS subscriptions. The display name must be maximum 100 characters long, including hyphens (-), underscores (_), spaces, and tabs.", @@ -32954,12 +36242,20 @@ "Subscription": "The Amazon SNS subscriptions (endpoints) for this topic.\n\n> If you specify the `Subscription` property in the `AWS::SNS::Topic` resource and it creates an associated subscription resource, the associated subscription is not deleted when the `AWS::SNS::Topic` resource is deleted.", "Tags": "The list of tags to add to a new topic.\n\n> To be able to tag a topic on creation, you must have the `sns:CreateTopic` and `sns:TagResource` permissions.", "TopicName": "The name of the topic you want to create. Topic names must include only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens, and must be between 1 and 256 characters long. FIFO topic names must end with `.fifo` .\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the topic name. For more information, see [Name type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", - "TracingConfig": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to `Active` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics." + "TracingConfig": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to `Active` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics." }, "AWS::SNS::Topic Subscription": { "Endpoint": "The endpoint that receives notifications from the Amazon SNS topic. The endpoint value depends on the protocol that you specify. For more information, see the `Endpoint` parameter of the `[Subscribe](https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html)` action in the *Amazon SNS API Reference* .", "Protocol": "The subscription's protocol. For more information, see the `Protocol` parameter of the `[Subscribe](https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html)` action in the *Amazon SNS API Reference* ." }, + "AWS::SNS::Topic Tag": { + "Key": "The required key portion of the tag.", + "Value": "The optional value portion of the tag." + }, + "AWS::SNS::TopicInlinePolicy": { + "PolicyDocument": "A policy document that contains permissions to add to the specified Amazon SNS topic.", + "TopicArn": "The Amazon Resource Name (ARN) of the topic to which you want to add the policy." + }, "AWS::SNS::TopicPolicy": { "PolicyDocument": "A policy document that contains permissions to add to the specified SNS topics.", "Topics": "The Amazon Resource Names (ARN) of the topics to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html)` resource." @@ -32978,10 +36274,18 @@ "ReceiveMessageWaitTimeSeconds": "Specifies the duration, in seconds, that the ReceiveMessage action call waits until a message is in the queue in order to include it in the response, rather than returning an empty response if a message isn't yet available. You can specify an integer from 1 to 20. Short polling is used as the default or when you specify 0 for this property. For more information, see [Consuming messages using long polling](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-short-and-long-polling.html#sqs-long-polling) in the *Amazon SQS Developer Guide* .", "RedriveAllowPolicy": "The string that includes the parameters for the permissions for the dead-letter queue redrive permission and which source queues can specify dead-letter queues as a JSON object. The parameters are as follows:\n\n- `redrivePermission` : The permission type that defines which source queues can specify the current queue as the dead-letter queue. Valid values are:\n\n- `allowAll` : (Default) Any source queues in this AWS account in the same Region can specify this queue as the dead-letter queue.\n- `denyAll` : No source queues can specify this queue as the dead-letter queue.\n- `byQueue` : Only queues specified by the `sourceQueueArns` parameter can specify this queue as the dead-letter queue.\n- `sourceQueueArns` : The Amazon Resource Names (ARN)s of the source queues that can specify this queue as the dead-letter queue and redrive messages. You can specify this parameter only when the `redrivePermission` parameter is set to `byQueue` . You can specify up to 10 source queue ARNs. To allow more than 10 source queues to specify dead-letter queues, set the `redrivePermission` parameter to `allowAll` .", "RedrivePolicy": "The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. The parameters are as follows:\n\n- `deadLetterTargetArn` : The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of `maxReceiveCount` is exceeded.\n- `maxReceiveCount` : The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the `ReceiveCount` for a message exceeds the `maxReceiveCount` for a queue, Amazon SQS moves the message to the dead-letter-queue.\n\n> The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue. \n\n*JSON*\n\n`{ \"deadLetterTargetArn\" : *String* , \"maxReceiveCount\" : *Integer* }`\n\n*YAML*\n\n`deadLetterTargetArn : *String*`\n\n`maxReceiveCount : *Integer*`", - "SqsManagedSseEnabled": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ).", + "SqsManagedSseEnabled": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ). When `SqsManagedSseEnabled` is not defined, `SSE-SQS` encryption is enabled by default.", "Tags": "The tags that you attach to this queue. For more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) in the *AWS CloudFormation User Guide* .", "VisibilityTimeout": "The length of time during which a message will be unavailable after a message is delivered from the queue. This blocks other components from receiving the same message and gives the initial component time to process and delete the message from the queue.\n\nValues must be from 0 to 43,200 seconds (12 hours). If you don't specify a value, AWS CloudFormation uses the default value of 30 seconds.\n\nFor more information about Amazon SQS queue visibility timeouts, see [Visibility timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html) in the *Amazon SQS Developer Guide* ." }, + "AWS::SQS::Queue Tag": { + "Key": "", + "Value": "" + }, + "AWS::SQS::QueueInlinePolicy": { + "PolicyDocument": "A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see [Using custom policies with the Amazon SQS access policy language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon SQS Developer Guide* .", + "Queue": "The URLs of the queues to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)` resource." + }, "AWS::SQS::QueuePolicy": { "PolicyDocument": "A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see [Using custom policies with the Amazon SQS access policy language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon SQS Developer Guide* .", "Queues": "The URLs of the queues to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)` resource." @@ -32998,12 +36302,12 @@ "MaxErrors": "The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set `MaxError` to 10%, then the system stops sending the request when the sixth error is received.\n\nExecutions that are already running an association when `MaxErrors` is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set `MaxConcurrency` to 1 so that executions proceed one at a time.", "Name": "The name of the SSM document that contains the configuration information for the instance. You can specify `Command` or `Automation` documents. The documents can be AWS -predefined documents, documents you created, or a document that is shared with you from another account. For SSM documents that are shared with you from other AWS accounts , you must specify the complete SSM document ARN, in the following format:\n\n`arn:partition:ssm:region:account-id:document/document-name`\n\nFor example: `arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document`\n\nFor AWS -predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, `AWS -ApplyPatchBaseline` or `My-Document` .", "OutputLocation": "An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request.", - "Parameters": "The parameters for the runtime configuration of the document.", + "ParameterValues": "A description of the parameters for a document.", "ScheduleExpression": "A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC).", "ScheduleOffset": "Number of days to wait after the scheduled day to run an association.", "SyncCompliance": "The mode for generating association compliance. You can specify `AUTO` or `MANUAL` . In `AUTO` mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is `COMPLIANT` . If the association execution doesn't run successfully, the association is `NON-COMPLIANT` .\n\nIn `MANUAL` mode, you must specify the `AssociationId` as a parameter for the PutComplianceItems API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the PutComplianceItems API action.\n\nBy default, all associations use `AUTO` mode.", "Targets": "The targets for the association. You must specify the `InstanceId` or `Targets` property. You can target all instances in an AWS account by specifying the `InstanceIds` key with a value of `*` . To view a JSON and a YAML example that targets all instances, see \"Create an association for all managed instances in an AWS account \" on the Examples page.", - "WaitForSuccessTimeoutSeconds": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails." + "WaitForSuccessTimeoutSeconds": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.\n\n> When you specify a value for the `WaitForSuccessTimeoutSeconds` , [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) for your AWS CloudFormation stack\u2019s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don\u2019t include `WaitForSuccessTimeoutSeconds` in your template." }, "AWS::SSM::Association InstanceAssociationOutputLocation": { "S3Location": "`S3OutputLocation` is a property of the [InstanceAssociationOutputLocation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-association-instanceassociationoutputlocation.html) property that specifies an Amazon S3 bucket where you want to store the results of this request." @@ -33021,7 +36325,7 @@ "Attachments": "A list of key-value pairs that describe attachments to a version of a document.", "Content": "The content for the new SSM document in JSON or YAML. For more information about the schemas for SSM document content, see [SSM document schema features and examples](https://docs.aws.amazon.com/systems-manager/latest/userguide/document-schemas-features.html) in the *AWS Systems Manager User Guide* .\n\n> This parameter also supports `String` data types.", "DocumentFormat": "Specify the document format for the request. JSON is the default format.", - "DocumentType": "The type of document to create.\n\n*Allowed Values* : `ApplicationConfigurationSchema` | `Automation` | `Automation.ChangeTemplate` | `Command` | `DeploymentStrategy` | `Package` | `Policy` | `Session`", + "DocumentType": "The type of document to create.", "Name": "A name for the SSM document.\n\n> You can't use the following strings as document name prefixes. These are reserved by AWS for use as document name prefixes:\n> \n> - `aws`\n> - `amazon`\n> - `amzn`", "Requires": "A list of SSM documents required by a document. This parameter is used exclusively by AWS AppConfig . When a user creates an AWS AppConfig configuration in an SSM document, the user must also specify a required document for validation purposes. In this case, an `ApplicationConfiguration` document requires an `ApplicationConfigurationSchema` document for validation purposes. For more information, see [What is AWS AppConfig ?](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html) in the *AWS AppConfig User Guide* .", "Tags": "AWS CloudFormation resource tags to apply to the document. Use tags to help you identify and categorize resources.", @@ -33038,6 +36342,10 @@ "Name": "The name of the required SSM document. The name can be an Amazon Resource Name (ARN).", "Version": "The document version required by the current document." }, + "AWS::SSM::Document Tag": { + "Key": "The name of the tag.", + "Value": "The value of the tag." + }, "AWS::SSM::MaintenanceWindow": { "AllowUnassociatedTargets": "Enables a maintenance window task to run on managed instances, even if you have not registered those instances as targets. If enabled, then you must specify the unregistered instances (by instance ID) when you register a task with the maintenance window.", "Cutoff": "The number of hours before the end of the maintenance window that AWS Systems Manager stops scheduling new tasks for execution.", @@ -33051,6 +36359,10 @@ "StartDate": "The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. StartDate allows you to delay activation of the Maintenance Window until the specified future date.", "Tags": "Optional metadata that you assign to a resource in the form of an arbitrary set of tags (key-value pairs). Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it will run, the types of targets, and the environment it will run in." }, + "AWS::SSM::MaintenanceWindow Tag": { + "Key": "The name of the tag.", + "Value": "The value of the tag." + }, "AWS::SSM::MaintenanceWindowTarget": { "Description": "A description for the target.", "Name": "The name for the maintenance window target.", @@ -33167,7 +36479,6 @@ "Name": "The name specified to identify the patch source.", "Products": "The specific operating system versions a patch repository applies to, such as \"Ubuntu16.04\", \"AmazonLinux2016.09\", \"RedhatEnterpriseLinux7.2\" or \"Suse12.7\". For lists of supported product values, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html) in the *AWS Systems Manager API Reference* ." }, - "AWS::SSM::PatchBaseline PatchStringDate": {}, "AWS::SSM::PatchBaseline Rule": { "ApproveAfterDays": "The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of `7` means that patches are approved seven days after they are released.\n\nYou must specify a value for `ApproveAfterDays` .\n\nException: Not supported on Debian Server or Ubuntu Server.", "ApproveUntilDate": "The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Not supported on Debian Server or Ubuntu Server.\n\nEnter dates in the format `YYYY-MM-DD` . For example, `2021-12-31` .", @@ -33178,6 +36489,10 @@ "AWS::SSM::PatchBaseline RuleGroup": { "PatchRules": "The rules that make up the rule group." }, + "AWS::SSM::PatchBaseline Tag": { + "Key": "The name of the tag.", + "Value": "The value of the tag." + }, "AWS::SSM::ResourceDataSync": { "BucketName": "The name of the S3 bucket where the aggregated data is stored.", "BucketPrefix": "An Amazon S3 prefix for the bucket.", @@ -33185,7 +36500,6 @@ "KMSKeyArn": "The ARN of an encryption key for a destination in Amazon S3 . You can use a KMS key to encrypt inventory data in Amazon S3 . You must specify a key that exist in the same region as the destination Amazon S3 bucket.", "S3Destination": "Configuration information for the target S3 bucket.", "SyncFormat": "A supported sync format. The following format is currently supported: JsonSerDe", - "SyncName": "A name for the resource data sync.", "SyncSource": "Information about the source where the data was synchronized.", "SyncType": "The type of resource data sync. If `SyncType` is `SyncToDestination` , then the resource data sync synchronizes data to an S3 bucket. If the `SyncType` is `SyncFromSource` then the resource data sync synchronizes data from AWS Organizations or from multiple AWS Regions ." }, @@ -33289,6 +36603,10 @@ "CoverageTimes": "The start and end times of the shift.", "DayOfWeek": "A list of days on which the schedule is active." }, + "AWS::SSMContacts::Rotation Tag": { + "Key": "Name of the object key.", + "Value": "Value of the tag." + }, "AWS::SSMContacts::Rotation WeeklySetting": { "DayOfWeek": "The day of the week when weekly recurring on-call shift rotations begins.", "HandOffTime": "The time of day when a weekly recurring on-call shift rotation begins." @@ -33305,6 +36623,10 @@ "RegionConfiguration": "Specifies the Region configuration.", "RegionName": "Specifies the region name to add to the replication set." }, + "AWS::SSMIncidents::ReplicationSet Tag": { + "Key": "", + "Value": "" + }, "AWS::SSMIncidents::ResponsePlan": { "Actions": "The actions that the response plan starts at the beginning of an incident.", "ChatChannel": "The AWS Chatbot chat channel used for collaboration during an incident.", @@ -33362,6 +36684,10 @@ "Key": "The key parameter to use when running the automation document.", "Values": "The value parameter to use when running the automation document." }, + "AWS::SSMIncidents::ResponsePlan Tag": { + "Key": "", + "Value": "" + }, "AWS::SSO::Assignment": { "InstanceArn": "The ARN of the IAM Identity Center instance under which the operation will be executed. For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .", "PermissionSetArn": "The ARN of the permission set.", @@ -33401,9 +36727,13 @@ "CustomerManagedPolicyReference": "Specifies the name and path of a customer managed policy. You must have an IAM policy that matches the name and path in each AWS account where you want to deploy your permission set.", "ManagedPolicyArn": "The AWS managed policy ARN that you want to attach to a permission set as a permissions boundary." }, + "AWS::SSO::PermissionSet Tag": { + "Key": "The key for the tag.", + "Value": "The value of the tag." + }, "AWS::SageMaker::App": { "AppName": "The name of the app.", - "AppType": "The type of app.\n\n*Allowed Values* : `JupyterServer | KernelGateway | RSessionGateway | RStudioServerPro | TensorBoard | Canvas`", + "AppType": "The type of app.", "DomainId": "The domain ID.", "ResourceSpec": "Specifies the ARNs of a SageMaker image and SageMaker image version, and the instance type that the version runs on.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", @@ -33414,6 +36744,10 @@ "SageMakerImageArn": "The ARN of the SageMaker image that the image version belongs to.", "SageMakerImageVersionArn": "The ARN of the image version created on the instance." }, + "AWS::SageMaker::App Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::AppImageConfig": { "AppImageConfigName": "The name of the AppImageConfig. Must be unique to your account.", "KernelGatewayImageConfig": "The configuration for the file system and kernels in the SageMaker image.", @@ -33432,6 +36766,10 @@ "DisplayName": "The display name of the kernel.", "Name": "The name of the Jupyter kernel in the image. This value is case sensitive." }, + "AWS::SageMaker::AppImageConfig Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::CodeRepository": { "CodeRepositoryName": "The name of the Git repository.", "GitConfig": "Configuration details for the Git repository, including the URL where it is located and the ARN of the AWS Secrets Manager secret that contains the credentials used to access the repository.", @@ -33442,6 +36780,10 @@ "RepositoryUrl": "The URL where the Git repository is located.", "SecretArn": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the credentials used to access the git repository. The secret must have a staging label of `AWSCURRENT` and must be in the following format:\n\n`{\"username\": *UserName* , \"password\": *Password* }`" }, + "AWS::SageMaker::CodeRepository Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::DataQualityJobDefinition": { "DataQualityAppSpecification": "Specifies the container that runs the monitoring job.", "DataQualityBaselineConfig": "Configures the constraints and baselines for the monitoring job.", @@ -33456,11 +36798,12 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SageMaker::DataQualityJobDefinition BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "LocalPath": "", - "S3DataDistributionType": "", - "S3InputMode": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "ExcludeFeaturesAttribute": "The attributes of the input data to exclude from the analysis.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::DataQualityJobDefinition ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", @@ -33480,7 +36823,7 @@ "Environment": "Sets the environment variables in the container that the monitoring job runs.", "ImageUri": "The container image that the data quality monitoring job runs.", "PostAnalyticsProcessorSourceUri": "An Amazon S3 URI to a script that is called after analysis has been performed. Applicable only for the built-in (first party) containers.", - "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." + "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." }, "AWS::SageMaker::DataQualityJobDefinition DataQualityBaselineConfig": { "BaseliningJobName": "The name of the job that performs baselining for the data quality monitoring job.", @@ -33488,7 +36831,7 @@ "StatisticsResource": "Configuration for monitoring constraints and monitoring statistics. These baseline resources are compared against the results of the current job from the series of jobs scheduled to collect data periodically." }, "AWS::SageMaker::DataQualityJobDefinition DataQualityJobInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "Input object for the endpoint" }, "AWS::SageMaker::DataQualityJobDefinition DatasetFormat": { @@ -33498,8 +36841,9 @@ }, "AWS::SageMaker::DataQualityJobDefinition EndpointInput": { "EndpointName": "An endpoint in customer's account which has enabled `DataCaptureConfig` enabled.", + "ExcludeFeaturesAttribute": "The attributes of the input data to exclude from the analysis.", "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::DataQualityJobDefinition Json": { @@ -33509,7 +36853,7 @@ "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::DataQualityJobDefinition MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::DataQualityJobDefinition MonitoringResources": { @@ -33531,6 +36875,10 @@ "AWS::SageMaker::DataQualityJobDefinition StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::DataQualityJobDefinition Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::DataQualityJobDefinition VpcConfig": { "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." @@ -33545,6 +36893,10 @@ "DeviceName": "The name of the device.", "IotThingName": "AWS Internet of Things (IoT) object name." }, + "AWS::SageMaker::Device Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::DeviceFleet": { "Description": "A description of the fleet.", "DeviceFleetName": "Name of the device fleet.", @@ -33556,11 +36908,15 @@ "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt data on the storage volume after compilation job. If you don't provide a KMS key ID, Amazon SageMaker uses the default KMS key for Amazon S3 for your role's account.", "S3OutputLocation": "The Amazon Simple Storage (S3) bucket URI." }, + "AWS::SageMaker::DeviceFleet Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Domain": { "AppNetworkAccessType": "Specifies the VPC used for non-EFS traffic. The default value is `PublicInternetOnly` .\n\n- `PublicInternetOnly` - Non-EFS traffic is through a VPC managed by Amazon SageMaker , which allows direct internet access\n- `VpcOnly` - All Studio traffic is through the specified VPC and subnets\n\n*Valid Values* : `PublicInternetOnly | VpcOnly`", "AppSecurityGroupManagement": "The entity that creates and manages the required security groups for inter-app communication in `VpcOnly` mode. Required when `CreateDomain.AppNetworkAccessType` is `VpcOnly` and `DomainSettings.RStudioServerProDomainSettings.DomainExecutionRoleArn` is provided. If setting up the domain for use with RStudio, this value must be set to `Service` .\n\n*Allowed Values* : `Service` | `Customer`", "AuthMode": "The mode of authentication that members use to access the Domain.\n\n*Valid Values* : `SSO | IAM`", - "DefaultSpaceSettings": "", + "DefaultSpaceSettings": "A collection of settings that apply to spaces created in the Domain.", "DefaultUserSettings": "The default user settings.", "DomainName": "The domain name.", "DomainSettings": "A collection of settings that apply to the `SageMaker Domain` . These settings are specified through the `CreateDomain` API call.", @@ -33616,6 +36972,10 @@ "S3KmsKeyId": "When `NotebookOutputOption` is `Allowed` , the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket.", "S3OutputPath": "When `NotebookOutputOption` is `Allowed` , the Amazon S3 bucket used to store the shared notebook snapshots." }, + "AWS::SageMaker::Domain Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Domain UserSettings": { "ExecutionRole": "The execution role for the user.", "JupyterServerAppSettings": "The Jupyter server's app settings.", @@ -33651,7 +37011,18 @@ }, "AWS::SageMaker::Endpoint DeploymentConfig": { "AutoRollbackConfiguration": "Automatic rollback configuration for handling endpoint deployment failures and recovery.", - "BlueGreenUpdatePolicy": "Update policy for a blue/green deployment. If this update policy is specified, SageMaker creates a new fleet during the deployment while maintaining the old fleet. SageMaker flips traffic to the new fleet according to the specified traffic routing configuration. Only one update policy should be used in the deployment configuration. If no update policy is specified, SageMaker uses a blue/green deployment strategy with all at once traffic shifting by default." + "BlueGreenUpdatePolicy": "Update policy for a blue/green deployment. If this update policy is specified, SageMaker creates a new fleet during the deployment while maintaining the old fleet. SageMaker flips traffic to the new fleet according to the specified traffic routing configuration. Only one update policy should be used in the deployment configuration. If no update policy is specified, SageMaker uses a blue/green deployment strategy with all at once traffic shifting by default.", + "RollingUpdatePolicy": "Specifies a rolling deployment strategy for updating a SageMaker endpoint." + }, + "AWS::SageMaker::Endpoint RollingUpdatePolicy": { + "MaximumBatchSize": "Batch size for each rolling step to provision capacity and turn on traffic on the new endpoint fleet, and terminate capacity on the old endpoint fleet. Value must be between 5% to 50% of the variant's total instance count.", + "MaximumExecutionTimeoutInSeconds": "The time limit for the total deployment. Exceeding this limit causes a timeout.", + "RollbackMaximumBatchSize": "Batch size for rollback to the old endpoint fleet. Each rolling step to provision capacity and turn on traffic on the old endpoint fleet, and terminate capacity on the new endpoint fleet. If this field is absent, the default value will be set to 100% of total capacity which means to bring up the whole capacity of the old fleet at once during rollback.", + "WaitIntervalInSeconds": "The length of the baking period, during which SageMaker monitors alarms for each batch on the new fleet." + }, + "AWS::SageMaker::Endpoint Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." }, "AWS::SageMaker::Endpoint TrafficRoutingConfig": { "CanarySize": "Batch size for the first step to turn on traffic on the new endpoint fleet. `Value` must be less than or equal to 50% of the variant's total instance count.", @@ -33666,7 +37037,7 @@ "AsyncInferenceConfig": "Specifies configuration for how an endpoint performs asynchronous inference.", "DataCaptureConfig": "Specifies how to capture endpoint data for model monitor. The data capture configuration applies to all production variants hosted at the endpoint.", "EndpointConfigName": "The name of the endpoint configuration.", - "ExplainerConfig": "", + "ExplainerConfig": "A parameter to activate explainers.", "KmsKeyId": "The Amazon Resource Name (ARN) of an AWS Key Management Service key that Amazon SageMaker uses to encrypt data on the storage volume attached to the ML compute instance that hosts the endpoint.\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Alias name: `alias/ExampleAlias`\n- Alias name ARN: `arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias`\n\nThe KMS key policy must grant permission to the IAM role that you specify in your `CreateEndpoint` , `UpdateEndpoint` requests. For more information, refer to the AWS Key Management Service section [Using Key Policies in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/key-policies.html)\n\n> Certain Nitro-based instances include local storage, dependent on the instance type. Local storage volumes are encrypted using a hardware module on the instance. You can't request a `KmsKeyId` when using an instance type with local storage. If any of the models that you specify in the `ProductionVariants` parameter use nitro-based instances with local storage, do not specify a value for the `KmsKeyId` parameter. If you specify a value for `KmsKeyId` when using any nitro-based instances with local storage, the call to `CreateEndpointConfig` fails.\n> \n> For a list of instance types that support local instance storage, see [Instance Store Volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#instance-store-volumes) .\n> \n> For more information about local instance storage encryption, see [SSD Instance Store Volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssd-instance-store.html) .", "ProductionVariants": "A list of `ProductionVariant` objects, one for each model that you want to host at this endpoint.", "ShadowProductionVariants": "Array of `ProductionVariant` objects. There is one for each model that you want to host at this endpoint in shadow mode with production traffic replicated from the model specified on `ProductionVariants` . If you use this field, you can only specify one variant for `ProductionVariants` and one variant for `ShadowProductionVariants` .", @@ -33681,13 +37052,13 @@ }, "AWS::SageMaker::EndpointConfig AsyncInferenceNotificationConfig": { "ErrorTopic": "Amazon SNS topic to post a notification to when an inference fails. If no topic is provided, no notification is sent on failure.", - "IncludeInferenceResponseIn": "", + "IncludeInferenceResponseIn": "The Amazon SNS topics where you want the inference response to be included.\n\n> The inference response is included only if the response size is less than or equal to 128 KB.", "SuccessTopic": "Amazon SNS topic to post a notification to when an inference completes successfully. If no topic is provided, no notification is sent on success." }, "AWS::SageMaker::EndpointConfig AsyncInferenceOutputConfig": { "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the asynchronous inference output in Amazon S3.", "NotificationConfig": "Specifies the configuration for notifications of inference results for asynchronous inference.", - "S3FailurePath": "", + "S3FailurePath": "The Amazon S3 location to upload failure inference responses to.", "S3OutputPath": "The Amazon S3 location to upload inference responses to." }, "AWS::SageMaker::EndpointConfig CaptureContentTypeHeader": { @@ -33698,40 +37069,38 @@ "CaptureMode": "Specifies whether the endpoint captures input data or output data." }, "AWS::SageMaker::EndpointConfig ClarifyExplainerConfig": { - "EnableExplanations": "", - "InferenceConfig": "", - "ShapConfig": "" + "EnableExplanations": "A JMESPath boolean expression used to filter which records to explain. Explanations are activated by default. See [`EnableExplanations`](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-enable) for additional information.", + "InferenceConfig": "The inference configuration parameter for the model container.", + "ShapConfig": "The configuration for SHAP analysis." }, - "AWS::SageMaker::EndpointConfig ClarifyFeatureType": {}, - "AWS::SageMaker::EndpointConfig ClarifyHeader": {}, "AWS::SageMaker::EndpointConfig ClarifyInferenceConfig": { - "ContentTemplate": "", - "FeatureHeaders": "", - "FeatureTypes": "", - "FeaturesAttribute": "", - "LabelAttribute": "", - "LabelHeaders": "", - "LabelIndex": "", - "MaxPayloadInMB": "", - "MaxRecordCount": "", - "ProbabilityAttribute": "", - "ProbabilityIndex": "" + "ContentTemplate": "A template string used to format a JSON record into an acceptable model container input. For example, a `ContentTemplate` string `'{\"myfeatures\":$features}'` will format a list of features `[1,2,3]` into the record string `'{\"myfeatures\":[1,2,3]}'` . Required only when the model container input is in JSON Lines format.", + "FeatureHeaders": "The names of the features. If provided, these are included in the endpoint response payload to help readability of the `InvokeEndpoint` output. See the [Response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", + "FeatureTypes": "A list of data types of the features (optional). Applicable only to NLP explainability. If provided, `FeatureTypes` must have at least one `'text'` string (for example, `['text']` ). If `FeatureTypes` is not provided, the explainer infers the feature types based on the baseline data. The feature types are included in the endpoint response payload. For additional information see the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", + "FeaturesAttribute": "Provides the JMESPath expression to extract the features from a model container input in JSON Lines format. For example, if `FeaturesAttribute` is the JMESPath expression `'myfeatures'` , it extracts a list of features `[1,2,3]` from request data `'{\"myfeatures\":[1,2,3]}'` .", + "LabelAttribute": "A JMESPath expression used to locate the list of label headers in the model container output.\n\n*Example* : If the model container output of a batch request is `'{\"labels\":[\"cat\",\"dog\",\"fish\"],\"probability\":[0.6,0.3,0.1]}'` , then set `LabelAttribute` to `'labels'` to extract the list of label headers `[\"cat\",\"dog\",\"fish\"]`", + "LabelHeaders": "For multiclass classification problems, the label headers are the names of the classes. Otherwise, the label header is the name of the predicted label. These are used to help readability for the output of the `InvokeEndpoint` API. See the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information. If there are no label headers in the model container output, provide them manually using this parameter.", + "LabelIndex": "A zero-based index used to extract a label header or list of label headers from model container output in CSV format.\n\n*Example for a multiclass model:* If the model container output consists of label headers followed by probabilities: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `LabelIndex` to `0` to select the label headers `['cat','dog','fish']` .", + "MaxPayloadInMB": "The maximum payload size (MB) allowed of a request from the explainer to the model container. Defaults to `6` MB.", + "MaxRecordCount": "The maximum number of records in a request that the model container can process when querying the model container for the predictions of a [synthetic dataset](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-synthetic) . A record is a unit of input data that inference can be made on, for example, a single line in CSV data. If `MaxRecordCount` is `1` , the model container expects one record per request. A value of 2 or greater means that the model expects batch requests, which can reduce overhead and speed up the inferencing process. If this parameter is not provided, the explainer will tune the record count per request according to the model container's capacity at runtime.", + "ProbabilityAttribute": "A JMESPath expression used to extract the probability (or score) from the model container output if the model container is in JSON Lines format.\n\n*Example* : If the model container output of a single request is `'{\"predicted_label\":1,\"probability\":0.6}'` , then set `ProbabilityAttribute` to `'probability'` .", + "ProbabilityIndex": "A zero-based index used to extract a probability value (score) or list from model container output in CSV format. If this value is not provided, the entire model container output will be treated as a probability value (score) or list.\n\n*Example for a single class model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'1,0.6'` , set `ProbabilityIndex` to `1` to select the probability value `0.6` .\n\n*Example for a multiclass model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `ProbabilityIndex` to `1` to select the probability values `[0.1,0.6,0.3]` ." }, "AWS::SageMaker::EndpointConfig ClarifyShapBaselineConfig": { - "MimeType": "", - "ShapBaseline": "", - "ShapBaselineUri": "" + "MimeType": "The MIME type of the baseline data. Choose from `'text/csv'` or `'application/jsonlines'` . Defaults to `'text/csv'` .", + "ShapBaseline": "The inline SHAP baseline data in string format. `ShapBaseline` can have one or multiple records to be used as the baseline dataset. The format of the SHAP baseline file should be the same format as the training dataset. For example, if the training dataset is in CSV format and each record contains four features, and all features are numerical, then the format of the baseline data should also share these characteristics. For natural language processing (NLP) of text columns, the baseline value should be the value used to replace the unit of text specified by the `Granularity` of the `TextConfig` parameter. The size limit for `ShapBasline` is 4 KB. Use the `ShapBaselineUri` parameter if you want to provide more than 4 KB of baseline data.", + "ShapBaselineUri": "The uniform resource identifier (URI) of the S3 bucket where the SHAP baseline file is stored. The format of the SHAP baseline file should be the same format as the format of the training dataset. For example, if the training dataset is in CSV format, and each record in the training dataset has four features, and all features are numerical, then the baseline file should also have this same format. Each record should contain only the features. If you are using a virtual private cloud (VPC), the `ShapBaselineUri` should be accessible to the VPC. For more information about setting up endpoints with Amazon Virtual Private Cloud, see [Give SageMaker access to Resources in your Amazon Virtual Private Cloud](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) ." }, "AWS::SageMaker::EndpointConfig ClarifyShapConfig": { - "NumberOfSamples": "", - "Seed": "", - "ShapBaselineConfig": "", - "TextConfig": "", - "UseLogit": "" + "NumberOfSamples": "The number of samples to be used for analysis by the Kernal SHAP algorithm.\n\n> The number of samples determines the size of the synthetic dataset, which has an impact on latency of explainability requests. For more information, see the *Synthetic data* of [Configure and create an endpoint](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html) .", + "Seed": "The starting value used to initialize the random number generator in the explainer. Provide a value for this parameter to obtain a deterministic SHAP result.", + "ShapBaselineConfig": "The configuration for the SHAP baseline of the Kernal SHAP algorithm.", + "TextConfig": "A parameter that indicates if text features are treated as text and explanations are provided for individual units of text. Required for natural language processing (NLP) explainability only.", + "UseLogit": "A Boolean toggle to indicate if you want to use the logit function (true) or log-odds units (false) for model predictions. Defaults to false." }, "AWS::SageMaker::EndpointConfig ClarifyTextConfig": { - "Granularity": "", - "Language": "" + "Granularity": "The unit of granularity for the analysis of text features. For example, if the unit is `'token'` , then each token (like a word in English) of the text is treated as a feature. SHAP values are computed for each unit/feature.", + "Language": "Specifies the language of the text features in [ISO 639-1](https://docs.aws.amazon.com/ https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) or [ISO 639-3](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_639-3) code of a supported language.\n\n> For a mix of multiple languages, use code `'xx'` ." }, "AWS::SageMaker::EndpointConfig DataCaptureConfig": { "CaptureContentTypeHeader": "A list of the JSON and CSV content type that the endpoint captures.", @@ -33742,26 +37111,30 @@ "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the captured data at rest using Amazon S3 server-side encryption. The KmsKeyId can be any of the following formats: Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab Key ARN: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab Alias name: alias/ExampleAlias Alias name ARN: arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias If you don't provide a KMS key ID, Amazon SageMaker uses the default KMS key for Amazon S3 for your role's account. For more information, see KMS-Managed Encryption Keys (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html) in the Amazon Simple Storage Service Developer Guide. The KMS key policy must grant permission to the IAM role that you specify in your CreateModel (https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateModel.html) request. For more information, see Using Key Policies in AWS KMS (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the AWS Key Management Service Developer Guide." }, "AWS::SageMaker::EndpointConfig ExplainerConfig": { - "ClarifyExplainerConfig": "" + "ClarifyExplainerConfig": "A member of `ExplainerConfig` that contains configuration parameters for the SageMaker Clarify explainer." }, "AWS::SageMaker::EndpointConfig ProductionVariant": { "AcceleratorType": "The size of the Elastic Inference (EI) instance to use for the production variant. EI instances provide on-demand GPU computing for inference. For more information, see [Using Elastic Inference in Amazon SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/ei.html) . For more information, see [Using Elastic Inference in Amazon SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/ei.html) .", - "ContainerStartupHealthCheckTimeoutInSeconds": "", - "EnableSSMAccess": "", + "ContainerStartupHealthCheckTimeoutInSeconds": "The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", + "EnableSSMAccess": "You can use this parameter to turn on native AWS Systems Manager (SSM) access for a production variant behind an endpoint. By default, SSM access is disabled for all production variants behind an endpoint. You can turn on or turn off SSM access for a production variant behind an existing endpoint by creating a new endpoint configuration and calling `UpdateEndpoint` .", "InitialInstanceCount": "Number of instances to launch initially.", "InitialVariantWeight": "Determines initial traffic distribution among all of the models that you specify in the endpoint configuration. The traffic to a production variant is determined by the ratio of the `VariantWeight` to the sum of all `VariantWeight` values across all ProductionVariants. If unspecified, it defaults to 1.0.", "InstanceType": "The ML compute instance type.", - "ModelDataDownloadTimeoutInSeconds": "", + "ModelDataDownloadTimeoutInSeconds": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant.", "ModelName": "The name of the model that you want to host. This is the name that you specified when creating the model.", "ServerlessConfig": "The serverless configuration for an endpoint. Specifies a serverless endpoint configuration instead of an instance-based endpoint configuration.", "VariantName": "The name of the production variant.", - "VolumeSizeInGB": "" + "VolumeSizeInGB": "The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Currently only Amazon EBS gp2 storage volumes are supported." }, "AWS::SageMaker::EndpointConfig ServerlessConfig": { "MaxConcurrency": "The maximum number of concurrent invocations your serverless endpoint can process.", "MemorySizeInMB": "The memory size of your serverless endpoint. Valid values are in 1 GB increments: 1024 MB, 2048 MB, 3072 MB, 4096 MB, 5120 MB, or 6144 MB.", "ProvisionedConcurrency": "" }, + "AWS::SageMaker::EndpointConfig Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::FeatureGroup": { "Description": "A free form description of a `FeatureGroup` .", "EventTimeFeatureName": "The name of the feature that stores the `EventTime` of a Record in a `FeatureGroup` .\n\nA `EventTime` is point in time when a new event occurs that corresponds to the creation or update of a `Record` in `FeatureGroup` . All `Records` in the `FeatureGroup` must have a corresponding `EventTime` .", @@ -33786,7 +37159,7 @@ "DataCatalogConfig": "The meta data of the Glue table that is autogenerated when an `OfflineStore` is created.", "DisableGlueTableCreation": "Set to `True` to disable the automatic creation of an AWS Glue table when configuring an `OfflineStore` . If set to `False` , Feature Store will name the `OfflineStore` Glue table following [Athena's naming recommendations](https://docs.aws.amazon.com/athena/latest/ug/tables-databases-columns-names.html) .\n\nThe default value is `False` .", "S3StorageConfig": "The Amazon Simple Storage (Amazon S3) location of `OfflineStore` .", - "TableFormat": "" + "TableFormat": "Format for the offline store table. Supported formats are Glue (Default) and [Apache Iceberg](https://docs.aws.amazon.com/https://iceberg.apache.org/) ." }, "AWS::SageMaker::FeatureGroup OnlineStoreConfig": { "EnableOnlineStore": "Turn `OnlineStore` off by specifying `False` for the `EnableOnlineStore` flag. Turn `OnlineStore` on by specifying `True` for the `EnableOnlineStore` flag.\n\nThe default value is `False` .", @@ -33799,16 +37172,33 @@ "KmsKeyId": "The AWS Key Management Service (KMS) key ARN of the key used to encrypt any objects written into the `OfflineStore` S3 location.\n\nThe IAM `roleARN` that is passed as a parameter to `CreateFeatureGroup` must have below permissions to the `KmsKeyId` :\n\n- `\"kms:GenerateDataKey\"`", "S3Uri": "The S3 URI, or location in Amazon S3, of `OfflineStore` .\n\nS3 URIs have a format similar to the following: `s3://example-bucket/prefix/` ." }, + "AWS::SageMaker::FeatureGroup Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Image": { - "ImageDescription": "The description of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 512.\n\n*Pattern* : `.*`", + "ImageDescription": "The description of the image.", "ImageDisplayName": "The display name of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 128.\n\n*Pattern* : `^\\S(.*\\S)?$`", "ImageName": "The name of the Image. Must be unique by region in your account.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`", "ImageRoleArn": "The Amazon Resource Name (ARN) of an IAM role that enables Amazon SageMaker to perform tasks on your behalf.\n\n*Length Constraints* : Minimum length of 20. Maximum length of 2048.\n\n*Pattern* : `^arn:aws[a-z\\-]*:iam::\\d{12}:role/?[a-zA-Z_0-9+=,.@\\-_/]+$`", "Tags": "A list of key-value pairs to apply to this resource.\n\n*Array Members* : Minimum number of 0 items. Maximum number of 50 items." }, + "AWS::SageMaker::Image Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ImageVersion": { - "BaseImage": "The container image that the SageMaker image version is based on.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 255.\n\n*Pattern* : `.*`", - "ImageName": "The name of the parent image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`" + "Alias": "", + "Aliases": "", + "BaseImage": "The container image that the SageMaker image version is based on.", + "Horovod": "", + "ImageName": "The name of the parent image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 63.\n\n*Pattern* : `^[a-zA-Z0-9]([-.]?[a-zA-Z0-9]){0,62}$`", + "JobType": "", + "MLFramework": "", + "Processor": "", + "ProgrammingLang": "", + "ReleaseNotes": "", + "VendorGuidance": "" }, "AWS::SageMaker::InferenceExperiment": { "DataStorageConfig": "The Amazon S3 location and configuration for storing inference request and response data.", @@ -33826,7 +37216,7 @@ "Type": "The type of the inference experiment." }, "AWS::SageMaker::InferenceExperiment CaptureContentTypeHeader": { - "CsvContentTypes": "The list of all content type headers that SageMaker will treat as CSV and capture accordingly.", + "CsvContentTypes": "The list of all content type headers that Amazon SageMaker will treat as CSV and capture accordingly.", "JsonContentTypes": "The list of all content type headers that SageMaker will treat as JSON and capture accordingly." }, "AWS::SageMaker::InferenceExperiment DataStorageConfig": { @@ -33864,6 +37254,10 @@ "SamplingPercentage": "The percentage of inference requests that Amazon SageMaker replicates from the production variant to the shadow variant.", "ShadowModelVariantName": "The name of the shadow variant." }, + "AWS::SageMaker::InferenceExperiment Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Model": { "Containers": "Specifies the containers in the inference pipeline.", "EnableNetworkIsolation": "Isolates the model container. No inbound or outbound network calls can be made to or from the model container.", @@ -33898,6 +37292,10 @@ "AWS::SageMaker::Model RepositoryAuthConfig": { "RepositoryCredentialsProviderArn": "The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the *AWS Lambda Developer Guide* ." }, + "AWS::SageMaker::Model Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Model VpcConfig": { "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." @@ -33916,17 +37314,17 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SageMaker::ModelBiasJobDefinition BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "EndTimeOffset": "", - "FeaturesAttribute": "", - "InferenceAttribute": "", - "LocalPath": "", - "ProbabilityAttribute": "", - "ProbabilityThresholdAttribute": "", - "S3DataDistributionType": "", - "S3InputMode": "", - "StartTimeOffset": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "EndTimeOffset": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", + "FeaturesAttribute": "The attributes of the input data that are the input features.", + "InferenceAttribute": "The attribute of the input data that represents the ground truth label.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", + "ProbabilityThresholdAttribute": "The threshold for the class probability to be evaluated as a positive result.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", + "StartTimeOffset": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) ." }, "AWS::SageMaker::ModelBiasJobDefinition ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", @@ -33953,7 +37351,7 @@ "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", "ProbabilityThresholdAttribute": "The threshold for the class probability to be evaluated as a positive result.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "StartTimeOffset": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) ." }, @@ -33970,7 +37368,7 @@ "ConstraintsResource": "The constraints resource for a monitoring job." }, "AWS::SageMaker::ModelBiasJobDefinition ModelBiasJobInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "Input object for the endpoint", "GroundTruthS3Input": "Location of ground truth labels to use in model bias job." }, @@ -33981,7 +37379,7 @@ "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::ModelBiasJobDefinition MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::ModelBiasJobDefinition MonitoringResources": { @@ -34000,6 +37398,10 @@ "AWS::SageMaker::ModelBiasJobDefinition StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::ModelBiasJobDefinition Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelBiasJobDefinition VpcConfig": { "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." @@ -34054,7 +37456,7 @@ "ContainerImage": "The container used to run the inference environment." }, "AWS::SageMaker::ModelCard InferenceSpecification": { - "Containers": "" + "Containers": "The Amazon ECR registry path of the Docker image that contains the inference code." }, "AWS::SageMaker::ModelCard IntendedUses": { "ExplanationsForRiskRating": "An explanation of why your organization categorizes the model with its risk rating.", @@ -34064,12 +37466,7 @@ "RiskRating": "Your organization's risk rating. You can specify one the following values as the risk rating:\n\n- High\n- Medium\n- Low\n- Unknown" }, "AWS::SageMaker::ModelCard MetricDataItems": { - "Name": "The names of the metrics.", - "Notes": "Any notes to add to the metric.", - "Type": "You must specify one of the following data types:\n\n- Bar Chart `bar_char`\n- Boolean `boolean`\n- Linear Graph `linear_graph`\n- Matrix `matrix`\n- Number `number`\n- String `string`", - "Value": "The datatype of the metric. The metric's *value* must be compatible with the metric's *type* .", - "XAxisName": "The name of the x axis.", - "YAxisName": "The name of the y axis." + "MetricDataItems": "" }, "AWS::SageMaker::ModelCard MetricGroup": { "MetricData": "A list of metric objects. The `MetricDataItems` list can have one of the following values:\n\n- `bar_chart_metric`\n- `matrix_metric`\n- `simple_metric`\n- `linear_graph_metric`\n\nFor more information about the metric schema, see the definition section of the [model card JSON schema](https://docs.aws.amazon.com/sagemaker/latest/dg/model-cards.html#model-cards-json-schema) .", @@ -34112,9 +37509,21 @@ "AWS::SageMaker::ModelCard SecurityConfig": { "KmsKeyId": "A AWS Key Management Service [key ID](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id) used to encrypt a model card." }, + "AWS::SageMaker::ModelCard SimpleMetric": { + "Name": "", + "Notes": "", + "Type": "", + "Value": "", + "XAxisName": "", + "YAxisName": "" + }, "AWS::SageMaker::ModelCard SourceAlgorithm": { - "AlgorithmName": "", - "ModelDataUrl": "" + "AlgorithmName": "The name of an algorithm that was used to create the model package. The algorithm must be either an algorithm resource in your SageMaker account or an algorithm in AWS Marketplace that you are subscribed to.", + "ModelDataUrl": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single `gzip` compressed tar archive ( `.tar.gz` suffix).\n\n> The model artifacts must be in an S3 bucket that is in the same AWS region as the algorithm." + }, + "AWS::SageMaker::ModelCard Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." }, "AWS::SageMaker::ModelCard TrainingDetails": { "ObjectiveFunction": "The function that is optimized during model training.", @@ -34161,14 +37570,14 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SageMaker::ModelExplainabilityJobDefinition BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "FeaturesAttribute": "", - "InferenceAttribute": "", - "LocalPath": "", - "ProbabilityAttribute": "", - "S3DataDistributionType": "", - "S3InputMode": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "FeaturesAttribute": "The attributes of the input data that are the input features.", + "InferenceAttribute": "The attribute of the input data that represents the ground truth label.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::ModelExplainabilityJobDefinition ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", @@ -34193,14 +37602,14 @@ "InferenceAttribute": "The attribute of the input data that represents the ground truth label.", "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::ModelExplainabilityJobDefinition Json": { "Line": "" }, "AWS::SageMaker::ModelExplainabilityJobDefinition ModelExplainabilityAppSpecification": { - "ConfigUri": "JSON formatted S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", + "ConfigUri": "JSON formatted Amazon S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", "Environment": "Sets the environment variables in the Docker container.", "ImageUri": "The container image to be run by the model explainability job." }, @@ -34209,14 +37618,14 @@ "ConstraintsResource": "The constraints resource for a model explainability job." }, "AWS::SageMaker::ModelExplainabilityJobDefinition ModelExplainabilityJobInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "" }, "AWS::SageMaker::ModelExplainabilityJobDefinition MonitoringOutput": { "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::ModelExplainabilityJobDefinition MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::ModelExplainabilityJobDefinition MonitoringResources": { @@ -34235,6 +37644,10 @@ "AWS::SageMaker::ModelExplainabilityJobDefinition StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::ModelExplainabilityJobDefinition Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelExplainabilityJobDefinition VpcConfig": { "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." @@ -34259,6 +37672,7 @@ "ModelPackageStatusDetails": "Specifies the validation and image scan statuses of the model package.", "ModelPackageVersion": "The version number of a versioned model.", "SamplePayloadUrl": "The Amazon Simple Storage Service path where the sample payload are stored. This path must point to a single gzip compressed tar archive (.tar.gz suffix).", + "SkipModelValidation": "Indicates if you want to skip model validation.", "SourceAlgorithmSpecification": "A list of algorithms that were used to create a model package.", "Tags": "A list of the tags associated with the model package. For more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference Guide* .", "Task": "The machine learning task your model package accomplishes. Common machine learning tasks include object detection and image classification.", @@ -34377,6 +37791,10 @@ "AWS::SageMaker::ModelPackage SourceAlgorithmSpecification": { "SourceAlgorithms": "A list of the algorithms that were used to create a model package." }, + "AWS::SageMaker::ModelPackage Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelPackage TransformInput": { "CompressionType": "If your transform data is compressed, specify the compression type. Amazon SageMaker automatically decompresses the data for the transform job accordingly. The default value is `None` .", "ContentType": "The multipurpose internet mail extension (MIME) type of the data. Amazon SageMaker uses the MIME type with each http call to transfer data to the transform job.", @@ -34417,6 +37835,10 @@ "ModelPackageGroupPolicy": "A resouce policy to control access to a model group. For information about resoure policies, see [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *AWS Identity and Access Management User Guide.* .", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::SageMaker::ModelPackageGroup Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelQualityJobDefinition": { "EndpointName": "", "JobDefinitionName": "The name of the monitoring job definition.", @@ -34431,16 +37853,16 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SageMaker::ModelQualityJobDefinition BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "EndTimeOffset": "", - "InferenceAttribute": "", - "LocalPath": "", - "ProbabilityAttribute": "", - "ProbabilityThresholdAttribute": "", - "S3DataDistributionType": "", - "S3InputMode": "", - "StartTimeOffset": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "EndTimeOffset": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", + "InferenceAttribute": "The attribute of the input data that represents the ground truth label.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", + "ProbabilityThresholdAttribute": "The threshold for the class probability to be evaluated as a positive result.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", + "StartTimeOffset": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) ." }, "AWS::SageMaker::ModelQualityJobDefinition ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", @@ -34466,7 +37888,7 @@ "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", "ProbabilityAttribute": "In a classification problem, the attribute that represents the class probability.", "ProbabilityThresholdAttribute": "The threshold for the class probability to be evaluated as a positive result.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "StartTimeOffset": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) ." }, @@ -34480,14 +37902,14 @@ "ImageUri": "The address of the container image that the monitoring job runs.", "PostAnalyticsProcessorSourceUri": "An Amazon S3 URI to a script that is called after analysis has been performed. Applicable only for the built-in (first party) containers.", "ProblemType": "The machine learning problem type of the model that the monitoring job monitors.", - "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." + "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." }, "AWS::SageMaker::ModelQualityJobDefinition ModelQualityBaselineConfig": { "BaseliningJobName": "The name of the job that performs baselining for the monitoring job.", "ConstraintsResource": "The constraints resource for a monitoring job." }, "AWS::SageMaker::ModelQualityJobDefinition ModelQualityJobInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "Input object for the endpoint", "GroundTruthS3Input": "The ground truth label provided for the model." }, @@ -34498,7 +37920,7 @@ "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::ModelQualityJobDefinition MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::ModelQualityJobDefinition MonitoringResources": { @@ -34517,6 +37939,10 @@ "AWS::SageMaker::ModelQualityJobDefinition StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::ModelQualityJobDefinition Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::ModelQualityJobDefinition VpcConfig": { "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." @@ -34535,11 +37961,12 @@ "StatisticsResource": "The baseline statistics file in Amazon S3 that the current monitoring job should be validated against." }, "AWS::SageMaker::MonitoringSchedule BatchTransformInput": { - "DataCapturedDestinationS3Uri": "", - "DatasetFormat": "", - "LocalPath": "", - "S3DataDistributionType": "", - "S3InputMode": "" + "DataCapturedDestinationS3Uri": "The Amazon S3 location being used to capture the data.", + "DatasetFormat": "The dataset format for your batch transform job.", + "ExcludeFeaturesAttribute": "The attributes of the input data to exclude from the analysis.", + "LocalPath": "Path to the filesystem where the batch transform data is available to the container.", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::MonitoringSchedule ClusterConfig": { "InstanceCount": "The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. The default value is 1.", @@ -34560,8 +37987,9 @@ }, "AWS::SageMaker::MonitoringSchedule EndpointInput": { "EndpointName": "An endpoint in customer's account which has enabled `DataCaptureConfig` enabled.", + "ExcludeFeaturesAttribute": "The attributes of the input data to exclude from the analysis.", "LocalPath": "Path to the filesystem where the endpoint data is available to the container.", - "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "S3DataDistributionType": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "S3InputMode": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` ." }, "AWS::SageMaker::MonitoringSchedule Json": { @@ -34572,7 +38000,7 @@ "ContainerEntrypoint": "Specifies the entrypoint for a container used to run the monitoring job.", "ImageUri": "The container image to be run by the monitoring job.", "PostAnalyticsProcessorSourceUri": "An Amazon S3 URI to a script that is called after analysis has been performed. Applicable only for the built-in (first party) containers.", - "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." + "RecordPreprocessorSourceUri": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers." }, "AWS::SageMaker::MonitoringSchedule MonitoringExecutionSummary": { "CreationTime": "The time at which the monitoring job was created.", @@ -34585,7 +38013,7 @@ "ScheduledTime": "The time the monitoring job was scheduled." }, "AWS::SageMaker::MonitoringSchedule MonitoringInput": { - "BatchTransformInput": "", + "BatchTransformInput": "Input object for the batch transform job.", "EndpointInput": "The endpoint for a monitoring job." }, "AWS::SageMaker::MonitoringSchedule MonitoringJobDefinition": { @@ -34593,7 +38021,7 @@ "Environment": "Sets the environment variables in the Docker container.", "MonitoringAppSpecification": "Configures the monitoring job to run a specified Docker container image.", "MonitoringInputs": "The array of inputs for the monitoring job. Currently we support monitoring an Amazon SageMaker Endpoint.", - "MonitoringOutputConfig": "The array of outputs from the monitoring job to be uploaded to Amazon Simple Storage Service (Amazon S3).", + "MonitoringOutputConfig": "The array of outputs from the monitoring job to be uploaded to Amazon S3.", "MonitoringResources": "Identifies the resources, ML compute instances, and ML storage volumes to deploy for a monitoring job. In distributed processing, you specify more than one instance.", "NetworkConfig": "Specifies networking options for an monitoring job.", "RoleArn": "The Amazon Resource Name (ARN) of an IAM role that Amazon SageMaker can assume to perform tasks on your behalf.", @@ -34603,7 +38031,7 @@ "S3Output": "The Amazon S3 storage location where the results of a monitoring job are saved." }, "AWS::SageMaker::MonitoringSchedule MonitoringOutputConfig": { - "KmsKeyId": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "KmsKeyId": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "MonitoringOutputs": "Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded." }, "AWS::SageMaker::MonitoringSchedule MonitoringResources": { @@ -34626,7 +38054,9 @@ "S3Uri": "A URI that identifies the S3 storage location where SageMaker saves the results of a monitoring job." }, "AWS::SageMaker::MonitoringSchedule ScheduleConfig": { - "ScheduleExpression": "A cron expression that describes details about the monitoring schedule.\n\nCurrently the only supported cron expressions are:\n\n- If you want to set the job to start every hour, please use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day." + "DataAnalysisEndTime": "Sets the end time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to end the window one hour before the start of each monitoring job, you would specify: `\"-PT1H\"` .\n\nThe end time that you specify must not follow the start time that you specify by more than 24 hours. You specify the start time with the `DataAnalysisStartTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "DataAnalysisStartTime": "Sets the start time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to monitor the five hours of data in your dataset that precede the start of each monitoring job, you would specify: `\"-PT5H\"` .\n\nThe start time that you specify must not precede the end time that you specify by more than 24 hours. You specify the end time with the `DataAnalysisEndTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "ScheduleExpression": "A cron expression that describes details about the monitoring schedule.\n\nThe supported cron expressions are:\n\n- If you want to set the job to start every hour, use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n- If you want to run the job one time, immediately, use the following keyword:\n\n`NOW`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day. \n\nYou can also specify the keyword `NOW` to run the monitoring job immediately, one time, without recurring." }, "AWS::SageMaker::MonitoringSchedule StatisticsResource": { "S3Uri": "The S3 URI for the statistics resource." @@ -34634,6 +38064,10 @@ "AWS::SageMaker::MonitoringSchedule StoppingCondition": { "MaxRuntimeInSeconds": "The maximum length of time, in seconds, that a training or compilation job can run before it is stopped.\n\nFor compilation jobs, if the job does not complete during this time, a `TimeOut` error is generated. We recommend starting with 900 seconds and increasing as necessary based on your model.\n\nFor all other jobs, if the job does not complete during this time, SageMaker ends the job. When `RetryStrategy` is specified in the job request, `MaxRuntimeInSeconds` specifies the maximum time for all of the attempts in total, not each individual attempt. The default value is 1 day. The maximum value is 28 days.\n\nThe maximum time that a `TrainingJob` can run in total, including any time spent publishing metrics or archiving and uploading models after it has been stopped, is 30 days." }, + "AWS::SageMaker::MonitoringSchedule Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::MonitoringSchedule VpcConfig": { "SecurityGroupIds": "The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `Subnets` field.", "Subnets": "The ID of the subnets in the VPC to which you want to connect your training job or model. For information about the availability of specific instance types, see [Supported Instance Types and Availability Zones](https://docs.aws.amazon.com/sagemaker/latest/dg/instance-types-az.html) ." @@ -34659,6 +38093,10 @@ "AWS::SageMaker::NotebookInstance InstanceMetadataServiceConfiguration": { "MinimumInstanceMetadataServiceVersion": "Indicates the minimum IMDS version that the notebook instance supports. When passed as part of `CreateNotebookInstance` , if no value is selected, then it defaults to IMDSv1. This means that both IMDSv1 and IMDSv2 are supported. If passed as part of `UpdateNotebookInstance` , there is no default." }, + "AWS::SageMaker::NotebookInstance Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::NotebookInstanceLifecycleConfig": { "NotebookInstanceLifecycleConfigName": "The name of the lifecycle configuration.", "OnCreate": "A shell script that runs only once, when you create a notebook instance. The shell script must be a base64-encoded string.", @@ -34668,7 +38106,7 @@ "Content": "A base64-encoded string that contains a shell script for a notebook instance lifecycle configuration." }, "AWS::SageMaker::Pipeline": { - "ParallelismConfiguration": "", + "ParallelismConfiguration": "The parallelism configuration applied to the pipeline.", "PipelineDefinition": "The definition of the pipeline. This can be either a JSON string or an Amazon S3 location.", "PipelineDescription": "The description of the pipeline.", "PipelineDisplayName": "The display name of the pipeline.", @@ -34680,19 +38118,23 @@ "MaxParallelExecutionSteps": "The max number of steps that can be executed in parallel." }, "AWS::SageMaker::Pipeline PipelineDefinition": { - "PipelineDefinitionBody": "", - "PipelineDefinitionS3Location": "" + "PipelineDefinitionBody": "The [JSON pipeline definition](https://docs.aws.amazon.com/https://aws-sagemaker-mlops.github.io/sagemaker-model-building-pipeline-definition-JSON-schema/) of the pipeline.", + "PipelineDefinitionS3Location": "The location of the pipeline definition stored in Amazon S3. If specified, SageMaker retrieves the pipeline definition from this location." }, "AWS::SageMaker::Pipeline S3Location": { - "Bucket": "", - "ETag": "", - "Key": "", - "Version": "" + "Bucket": "The name of the S3 bucket.", + "ETag": "A file checksum of the pipeline definition file.", + "Key": "The object key (or key name) which uniquely identifies the object in an S3 bucket.", + "Version": "The version ID of the pipeline definition file. If not specified, Amazon SageMaker will retrieve the latest version." + }, + "AWS::SageMaker::Pipeline Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." }, "AWS::SageMaker::Project": { "ProjectDescription": "The description of the project.", "ProjectName": "The name of the project.", - "ServiceCatalogProvisionedProductDetails": "", + "ServiceCatalogProvisionedProductDetails": "Details of a provisioned service catalog product. For information about service catalog, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "ServiceCatalogProvisioningDetails": "The product ID and provisioning artifact ID to provision a service catalog. For information, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "Tags": "A list of key-value pairs to apply to this resource.\n\nFor more information, see [Resource Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) and [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html#allocation-what) in the *AWS Billing and Cost Management User Guide* ." }, @@ -34710,6 +38152,10 @@ "ProvisioningArtifactId": "The ID of the provisioning artifact.", "ProvisioningParameters": "A list of key value pairs that you specify when you provision a product." }, + "AWS::SageMaker::Project Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::Space": { "DomainId": "The ID of the associated Domain.", "SpaceName": "The name of the space.", @@ -34737,6 +38183,10 @@ "JupyterServerAppSettings": "The JupyterServer app settings.", "KernelGatewayAppSettings": "The KernelGateway app settings." }, + "AWS::SageMaker::Space Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::UserProfile": { "DomainId": "The domain ID.", "SingleSignOnUserIdentifier": "A specifier for the type of value specified in SingleSignOnUserValue. Currently, the only supported value is \"UserName\". If the Domain's AuthMode is IAM Identity Center , this field is required. If the Domain's AuthMode is not IAM Identity Center , this field cannot be specified.", @@ -34771,6 +38221,10 @@ "S3KmsKeyId": "When `NotebookOutputOption` is `Allowed` , the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket.", "S3OutputPath": "When `NotebookOutputOption` is `Allowed` , the Amazon S3 bucket used to store the shared notebook snapshots." }, + "AWS::SageMaker::UserProfile Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::SageMaker::UserProfile UserSettings": { "ExecutionRole": "The execution role for the user.", "JupyterServerAppSettings": "The Jupyter server's app settings.", @@ -34802,6 +38256,10 @@ "AWS::SageMaker::Workteam OidcMemberDefinition": { "OidcGroups": "" }, + "AWS::SageMaker::Workteam Tag": { + "Key": "The tag key. Tag keys must be unique per resource.", + "Value": "The tag value." + }, "AWS::Scheduler::Schedule": { "Description": "The description you specify for the schedule.", "EndDate": "The date, in UTC, before which the schedule can invoke its target. Depending on the schedule's recurrence expression, invocations might stop on, or before, the `EndDate` you specify.\nEventBridge Scheduler ignores `EndDate` for one-time schedules.", @@ -34850,7 +38308,7 @@ }, "AWS::Scheduler::Schedule FlexibleTimeWindow": { "MaximumWindowInMinutes": "The maximum time window during which a schedule can be invoked.\n\n*Minimum* : `1`\n\n*Maximum* : `1440`", - "Mode": "Determines whether the schedule is invoked within a flexible time window.\n\n*Allowed Values* : `OFF` | `FLEXIBLE`" + "Mode": "Determines whether the schedule is invoked within a flexible time window. You must use quotation marks when you specify this value in your JSON or YAML template.\n\n*Allowed Values* : `\"OFF\"` | `\"FLEXIBLE\"`" }, "AWS::Scheduler::Schedule KinesisParameters": { "PartitionKey": "Specifies the shard to which EventBridge Scheduler sends the event. For more information, see [Amazon Kinesis Data Streams terminology and concepts](https://docs.aws.amazon.com/streams/latest/dev/key-concepts.html) in the *Amazon Kinesis Streams Developer Guide* ." @@ -34896,6 +38354,10 @@ "Name": "The name of the schedule group.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, + "AWS::Scheduler::ScheduleGroup Tag": { + "Key": "The key for the tag.", + "Value": "The value for the tag." + }, "AWS::SecretsManager::ResourcePolicy": { "BlockPublicPolicy": "Specifies whether to block resource-based policies that allow broad access to the secret. By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal.", "ResourcePolicy": "A JSON-formatted string for an AWS resource-based policy. For example policies, see [Permissions policy examples](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html) .", @@ -34951,16 +38413,20 @@ "KmsKeyId": "The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses `aws/secretsmanager` .", "Region": "(Optional) A string that represents a `Region` , for example \"us-east-1\"." }, + "AWS::SecretsManager::Secret Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value associated with the key of the tag." + }, "AWS::SecretsManager::SecretTargetAttachment": { "SecretId": "The ARN or name of the secret. To reference a secret also created in this template, use the see [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID.", "TargetId": "The ID of the database or cluster.", "TargetType": "A string that defines the type of service or database associated with the secret. This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following:\n\n- AWS::RDS::DBInstance\n- AWS::RDS::DBCluster\n- AWS::Redshift::Cluster\n- AWS::DocDB::DBInstance\n- AWS::DocDB::DBCluster" }, "AWS::SecurityHub::AutomationRule": { - "Actions": "One or more actions to update finding fields if a finding matches the defined criteria of the rule.", - "Criteria": "A set of [AWS Security Finding Format](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.", + "Actions": "One or more actions to update finding fields if a finding matches the conditions specified in `Criteria` .", + "Criteria": "A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding.", "Description": "A description of the rule.", - "IsTerminal": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to `true` for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. The default value of this field is `false` .", + "IsTerminal": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.", "RuleName": "The name of the rule.", "RuleOrder": "An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.", "RuleStatus": "Whether the rule is active after it is created. If this parameter is equal to `ENABLED` , Security Hub applies the rule to findings and finding updates after the rule is created.", @@ -34982,41 +38448,41 @@ "Workflow": "The rule action will update the `Workflow` field of a finding." }, "AWS::SecurityHub::AutomationRule AutomationRulesFindingFilters": { - "AwsAccountId": "The AWS account ID in which a finding was generated.", - "CompanyName": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .", - "ComplianceAssociatedStandardsId": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.", - "ComplianceSecurityControlId": "The security control ID for which a finding was generated. Security control IDs are the same across standards.", - "ComplianceStatus": "The result of a security check. This field is only used for findings generated from controls.", - "Confidence": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .", - "CreatedAt": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", - "Criticality": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .", - "Description": "A finding's description.", - "FirstObservedAt": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", - "GeneratorId": "The identifier for the solution-specific component that generated a finding.", - "Id": "The product-specific identifier for a finding.", - "LastObservedAt": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", - "NoteText": "The text of a user-defined note that's added to a finding.", - "NoteUpdatedAt": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", - "NoteUpdatedBy": "The principal that created a note.", - "ProductArn": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.", - "ProductName": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.", - "RecordState": "Provides the current state of a finding.", - "RelatedFindingsId": "The product-generated identifier for a related finding.", - "RelatedFindingsProductArn": "The ARN for the product that generated a related finding.", - "ResourceDetailsOther": "Custom fields and values about the resource that a finding pertains to.", - "ResourceId": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.", - "ResourcePartition": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.", - "ResourceRegion": "The AWS Region where the resource that a finding pertains to is located.", - "ResourceTags": "A list of AWS tags associated with a resource at the time the finding was processed.", - "ResourceType": "A finding's title.", - "SeverityLabel": "The severity value of the finding.", - "SourceUrl": "Provides a URL that links to a page about the current finding in the finding product.", - "Title": "A finding's title.", - "Type": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .", - "UpdatedAt": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", - "UserDefinedFields": "A list of user-defined name and value string pairs added to a finding.", - "VerificationState": "Provides the veracity of a finding.", - "WorkflowStatus": "Provides information about the status of the investigation into a finding." + "AwsAccountId": "The AWS account ID in which a finding was generated.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "CompanyName": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ComplianceAssociatedStandardsId": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ComplianceSecurityControlId": "The security control ID for which a finding was generated. Security control IDs are the same across standards.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ComplianceStatus": "The result of a security check. This field is only used for findings generated from controls.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "Confidence": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "CreatedAt": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "Criticality": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "Description": "A finding's description.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "FirstObservedAt": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "GeneratorId": "The identifier for the solution-specific component that generated a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "Id": "The product-specific identifier for a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "LastObservedAt": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "NoteText": "The text of a user-defined note that's added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "NoteUpdatedAt": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "NoteUpdatedBy": "The principal that created a note.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ProductArn": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ProductName": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "RecordState": "Provides the current state of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "RelatedFindingsId": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "RelatedFindingsProductArn": "The ARN for the product that generated a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceDetailsOther": "Custom fields and values about the resource that a finding pertains to.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceId": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "ResourcePartition": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceRegion": "The AWS Region where the resource that a finding pertains to is located.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceTags": "A list of AWS tags associated with a resource at the time the finding was processed.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "ResourceType": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "SeverityLabel": "The severity value of the finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "SourceUrl": "Provides a URL that links to a page about the current finding in the finding product.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "Title": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", + "Type": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "UpdatedAt": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "UserDefinedFields": "A list of user-defined name and value string pairs added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "VerificationState": "Provides the veracity of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", + "WorkflowStatus": "Provides information about the status of the investigation into a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items." }, "AWS::SecurityHub::AutomationRule DateFilter": { "DateRange": "A date range for the date filter.", @@ -35028,9 +38494,9 @@ "Value": "A date range value for the date filter." }, "AWS::SecurityHub::AutomationRule MapFilter": { - "Comparison": "The condition to apply to the key value when querying for findings with a map filter.\n\nTo search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the tag `Department` .\n\nTo search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that do not have the value `Finance` for the tag `Department` .\n\n`EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\n`NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nYou cannot have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field.", + "Comparison": "The condition to apply to the key value when filtering Security Hub findings with a map filter.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag.\n\n`CONTAINS` and `EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security` , `Finance` , or both values.\n\nTo search for values that don't have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don\u2019t have the value `Finance` for the `Department` tag.\n\n`NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values.\n\n`CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can\u2019t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error.\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "Key": "The key of the map filter. For example, for `ResourceTags` , `Key` identifies the name of the tag. For `UserDefinedFields` , `Key` is the name of the field.", - "Value": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there is no match." + "Value": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there's no match." }, "AWS::SecurityHub::AutomationRule NoteUpdate": { "Text": "The updated note text.", @@ -35042,7 +38508,7 @@ "Lte": "The less-than-equal condition to be applied to a single field when querying for findings." }, "AWS::SecurityHub::AutomationRule RelatedFinding": { - "Id": "The product-generated identifier for a related finding.", + "Id": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "ProductArn": "The Amazon Resource Name (ARN) for the product that generated a related finding." }, "AWS::SecurityHub::AutomationRule SeverityUpdate": { @@ -35051,8 +38517,8 @@ "Product": "The native severity as defined by the AWS service or integrated partner product that generated the finding." }, "AWS::SecurityHub::AutomationRule StringFilter": { - "Comparison": "The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that exactly match the filter value, use `EQUALS` .\n\nFor example, the filter `ResourceType EQUALS AwsEc2SecurityGroup` only matches findings that have a resource type of `AwsEc2SecurityGroup` .\n- To search for values that start with the filter value, use `PREFIX` .\n\nFor example, the filter `ResourceType PREFIX AwsIam` matches findings that have a resource type that starts with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all match.\n\n`EQUALS` and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\nTo search for values that do not contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that do not exactly match the filter value, use `NOT_EQUALS` .\n\nFor example, the filter `ResourceType NOT_EQUALS AwsIamPolicy` matches findings that have a resource type other than `AwsIamPolicy` .\n- To search for values that do not start with the filter value, use `PREFIX_NOT_EQUALS` .\n\nFor example, the filter `ResourceType PREFIX_NOT_EQUALS AwsIam` matches findings that have a resource type that does not start with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all be excluded from the results.\n\n`NOT_EQUALS` and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nFor filters on the same field, you cannot provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filter, Security Hub first identifies findings that have resource types that start with either `AwsIAM` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`", - "Value": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter text, then there is no match." + "Comparison": "The condition to apply to a string value when filtering Security Hub findings.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` .\n- To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn't match.\n\n`CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title.\n\nTo search for values that don\u2019t have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` .\n- To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` .\n\n`NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", + "Value": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there's no match." }, "AWS::SecurityHub::AutomationRule WorkflowUpdate": { "Status": "The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to `SUPPRESSED` or `RESOLVED` does not prevent a new finding for the same issue.\n\nThe allowed values are the following.\n\n- `NEW` - The initial state of a finding, before it is reviewed.\n\nSecurity Hub also resets `WorkFlowStatus` from `NOTIFIED` or `RESOLVED` to `NEW` in the following cases:\n\n- The record state changes from `ARCHIVED` to `ACTIVE` .\n- The compliance status changes from `PASSED` to either `WARNING` , `FAILED` , or `NOT_AVAILABLE` .\n- `NOTIFIED` - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.\n- `RESOLVED` - The finding was reviewed and remediated and is now considered resolved.\n- `SUPPRESSED` - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated." @@ -35064,7 +38530,7 @@ "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." }, "AWS::SecurityHub::Standard": { - "DisabledStandardsControls": "Specifies which controls are to be disabled in a standard.", + "DisabledStandardsControls": "Specifies which controls are to be disabled in a standard.\n\n*Maximum* : `100`", "StandardsArn": "The ARN of the standard that you want to enable. To view a list of available Security Hub standards and their ARNs, use the [`DescribeStandards`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation." }, "AWS::SecurityHub::Standard StandardsControl": { @@ -35104,12 +38570,16 @@ "DisableTemplateValidation": "If set to true, AWS Service Catalog stops validating the specified provisioning artifact even if it is invalid.", "Info": "Specify the template source with one of the following options, but not both. Keys accepted: [ `LoadTemplateFromURL` , `ImportFromPhysicalId` ]\n\nThe URL of the AWS CloudFormation template in Amazon S3 in JSON format. Specify the URL in JSON format as follows:\n\n`\"LoadTemplateFromURL\": \"https://s3.amazonaws.com/cf-templates-ozkq9d3hgiq2-us-east-1/...\"`\n\n`ImportFromPhysicalId` : The physical id of the resource that contains the template. Currently only supports AWS CloudFormation stack arn. Specify the physical id in JSON format as follows: `ImportFromPhysicalId: \u201carn:aws:cloudformation:[us-east-1]:[accountId]:stack/[StackName]/[resourceId]`", "Name": "The name of the provisioning artifact (for example, v1 v2beta). No spaces are allowed.", - "Type": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `MARKETPLACE_AMI` - AWS Marketplace AMI\n- `MARKETPLACE_CAR` - AWS Marketplace Clusters and AWS Resources\n- `TERRAFORM_OPEN_SOURCE` - Terraform open source configuration file" + "Type": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `TERRAFORM_OPEN_SOURCE` - Terraform Open Source configuration file\n- `TERRAFORM_CLOUD` - Terraform Cloud configuration file\n- `EXTERNAL` - External configuration file" }, "AWS::ServiceCatalog::CloudFormationProduct SourceConnection": { "ConnectionParameters": "The connection details based on the connection `Type` .", "Type": "The only supported `SourceConnection` type is Codestar." }, + "AWS::ServiceCatalog::CloudFormationProduct Tag": { + "Key": "The tag key.", + "Value": "The value for this key." + }, "AWS::ServiceCatalog::CloudFormationProvisionedProduct": { "AcceptLanguage": "The language code.\n\n- `jp` - Japanese\n- `zh` - Chinese", "NotificationArns": "Passed to AWS CloudFormation . The SNS topic ARNs to which to publish stack-related events.", @@ -35137,6 +38607,10 @@ "StackSetOperationType": "Determines what action AWS Service Catalog performs to a stack set or a stack instance represented by the provisioned product. The default value is `UPDATE` if nothing is specified.\n\nApplicable only to a `CFN_STACKSET` provisioned product type.\n\n- **CREATE** - Creates a new stack instance in the stack set represented by the provisioned product. In this case, only new stack instances are created based on accounts and Regions; if new ProductId or ProvisioningArtifactID are passed, they will be ignored.\n- **UPDATE** - Updates the stack set represented by the provisioned product and also its stack instances.\n- **DELETE** - Deletes a stack instance in the stack set represented by the provisioned product.", "StackSetRegions": "One or more AWS Regions where the provisioned product will be available.\n\nApplicable only to a `CFN_STACKSET` provisioned product type.\n\nThe specified Regions should be within the list of Regions from the `STACKSET` constraint. To get the list of Regions in the `STACKSET` constraint, use the `DescribeProvisioningParameters` operation.\n\nIf no values are specified, the default value is all Regions from the `STACKSET` constraint." }, + "AWS::ServiceCatalog::CloudFormationProvisionedProduct Tag": { + "Key": "The tag key.", + "Value": "The value for this key." + }, "AWS::ServiceCatalog::LaunchNotificationConstraint": { "AcceptLanguage": "The language code.\n\n- `jp` - Japanese\n- `zh` - Chinese", "Description": "The description of the constraint.", @@ -35166,11 +38640,15 @@ "ProviderName": "The name of the portfolio provider.", "Tags": "One or more tags." }, + "AWS::ServiceCatalog::Portfolio Tag": { + "Key": "The tag key.", + "Value": "The value for this key." + }, "AWS::ServiceCatalog::PortfolioPrincipalAssociation": { "AcceptLanguage": "The language code.\n\n- `jp` - Japanese\n- `zh` - Chinese", "PortfolioId": "The portfolio identifier.", "PrincipalARN": "The ARN of the principal ( IAM user, role, or group).", - "PrincipalType": "The principal type. The supported value is `IAM` .\n\n*Allowed Values* : `IAM`" + "PrincipalType": "The principal type. The supported values are `IAM` and `IAM_PATTERN` ." }, "AWS::ServiceCatalog::PortfolioProductAssociation": { "AcceptLanguage": "The language code.\n\n- `jp` - Japanese\n- `zh` - Chinese", @@ -35252,9 +38730,12 @@ "Name": "The name that you want to assign to this namespace.", "Tags": "The tags for the namespace. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters." }, + "AWS::ServiceDiscovery::HttpNamespace Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::ServiceDiscovery::Instance": { "InstanceAttributes": "A string map that contains the following information for the service that you specify in `ServiceId` :\n\n- The attributes that apply to the records that are defined in the service.\n- For each attribute, the applicable value.\n\nSupported attribute keys include the following:\n\n- **AWS_ALIAS_DNS_NAME** - If you want AWS Cloud Map to create a Route\u00a053 alias record that routes traffic to an Elastic Load Balancing load balancer, specify the DNS name that is associated with the load balancer. For information about how to get the DNS name, see [AliasTarget->DNSName](https://docs.aws.amazon.com/Route53/latest/APIReference/API_AliasTarget.html#Route53-Type-AliasTarget-DNSName) in the *Route\u00a053 API Reference* .\n\nNote the following:\n\n- The configuration for the service that is specified by `ServiceId` must include settings for an `A` record, an `AAAA` record, or both.\n- In the service that is specified by `ServiceId` , the value of `RoutingPolicy` must be `WEIGHTED` .\n- If the service that is specified by `ServiceId` includes `HealthCheckConfig` settings, AWS Cloud Map will create the health check, but it won't associate the health check with the alias record.\n- Auto naming currently doesn't support creating alias records that route traffic to AWS resources other than ELB load balancers.\n- If you specify a value for `AWS_ALIAS_DNS_NAME` , don't specify values for any of the `AWS_INSTANCE` attributes.\n- **AWS_EC2_INSTANCE_ID** - *HTTP namespaces only.* The Amazon EC2 instance ID for the instance. The `AWS_INSTANCE_IPV4` attribute contains the primary private IPv4 address. When creating resources with a type of [AWS::ServiceDiscovery::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicediscovery-instance.html) , if the `AWS_EC2_INSTANCE_ID` attribute is specified, the only other attribute that can be specified is `AWS_INIT_HEALTH_STATUS` . After the resource has been created, the `AWS_INSTANCE_IPV4` attribute contains the primary private IPv4 address.\n- **AWS_INIT_HEALTH_STATUS** - If the service configuration includes `HealthCheckCustomConfig` , when creating resources with a type of [AWS::ServiceDiscovery::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicediscovery-instance.html) you can optionally use `AWS_INIT_HEALTH_STATUS` to specify the initial status of the custom health check, `HEALTHY` or `UNHEALTHY` . If you don't specify a value for `AWS_INIT_HEALTH_STATUS` , the initial status is `HEALTHY` . This attribute can only be used when creating resources and will not be seen on existing resources.\n- **AWS_INSTANCE_CNAME** - If the service configuration includes a `CNAME` record, the domain name that you want Route\u00a053 to return in response to DNS queries, for example, `example.com` .\n\nThis value is required if the service specified by `ServiceId` includes settings for an `CNAME` record.\n- **AWS_INSTANCE_IPV4** - If the service configuration includes an `A` record, the IPv4 address that you want Route\u00a053 to return in response to DNS queries, for example, `192.0.2.44` .\n\nThis value is required if the service specified by `ServiceId` includes settings for an `A` record. If the service includes settings for an `SRV` record, you must specify a value for `AWS_INSTANCE_IPV4` , `AWS_INSTANCE_IPV6` , or both.\n- **AWS_INSTANCE_IPV6** - If the service configuration includes an `AAAA` record, the IPv6 address that you want Route\u00a053 to return in response to DNS queries, for example, `2001:0db8:85a3:0000:0000:abcd:0001:2345` .\n\nThis value is required if the service specified by `ServiceId` includes settings for an `AAAA` record. If the service includes settings for an `SRV` record, you must specify a value for `AWS_INSTANCE_IPV4` , `AWS_INSTANCE_IPV6` , or both.\n- **AWS_INSTANCE_PORT** - If the service includes an `SRV` record, the value that you want Route\u00a053 to return for the port.\n\nIf the service includes `HealthCheckConfig` , the port on the endpoint that you want Route\u00a053 to send requests to.\n\nThis value is required if you specified settings for an `SRV` record or a Route\u00a053 health check when you created the service.", - "InstanceId": "An identifier that you want to associate with the instance. Note the following:\n\n- If the service that's specified by `ServiceId` includes settings for an `SRV` record, the value of `InstanceId` is automatically included as part of the value for the `SRV` record. For more information, see [DnsRecord > Type](https://docs.aws.amazon.com/cloud-map/latest/api/API_DnsRecord.html#cloudmap-Type-DnsRecord-Type) .\n- You can use this value to update an existing instance.\n- To register a new instance, you must specify a value that's unique among instances that you register by using the same service.\n- If you specify an existing `InstanceId` and `ServiceId` , AWS Cloud Map updates the existing DNS records, if any. If there's also an existing health check, AWS Cloud Map deletes the old health check and creates a new one.\n\n> The health check isn't deleted immediately, so it will still appear for a while if you submit a `ListHealthChecks` request, for example.\n\n> Do not include sensitive information in `InstanceId` if the namespace is discoverable by public DNS queries and any `Type` member of `DnsRecord` for the service contains `SRV` because the `InstanceId` is discoverable by public DNS queries.", "ServiceId": "The ID of the service that you want to use for settings for the instance." }, "AWS::ServiceDiscovery::PrivateDnsNamespace": { @@ -35273,6 +38754,10 @@ "AWS::ServiceDiscovery::PrivateDnsNamespace SOA": { "TTL": "The time to live (TTL) for purposes of negative caching." }, + "AWS::ServiceDiscovery::PrivateDnsNamespace Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::ServiceDiscovery::PublicDnsNamespace": { "Description": "A description for the namespace.", "Name": "The name that you want to assign to this namespace.\n\n> Do not include sensitive information in the name. The name is publicly available using DNS queries.", @@ -35288,6 +38773,10 @@ "AWS::ServiceDiscovery::PublicDnsNamespace SOA": { "TTL": "The time to live (TTL) for purposes of negative caching." }, + "AWS::ServiceDiscovery::PublicDnsNamespace Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::ServiceDiscovery::Service": { "Description": "The description of the service.", "DnsConfig": "A complex type that contains information about the Route\u00a053 DNS records that you want AWS Cloud Map to create when you register an instance.\n\n> The record types of a service can only be changed by deleting the service and recreating it with a new `Dnsconfig` .", @@ -35315,6 +38804,10 @@ "AWS::ServiceDiscovery::Service HealthCheckCustomConfig": { "FailureThreshold": "> This parameter is no longer supported and is always set to 1. AWS Cloud Map waits for approximately 30 seconds after receiving an `UpdateInstanceCustomHealthStatus` request before changing the status of the service instance. \n\nThe number of 30-second intervals that you want AWS Cloud Map to wait after receiving an `UpdateInstanceCustomHealthStatus` request before it changes the health status of a service instance.\n\nSending a second or subsequent `UpdateInstanceCustomHealthStatus` request with the same value before 30 seconds has passed doesn't accelerate the change. AWS Cloud Map still waits `30` seconds after the first request to make the change." }, + "AWS::ServiceDiscovery::Service Tag": { + "Key": "The key identifier, or name, of the tag.", + "Value": "The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null." + }, "AWS::Shield::DRTAccess": { "LogBucketList": "Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources. You can associate up to 10 Amazon S3 buckets with your subscription.\n\nUse this to share information with the SRT that's not available in AWS WAF logs.\n\nTo use the services of the SRT, you must be subscribed to the [Business Support plan](https://docs.aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://docs.aws.amazon.com/premiumsupport/enterprise-support/) .", "RoleArn": "Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs.\n\nYou can associate only one `RoleArn` with your subscription. If you submit this update for an account that already has an associated role, the new `RoleArn` will replace the existing `RoleArn` .\n\nThis change requires the following:\n\n- You must be subscribed to the [Business Support plan](https://docs.aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://docs.aws.amazon.com/premiumsupport/enterprise-support/) .\n- You must have the `iam:PassRole` permission. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) .\n- The `AWSShieldDRTAccessPolicy` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at [AWSShieldDRTAccessPolicy](https://docs.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy) . For information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) .\n- The role must trust the service principal `drt.shield.amazonaws.com` . For information, see [IAM JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) .\n\nThe SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you." @@ -35329,7 +38822,7 @@ "PhoneNumber": "The phone number for the contact." }, "AWS::Shield::Protection": { - "ApplicationLayerAutomaticResponseConfiguration": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.", + "ApplicationLayerAutomaticResponseConfiguration": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.\n\nIf you use AWS CloudFormation to manage the web ACLs that you use with Shield Advanced automatic mitigation, see the guidance for the `AWS::WAFv2::WebACL` resource.\n\nhello!", "HealthCheckArns": "The ARN (Amazon Resource Name) of the health check to associate with the protection. Health-based detection provides improved responsiveness and accuracy in attack detection and mitigation.\n\nYou can use this option with any resource type except for Route\u00a053 hosted zones.\n\nFor more information, see [Configuring health-based detection using health checks](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-health-checks.html) in the *AWS Shield Advanced Developer Guide* .", "Name": "The name of the protection. For example, `My CloudFront distributions` .\n\n> If you change the name of an existing protection, Shield Advanced deletes the protection and replaces it with a new one. While this is happening, the protection isn't available on the AWS resource.", "ResourceArn": "The ARN (Amazon Resource Name) of the AWS resource that is protected.", @@ -35343,6 +38836,10 @@ "Action": "Specifies the action setting that Shield Advanced should use in the AWS WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the AWS WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.", "Status": "Indicates whether automatic application layer DDoS mitigation is enabled for the protection." }, + "AWS::Shield::Protection Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::Shield::ProtectionGroup": { "Aggregation": "Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.\n\n- Sum - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically.\n- Mean - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers.\n- Max - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.", "Members": "The ARNs (Amazon Resource Names) of the resources to include in the protection group. You must set this when you set `Pattern` to `ARBITRARY` and you must not set it for any other `Pattern` setting.", @@ -35351,6 +38848,10 @@ "ResourceType": "The resource type to include in the protection group. All protected resources of this type are included in the protection group. You must set this when you set `Pattern` to `BY_RESOURCE_TYPE` and you must not set it for any other `Pattern` setting.", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource." }, + "AWS::Shield::ProtectionGroup Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::Signer::ProfilePermission": { "Action": "The AWS Signer action permitted as part of cross-account permissions.", "Principal": "The AWS principal receiving cross-account permissions. This may be an IAM role or another AWS account ID.", @@ -35367,6 +38868,10 @@ "Type": "The time unit for signature validity: DAYS | MONTHS | YEARS.", "Value": "The numerical value of the time unit for signature validity." }, + "AWS::Signer::SigningProfile Tag": { + "Key": "", + "Value": "" + }, "AWS::SimSpaceWeaver::Simulation": { "MaximumDuration": "The maximum running time of the simulation, specified as a number of minutes (m or M), hours (h or H), or days (d or D). The simulation stops when it reaches this limit. The maximum value is `14D` , or its equivalent in the other units. The default value is `14D` . A value equivalent to `0` makes the simulation immediately transition to `STOPPING` as soon as it reaches `STARTED` .", "Name": "The name of the simulation.", @@ -35422,7 +38927,7 @@ "Enabled": "When set to `true` , X-Ray tracing is enabled." }, "AWS::StepFunctions::StateMachineAlias": { - "DeploymentPreference": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "DeploymentPreference": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "Description": "An optional description of the state machine alias.", "Name": "The name of the state machine alias. If you don't provide a name, it uses an automatically generated name based on the logical ID.", "RoutingConfiguration": "The routing configuration of an alias. Routing configuration splits [StartExecution](https://docs.aws.amazon.com/step-functions/latest/apireference/API_StartExecution.html) requests between one or two versions of the same state machine.\n\nUse `RoutingConfiguration` if you want to explicitly set the alias [weights](https://docs.aws.amazon.com/step-functions/latest/apireference/API_RoutingConfigurationListItem.html#StepFunctions-Type-RoutingConfigurationListItem-weight) . Weight is the percentage of traffic you want to route to a state machine version.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties." @@ -35432,7 +38937,7 @@ "Interval": "The time in minutes between each traffic shifting increment.", "Percentage": "The percentage of traffic to shift to the new version in each increment.", "StateMachineVersionArn": "The Amazon Resource Name (ARN) of the [`AWS::StepFunctions::StateMachineVersion`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachineversion.html) resource that will be the final version to which the alias points to when the traffic shifting is complete.\n\nWhile performing gradual deployments, you can only provide a single state machine version ARN. To explicitly set version weights in a CloudFormation template, use `RoutingConfiguration` instead.", - "Type": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval." + "Type": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval." }, "AWS::StepFunctions::StateMachineAlias RoutingConfigurationVersion": { "StateMachineVersionArn": "The Amazon Resource Name (ARN) that identifies one or two state machine versions defined in the routing configuration.\n\nIf you specify the ARN of a second version, it must belong to the same state machine as the first version.", @@ -35505,6 +39010,10 @@ "DurationInSeconds": "How long, in seconds, for the canary to continue making regular runs according to the schedule in the `Expression` value. If you specify 0, the canary continues making runs until you stop it. If you omit this field, the default of 0 is used.", "Expression": "A `rate` expression or a `cron` expression that defines how often the canary is to run.\n\nFor a rate expression, The syntax is `rate( *number unit* )` . *unit* can be `minute` , `minutes` , or `hour` .\n\nFor example, `rate(1 minute)` runs the canary once a minute, `rate(10 minutes)` runs it once every 10 minutes, and `rate(1 hour)` runs it once every hour. You can specify a frequency between `rate(1 minute)` and `rate(1 hour)` .\n\nSpecifying `rate(0 minute)` or `rate(0 hour)` is a special value that causes the canary to run only once when it is started.\n\nUse `cron( *expression* )` to specify a cron expression. You can't schedule a canary to wait for more than a year before running. For information about the syntax for cron expressions, see [Scheduling canary runs using cron](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_cron.html) ." }, + "AWS::Synthetics::Canary Tag": { + "Key": "", + "Value": "" + }, "AWS::Synthetics::Canary VPCConfig": { "SecurityGroupIds": "The IDs of the security groups for this canary.", "SubnetIds": "The IDs of the subnets where this canary is to run.", @@ -35519,6 +39028,10 @@ "ResourceArns": "The ARNs of the canaries that you want to associate with this group.", "Tags": "The list of key-value pairs that are associated with the group." }, + "AWS::Synthetics::Group Tag": { + "Key": "", + "Value": "" + }, "AWS::SystemsManagerSAP::Application": { "ApplicationId": "The ID of the application.", "ApplicationType": "The type of the application.", @@ -35533,11 +39046,19 @@ "DatabaseName": "The name of the SAP HANA database.", "SecretId": "The secret ID created in AWS Secrets Manager to store the credentials of the SAP application." }, + "AWS::SystemsManagerSAP::Application Tag": { + "Key": "", + "Value": "" + }, "AWS::Timestream::Database": { "DatabaseName": "The name of the Timestream database.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", "KmsKeyId": "The identifier of the AWS KMS key used to encrypt the data stored in the database.", "Tags": "The tags to add to the database." }, + "AWS::Timestream::Database Tag": { + "Key": "The key of the tag. Tag keys are case sensitive.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::Timestream::ScheduledQuery": { "ClientToken": "Using a ClientToken makes the call to CreateScheduledQuery idempotent, in other words, making the same request repeatedly will produce the same result. Making multiple identical CreateScheduledQuery requests has the same effect as making a single request.\n\n- If CreateScheduledQuery is called without a `ClientToken` , the Query SDK generates a `ClientToken` on your behalf.\n- After 8 hours, any request with the same `ClientToken` is treated as a new request.", "ErrorReportConfiguration": "Configuration for error reporting. Error reports will be generated when a problem is encountered when writing the query results.", @@ -35587,6 +39108,10 @@ "AWS::Timestream::ScheduledQuery SnsConfiguration": { "TopicArn": "SNS topic ARN that the scheduled query status notifications will be sent to." }, + "AWS::Timestream::ScheduledQuery Tag": { + "Key": "The key of the tag. Tag keys are case sensitive.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::Timestream::ScheduledQuery TargetConfiguration": { "TimestreamConfiguration": "Configuration needed to write data into the Timestream database and table." }, @@ -35603,6 +39128,7 @@ "DatabaseName": "The name of the Timestream database that contains this table.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", "MagneticStoreWriteProperties": "Contains properties to set on the table when enabling magnetic store writes.\n\nThis object has the following attributes:\n\n- *EnableMagneticStoreWrites* : A `boolean` flag to enable magnetic store writes.\n- *MagneticStoreRejectedDataLocation* : The location to write error reports for records rejected, asynchronously, during magnetic store writes. Only `S3Configuration` objects are allowed. The `S3Configuration` object has the following attributes:\n\n- *BucketName* : The name of the S3 bucket.\n- *EncryptionOption* : The encryption option for the S3 location. Valid values are S3 server-side encryption with an S3 managed key ( `SSE_S3` ) or AWS managed key ( `SSE_KMS` ).\n- *KmsKeyId* : The AWS KMS key ID to use when encrypting with an AWS managed key.\n- *ObjectKeyPrefix* : The prefix to use option for the objects stored in S3.\n\nBoth `BucketName` and `EncryptionOption` are *required* when `S3Configuration` is specified. If you specify `SSE_KMS` as your `EncryptionOption` then `KmsKeyId` is *required* .\n\n`EnableMagneticStoreWrites` attribute is *required* when `MagneticStoreWriteProperties` is specified. `MagneticStoreRejectedDataLocation` attribute is *required* when `EnableMagneticStoreWrites` is set to `true` .\n\nSee the following examples:\n\n*JSON*\n\n```json\n{ \"Type\" : AWS::Timestream::Table\", \"Properties\":{ \"DatabaseName\":\"TestDatabase\", \"TableName\":\"TestTable\", \"MagneticStoreWriteProperties\":{ \"EnableMagneticStoreWrites\":true, \"MagneticStoreRejectedDataLocation\":{ \"S3Configuration\":{ \"BucketName\":\"testbucket\", \"EncryptionOption\":\"SSE_KMS\", \"KmsKeyId\":\"1234abcd-12ab-34cd-56ef-1234567890ab\", \"ObjectKeyPrefix\":\"prefix\" } } } }\n}\n```\n\n*YAML*\n\n```\nType: AWS::Timestream::Table\nDependsOn: TestDatabase\nProperties: TableName: \"TestTable\" DatabaseName: \"TestDatabase\" MagneticStoreWriteProperties: EnableMagneticStoreWrites: true MagneticStoreRejectedDataLocation: S3Configuration: BucketName: \"testbucket\" EncryptionOption: \"SSE_KMS\" KmsKeyId: \"1234abcd-12ab-34cd-56ef-1234567890ab\" ObjectKeyPrefix: \"prefix\"\n```", "RetentionProperties": "The retention duration for the memory store and magnetic store. This object has the following attributes:\n\n- *MemoryStoreRetentionPeriodInHours* : Retention duration for memory store, in hours.\n- *MagneticStoreRetentionPeriodInDays* : Retention duration for magnetic store, in days.\n\nBoth attributes are of type `string` . Both attributes are *required* when `RetentionProperties` is specified.\n\nSee the following examples:\n\n*JSON*\n\n`{ \"Type\" : AWS::Timestream::Table\", \"Properties\" : { \"DatabaseName\" : \"TestDatabase\", \"TableName\" : \"TestTable\", \"RetentionProperties\" : { \"MemoryStoreRetentionPeriodInHours\": \"24\", \"MagneticStoreRetentionPeriodInDays\": \"7\" } } }` \n\n*YAML*\n\n```\nType: AWS::Timestream::Table\nDependsOn: TestDatabase\nProperties: TableName: \"TestTable\" DatabaseName: \"TestDatabase\" RetentionProperties: MemoryStoreRetentionPeriodInHours: \"24\" MagneticStoreRetentionPeriodInDays: \"7\"\n```", + "Schema": "The schema of the table.", "TableName": "The name of the Timestream table.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", "Tags": "The tags to add to the table" }, @@ -35613,6 +39139,11 @@ "EnableMagneticStoreWrites": "A flag to enable magnetic store writes.", "MagneticStoreRejectedDataLocation": "The location to write error reports for records rejected asynchronously during magnetic store writes." }, + "AWS::Timestream::Table PartitionKey": { + "EnforcementInRecord": "The level of enforcement for the specification of a dimension key in ingested records. Options are REQUIRED (dimension key must be specified) and OPTIONAL (dimension key does not have to be specified).", + "Name": "The name of the attribute used for a dimension key.", + "Type": "The type of the partition key. Options are DIMENSION (dimension key) and MEASURE (measure key)." + }, "AWS::Timestream::Table RetentionProperties": { "MagneticStoreRetentionPeriodInDays": "The duration for which data must be stored in the magnetic store.", "MemoryStoreRetentionPeriodInHours": "The duration for which data must be stored in the memory store." @@ -35623,8 +39154,15 @@ "KmsKeyId": "The AWS KMS key ID for the customer S3 location when encrypting with an AWS managed key.", "ObjectKeyPrefix": "The object key preview for the customer S3 location." }, + "AWS::Timestream::Table Schema": { + "CompositePartitionKey": "A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed." + }, + "AWS::Timestream::Table Tag": { + "Key": "The key of the tag. Tag keys are case sensitive.", + "Value": "The value of the tag. Tag values are case-sensitive and can be null." + }, "AWS::Transfer::Agreement": { - "AccessRole": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "AccessRole": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "BaseDirectory": "The landing directory (folder) for files that are transferred by using the AS2 protocol.", "Description": "The name or short description that's used to identify the agreement.", "LocalProfileId": "A unique identifier for the AS2 local profile.", @@ -35633,6 +39171,10 @@ "Status": "The current status of the agreement, either `ACTIVE` or `INACTIVE` .", "Tags": "Key-value pairs that can be used to group and search for agreements." }, + "AWS::Transfer::Agreement Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Certificate": { "ActiveDate": "An optional date that specifies when the certificate becomes active.", "Certificate": "The file name for the certificate.", @@ -35643,14 +39185,20 @@ "Tags": "Key-value pairs that can be used to group and search for certificates.", "Usage": "Specifies whether this certificate is used for signing or encryption." }, + "AWS::Transfer::Certificate Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Connector": { - "AccessRole": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", - "As2Config": "A structure that contains the parameters for a connector object.", + "AccessRole": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", + "As2Config": "A structure that contains the parameters for an AS2 connector object.", "LoggingRole": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.", + "SftpConfig": "A structure that contains the parameters for an SFTP connector object.", "Tags": "Key-value pairs that can be used to group and search for connectors.", - "Url": "The URL of the partner's AS2 endpoint." + "Url": "The URL of the partner's AS2 or SFTP endpoint." }, "AWS::Transfer::Connector As2Config": { + "BasicAuthSecretId": "Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager .\n\nThe default value for this parameter is `null` , which indicates that Basic authentication is not enabled for the connector.\n\nIf the connector should use Basic authentication, the secret needs to be in the following format:\n\n`{ \"Username\": \"user-name\", \"Password\": \"user-password\" }`\n\nReplace `user-name` and `user-password` with the credentials for the actual user that is being authenticated.\n\nNote the following:\n\n- You are storing these credentials in Secrets Manager, *not passing them directly* into this API.\n- If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you.\n\nIf you have previously enabled Basic authentication for a connector, you can disable it by using the `UpdateConnector` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:\n\n`update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=\"\"'`", "Compression": "Specifies whether the AS2 file is compressed.", "EncryptionAlgorithm": "The algorithm that is used to encrypt the file.\n\n> You can only specify `NONE` if the URL for your connector uses HTTPS. This ensures that no traffic is sent in clear text.", "LocalProfileId": "A unique identifier for the AS2 local profile.", @@ -35660,17 +39208,29 @@ "PartnerProfileId": "A unique identifier for the partner profile for the connector.", "SigningAlgorithm": "The algorithm that is used to sign the AS2 messages sent with the connector." }, + "AWS::Transfer::Connector SftpConfig": { + "TrustedHostKeys": "The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the `ssh-keyscan` command against the SFTP server to retrieve the necessary key.\n\nThe three standard SSH public key format elements are `` , `` , and an optional `` , with spaces between each element. Specify only the `` and `` : do not enter the `` portion of the key.\n\nFor the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.\n\n- For RSA keys, the `` string is `ssh-rsa` .\n- For ECDSA keys, the `` string is either `ecdsa-sha2-nistp256` , `ecdsa-sha2-nistp384` , or `ecdsa-sha2-nistp521` , depending on the size of the key you generated.", + "UserSecretId": "The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret." + }, + "AWS::Transfer::Connector Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Profile": { "As2Id": "The `As2Id` is the *AS2-name* , as defined in the [RFC 4130](https://docs.aws.amazon.com/https://datatracker.ietf.org/doc/html/rfc4130) . For inbound transfers, this is the `AS2-From` header for the AS2 messages sent from the partner. For outbound connectors, this is the `AS2-To` header for the AS2 messages sent to the partner using the `StartFileTransfer` API operation. This ID cannot include spaces.", "CertificateIds": "An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.", "ProfileType": "Indicates whether to list only `LOCAL` type profiles or only `PARTNER` type profiles. If not supplied in the request, the command lists all types of profiles.", "Tags": "Key-value pairs that can be used to group and search for profiles." }, + "AWS::Transfer::Profile Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Server": { "Certificate": "The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when `Protocols` is set to `FTPS` .\n\nTo request a new public certificate, see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) in the *AWS Certificate Manager User Guide* .\n\nTo import an existing certificate into ACM, see [Importing certificates into ACM](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .\n\nTo request a private certificate to use FTPS through private IP addresses, see [Request a private certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html) in the *AWS Certificate Manager User Guide* .\n\nCertificates with the following cryptographic algorithms and key sizes are supported:\n\n- 2048-bit RSA (RSA_2048)\n- 4096-bit RSA (RSA_4096)\n- Elliptic Prime Curve 256 bit (EC_prime256v1)\n- Elliptic Prime Curve 384 bit (EC_secp384r1)\n- Elliptic Prime Curve 521 bit (EC_secp521r1)\n\n> The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.", "Domain": "Specifies the domain of the storage system that is used for file transfers.", "EndpointDetails": "The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make your endpoint accessible only to resources within your VPC, or you can attach Elastic IP addresses and make your endpoint accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.", - "EndpointType": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.", + "EndpointType": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.\n\n> After May 19, 2021, you won't be able to create a server using `EndpointType=VPC_ENDPOINT` in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with `EndpointType=VPC_ENDPOINT` in your AWS account on or before May 19, 2021, you will not be affected. After this date, use `EndpointType` = `VPC` .\n> \n> For more information, see [Discontinuing the use of VPC_ENDPOINT](https://docs.aws.amazon.com//transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint) .\n> \n> It is recommended that you use `VPC` as the `EndpointType` . With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with `EndpointType` set to `VPC_ENDPOINT` .", "IdentityProviderDetails": "Required when `IdentityProviderType` is set to `AWS_DIRECTORY_SERVICE` , `AWS _LAMBDA` or `API_GATEWAY` . Accepts an array containing all of the information required to use a directory in `AWS_DIRECTORY_SERVICE` or invoke a customer-supplied authentication API, including the API Gateway URL. Not required when `IdentityProviderType` is set to `SERVICE_MANAGED` .", "IdentityProviderType": "The mode of authentication for a server. The default value is `SERVICE_MANAGED` , which allows you to store and access user credentials within the AWS Transfer Family service.\n\nUse `AWS_DIRECTORY_SERVICE` to provide access to Active Directory groups in AWS Directory Service for Microsoft Active Directory or Microsoft Active Directory in your on-premises environment or in AWS using AD Connector. This option also requires you to provide a Directory ID by using the `IdentityProviderDetails` parameter.\n\nUse the `API_GATEWAY` value to integrate with an identity provider of your choosing. The `API_GATEWAY` setting requires you to provide an Amazon API Gateway endpoint URL to call for authentication by using the `IdentityProviderDetails` parameter.\n\nUse the `AWS_LAMBDA` value to directly use an AWS Lambda function as your identity provider. If you choose this value, you must specify the ARN for the Lambda function in the `Function` parameter for the `IdentityProviderDetails` data type.", "LoggingRole": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.", @@ -35683,7 +39243,6 @@ "Tags": "Key-value pairs that can be used to group and search for servers.", "WorkflowDetails": "Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.\n\nIn addition to a workflow to execute when a file is uploaded completely, `WorkflowDetails` can also contain a workflow ID (and execution role) for a workflow to execute on partial upload. A partial upload occurs when a file is open when the session disconnects." }, - "AWS::Transfer::Server As2Transport": {}, "AWS::Transfer::Server EndpointDetails": { "AddressAllocationIds": "A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.\n\n> This property can only be set when `EndpointType` is set to `VPC` and it is only valid in the `UpdateServer` API.", "SecurityGroupIds": "A list of security groups IDs that are available to attach to your server's endpoint.\n\n> This property can only be set when `EndpointType` is set to `VPC` .\n> \n> You can edit the `SecurityGroupIds` property in the [UpdateServer](https://docs.aws.amazon.com/transfer/latest/userguide/API_UpdateServer.html) API only if you are changing the `EndpointType` from `PUBLIC` or `VPC_ENDPOINT` to `VPC` . To change security groups associated with your server's VPC endpoint after creation, use the Amazon EC2 [ModifyVpcEndpoint](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpcEndpoint.html) API.", @@ -35698,14 +39257,16 @@ "SftpAuthenticationMethods": "For SFTP-enabled servers, and for custom identity providers *only* , you can specify whether to authenticate using a password, SSH key pair, or both.\n\n- `PASSWORD` - users must provide their password to connect.\n- `PUBLIC_KEY` - users must provide their private key to connect.\n- `PUBLIC_KEY_OR_PASSWORD` - users can authenticate with either their password or their key. This is the default value.\n- `PUBLIC_KEY_AND_PASSWORD` - users must provide both their private key and their password to connect. The server checks the key first, and then if the key is valid, the system prompts for a password. If the private key provided does not match the public key that is stored, authentication fails.", "Url": "Provides the location of the service endpoint used to authenticate users." }, - "AWS::Transfer::Server Protocol": {}, "AWS::Transfer::Server ProtocolDetails": { "As2Transports": "List of `As2Transport` objects.", "PassiveIp": "Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For example:\n\n`aws transfer update-server --protocol-details PassiveIp=0.0.0.0`\n\nReplace `0.0.0.0` in the example above with the actual IP address you want to use.\n\n> If you change the `PassiveIp` value, you must stop and then restart your Transfer Family server for the change to take effect. For details on using passive mode (PASV) in a NAT environment, see [Configuring your FTPS server behind a firewall or NAT with AWS Transfer Family](https://docs.aws.amazon.com/storage/configuring-your-ftps-server-behind-a-firewall-or-nat-with-aws-transfer-family/) . \n\n*Special values*\n\nThe `AUTO` and `0.0.0.0` are special values for the `PassiveIp` parameter. The value `PassiveIp=AUTO` is assigned by default to FTP and FTPS type servers. In this case, the server automatically responds with one of the endpoint IPs within the PASV response. `PassiveIp=0.0.0.0` has a more unique application for its usage. For example, if you have a High Availability (HA) Network Load Balancer (NLB) environment, where you have 3 subnets, you can only specify a single IP address using the `PassiveIp` parameter. This reduces the effectiveness of having High Availability. In this case, you can specify `PassiveIp=0.0.0.0` . This tells the client to use the same IP address as the Control connection and utilize all AZs for their connections. Note, however, that not all FTP clients support the `PassiveIp=0.0.0.0` response. FileZilla and WinSCP do support it. If you are using other clients, check to see if your client supports the `PassiveIp=0.0.0.0` response.", "SetStatOption": "Use the `SetStatOption` to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket.\n\nSome SFTP file transfer clients can attempt to change the attributes of remote files, including timestamp and permissions, using commands, such as `SETSTAT` when uploading the file. However, these commands are not compatible with object storage systems, such as Amazon S3. Due to this incompatibility, file uploads from these clients can result in errors even when the file is otherwise successfully uploaded.\n\nSet the value to `ENABLE_NO_OP` to have the Transfer Family server ignore the `SETSTAT` command, and upload files without needing to make any changes to your SFTP client. While the `SetStatOption` `ENABLE_NO_OP` setting ignores the error, it does generate a log entry in Amazon CloudWatch Logs, so you can determine when the client is making a `SETSTAT` call.\n\n> If you want to preserve the original timestamp for your file, and modify other file attributes using `SETSTAT` , you can use Amazon EFS as backend storage with Transfer Family.", "TlsSessionResumptionMode": "A property used with Transfer Family servers that use the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. `TlsSessionResumptionMode` determines whether or not the server resumes recent, negotiated sessions through a unique session ID. This property is available during `CreateServer` and `UpdateServer` calls. If a `TlsSessionResumptionMode` value is not specified during `CreateServer` , it is set to `ENFORCED` by default.\n\n- `DISABLED` : the server does not process TLS session resumption client requests and creates a new TLS session for each request.\n- `ENABLED` : the server processes and accepts clients that are performing TLS session resumption. The server doesn't reject client data connections that do not perform the TLS session resumption client processing.\n- `ENFORCED` : the server processes and accepts clients that are performing TLS session resumption. The server rejects client data connections that do not perform the TLS session resumption client processing. Before you set the value to `ENFORCED` , test your clients.\n\n> Not all FTPS clients perform TLS session resumption. So, if you choose to enforce TLS session resumption, you prevent any connections from FTPS clients that don't perform the protocol negotiation. To determine whether or not you can use the `ENFORCED` value, you need to test your clients." }, - "AWS::Transfer::Server StructuredLogDestination": {}, + "AWS::Transfer::Server Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Server WorkflowDetail": { "ExecutionRole": "Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources", "WorkflowId": "A unique identifier for the workflow." @@ -35715,9 +39276,9 @@ "OnUpload": "A trigger that starts a workflow: the workflow begins to execute after a file is uploaded.\n\nTo remove an associated workflow from a server, you can provide an empty `OnUpload` object, as in the following example.\n\n`aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{\"OnUpload\":[]}'`" }, "AWS::Transfer::User": { - "HomeDirectory": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .", - "HomeDirectoryMappings": "Logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the \" `Entry` \" and \" `Target` \" pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your IAM role provides access to paths in `Target` . The following is an example.\n\n`'[ { \"Entry\": \"/\", \"Target\": \"/bucket3/customized-reports/\" } ]'`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set `Entry` to '/' and set `Target` to the HomeDirectory parameter value.\n\n> If the target of a logical directory entry does not exist in Amazon S3, the entry will be ignored. As a workaround, you can use the Amazon S3 API to create 0 byte objects as place holders for your directory. If using the CLI, use the `s3api` call instead of `s3` so you can use the put-object operation. For example, you use the following: `AWS s3api put-object --bucket bucketname --key path/to/folder/` . Make sure that the end of the key name ends in a '/' for it to be considered a folder.", - "HomeDirectoryType": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.", + "HomeDirectory": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", + "HomeDirectoryMappings": "Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the `Entry` and `Target` pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in `Target` . This value can be set only when `HomeDirectoryType` is set to *LOGICAL* .\n\nThe following is an `Entry` and `Target` pair example.\n\n`[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\" `chroot` \"). To do this, you can set `Entry` to `/` and set `Target` to the value the user should see for their home directory when they log in.\n\nThe following is an `Entry` and `Target` pair example for `chroot` .\n\n`[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`", + "HomeDirectoryType": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.\n\n> If `HomeDirectoryType` is `LOGICAL` , you must provide mappings, using the `HomeDirectoryMappings` parameter. If, on the other hand, `HomeDirectoryType` is `PATH` , you provide an absolute path using the `HomeDirectory` parameter. You cannot have both `HomeDirectory` and `HomeDirectoryMappings` in your template.", "Policy": "A session policy for your user so you can use the same IAM role across multiple users. This policy restricts user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include `${Transfer:UserName}` , `${Transfer:HomeDirectory}` , and `${Transfer:HomeBucket}` .\n\n> For session policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the `Policy` argument.\n> \n> For an example of a session policy, see [Example session policy](https://docs.aws.amazon.com/transfer/latest/userguide/session-policy.html) .\n> \n> For more information, see [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) in the *AWS Security Token Service API Reference* .", "PosixProfile": "Specifies the full POSIX identity, including user ID ( `Uid` ), group ID ( `Gid` ), and any secondary groups IDs ( `SecondaryGids` ), that controls your users' access to your Amazon Elastic File System (Amazon EFS) file systems. The POSIX permissions that are set on files and directories in your file system determine the level of access your users get when transferring files into and out of your Amazon EFS file systems.", "Role": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that controls your users' access to your Amazon S3 bucket or Amazon EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or Amazon EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.", @@ -35735,7 +39296,10 @@ "SecondaryGids": "The secondary POSIX group IDs used for all EFS operations by this user.", "Uid": "The POSIX user ID used for all EFS operations by this user." }, - "AWS::Transfer::User SshPublicKey": {}, + "AWS::Transfer::User Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Workflow": { "Description": "Specifies the text description for the workflow.", "OnExceptionSteps": "Specifies the steps (actions) to take if errors are encountered during execution of the workflow.", @@ -35784,6 +39348,10 @@ "Key": "The name assigned to the tag that you create.", "Value": "The value that corresponds to the key." }, + "AWS::Transfer::Workflow Tag": { + "Key": "The name assigned to the tag that you create.", + "Value": "Contains one or more values that you assigned to the key name you create." + }, "AWS::Transfer::Workflow TagStepDetails": { "Name": "The name of the step, used as an identifier.", "SourceFileLocation": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow.\n\n- To use the previous file as the input, enter `${previous.file}` . In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value.\n- To use the originally uploaded file location as input for this step, enter `${original.file}` .", @@ -35798,12 +39366,12 @@ "Type": "Currently, the following step types are supported.\n\n- *`COPY`* - Copy the file to another location.\n- *`CUSTOM`* - Perform a custom step with an AWS Lambda function target.\n- *`DECRYPT`* - Decrypt a file that was encrypted before it was uploaded.\n- *`DELETE`* - Delete the file.\n- *`TAG`* - Add a tag to the file." }, "AWS::VerifiedPermissions::IdentitySource": { - "Configuration": "Contains configuration information used when creating or updating an identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` .", - "PolicyStoreId": "Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.", - "PrincipalEntityType": "Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source." + "Configuration": "Contains configuration information used when creating a new .\n\n> At this time, the only valid member of this structure is a user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` . \n\nThis data type is used as a request parameter for the [CreateIdentitySource](https://docs.aws.amazon.com/API_CreateIdentitySource.html) operation.", + "PolicyStoreId": "Specifies the ID of the in which you want to store this . Only policies and requests made using this can reference identities from the identity provider configured in the new .", + "PrincipalEntityType": "Specifies the namespace and data type of the principals generated for identities authenticated by the new ." }, "AWS::VerifiedPermissions::IdentitySource CognitoUserPoolConfiguration": { - "ClientIds": "The unique application client IDs that are associated with the specified Amazon Cognito user pool.\n\nExample: `\"ClientIds\": [\"&ExampleCogClientId;\"]`", + "ClientIds": "The unique application client IDs that are associated with the specified user pool.\n\nExample: `\"ClientIds\": [\"&ExampleCogClientId;\"]`", "UserPoolArn": "The [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) of the Amazon Cognito user pool that contains the identities to be authorized." }, "AWS::VerifiedPermissions::IdentitySource IdentitySourceConfiguration": { @@ -35812,36 +39380,36 @@ "AWS::VerifiedPermissions::IdentitySource IdentitySourceDetails": { "ClientIds": "The application client IDs associated with the specified Amazon Cognito user pool that are enabled for this identity source.", "DiscoveryUrl": "The well-known URL that points to this user pool's OIDC discovery endpoint. This is a URL string in the following format. This URL replaces the placeholders for both the AWS Region and the user pool identifier with those appropriate for this user pool.\n\n`https://cognito-idp. ** .amazonaws.com/ ** /.well-known/openid-configuration`", - "OpenIdIssuer": "A string that identifies the type of OIDC service represented by this identity source.\n\nAt this time, the only valid value is `cognito` .", + "OpenIdIssuer": "A string that identifies the type of OIDC service represented by this .\n\nAt this time, the only valid value is `cognito` .", "UserPoolArn": "The [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) of the Amazon Cognito user pool whose identities are accessible to this Verified Permissions policy store." }, "AWS::VerifiedPermissions::Policy": { "Definition": "Specifies the policy type and content to use for the new or updated policy. The definition structure must include either a `Static` or a `TemplateLinked` element.", - "PolicyStoreId": "Specifies the `PolicyStoreId` of the policy store you want to store the policy in." + "PolicyStoreId": "Specifies the `PolicyStoreId` of the you want to store the policy in." }, "AWS::VerifiedPermissions::Policy EntityIdentifier": { "EntityId": "The identifier of an entity.\n\n`\"entityId\":\" *identifier* \"`", "EntityType": "The type of an entity.\n\nExample: `\"entityType\":\" *typeName* \"`" }, "AWS::VerifiedPermissions::Policy PolicyDefinition": { - "Static": "A structure that describes a static policy. An static policy doesn't use a template or allow placeholders for entities.", - "TemplateLinked": "A structure that describes a policy that was instantiated from a template. The template can specify placeholders for `principal` and `resource` . When you use [CreatePolicy](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicy.html) to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy." + "Static": "A structure that describes . An doesn't use a template or allow placeholders for entities.", + "TemplateLinked": "A structure that describes a policy that was instantiated from a template. The template can specify placeholders for `principal` and `resource` . When you use [CreatePolicy](https://docs.aws.amazon.com/API_CreatePolicy.html) to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy." }, "AWS::VerifiedPermissions::Policy StaticPolicyDefinition": { - "Description": "The description of the static policy.", - "Statement": "The policy content of the static policy, written in the Cedar policy language." + "Description": "The description of the .", + "Statement": "The policy content of the , written in the ." }, "AWS::VerifiedPermissions::Policy TemplateLinkedPolicyDefinition": { "PolicyTemplateId": "The unique identifier of the policy template used to create this policy.", - "Principal": "The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the `?principal` placeholder in the policy template when it evaluates an authorization request.", - "Resource": "The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the `?resource` placeholder in the policy template when it evaluates an authorization request." + "Principal": "The principal associated with this . substitutes this principal for the `?principal` placeholder in the when it evaluates an authorization request.", + "Resource": "The resource associated with this . substitutes this resource for the `?resource` placeholder in the when it evaluates an authorization request." }, "AWS::VerifiedPermissions::PolicyStore": { "Schema": "Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.", - "ValidationSettings": "Specifies the validation setting for this policy store.\n\nCurrently, the only valid and required value is `Mode` .\n\n> We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) . Then, when you have a schema defined, use [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) again to turn validation back on." + "ValidationSettings": "Specifies the validation setting for this .\n\nCurrently, the only valid and required value is `Mode` .\n\n> We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and rejects the policy. You can turn off validation by using the [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) . Then, when you have a schema defined, use [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) again to turn validation back on." }, "AWS::VerifiedPermissions::PolicyStore SchemaDefinition": { - "CedarJson": "A JSON string representation of the schema supported by applications that use this policy store. For more information, see [Policy store schema](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/schema.html) in the *Amazon Verified Permissions User Guide* ." + "CedarJson": "A JSON string representation of the schema supported by applications that use this . For more information, see [Policy store schema](https://docs.aws.amazon.com/schema.html) in the ** ." }, "AWS::VerifiedPermissions::PolicyStore ValidationSettings": { "Mode": "The validation mode currently configured for this policy store. The valid values are:\n\n- *OFF* \u2013 Neither Verified Permissions nor Cedar perform any validation on policies. No validation errors are reported by either service.\n- *STRICT* \u2013 Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.\n\n> If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against.\n> \n> To submit a static policy or policy template without a schema, you must turn off validation." @@ -35849,7 +39417,7 @@ "AWS::VerifiedPermissions::PolicyTemplate": { "Description": "The description to attach to the new or updated policy template.", "PolicyStoreId": "The unique identifier of the policy store that contains the template.", - "Statement": "Specifies the content that you want to use for the new policy template, written in the Cedar policy language." + "Statement": "Specifies the content that you want to use for the new , written in the policy language." }, "AWS::VoiceID::Domain": { "Description": "The description of the domain.", @@ -35860,43 +39428,55 @@ "AWS::VoiceID::Domain ServerSideEncryptionConfiguration": { "KmsKeyId": "The identifier of the KMS key to use to encrypt data stored by Voice ID. Voice ID doesn't support asymmetric customer managed keys ." }, + "AWS::VoiceID::Domain Tag": { + "Key": "The first part of a key:value pair that forms a tag associated with a given resource. For example, in the tag 'Department':'Sales', the key is 'Department'.", + "Value": "The second part of a key:value pair that forms a tag associated with a given resource. For example, in the tag 'Department':'Sales', the value is 'Sales'." + }, "AWS::VpcLattice::AccessLogSubscription": { "DestinationArn": "The Amazon Resource Name (ARN) of the destination. The supported destination types are CloudWatch Log groups, Kinesis Data Firehose delivery streams, and Amazon S3 buckets.", "ResourceIdentifier": "The ID or Amazon Resource Name (ARN) of the service network or service.", "Tags": "The tags for the access log subscription." }, + "AWS::VpcLattice::AccessLogSubscription Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::AuthPolicy": { "Policy": "The auth policy.", "ResourceIdentifier": "The ID or Amazon Resource Name (ARN) of the service network or service for which the policy is created." }, "AWS::VpcLattice::Listener": { - "DefaultAction": "The action for the default rule. Each listener has a default rule. Each rule consists of a priority, one or more actions, and one or more conditions. The default rule is the rule that's used if no other rules match. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "DefaultAction": "The action for the default rule. Each listener has a default rule. The default rule is used if no other rules match.", "Name": "The name of the listener. A listener name must be unique within a service. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", - "Port": "The listener port. You can specify a value from `1` to `65535` . For HTTP, the default is `80` . For HTTPS, the default is `443` .", - "Protocol": "The listener protocol HTTP or HTTPS.", + "Port": "The listener port. You can specify a value from 1 to 65535. For HTTP, the default is 80. For HTTPS, the default is 443.", + "Protocol": "The listener protocol.", "ServiceIdentifier": "The ID or Amazon Resource Name (ARN) of the service.", "Tags": "The tags for the listener." }, "AWS::VpcLattice::Listener DefaultAction": { - "FixedResponse": "Information about an action that returns a custom HTTP response.", + "FixedResponse": "Describes an action that returns a custom HTTP response.", "Forward": "Describes a forward action. You can use forward actions to route requests to one or more target groups." }, "AWS::VpcLattice::Listener FixedResponse": { "StatusCode": "The HTTP response code." }, "AWS::VpcLattice::Listener Forward": { - "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group." + "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group." + }, + "AWS::VpcLattice::Listener Tag": { + "Key": "", + "Value": "" }, "AWS::VpcLattice::Listener WeightedTargetGroup": { "TargetGroupIdentifier": "The ID of the target group.", - "Weight": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100." + "Weight": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100." }, "AWS::VpcLattice::ResourcePolicy": { "Policy": "The Amazon Resource Name (ARN) of the service network or service.", "ResourceArn": "An IAM policy." }, "AWS::VpcLattice::Rule": { - "Action": "Describes the action for a rule. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "Action": "Describes the action for a rule.", "ListenerIdentifier": "The ID or Amazon Resource Name (ARN) of the listener.", "Match": "The rule match.", "Name": "The name of the rule. The name must be unique within the listener. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", @@ -35905,24 +39485,24 @@ "Tags": "The tags for the rule." }, "AWS::VpcLattice::Rule Action": { - "FixedResponse": "Describes the rule action that returns a custom HTTP response.", + "FixedResponse": "The fixed response action. The rule returns a custom HTTP response.", "Forward": "The forward action. Traffic that matches the rule is forwarded to the specified target groups." }, "AWS::VpcLattice::Rule FixedResponse": { "StatusCode": "The HTTP response code." }, "AWS::VpcLattice::Rule Forward": { - "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group." + "TargetGroups": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group." }, "AWS::VpcLattice::Rule HeaderMatch": { - "CaseSensitive": "Indicates whether the match is case sensitive. Defaults to false.", + "CaseSensitive": "Indicates whether the match is case sensitive.", "Match": "The header match type.", "Name": "The name of the header." }, "AWS::VpcLattice::Rule HeaderMatchType": { - "Contains": "Specifies a contains type match.", - "Exact": "Specifies an exact type match.", - "Prefix": "Specifies a prefix type match. Matches the value with the prefix." + "Contains": "A contains type match.", + "Exact": "An exact type match.", + "Prefix": "A prefix type match. Matches the value with the prefix." }, "AWS::VpcLattice::Rule HttpMatch": { "HeaderMatches": "The header matches. Matches incoming requests with rule based on request header value before applying rule action.", @@ -35933,22 +39513,26 @@ "HttpMatch": "The HTTP criteria that a rule must match." }, "AWS::VpcLattice::Rule PathMatch": { - "CaseSensitive": "Indicates whether the match is case sensitive. Defaults to false.", + "CaseSensitive": "Indicates whether the match is case sensitive.", "Match": "The type of path match." }, "AWS::VpcLattice::Rule PathMatchType": { "Exact": "An exact match of the path.", "Prefix": "A prefix match of the path." }, + "AWS::VpcLattice::Rule Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::Rule WeightedTargetGroup": { "TargetGroupIdentifier": "The ID of the target group.", - "Weight": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100." + "Weight": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100." }, "AWS::VpcLattice::Service": { "AuthType": "The type of IAM policy.\n\n- `NONE` : The resource does not use an IAM policy. This is the default.\n- `AWS_IAM` : The resource uses an IAM policy. When this type is used, auth is enabled and an auth policy is required.", "CertificateArn": "The Amazon Resource Name (ARN) of the certificate.", "CustomDomainName": "The custom domain name of the service.", - "DnsEntry": "", + "DnsEntry": "The DNS information of the service.", "Name": "The name of the service. The name must be unique within the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", "Tags": "The tags for the service." }, @@ -35956,13 +39540,21 @@ "DomainName": "The domain name of the service.", "HostedZoneId": "The ID of the hosted zone." }, + "AWS::VpcLattice::Service Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::ServiceNetwork": { "AuthType": "The type of IAM policy.\n\n- `NONE` : The resource does not use an IAM policy. This is the default.\n- `AWS_IAM` : The resource uses an IAM policy. When this type is used, auth is enabled and an auth policy is required.", "Name": "The name of the service network. The name must be unique to the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", "Tags": "The tags for the service network." }, + "AWS::VpcLattice::ServiceNetwork Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::ServiceNetworkServiceAssociation": { - "DnsEntry": "", + "DnsEntry": "The DNS information of the service.", "ServiceIdentifier": "The ID or Amazon Resource Name (ARN) of the service.", "ServiceNetworkIdentifier": "The ID or Amazon Resource Name (ARN) of the service network. You must use the ARN if the resources specified in the operation are in different accounts.", "Tags": "The tags for the association." @@ -35971,14 +39563,22 @@ "DomainName": "The domain name of the service.", "HostedZoneId": "The ID of the hosted zone." }, + "AWS::VpcLattice::ServiceNetworkServiceAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::ServiceNetworkVpcAssociation": { "SecurityGroupIds": "The IDs of the security groups. Security groups aren't added by default. You can add a security group to apply network level controls to control which resources in a VPC are allowed to access the service network and its services. For more information, see [Control traffic to resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon VPC User Guide* .", "ServiceNetworkIdentifier": "The ID or Amazon Resource Name (ARN) of the service network. You must use the ARN when the resources specified in the operation are in different accounts.", "Tags": "The tags for the association.", "VpcIdentifier": "The ID of the VPC." }, + "AWS::VpcLattice::ServiceNetworkVpcAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::TargetGroup": { - "Config": "The target group configuration. If `type` is set to `LAMBDA` , this parameter doesn't apply.", + "Config": "The target group configuration.", "Name": "The name of the target group. The name must be unique within the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.\n\nIf you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.", "Tags": "The tags for the target group.", "Targets": "Describes a target.", @@ -35989,7 +39589,7 @@ "HealthCheckIntervalSeconds": "The approximate amount of time, in seconds, between health checks of an individual target. The range is 5\u2013300 seconds. The default is 30 seconds.", "HealthCheckTimeoutSeconds": "The amount of time, in seconds, to wait before reporting a target as unhealthy. The range is 1\u2013120 seconds. The default is 5 seconds.", "HealthyThresholdCount": "The number of consecutive successful health checks required before considering an unhealthy target healthy. The range is 2\u201310. The default is 5.", - "Matcher": "The codes to use when checking for a successful response from a target. These are called *Success codes* in the console.", + "Matcher": "The codes to use when checking for a successful response from a target.", "Path": "The destination for health checks on the targets. If the protocol version is `HTTP/1.1` or `HTTP/2` , specify a valid URI (for example, `/path?query` ). The default path is `/` . Health checks are not supported if the protocol version is `gRPC` , however, you can choose `HTTP/1.1` or `HTTP/2` and specify a valid URI.", "Port": "The port used when performing health checks on targets. The default setting is the port that a target receives traffic on.", "Protocol": "The protocol used when performing health checks on targets. The possible protocols are `HTTP` and `HTTPS` . The default is `HTTP` .", @@ -35999,17 +39599,22 @@ "AWS::VpcLattice::TargetGroup Matcher": { "HttpCode": "The HTTP code to use when checking for a successful response from a target." }, + "AWS::VpcLattice::TargetGroup Tag": { + "Key": "", + "Value": "" + }, "AWS::VpcLattice::TargetGroup Target": { - "Id": "The ID of the target. If the target type of the target group is `INSTANCE` , this is an instance ID. If the target type is `IP` , this is an IP address. If the target type is `LAMBDA` , this is the ARN of the Lambda function. If the target type is `ALB` , this is the ARN of the Application Load Balancer.", - "Port": "The port on which the target is listening. For HTTP, the default is `80` . For HTTPS, the default is `443` ." + "Id": "The ID of the target. If the target group type is `INSTANCE` , this is an instance ID. If the target group type is `IP` , this is an IP address. If the target group type is `LAMBDA` , this is the ARN of a Lambda function. If the target group type is `ALB` , this is the ARN of an Application Load Balancer.", + "Port": "The port on which the target is listening. For HTTP, the default is 80. For HTTPS, the default is 443." }, "AWS::VpcLattice::TargetGroup TargetGroupConfig": { - "HealthCheck": "The health check configuration.", - "IpAddressType": "The type of IP address used for the target group. The possible values are `ipv4` and `ipv6` . This is an optional parameter. If not specified, the IP address type defaults to `ipv4` .", - "Port": "The port on which the targets are listening. For HTTP, the default is `80` . For HTTPS, the default is `443`", - "Protocol": "The protocol to use for routing traffic to the targets. Default is the protocol of a target group.", - "ProtocolVersion": "The protocol version. Default value is `HTTP1` .", - "VpcIdentifier": "The ID of the VPC." + "HealthCheck": "The health check configuration. Not supported if the target group type is `LAMBDA` or `ALB` .", + "IpAddressType": "The type of IP address used for the target group. Supported only if the target group type is `IP` . The default is `IPV4` .", + "LambdaEventStructureVersion": "The version of the event structure that your Lambda function receives. Supported only if the target group type is `LAMBDA` . The default is `V1` .", + "Port": "The port on which the targets are listening. For HTTP, the default is 80. For HTTPS, the default is 443. Not supported if the target group type is `LAMBDA` .", + "Protocol": "The protocol to use for routing traffic to the targets. The default is the protocol of the target group. Not supported if the target group type is `LAMBDA` .", + "ProtocolVersion": "The protocol version. The default is `HTTP1` . Not supported if the target group type is `LAMBDA` .", + "VpcIdentifier": "The ID of the VPC. Not supported if the target group type is `LAMBDA` ." }, "AWS::WAF::ByteMatchSet": { "ByteMatchTuples": "Specifies the bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings.", @@ -36210,13 +39815,17 @@ "TextTransformation": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF . If you specify a transformation, AWS WAF performs the transformation on `FieldToMatch` before inspecting it for a match.\n\nYou can only specify a single type of TextTransformation.\n\n*CMD_LINE*\n\nWhen you're concerned that attackers are injecting an operating system command line command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:\n\n- Delete the following characters: \\ \" ' ^\n- Delete spaces before the following characters: / (\n- Replace the following characters with a space: , ;\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE*\n\nUse this option to replace the following characters with a space character (decimal 32):\n\n- \\f, formfeed, decimal 12\n- \\t, tab, decimal 9\n- \\n, newline, decimal 10\n- \\r, carriage return, decimal 13\n- \\v, vertical tab, decimal 11\n- non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*HTML_ENTITY_DECODE*\n\nUse this option to replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs the following operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*LOWERCASE*\n\nUse this option to convert uppercase letters (A-Z) to lowercase (a-z).\n\n*URL_DECODE*\n\nUse this option to decode a URL-encoded value.\n\n*NONE*\n\nSpecify `NONE` if you don't want to perform any text transformations." }, "AWS::WAFv2::IPSet": { - "Addresses": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", + "Addresses": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want AWS WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- For requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- For requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- For requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- For requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", "Description": "A description of the IP set that helps with identification.", "IPAddressVersion": "The version of the IP addresses, either `IPV4` or `IPV6` .", "Name": "The name of the IP set. You cannot change the name of an `IPSet` after you create it.", "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation." }, + "AWS::WAFv2::IPSet Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::WAFv2::LoggingConfiguration": { "LogDestinationConfigs": "The logging destination configuration that you want to associate with the web ACL.\n\n> You can associate one logging destination to a web ACL.", "LoggingFilter": "Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.", @@ -36245,7 +39854,7 @@ "AWS::WAFv2::LoggingConfiguration JsonBody": { "InvalidFallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\nAWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array.\n\nAWS WAF parses the JSON in the following examples as two valid key, value pairs:\n\n- Missing comma: `{\"key1\":\"value1\"\"key2\":\"value2\"}`\n- Missing colon: `{\"key1\":\"value1\",\"key2\"\"value2\"}`\n- Extra colons: `{\"key1\"::\"value1\",\"key2\"\"value2\"}`", "MatchPattern": "The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.", - "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values." + "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values." }, "AWS::WAFv2::LoggingConfiguration LabelNameCondition": { "LabelName": "The label name that a log record must contain in order to meet the condition. This must be a fully qualified label name. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label." @@ -36268,6 +39877,10 @@ "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation." }, + "AWS::WAFv2::RegexPatternSet Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::WAFv2::RuleGroup": { "AvailableLabels": "The labels that one or more rules in this rule group add to matching web requests. These labels are defined in the `RuleLabels` for a `Rule` .", "Capacity": "The web ACL capacity units (WCUs) required for this rule group.\n\nWhen you create your own rule group, you define this, and you cannot change it after creation. When you add or modify the rules in a rule group, AWS WAF enforces this limit.\n\nAWS WAF uses WCUs to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. AWS WAF calculates capacity differently for each rule type, to reflect the relative cost of each rule. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. Rule group capacity is fixed at creation, which helps users plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.", @@ -36290,7 +39903,7 @@ "CustomResponse": "Defines a custom response for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::RuleGroup Body": { - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::RuleGroup ByteMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", @@ -36318,7 +39931,7 @@ }, "AWS::WAFv2::RuleGroup Cookies": { "MatchPattern": "The filter to use to identify the subset of cookies to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedCookies` , or `ExcludedCookies` .\n\nExample JSON: `\"MatchPattern\": { \"IncludedCookies\": [ \"session-id-time\", \"session-id\" ] }`", - "MatchScope": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "MatchScope": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "OversizeHandling": "What AWS WAF should do if the cookies of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available cookies normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::RuleGroup CountAction": { @@ -36334,7 +39947,7 @@ "AWS::WAFv2::RuleGroup CustomResponse": { "CustomResponseBodyKey": "References the response body that you want AWS WAF to return to the web request client. You can define a custom response for a rule action or a default web ACL action that is set to block. To do this, you first define the response body key and value in the `CustomResponseBodies` setting for the `WebACL` or `RuleGroup` where you want to use it. Then, in the rule action or web ACL default action `BlockAction` setting, you reference the response body using this key.", "ResponseCode": "The HTTP status code to return to the client.\n\nFor a list of status codes that you can use in your custom responses, see [Supported status codes for custom response](https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-status-codes.html) in the *AWS WAF Developer Guide* .", - "ResponseHeaders": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* ." + "ResponseHeaders": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::RuleGroup CustomResponseBody": { "Content": "The payload of the custom response.\n\nYou can use JSON escape strings in JSON content. To do this, you must specify JSON content in the `ContentType` setting.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", @@ -36342,10 +39955,10 @@ }, "AWS::WAFv2::RuleGroup FieldToMatch": { "AllQueryArguments": "Inspect all query arguments.", - "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "Cookies": "Inspect the request cookies. You must configure scope and pattern matching filters in the `Cookies` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the `Cookies` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.", "Headers": "Inspect the request headers. You must configure scope and pattern matching filters in the `Headers` object, to define the set of headers to and the parts of the headers that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the `Headers` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.", - "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "Method": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.", "QueryString": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.", "SingleHeader": "Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` . This setting isn't case sensitive.\n\nExample JSON: `\"SingleHeader\": { \"Name\": \"haystack\" }`\n\nAlternately, you can filter and inspect all headers with the `Headers` `FieldToMatch` setting.", @@ -36367,7 +39980,7 @@ }, "AWS::WAFv2::RuleGroup Headers": { "MatchPattern": "The filter to use to identify the subset of headers to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedHeaders` , or `ExcludedHeaders` .\n\nExample JSON: `\"MatchPattern\": { \"ExcludedHeaders\": [ \"KeyToExclude1\", \"KeyToExclude2\" ] }`", - "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "OversizeHandling": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::RuleGroup IPSetForwardedIPConfiguration": { @@ -36385,8 +39998,8 @@ "AWS::WAFv2::RuleGroup JsonBody": { "InvalidFallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\nAWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array.\n\nAWS WAF parses the JSON in the following examples as two valid key, value pairs:\n\n- Missing comma: `{\"key1\":\"value1\"\"key2\":\"value2\"}`\n- Missing colon: `{\"key1\":\"value1\",\"key2\"\"value2\"}`\n- Extra colons: `{\"key1\"::\"value1\",\"key2\"\"value2\"}`", "MatchPattern": "The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.", - "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::RuleGroup JsonMatchPattern": { "All": "Match all of the elements. See also `MatchScope` in the `JsonBody` `FieldToMatch` specification.\n\nYou must specify either this setting or the `IncludedPaths` setting, but not both.", @@ -36409,10 +40022,43 @@ "Statements": "The statements to combine with OR logic. You can use any statements that can be nested." }, "AWS::WAFv2::RuleGroup RateBasedStatement": { - "AggregateKeyType": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "AggregateKeyType": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", + "CustomKeys": "Specifies the aggregate keys to use in a rate-base rule.", "ForwardedIPConfig": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.\n\n> If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. \n\nThis is required if you specify a forwarded IP in the rule's aggregate key settings.", - "Limit": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", - "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." + "Limit": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", + "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." + }, + "AWS::WAFv2::RuleGroup RateBasedStatementCustomKey": { + "Cookie": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "ForwardedIP": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "HTTPMethod": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "Header": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "IP": "Use the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "LabelNamespace": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "QueryArgument": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "QueryString": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "UriPath": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance." + }, + "AWS::WAFv2::RuleGroup RateLimitCookie": { + "Name": "The name of the cookie to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::RuleGroup RateLimitHeader": { + "Name": "The name of the header to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::RuleGroup RateLimitLabelNamespace": { + "Namespace": "The namespace to use for aggregation." + }, + "AWS::WAFv2::RuleGroup RateLimitQueryArgument": { + "Name": "The name of the query argument to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::RuleGroup RateLimitQueryString": { + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::RuleGroup RateLimitUriPath": { + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." }, "AWS::WAFv2::RuleGroup RegexMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", @@ -36428,11 +40074,11 @@ "Action": "The action that AWS WAF should take on a web request when it matches the rule statement. Settings at the web ACL level can override the rule action setting.", "CaptchaConfig": "Specifies how AWS WAF should handle `CAPTCHA` evaluations. If you don't specify this, AWS WAF uses the `CAPTCHA` configuration that's defined for the web ACL.", "ChallengeConfig": "Specifies how AWS WAF should handle `Challenge` evaluations. If you don't specify this, AWS WAF uses the challenge configuration that's defined for the web ACL.", - "Name": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "Name": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "Priority": "If you define more than one `Rule` in a `WebACL` , AWS WAF evaluates each request against the `Rules` in order based on the value of `Priority` . AWS WAF processes rules with lower priority first. The priorities don't need to be consecutive, but they must all be different.", "RuleLabels": "Labels to apply to web requests that match the rule match statement. AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace.\n\nRules that run after this rule in the web ACL can match against these labels using a `LabelMatchStatement` .\n\nFor each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines:\n\n- Separate each component of the label with a colon.\n- Each namespace or name can have up to 128 characters.\n- You can specify up to 5 namespaces in a label.\n- Don't use the following reserved words in your label specification: `aws` , `waf` , `managed` , `rulegroup` , `webacl` , `regexpatternset` , or `ipset` .\n\nFor example, `myLabelName` or `nameSpace1:nameSpace2:myLabelName` .", "Statement": "The AWS WAF processing statement for the rule, for example `ByteMatchStatement` or `SizeConstraintStatement` .", - "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection." + "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name." }, "AWS::WAFv2::RuleGroup RuleAction": { "Allow": "Instructs AWS WAF to allow the web request.", @@ -36466,16 +40112,20 @@ "LabelMatchStatement": "A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL.\n\nThe label match statement provides the label or namespace string to search for. The label string can represent a part or all of the fully qualified label name that had been added to the web request. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. If you do not provide the fully qualified name in your label match string, AWS WAF performs the search for labels that were added in the same context as the label match statement.", "NotStatement": "A logical rule statement used to negate the results of another rule statement. You provide one `Statement` within the `NotStatement` .", "OrStatement": "A logical rule statement used to combine other rule statements with OR logic. You provide more than one `Statement` within the `OrStatement` .", - "RateBasedStatement": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "RateBasedStatement": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "RegexMatchStatement": "A rule statement used to search web request components for a match against a single regular expression.", "RegexPatternSetReferenceStatement": "A rule statement used to search web request components for matches with regular expressions. To use this, create a `RegexPatternSet` that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set.\n\nEach regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.", - "SizeConstraintStatement": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "SizeConstraintStatement": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "SqliMatchStatement": "A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.", "XssMatchStatement": "A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers." }, + "AWS::WAFv2::RuleGroup Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::WAFv2::RuleGroup TextTransformation": { "Priority": "Sets the relative processing order for multiple transformations. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. The priorities don't need to be consecutive, but they must all be different.", - "Type": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages." + "Type": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::RuleGroup VisibilityConfig": { "CloudWatchMetricsEnabled": "Indicates whether the associated resource sends metrics to Amazon CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics) in the *AWS WAF Developer Guide* .\n\nFor web ACLs, the metrics are for web requests that have the web ACL default action applied. AWS WAF applies the default action to web requests that pass the inspection of all rules in the web ACL without being either allowed or blocked. For more information,\nsee [The web ACL default action](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html) in the *AWS WAF Developer Guide* .", @@ -36487,26 +40137,35 @@ "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. If you specify one or more transformations in a rule statement, AWS WAF performs all transformations on the content of the request component identified by `FieldToMatch` , starting from the lowest priority setting, before inspecting the content for a match." }, "AWS::WAFv2::WebACL": { - "AssociationConfig": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "AssociationConfig": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "CaptchaConfig": "Specifies how AWS WAF should handle `CAPTCHA` evaluations for rules that don't have their own `CaptchaConfig` settings. If you don't specify this, AWS WAF uses its default settings for `CaptchaConfig` .", "ChallengeConfig": "Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own `ChallengeConfig` settings. If you don't specify this, AWS WAF uses its default settings for `ChallengeConfig` .", "CustomResponseBodies": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* .\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "DefaultAction": "The action to perform if none of the `Rules` contained in the `WebACL` match.", "Description": "A description of the web ACL that helps with identification.", "Name": "The name of the web ACL. You cannot change the name of a web ACL after you create it.", - "Rules": "The rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", + "Rules": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", "Scope": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are `CLOUDFRONT` and `REGIONAL` .\n\n> For `CLOUDFRONT` , you must create your WAFv2 resources in the US East (N. Virginia) Region, `us-east-1` . \n\nFor information about how to define the association of the web ACL with your resource, see `WebACLAssociation` .", "Tags": "Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.\n\n> To modify tags on existing resources, use the AWS WAF APIs or command line interface. With AWS CloudFormation , you can only add tags to AWS WAF resources during resource creation.", "TokenDomains": "Specifies the domains that AWS WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When AWS WAF provides a token, it uses the domain of the AWS resource that the web ACL is protecting. If you don't specify a list of token domains, AWS WAF accepts tokens only for the domain of the protected resource. With a token domain list, AWS WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.", "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection." }, + "AWS::WAFv2::WebACL AWSManagedRulesACFPRuleSet": { + "CreationPath": "The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept `POST` requests.\n\nFor example, for the URL `https://example.com/web/newaccount` , you would provide the path `/web/newaccount` . Account creation page paths that start with the path that you provide are considered a match. For example `/web/newaccount` matches the account creation paths `/web/newaccount` , `/web/newaccount/` , `/web/newaccountPage` , and `/web/newaccount/thisPage` , but doesn't match the path `/home/web/newaccount` or `/website/newaccount` .", + "EnableRegexInPath": "Allow the use of regular expressions in the registration page path and the account creation path.", + "RegistrationPagePath": "The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users.\n\n> This page must accept `GET` text/html requests. \n\nFor example, for the URL `https://example.com/web/registration` , you would provide the path `/web/registration` . Registration page paths that start with the path that you provide are considered a match. For example `/web/registration` matches the registration paths `/web/registration` , `/web/registration/` , `/web/registrationPage` , and `/web/registration/thisPage` , but doesn't match the path `/home/web/registration` or `/website/registration` .", + "RequestInspection": "The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.", + "ResponseInspection": "The criteria for inspecting responses to account creation requests, used by the ACFP rule group to track account creation success rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ACFP rule group evaluates the responses that your protected resources send back to client account creation attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many successful account creation attempts in a short amount of time." + }, "AWS::WAFv2::WebACL AWSManagedRulesATPRuleSet": { - "LoginPath": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", + "EnableRegexInPath": "Allow the use of regular expressions in the login page path.", + "LoginPath": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` . Login paths that start with the path that you provide are considered a match. For example `/web/login` matches the login paths `/web/login` , `/web/login/` , `/web/loginPage` , and `/web/login/thisPage` , but doesn't match the login path `/home/web/login` or `/website/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", "RequestInspection": "The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.", - "ResponseInspection": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions." + "ResponseInspection": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time." }, "AWS::WAFv2::WebACL AWSManagedRulesBotControlRuleSet": { - "InspectionLevel": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) ." + "EnableMachineLearning": "Applies only to the targeted inspection level.\n\nDetermines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules `TGT_ML_CoordinatedActivityLow` and `TGT_ML_CoordinatedActivityMedium` , which\ninspect for anomalous behavior that might indicate distributed, coordinated bot activity.\n\nFor more information about this choice, see the listing for these rules in the table at [Bot Control rules listing](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules) in the *AWS WAF Developer Guide* .\n\nDefault: `TRUE`", + "InspectionLevel": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::WebACL AllowAction": { "CustomRequestHandling": "Defines custom handling for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." @@ -36515,13 +40174,13 @@ "Statements": "The statements to combine with AND logic. You can use any statements that can be nested." }, "AWS::WAFv2::WebACL AssociationConfig": { - "RequestBody": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) ." + "RequestBody": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) ." }, "AWS::WAFv2::WebACL BlockAction": { "CustomResponse": "Defines a custom response for the web request.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::WebACL Body": { - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::WebACL ByteMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", @@ -36537,7 +40196,7 @@ "ImmunityTimeProperty": "Determines how long a `CAPTCHA` timestamp in the token remains valid after the client successfully solves a `CAPTCHA` puzzle." }, "AWS::WAFv2::WebACL ChallengeAction": { - "CustomRequestHandling": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) ." + "CustomRequestHandling": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) ." }, "AWS::WAFv2::WebACL ChallengeConfig": { "ImmunityTimeProperty": "Determines how long a challenge timestamp in the token remains valid after the client successfully responds to a challenge." @@ -36549,7 +40208,7 @@ }, "AWS::WAFv2::WebACL Cookies": { "MatchPattern": "The filter to use to identify the subset of cookies to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedCookies` , or `ExcludedCookies` .\n\nExample JSON: `\"MatchPattern\": { \"IncludedCookies\": [ \"session-id-time\", \"session-id\" ] }`", - "MatchScope": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "MatchScope": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "OversizeHandling": "What AWS WAF should do if the cookies of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available cookies normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::WebACL CountAction": { @@ -36565,7 +40224,7 @@ "AWS::WAFv2::WebACL CustomResponse": { "CustomResponseBodyKey": "References the response body that you want AWS WAF to return to the web request client. You can define a custom response for a rule action or a default web ACL action that is set to block. To do this, you first define the response body key and value in the `CustomResponseBodies` setting for the `WebACL` or `RuleGroup` where you want to use it. Then, in the rule action or web ACL default action `BlockAction` setting, you reference the response body using this key.", "ResponseCode": "The HTTP status code to return to the client.\n\nFor a list of status codes that you can use in your custom responses, see [Supported status codes for custom response](https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-status-codes.html) in the *AWS WAF Developer Guide* .", - "ResponseHeaders": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* ." + "ResponseHeaders": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::WebACL CustomResponseBody": { "Content": "The payload of the custom response.\n\nYou can use JSON escape strings in JSON content. To do this, you must specify JSON content in the `ContentType` setting.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", @@ -36579,14 +40238,14 @@ "Name": "The name of the rule whose action you want to override to `Count` ." }, "AWS::WAFv2::WebACL FieldIdentifier": { - "Identifier": "The name of the username or password field, used in the `ManagedRuleGroupConfig` settings.\n\nWhen the `PayloadType` is `JSON` , the identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` ." + "Identifier": "The name of the field.\n\nWhen the `PayloadType` in the request inspection is `JSON` , this identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .\n\nFor more information, see the descriptions for each field type in the request inspection properties." }, "AWS::WAFv2::WebACL FieldToMatch": { "AllQueryArguments": "Inspect all query arguments.", - "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "Body": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "Cookies": "Inspect the request cookies. You must configure scope and pattern matching filters in the `Cookies` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the `Cookies` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.", "Headers": "Inspect the request headers. You must configure scope and pattern matching filters in the `Headers` object, to define the set of headers to and the parts of the headers that AWS WAF inspects.\n\nOnly the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the `Headers` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.", - "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "JsonBody": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "Method": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.", "QueryString": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.", "SingleHeader": "Inspect a single header. Provide the name of the header to inspect, for example, `User-Agent` or `Referer` . This setting isn't case sensitive.\n\nExample JSON: `\"SingleHeader\": { \"Name\": \"haystack\" }`\n\nAlternately, you can filter and inspect all headers with the `Headers` `FieldToMatch` setting.", @@ -36608,7 +40267,7 @@ }, "AWS::WAFv2::WebACL Headers": { "MatchPattern": "The filter to use to identify the subset of headers to inspect in a web request.\n\nYou must specify exactly one setting: either `All` , `IncludedHeaders` , or `ExcludedHeaders` .\n\nExample JSON: `\"MatchPattern\": { \"ExcludedHeaders\": [ \"KeyToExclude1\", \"KeyToExclude2\" ] }`", - "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "MatchScope": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "OversizeHandling": "What AWS WAF should do if the headers of the request are more numerous or larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to AWS WAF .\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available headers normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement." }, "AWS::WAFv2::WebACL IPSetForwardedIPConfiguration": { @@ -36626,8 +40285,8 @@ "AWS::WAFv2::WebACL JsonBody": { "InvalidFallbackBehavior": "What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:\n\n- `EVALUATE_AS_STRING` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nIf you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters.\n\nAWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array.\n\nAWS WAF parses the JSON in the following examples as two valid key, value pairs:\n\n- Missing comma: `{\"key1\":\"value1\"\"key2\":\"value2\"}`\n- Missing colon: `{\"key1\":\"value1\",\"key2\"\"value2\"}`\n- Extra colons: `{\"key1\"::\"value1\",\"key2\"\"value2\"}`", "MatchPattern": "The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.", - "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", - "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" + "MatchScope": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", + "OversizeHandling": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`" }, "AWS::WAFv2::WebACL JsonMatchPattern": { "All": "Match all of the elements. See also `MatchScope` in the `JsonBody` `FieldToMatch` specification.\n\nYou must specify either this setting or the `IncludedPaths` setting, but not both.", @@ -36641,16 +40300,17 @@ "Scope": "Specify whether you want to match using the label name or just the namespace." }, "AWS::WAFv2::WebACL ManagedRuleGroupConfig": { + "AWSManagedRulesACFPRuleSet": "Additional configuration for using the account creation fraud prevention (ACFP) managed rule group, `AWSManagedRulesACFPRuleSet` . Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests.\n\nFor information about using the ACFP managed rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-acfp.html) and [AWS WAF Fraud Control account creation fraud prevention (ACFP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-acfp.html) in the *AWS WAF Developer Guide* .", "AWSManagedRulesATPRuleSet": "Additional configuration for using the account takeover prevention (ATP) managed rule group, `AWSManagedRulesATPRuleSet` . Use this to provide login request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to login requests.\n\nThis configuration replaces the individual configuration fields in `ManagedRuleGroupConfig` and provides additional feature configuration.\n\nFor information about using the ATP managed rule group, see [AWS WAF Fraud Control account takeover prevention (ATP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-atp.html) and [AWS WAF Fraud Control account takeover prevention (ATP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-atp.html) in the *AWS WAF Developer Guide* .", "AWSManagedRulesBotControlRuleSet": "Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. For information about using the Bot Control managed rule group, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) and [AWS WAF Bot Control](https://docs.aws.amazon.com/waf/latest/developerguide/waf-bot-control.html) in the *AWS WAF Developer Guide* .", "LoginPath": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` .", - "PasswordField": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", - "PayloadType": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", - "UsernameField": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` ." + "PasswordField": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", + "PayloadType": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", + "UsernameField": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` ." }, "AWS::WAFv2::WebACL ManagedRuleGroupStatement": { "ExcludedRules": "Rules in the referenced rule group whose actions are set to `Count` .\n\n> Instead of this option, use `RuleActionOverrides` . It accepts any valid action setting, including `Count` .", - "ManagedRuleGroupConfigs": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nUse the `AWSManagedRulesATPRuleSet` configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.\n\nUse the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "ManagedRuleGroupConfigs": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "Name": "The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.", "RuleActionOverrides": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change.\n\nYou can use overrides for testing, for example you can override all of rule actions to `Count` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.", "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group. Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", @@ -36668,10 +40328,43 @@ "None": "Don't override the rule group evaluation result. This is the most common setting." }, "AWS::WAFv2::WebACL RateBasedStatement": { - "AggregateKeyType": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "AggregateKeyType": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", + "CustomKeys": "Specifies the aggregate keys to use in a rate-base rule.", "ForwardedIPConfig": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.\n\n> If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. \n\nThis is required if you specify a forwarded IP in the rule's aggregate key settings.", - "Limit": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", - "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." + "Limit": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", + "ScopeDownStatement": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement." + }, + "AWS::WAFv2::WebACL RateBasedStatementCustomKey": { + "Cookie": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "ForwardedIP": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "HTTPMethod": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "Header": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "IP": "Use the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "LabelNamespace": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "QueryArgument": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "QueryString": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "UriPath": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance." + }, + "AWS::WAFv2::WebACL RateLimitCookie": { + "Name": "The name of the cookie to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::WebACL RateLimitHeader": { + "Name": "The name of the header to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::WebACL RateLimitLabelNamespace": { + "Namespace": "The namespace to use for aggregation." + }, + "AWS::WAFv2::WebACL RateLimitQueryArgument": { + "Name": "The name of the query argument to use.", + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::WebACL RateLimitQueryString": { + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." + }, + "AWS::WAFv2::WebACL RateLimitUriPath": { + "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents." }, "AWS::WAFv2::WebACL RegexMatchStatement": { "FieldToMatch": "The part of the web request that you want AWS WAF to inspect.", @@ -36684,47 +40377,55 @@ "TextTransformations": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. If you specify one or more transformations in a rule statement, AWS WAF performs all transformations on the content of the request component identified by `FieldToMatch` , starting from the lowest priority setting, before inspecting the content for a match." }, "AWS::WAFv2::WebACL RequestBodyAssociatedResourceTypeConfig": { - "DefaultSizeInspectionLimit": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 kilobytes)`" + "DefaultSizeInspectionLimit": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 bytes)`" }, "AWS::WAFv2::WebACL RequestInspection": { "PasswordField": "The name of the field in the request payload that contains your customer's password.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"password\": \"THE_PASSWORD\" } }` , the password field specification is `/form/password` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `password1` , the password field specification is `password1` .", "PayloadType": "The payload type for your login endpoint, either JSON or form encoded.", "UsernameField": "The name of the field in the request payload that contains your customer's username.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"username\": \"THE_USERNAME\" } }` , the username field specification is `/form/username` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `username1` , the username field specification is `username1`" }, + "AWS::WAFv2::WebACL RequestInspectionACFP": { + "AddressFields": "The names of the fields in the request payload that contain your customer's primary physical address.\n\nOrder the address fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the address fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryaddressline1\": \"THE_ADDRESS1\", \"primaryaddressline2\": \"THE_ADDRESS2\", \"primaryaddressline3\": \"THE_ADDRESS3\" } }` , the address field idenfiers are `/form/primaryaddressline1` , `/form/primaryaddressline2` , and `/form/primaryaddressline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` , the address fields identifiers are `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` .", + "EmailField": "The name of the field in the request payload that contains your customer's email.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"email\": \"THE_EMAIL\" } }` , the email field specification is `/form/email` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `email1` , the email field specification is `email1` .", + "PasswordField": "The name of the field in the request payload that contains your customer's password.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"password\": \"THE_PASSWORD\" } }` , the password field specification is `/form/password` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `password1` , the password field specification is `password1` .", + "PayloadType": "The payload type for your account creation endpoint, either JSON or form encoded.", + "PhoneNumberFields": "The names of the fields in the request payload that contain your customer's primary phone number.\n\nOrder the phone number fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the phone number fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryphoneline1\": \"THE_PHONE1\", \"primaryphoneline2\": \"THE_PHONE2\", \"primaryphoneline3\": \"THE_PHONE3\" } }` , the phone number field identifiers are `/form/primaryphoneline1` , `/form/primaryphoneline2` , and `/form/primaryphoneline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` , the phone number field identifiers are `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` .", + "UsernameField": "The name of the field in the request payload that contains your customer's username.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"username\": \"THE_USERNAME\" } }` , the username field specification is `/form/username` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `username1` , the username field specification is `username1`" + }, "AWS::WAFv2::WebACL ResponseInspection": { - "BodyContains": "Configures inspection of the response body. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", - "Header": "Configures inspection of the response header.", - "Json": "Configures inspection of the response JSON. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", - "StatusCode": "Configures inspection of the response status code." + "BodyContains": "Configures inspection of the response body for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", + "Header": "Configures inspection of the response header for success and failure indicators.", + "Json": "Configures inspection of the response JSON for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", + "StatusCode": "Configures inspection of the response status code for success and failure indicators." }, "AWS::WAFv2::WebACL ResponseInspectionBodyContains": { - "FailureStrings": "Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Login failed\" ]`", - "SuccessStrings": "Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"SuccessStrings\": [ \"Login successful\", \"Welcome to our site!\" ]`" + "FailureStrings": "Strings in the body of the response that indicate a failed login or account creation attempt. To be counted as a failure, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Request failed\" ]`", + "SuccessStrings": "Strings in the body of the response that indicate a successful login or account creation attempt. To be counted as a success, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON examples: `\"SuccessStrings\": [ \"Login successful\" ]` and `\"SuccessStrings\": [ \"Account creation successful\", \"Welcome to our site!\" ]`" }, "AWS::WAFv2::WebACL ResponseInspectionHeader": { - "FailureValues": "Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]`", - "Name": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"LoginResult\" ]`", - "SuccessValues": "Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]`" + "FailureValues": "Values in the response header with the specified name that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]` and `\"FailureValues\": [ \"AccountCreationFailed\" ]`", + "Name": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"RequestResult\" ]`", + "SuccessValues": "Values in the response header with the specified name that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]` and `\"SuccessValues\": [ \"AccountCreated\", \"Successful account creation\" ]`" }, "AWS::WAFv2::WebACL ResponseInspectionJson": { - "FailureValues": "Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", - "Identifier": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON example: `\"Identifier\": [ \"/login/success\" ]`", - "SuccessValues": "Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`" + "FailureValues": "Values for the specified identifier in the response JSON that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", + "Identifier": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON examples: `\"Identifier\": [ \"/login/success\" ]` and `\"Identifier\": [ \"/sign-up/success\" ]`", + "SuccessValues": "Values for the specified identifier in the response JSON that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`" }, "AWS::WAFv2::WebACL ResponseInspectionStatusCode": { - "FailureCodes": "Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", - "SuccessCodes": "Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`" + "FailureCodes": "Status codes in the response that indicate a failed login or account creation attempt. To be counted as a failure, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", + "SuccessCodes": "Status codes in the response that indicate a successful login or account creation attempt. To be counted as a success, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`" }, "AWS::WAFv2::WebACL Rule": { "Action": "The action that AWS WAF should take on a web request when it matches the rule's statement. Settings at the web ACL level can override the rule action setting.\n\nThis is used only for rules whose statements don't reference a rule group. Rule statements that reference a rule group are `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement` .\n\nYou must set either this `Action` setting or the rule's `OverrideAction` , but not both:\n\n- If the rule statement doesn't reference a rule group, you must set this rule action setting and you must not set the rule's override action setting.\n- If the rule statement references a rule group, you must not set this action setting, because the actions are already set on the rules inside the rule group. You must set the rule's override action setting to indicate specifically whether to override the actions that are set on the rules in the rule group.", "CaptchaConfig": "Specifies how AWS WAF should handle `CAPTCHA` evaluations. If you don't specify this, AWS WAF uses the `CAPTCHA` configuration that's defined for the web ACL.", "ChallengeConfig": "Specifies how AWS WAF should handle `Challenge` evaluations. If you don't specify this, AWS WAF uses the challenge configuration that's defined for the web ACL.", - "Name": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "Name": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "OverrideAction": "The override action to apply to the rules in a rule group, instead of the individual rule action settings. This is used only for rules whose statements reference a rule group. Rule statements that reference a rule group are `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement` .\n\nSet the override action to none to leave the rule group rule actions in effect. Set it to count to only count matches, regardless of the rule action settings.\n\nYou must set either this `OverrideAction` setting or the `Action` setting, but not both:\n\n- If the rule statement references a rule group, you must set this override action setting and you must not set the rule's action setting.\n- If the rule statement doesn't reference a rule group, you must set the rule action setting and you must not set the rule's override action setting.", "Priority": "If you define more than one `Rule` in a `WebACL` , AWS WAF evaluates each request against the `Rules` in order based on the value of `Priority` . AWS WAF processes rules with lower priority first. The priorities don't need to be consecutive, but they must all be different.", "RuleLabels": "Labels to apply to web requests that match the rule match statement. AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace.\n\nRules that run after this rule in the web ACL can match against these labels using a `LabelMatchStatement` .\n\nFor each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines:\n\n- Separate each component of the label with a colon.\n- Each namespace or name can have up to 128 characters.\n- You can specify up to 5 namespaces in a label.\n- Don't use the following reserved words in your label specification: `aws` , `waf` , `managed` , `rulegroup` , `webacl` , `regexpatternset` , or `ipset` .\n\nFor example, `myLabelName` or `nameSpace1:nameSpace2:myLabelName` .", "Statement": "The AWS WAF processing statement for the rule, for example `ByteMatchStatement` or `SizeConstraintStatement` .", - "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection." + "VisibilityConfig": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name." }, "AWS::WAFv2::WebACL RuleAction": { "Allow": "Instructs AWS WAF to allow the web request.", @@ -36765,20 +40466,24 @@ "GeoMatchStatement": "A rule statement that labels web requests by country and region and that matches against web requests based on country code. A geo match rule labels every request that it inspects regardless of whether it finds a match.\n\n- To manage requests only by country, you can use this statement by itself and specify the countries that you want to match against in the `CountryCodes` array.\n- Otherwise, configure your geo match rule with Count action so that it only labels requests. Then, add one or more label match rules to run after the geo match rule and configure them to match against the geographic labels and handle the requests as needed.\n\nAWS WAF labels requests using the alpha-2 country and region codes from the International Organization for Standardization (ISO) 3166 standard. AWS WAF determines the codes using either the IP address in the web request origin or, if you specify it, the address in the geo match `ForwardedIPConfig` .\n\nIf you use the web request origin, the label formats are `awswaf:clientip:geo:region:-` and `awswaf:clientip:geo:country:` .\n\nIf you use a forwarded IP address, the label formats are `awswaf:forwardedip:geo:region:-` and `awswaf:forwardedip:geo:country:` .\n\nFor additional details, see [Geographic match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "IPSetReferenceStatement": "A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an `IPSet` that specifies the addresses you want to detect, then use the ARN of that set in this statement.\n\nEach IP set rule statement references an IP set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.", "LabelMatchStatement": "A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL.\n\nThe label match statement provides the label or namespace string to search for. The label string can represent a part or all of the fully qualified label name that had been added to the web request. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. If you do not provide the fully qualified name in your label match string, AWS WAF performs the search for labels that were added in the same context as the label match statement.", - "ManagedRuleGroupStatement": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement.\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.", + "ManagedRuleGroupStatement": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call `ListAvailableManagedRuleGroups` .\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.\n\n> You are charged additional fees when you use the AWS WAF Bot Control managed rule group `AWSManagedRulesBotControlRuleSet` , the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group `AWSManagedRulesATPRuleSet` , or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group `AWSManagedRulesACFPRuleSet` . For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "NotStatement": "A logical rule statement used to negate the results of another rule statement. You provide one `Statement` within the `NotStatement` .", "OrStatement": "A logical rule statement used to combine other rule statements with OR logic. You provide more than one `Statement` within the `OrStatement` .", - "RateBasedStatement": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "RateBasedStatement": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "RegexMatchStatement": "A rule statement used to search web request components for a match against a single regular expression.", "RegexPatternSetReferenceStatement": "A rule statement used to search web request components for matches with regular expressions. To use this, create a `RegexPatternSet` that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set.\n\nEach regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.", - "RuleGroupReferenceStatement": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You can only use a rule group reference statement at the top level inside a web ACL.", - "SizeConstraintStatement": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "RuleGroupReferenceStatement": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.", + "SizeConstraintStatement": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "SqliMatchStatement": "A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.", "XssMatchStatement": "A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers." }, + "AWS::WAFv2::WebACL Tag": { + "Key": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.", + "Value": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive." + }, "AWS::WAFv2::WebACL TextTransformation": { "Priority": "Sets the relative processing order for multiple transformations. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. The priorities don't need to be consecutive, but they must all be different.", - "Type": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages." + "Type": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* ." }, "AWS::WAFv2::WebACL VisibilityConfig": { "CloudWatchMetricsEnabled": "Indicates whether the associated resource sends metrics to Amazon CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics) in the *AWS WAF Developer Guide* .\n\nFor web ACLs, the metrics are for web requests that have the web ACL default action applied. AWS WAF applies the default action to web requests that pass the inspection of all rules in the web ACL without being either allowed or blocked. For more information,\nsee [The web ACL default action](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html) in the *AWS WAF Developer Guide* .", @@ -36796,12 +40501,16 @@ "AWS::Wisdom::Assistant": { "Description": "The description of the assistant.", "Name": "The name of the assistant.", - "ServerSideEncryptionConfiguration": "The KMS key used for encryption.", + "ServerSideEncryptionConfiguration": "The configuration information for the customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) .", "Tags": "The tags used to organize, track, or control access for this resource.", "Type": "The type of assistant." }, "AWS::Wisdom::Assistant ServerSideEncryptionConfiguration": { - "KmsKeyId": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* ." + "KmsKeyId": "The customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* ." + }, + "AWS::Wisdom::Assistant Tag": { + "Key": "", + "Value": "" }, "AWS::Wisdom::AssistantAssociation": { "AssistantId": "The identifier of the Wisdom assistant.", @@ -36812,37 +40521,49 @@ "AWS::Wisdom::AssistantAssociation AssociationData": { "KnowledgeBaseId": "The identifier of the knowledge base." }, + "AWS::Wisdom::AssistantAssociation Tag": { + "Key": "", + "Value": "" + }, "AWS::Wisdom::KnowledgeBase": { "Description": "The description.", "KnowledgeBaseType": "The type of knowledge base. Only CUSTOM knowledge bases allow you to upload your own content. EXTERNAL knowledge bases support integrations with third-party systems whose content is synchronized automatically.", "Name": "The name of the knowledge base.", "RenderingConfiguration": "Information about how to render the content.", - "ServerSideEncryptionConfiguration": "The KMS key used for encryption.", + "ServerSideEncryptionConfiguration": "This customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "SourceConfiguration": "The source of the knowledge base content. Only set this argument for EXTERNAL knowledge bases.", "Tags": "The tags used to organize, track, or control access for this resource." }, "AWS::Wisdom::KnowledgeBase AppIntegrationsConfiguration": { - "AppIntegrationArn": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .", + "AppIntegrationArn": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .\n- For [Amazon S3](https://docs.aws.amazon.com/https://aws.amazon.com/s3/) , the ObjectConfiguration and FileConfiguration of your AppIntegrations DataIntegration must be null. The `SourceURI` of your DataIntegration must use the following format: `s3://your_s3_bucket_name` .\n\n> The bucket policy of the corresponding S3 bucket must allow the AWS principal `app-integrations.amazonaws.com` to perform `s3:ListBucket` , `s3:GetObject` , and `s3:GetBucketLocation` against the bucket.", "ObjectFields": "The fields from the source that are made available to your agents in Wisdom. Optional if ObjectConfiguration is included in the provided DataIntegration.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , you must include at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` .\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , you must include at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` .\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , you must include at least `id` , `title` , `updated_at` , and `draft` .\n\nMake sure to include additional fields. These fields are indexed and used to source recommendations." }, "AWS::Wisdom::KnowledgeBase RenderingConfiguration": { "TemplateUri": "A URI template containing exactly one variable in `${variableName}` format. This can only be set for `EXTERNAL` knowledge bases. For Salesforce, ServiceNow, and Zendesk, the variable must be one of the following:\n\n- Salesforce: `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , or `IsDeleted`\n- ServiceNow: `number` , `short_description` , `sys_mod_count` , `workflow_state` , or `active`\n- Zendesk: `id` , `title` , `updated_at` , or `draft`\n\nThe variable is replaced with the actual value for a piece of content when calling [GetContent](https://docs.aws.amazon.com/wisdom/latest/APIReference/API_GetContent.html) ." }, "AWS::Wisdom::KnowledgeBase ServerSideEncryptionConfiguration": { - "KmsKeyId": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* ." + "KmsKeyId": "The customer managed key used for encryption.\n\nThis customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom.\n\nFor more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) ." }, "AWS::Wisdom::KnowledgeBase SourceConfiguration": { "AppIntegrations": "Configuration information for Amazon AppIntegrations to automatically ingest content." }, + "AWS::Wisdom::KnowledgeBase Tag": { + "Key": "", + "Value": "" + }, "AWS::WorkSpaces::ConnectionAlias": { "ConnectionString": "The connection string specified for the connection alias. The connection string must be in the form of a fully qualified domain name (FQDN), such as `www.example.com` .", "Tags": "The tags to associate with the connection alias." }, "AWS::WorkSpaces::ConnectionAlias ConnectionAliasAssociation": { - "AssociatedAccountId": "", - "AssociationStatus": "", - "ConnectionIdentifier": "", - "ResourceId": "" + "AssociatedAccountId": "The identifier of the AWS account that associated the connection alias with a directory.", + "AssociationStatus": "The association status of the connection alias.", + "ConnectionIdentifier": "The identifier of the connection alias association. You use the connection identifier in the DNS TXT record when you're configuring your DNS routing policies.", + "ResourceId": "The identifier of the directory associated with a connection alias." + }, + "AWS::WorkSpaces::ConnectionAlias Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." }, "AWS::WorkSpaces::Workspace": { "BundleId": "The identifier of the bundle for the WorkSpace.", @@ -36854,6 +40575,10 @@ "VolumeEncryptionKey": "The ARN of the symmetric AWS KMS key used to encrypt data stored on your WorkSpace. Amazon WorkSpaces does not support asymmetric KMS keys.", "WorkspaceProperties": "The WorkSpace properties." }, + "AWS::WorkSpaces::Workspace Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag." + }, "AWS::WorkSpaces::Workspace WorkspaceProperties": { "ComputeTypeName": "The compute type. For more information, see [Amazon WorkSpaces Bundles](https://docs.aws.amazon.com/workspaces/details/#Amazon_WorkSpaces_Bundles) .", "RootVolumeSizeGib": "The size of the root volume. For important information about how to modify the size of the root and user volumes, see [Modify a WorkSpace](https://docs.aws.amazon.com/workspaces/latest/adminguide/modify-workspaces.html) .", @@ -36861,6 +40586,107 @@ "RunningModeAutoStopTimeoutInMinutes": "The time after a user logs off when WorkSpaces are automatically stopped. Configured in 60-minute intervals.", "UserVolumeSizeGib": "The size of the user storage. For important information about how to modify the size of the root and user volumes, see [Modify a WorkSpace](https://docs.aws.amazon.com/workspaces/latest/adminguide/modify-workspaces.html) ." }, + "AWS::WorkSpacesWeb::BrowserSettings": { + "AdditionalEncryptionContext": "Additional encryption context of the browser settings.", + "BrowserPolicy": "A JSON string containing Chrome Enterprise policies that will be applied to all streaming sessions.", + "CustomerManagedKey": "The custom managed key of the browser settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "Tags": "The tags to add to the browser settings resource. A tag is a key-value pair." + }, + "AWS::WorkSpacesWeb::BrowserSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::IdentityProvider": { + "IdentityProviderDetails": "The identity provider details. The following list describes the provider detail keys for each identity provider type.\n\n- For Google and Login with Amazon:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- For Facebook:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- `api_version`\n- For Sign in with Apple:\n\n- `client_id`\n- `team_id`\n- `key_id`\n- `private_key`\n- `authorize_scopes`\n- For OIDC providers:\n\n- `client_id`\n- `client_secret`\n- `attributes_request_method`\n- `oidc_issuer`\n- `authorize_scopes`\n- `authorize_url` *if not available from discovery URL specified by oidc_issuer key*\n- `token_url` *if not available from discovery URL specified by oidc_issuer key*\n- `attributes_url` *if not available from discovery URL specified by oidc_issuer key*\n- `jwks_uri` *if not available from discovery URL specified by oidc_issuer key*\n- For SAML providers:\n\n- `MetadataFile` OR `MetadataURL`\n- `IDPSignout` *optional*", + "IdentityProviderName": "The identity provider name.", + "IdentityProviderType": "The identity provider type.", + "PortalArn": "The ARN of the identity provider." + }, + "AWS::WorkSpacesWeb::IpAccessSettings": { + "AdditionalEncryptionContext": "Additional encryption context of the IP access settings.", + "CustomerManagedKey": "The custom managed key of the IP access settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "Description": "The description of the IP access settings.", + "DisplayName": "The display name of the IP access settings.", + "IpRules": "The IP rules of the IP access settings.", + "Tags": "The tags to add to the browser settings resource. A tag is a key-value pair." + }, + "AWS::WorkSpacesWeb::IpAccessSettings IpRule": { + "Description": "The description of the IP rule.", + "IpRange": "The IP range of the IP rule. This can either be a single IP address or a range using CIDR notation." + }, + "AWS::WorkSpacesWeb::IpAccessSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::NetworkSettings": { + "SecurityGroupIds": "One or more security groups used to control access from streaming instances to your VPC.\n\n*Pattern* : `^[\\w+\\-]+$`", + "SubnetIds": "The subnets in which network interfaces are created to connect streaming instances to your VPC. At least two of these subnets must be in different availability zones.\n\n*Pattern* : `^subnet-([0-9a-f]{8}|[0-9a-f]{17})$`", + "Tags": "The tags to add to the network settings resource. A tag is a key-value pair.", + "VpcId": "The VPC that streaming instances will connect to.\n\n*Pattern* : `^vpc-[0-9a-z]*$`" + }, + "AWS::WorkSpacesWeb::NetworkSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::Portal": { + "AdditionalEncryptionContext": "The additional encryption context of the portal.", + "AuthenticationType": "The type of authentication integration points used when signing into the web portal. Defaults to `Standard` .\n\n`Standard` web portals are authenticated directly through your identity provider (IdP). User and group access to your web portal is controlled through your IdP. You need to include an IdP resource in your template to integrate your IdP with your web portal. Completing the configuration for your IdP requires exchanging WorkSpaces Web\u2019s SP metadata with your IdP\u2019s IdP metadata. If your IdP requires the SP metadata first before returning the IdP metadata, you should follow these steps:\n\n1. Create and deploy a CloudFormation template with a `Standard` portal with no `IdentityProvider` resource.\n\n2. Retrieve the SP metadata using `Fn:GetAtt` , the WorkSpaces Web console, or by the calling the `GetPortalServiceProviderMetadata` API.\n\n3. Submit the data to your IdP.\n\n4. Add an `IdentityProvider` resource to your CloudFormation template.\n\n`IAM Identity Center` web portals are authenticated through AWS IAM Identity Center . They provide additional features, such as IdP-initiated authentication. Identity sources (including external identity provider integration) and other identity provider information must be configured in IAM Identity Center . User and group assignment must be done through the WorkSpaces Web console. These cannot be configured in CloudFormation.", + "BrowserSettingsArn": "The ARN of the browser settings that is associated with this web portal.", + "CustomerManagedKey": "The customer managed key of the web portal.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "DisplayName": "The name of the web portal.", + "IpAccessSettingsArn": "The ARN of the IP access settings that is associated with the web portal.", + "NetworkSettingsArn": "The ARN of the network settings that is associated with the web portal.", + "Tags": "The tags to add to the web portal. A tag is a key-value pair.", + "TrustStoreArn": "The ARN of the trust store that is associated with the web portal.", + "UserAccessLoggingSettingsArn": "The ARN of the user access logging settings that is associated with the web portal.", + "UserSettingsArn": "The ARN of the user settings that is associated with the web portal." + }, + "AWS::WorkSpacesWeb::Portal Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::TrustStore": { + "CertificateList": "A list of CA certificates to be added to the trust store.", + "Tags": "The tags to add to the trust store. A tag is a key-value pair." + }, + "AWS::WorkSpacesWeb::TrustStore Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::UserAccessLoggingSettings": { + "KinesisStreamArn": "The ARN of the Kinesis stream.", + "Tags": "The tags to add to the user access logging settings resource. A tag is a key-value pair." + }, + "AWS::WorkSpacesWeb::UserAccessLoggingSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, + "AWS::WorkSpacesWeb::UserSettings": { + "AdditionalEncryptionContext": "", + "CookieSynchronizationConfiguration": "The configuration that specifies which cookies should be synchronized from the end user's local browser to the remote browser.", + "CopyAllowed": "Specifies whether the user can copy text from the streaming session to the local device.", + "CustomerManagedKey": "", + "DisconnectTimeoutInMinutes": "The amount of time that a streaming session remains active after users disconnect.", + "DownloadAllowed": "Specifies whether the user can download files from the streaming session to the local device.", + "IdleDisconnectTimeoutInMinutes": "The amount of time that users can be idle (inactive) before they are disconnected from their streaming session and the disconnect timeout interval begins.", + "PasteAllowed": "Specifies whether the user can paste text from the local device to the streaming session.", + "PrintAllowed": "Specifies whether the user can print to the local device.", + "Tags": "The tags to add to the user settings resource. A tag is a key-value pair.", + "UploadAllowed": "Specifies whether the user can upload files from the local device to the streaming session." + }, + "AWS::WorkSpacesWeb::UserSettings CookieSpecification": { + "Domain": "The domain of the cookie.", + "Name": "The name of the cookie.", + "Path": "The path of the cookie." + }, + "AWS::WorkSpacesWeb::UserSettings CookieSynchronizationConfiguration": { + "Allowlist": "The list of cookie specifications that are allowed to be synchronized to the remote browser.", + "Blocklist": "The list of cookie specifications that are blocked from being synchronized to the remote browser." + }, + "AWS::WorkSpacesWeb::UserSettings Tag": { + "Key": "The key of the tag.", + "Value": "The value of the tag" + }, "AWS::XRay::Group": { "FilterExpression": "The filter expression defining the parameters to include traces.", "GroupName": "The unique case-sensitive name of the group.", @@ -36871,6 +40697,10 @@ "InsightsEnabled": "Set the InsightsEnabled value to true to enable insights or false to disable insights.", "NotificationsEnabled": "Set the NotificationsEnabled value to true to enable insights notifications. Notifications can only be enabled on a group with InsightsEnabled set to true." }, + "AWS::XRay::Group Tag": { + "Key": "A tag key, such as `Stage` or `Name` . A tag key cannot be empty. The key can be a maximum of 128 characters, and can contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`", + "Value": "An optional tag value, such as `Production` or `test-only` . The value can be a maximum of 255 characters, and contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`" + }, "AWS::XRay::ResourcePolicy": { "BypassPolicyLockoutCheck": "A flag to indicate whether to bypass the resource-based policy lockout safety check.", "PolicyDocument": "The resource-based policy document, which can be up to 5kb in size.", @@ -36895,6 +40725,10 @@ "URLPath": "Matches the path from a request URL.", "Version": "The version of the sampling rule. `Version` can only be set when creating a new sampling rule." }, + "AWS::XRay::SamplingRule Tag": { + "Key": "A tag key, such as `Stage` or `Name` . A tag key cannot be empty. The key can be a maximum of 128 characters, and can contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`", + "Value": "An optional tag value, such as `Production` or `test-only` . The value can be a maximum of 255 characters, and contain only Unicode letters, numbers, or separators, or the following special characters: `+ - = . _ : /`" + }, "Alexa::ASK::Skill": { "AuthenticationConfiguration": "Login with Amazon (LWA) configuration used to authenticate with the Alexa service. Only Login with Amazon clients created through the are supported. The client ID, client secret, and refresh token are required.", "SkillPackage": "Configuration for the skill package that contains the components of the Alexa skill. Skill packages are retrieved from an Amazon S3 bucket and key and used to create and update the skill. For more information about the skill package format, see the .", diff --git a/schema_source/cloudformation.schema.json b/schema_source/cloudformation.schema.json index 9d754e4b5..9fb692b87 100644 --- a/schema_source/cloudformation.schema.json +++ b/schema_source/cloudformation.schema.json @@ -1550,9 +1550,13 @@ "title": "Configuration" }, "DataReplicationMode": { + "markdownDescription": "Defines whether this broker is a part of a data replication pair.", + "title": "DataReplicationMode", "type": "string" }, "DataReplicationPrimaryBrokerArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the primary broker that is used to replicate data from in a data replication pair, and is applied to the replica broker. Must be set when dataReplicationMode is set to CRDR.", + "title": "DataReplicationPrimaryBrokerArn", "type": "string" }, "DeploymentMode": { @@ -2414,12 +2418,14 @@ "additionalProperties": false, "properties": { "AppId": { - "markdownDescription": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+", + "markdownDescription": "The unique ID for an Amplify app.", "title": "AppId", "type": "string" }, "Backend": { - "$ref": "#/definitions/AWS::Amplify::Branch.Backend" + "$ref": "#/definitions/AWS::Amplify::Branch.Backend", + "markdownDescription": "The backend environment for an Amplify app.", + "title": "Backend" }, "BasicAuthConfig": { "$ref": "#/definitions/AWS::Amplify::Branch.BasicAuthConfig", @@ -2519,6 +2525,8 @@ "additionalProperties": false, "properties": { "StackArn": { + "markdownDescription": "The Amazon Resource Name (ARN) for the AWS CloudFormation stack.", + "title": "StackArn", "type": "string" } }, @@ -4405,8 +4413,6 @@ "type": "string" }, "Id": { - "markdownDescription": "", - "title": "Id", "type": "string" }, "RestApiId": { @@ -4693,7 +4699,7 @@ "type": "boolean" }, "DataTraceEnabled": { - "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "title": "DataTraceEnabled", "type": "boolean" }, @@ -6237,7 +6243,7 @@ "type": "boolean" }, "DataTraceEnabled": { - "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs.", + "markdownDescription": "Specifies whether data trace logging is enabled for this method, which affects the log entries pushed to Amazon CloudWatch Logs. This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable this option for production APIs.", "title": "DataTraceEnabled", "type": "boolean" }, @@ -8525,6 +8531,8 @@ "type": "string" }, "KmsKeyIdentifier": { + "markdownDescription": "", + "title": "KmsKeyIdentifier", "type": "string" }, "LocationUri": { @@ -8690,7 +8698,7 @@ "type": "string" }, "KmsKeyIdentifier": { - "markdownDescription": "The AWS KMS key identifier (key ID, key alias, or key ARN). AWS AppConfig uses this ID to encrypt the configuration data using a customer managed key.", + "markdownDescription": "The AWS Key Management Service key identifier (key ID, key alias, or key ARN) provided when the resource was created or updated.", "title": "KmsKeyIdentifier", "type": "string" }, @@ -9645,7 +9653,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.PardotConnectorProfileCredentials", - "markdownDescription": "", + "markdownDescription": "The connector-specific credentials required when using Salesforce Pardot.", "title": "Pardot" }, "Redshift": { @@ -9731,7 +9739,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.PardotConnectorProfileProperties", - "markdownDescription": "", + "markdownDescription": "The connector-specific properties required by Salesforce Pardot.", "title": "Pardot" }, "Redshift": { @@ -10162,12 +10170,12 @@ "additionalProperties": false, "properties": { "AccessToken": { - "markdownDescription": "", + "markdownDescription": "The credentials used to access protected Salesforce Pardot resources.", "title": "AccessToken", "type": "string" }, "ClientCredentialsArn": { - "markdownDescription": "", + "markdownDescription": "The secret manager ARN, which contains the client ID and client secret of the connected app.", "title": "ClientCredentialsArn", "type": "string" }, @@ -10177,7 +10185,7 @@ "title": "ConnectorOAuthRequest" }, "RefreshToken": { - "markdownDescription": "", + "markdownDescription": "The credentials used to acquire new access tokens.", "title": "RefreshToken", "type": "string" } @@ -10188,17 +10196,17 @@ "additionalProperties": false, "properties": { "BusinessUnitId": { - "markdownDescription": "", + "markdownDescription": "The business unit id of Salesforce Pardot instance.", "title": "BusinessUnitId", "type": "string" }, "InstanceUrl": { - "markdownDescription": "", + "markdownDescription": "The location of the Salesforce Pardot resource.", "title": "InstanceUrl", "type": "string" }, "IsSandboxEnvironment": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the connector profile applies to a sandbox or production environment.", "title": "IsSandboxEnvironment", "type": "boolean" } @@ -10238,17 +10246,17 @@ "type": "string" }, "ClusterIdentifier": { - "markdownDescription": "", + "markdownDescription": "The unique ID that's assigned to an Amazon Redshift cluster.", "title": "ClusterIdentifier", "type": "string" }, "DataApiRoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that permits Amazon AppFlow to access your Amazon Redshift database through the Data API. For more information, and for the polices that you attach to this role, see [Allow Amazon AppFlow to access Amazon Redshift databases with the Data API](https://docs.aws.amazon.com/appflow/latest/userguide/security_iam_service-role-policies.html#access-redshift) .", "title": "DataApiRoleArn", "type": "string" }, "DatabaseName": { - "markdownDescription": "", + "markdownDescription": "The name of an Amazon Redshift database.", "title": "DatabaseName", "type": "string" }, @@ -10258,7 +10266,7 @@ "type": "string" }, "IsRedshiftServerless": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the connector profile defines a connection to an Amazon Redshift Serverless data warehouse.", "title": "IsRedshiftServerless", "type": "boolean" }, @@ -10268,7 +10276,7 @@ "type": "string" }, "WorkgroupName": { - "markdownDescription": "", + "markdownDescription": "The name of an Amazon Redshift workgroup.", "title": "WorkgroupName", "type": "string" } @@ -10360,12 +10368,12 @@ "title": "ConnectorOAuthRequest" }, "JwtToken": { - "markdownDescription": "", + "markdownDescription": "A JSON web token (JWT) that authorizes Amazon AppFlow to access your Salesforce records.", "title": "JwtToken", "type": "string" }, "OAuth2GrantType": { - "markdownDescription": "", + "markdownDescription": "Specifies the OAuth 2.0 grant type that Amazon AppFlow uses when it requests an access token from Salesforce. Amazon AppFlow requires an access token each time it attempts to access your Salesforce records.\n\nYou can specify one of the following values:\n\n- **AUTHORIZATION_CODE** - Amazon AppFlow passes an authorization code when it requests the access token from Salesforce. Amazon AppFlow receives the authorization code from Salesforce after you log in to your Salesforce account and authorize Amazon AppFlow to access your records.\n- **CLIENT_CREDENTIALS** - Amazon AppFlow passes client credentials (a client ID and client secret) when it requests the access token from Salesforce. You provide these credentials to Amazon AppFlow when you define the connection to your Salesforce account.\n- **JWT_BEARER** - Amazon AppFlow passes a JSON web token (JWT) when it requests the access token from Salesforce. You provide the JWT to Amazon AppFlow when you define the connection to your Salesforce account. When you use this grant type, you don't need to log in to your Salesforce account to authorize Amazon AppFlow to access your records.", "title": "OAuth2GrantType", "type": "string" }, @@ -10391,7 +10399,7 @@ "type": "boolean" }, "usePrivateLinkForMetadataAndAuthorization": { - "markdownDescription": "", + "markdownDescription": "If the connection mode for the connector profile is private, this parameter sets whether Amazon AppFlow uses the private network to send metadata and authorization calls to Salesforce. Amazon AppFlow sends private calls through AWS PrivateLink . These calls travel through AWS infrastructure without being exposed to the public internet.\n\nSet either of the following values:\n\n- **true** - Amazon AppFlow sends all calls to Salesforce over the private network.\n\nThese private calls are:\n\n- Calls to get metadata about your Salesforce records. This metadata describes your Salesforce objects and their fields.\n- Calls to get or refresh access tokens that allow Amazon AppFlow to access your Salesforce records.\n- Calls to transfer your Salesforce records as part of a flow run.\n- **false** - The default value. Amazon AppFlow sends some calls to Salesforce privately and other calls over the public internet.\n\nThe public calls are:\n\n- Calls to get metadata about your Salesforce records.\n- Calls to get or refresh access tokens.\n\nThe private calls are:\n\n- Calls to transfer your Salesforce records as part of a flow run.", "title": "usePrivateLinkForMetadataAndAuthorization", "type": "boolean" } @@ -10402,7 +10410,9 @@ "additionalProperties": false, "properties": { "OAuth2Credentials": { - "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.OAuth2Credentials" + "$ref": "#/definitions/AWS::AppFlow::ConnectorProfile.OAuth2Credentials", + "markdownDescription": "", + "title": "OAuth2Credentials" }, "Password": { "markdownDescription": "The password that corresponds to the user name.", @@ -10712,7 +10722,7 @@ }, "MetadataCatalogConfig": { "$ref": "#/definitions/AWS::AppFlow::Flow.MetadataCatalogConfig", - "markdownDescription": "", + "markdownDescription": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data. When Amazon AppFlow catalogs your data, it stores metadata in a data catalog.", "title": "MetadataCatalogConfig" }, "SourceFlowConfig": { @@ -10781,7 +10791,7 @@ "type": "string" }, "TargetFileSize": { - "markdownDescription": "", + "markdownDescription": "The desired file size, in MB, for each output file that Amazon AppFlow writes to the flow destination. For each file, Amazon AppFlow attempts to achieve the size that you specify. The actual file sizes might differ from this target based on the number and size of the records that each file contains.", "title": "TargetFileSize", "type": "number" } @@ -10841,7 +10851,7 @@ "type": "string" }, "Pardot": { - "markdownDescription": "", + "markdownDescription": "The operation to be performed on the provided Salesforce Pardot source fields.", "title": "Pardot", "type": "string" }, @@ -10952,7 +10962,7 @@ }, "DataTransferApi": { "$ref": "#/definitions/AWS::AppFlow::Flow.DataTransferApi", - "markdownDescription": "", + "markdownDescription": "The API of the connector application that Amazon AppFlow uses to transfer your data.", "title": "DataTransferApi" }, "EntityName": { @@ -10970,12 +10980,12 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the connector application API.", "title": "Name", "type": "string" }, "Type": { - "markdownDescription": "", + "markdownDescription": "You can specify one of the following types:\n\n- **AUTOMATIC** - The default. Optimizes a flow for datasets that fluctuate in size from small to large. For each flow run, Amazon AppFlow chooses to use the SYNC or ASYNC API type based on the amount of data that the run transfers.\n- **SYNC** - A synchronous API. This type of API optimizes a flow for small to medium-sized datasets.\n- **ASYNC** - An asynchronous API. This type of API optimizes a flow for large datasets.", "title": "Type", "type": "string" } @@ -11075,7 +11085,7 @@ "type": "string" }, "ConnectorType": { - "markdownDescription": "The type of destination connector, such as Sales force, Amazon S3, and so on.\n\n*Allowed Values* : `EventBridge | Redshift | S3 | Salesforce | Snowflake`", + "markdownDescription": "The type of destination connector, such as Sales force, Amazon S3, and so on.", "title": "ConnectorType", "type": "string" }, @@ -11259,7 +11269,7 @@ "properties": { "GlueDataCatalog": { "$ref": "#/definitions/AWS::AppFlow::Flow.GlueDataCatalog", - "markdownDescription": "", + "markdownDescription": "Specifies the configuration that Amazon AppFlow uses when it catalogs your data with the AWS Glue Data Catalog .", "title": "GlueDataCatalog" } }, @@ -11269,7 +11279,7 @@ "additionalProperties": false, "properties": { "Object": { - "markdownDescription": "", + "markdownDescription": "The object specified in the Salesforce Pardot flow source.", "title": "Object", "type": "string" } @@ -11286,7 +11296,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Specifies whether the destination file path includes either or both of the following elements:\n\n- **EXECUTION_ID** - The ID that Amazon AppFlow assigns to the flow run.\n- **SCHEMA_VERSION** - The version number of your data schema. Amazon AppFlow assigns this version number. The version number increases by one when you change any of the following settings in your flow configuration:\n\n- Source-to-destination field mappings\n- Field data types\n- Partition keys", "title": "PathPrefixHierarchy", "type": "array" }, @@ -11387,7 +11397,7 @@ "title": "PrefixConfig" }, "PreserveSourceDataTyping": { - "markdownDescription": "", + "markdownDescription": "If your file output format is Parquet, use this parameter to set whether Amazon AppFlow preserves the data types in your source data when it writes the output to Amazon S3.\n\n- `true` : Amazon AppFlow preserves the data types when it writes to Amazon S3. For example, an integer or `1` in your source data is still an integer in your output.\n- `false` : Amazon AppFlow converts all of the source data into strings when it writes to Amazon S3. For example, an integer of `1` in your source data becomes the string `\"1\"` in the output.", "title": "PreserveSourceDataTyping", "type": "boolean" } @@ -11460,6 +11470,8 @@ "additionalProperties": false, "properties": { "maxPageSize": { + "markdownDescription": "", + "title": "maxPageSize", "type": "number" } }, @@ -11472,6 +11484,8 @@ "additionalProperties": false, "properties": { "maxParallelism": { + "markdownDescription": "", + "title": "maxParallelism", "type": "number" } }, @@ -11489,10 +11503,14 @@ "type": "string" }, "paginationConfig": { - "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataPaginationConfig" + "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataPaginationConfig", + "markdownDescription": "", + "title": "paginationConfig" }, "parallelismConfig": { - "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataParallelismConfig" + "$ref": "#/definitions/AWS::AppFlow::Flow.SAPODataParallelismConfig", + "markdownDescription": "", + "title": "parallelismConfig" } }, "required": [ @@ -11580,7 +11598,7 @@ "type": "number" }, "FlowErrorDeactivationThreshold": { - "markdownDescription": "", + "markdownDescription": "Defines how many times a scheduled flow fails consecutively before Amazon AppFlow deactivates it.", "title": "FlowErrorDeactivationThreshold", "type": "number" }, @@ -11727,7 +11745,7 @@ }, "Pardot": { "$ref": "#/definitions/AWS::AppFlow::Flow.PardotSourceProperties", - "markdownDescription": "", + "markdownDescription": "Specifies the information that is required for querying Salesforce Pardot.", "title": "Pardot" }, "S3": { @@ -11874,7 +11892,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The task property key.\n\n*Allowed Values* : `VALUE | VALUES | DATA_TYPE | UPPER_BOUND | LOWER_BOUND | SOURCE_DATA_TYPE | DESTINATION_DATA_TYPE | VALIDATION_ACTION | MASK_VALUE | MASK_LENGTH | TRUNCATE_LENGTH | MATH_OPERATION_FIELDS_ORDER | CONCAT_FORMAT | SUBFIELD_CATEGORY_MAP` | `EXCLUDE_SOURCE_FIELDS_LIST`", + "markdownDescription": "The task property key.", "title": "Key", "type": "string" }, @@ -16001,6 +16019,8 @@ "title": "SourceCodeVersion" }, "SourceDirectory": { + "markdownDescription": "The path of the directory that stores source code and configuration files. The build and start commands also execute from here. The path is absolute from root and, if not specified, defaults to the repository root.", + "title": "SourceDirectory", "type": "string" } }, @@ -16525,7 +16545,7 @@ }, "PostSetupScriptDetails": { "$ref": "#/definitions/AWS::AppStream::AppBlock.ScriptDetails", - "markdownDescription": "The post setup script details of the app block.\n\nThis only applies to app blocks with PackagingType `APPSTREAM2` .", + "markdownDescription": "The post setup script details of the app block.", "title": "PostSetupScriptDetails" }, "SetupScriptDetails": { @@ -16663,7 +16683,7 @@ "items": { "$ref": "#/definitions/AWS::AppStream::AppBlockBuilder.AccessEndpoint" }, - "markdownDescription": "", + "markdownDescription": "The access endpoints of the app block builder.", "title": "AccessEndpoints", "type": "array" }, @@ -16671,7 +16691,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The ARN of the app block.\n\n*Maximum* : `1`", "title": "AppBlockArns", "type": "array" }, @@ -16706,7 +16726,7 @@ "type": "string" }, "Platform": { - "markdownDescription": "The platform of the app block builder.\n\n`WINDOWS_SERVER_2019` is the only valid value.", + "markdownDescription": "The platform of the app block builder.\n\n*Allowed values* : `WINDOWS_SERVER_2019`", "title": "Platform", "type": "string" }, @@ -16714,7 +16734,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The tags of the app block builder.", "title": "Tags", "type": "array" }, @@ -17443,10 +17463,12 @@ "type": "number" }, "MaxSessionsPerInstance": { + "markdownDescription": "The maximum number of user sessions on an instance. This only applies to multi-session fleets.", + "title": "MaxSessionsPerInstance", "type": "number" }, "MaxUserDurationInSeconds": { - "markdownDescription": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 360000.", + "markdownDescription": "The maximum amount of time that a streaming session can remain active, in seconds. If users are still connected to a streaming instance five minutes before this limit is reached, they are prompted to save any open documents before being disconnected. After this time elapses, the instance is terminated and replaced by a new instance.\n\nSpecify a value between 600 and 432000.", "title": "MaxUserDurationInSeconds", "type": "number" }, @@ -17456,7 +17478,7 @@ "type": "string" }, "Platform": { - "markdownDescription": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.\n\n*Allowed Values* : `WINDOWS_SERVER_2019` | `AMAZON_LINUX2`", + "markdownDescription": "The platform of the fleet. Platform is a required setting for Elastic fleets, and is not used for other fleet types.", "title": "Platform", "type": "string" }, @@ -17528,6 +17550,8 @@ "type": "number" }, "DesiredSessions": { + "markdownDescription": "The desired number of user sessions for a multi-session fleet. This is not allowed for single-session fleets.\n\nWhen you create a fleet, you must set either the DesiredSessions or DesiredInstances attribute, based on the type of fleet you create. You can\u2019t define both attributes or leave both attributes blank.", + "title": "DesiredSessions", "type": "number" } }, @@ -18410,8 +18434,6 @@ "type": "string" }, "ApiKeyId": { - "markdownDescription": "The API key ID.", - "title": "ApiKeyId", "type": "string" }, "Description": { @@ -19061,7 +19083,7 @@ }, "Runtime": { "$ref": "#/definitions/AWS::AppSync::FunctionConfiguration.AppSyncRuntime", - "markdownDescription": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "markdownDescription": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "title": "Runtime" }, "SyncConfig": { @@ -19610,7 +19632,7 @@ }, "Runtime": { "$ref": "#/definitions/AWS::AppSync::Resolver.AppSyncRuntime", - "markdownDescription": "Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", + "markdownDescription": "Describes a runtime used by an AWS AppSync resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified.", "title": "Runtime" }, "SyncConfig": { @@ -20232,7 +20254,7 @@ "type": "string" }, "Cooldown": { - "markdownDescription": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, to wait for a previous scaling activity to take effect. If not specified, the default value is 300. For more information, see [Cooldown period](https://docs.aws.amazon.com/autoscaling/application/userguide/step-scaling-policy-overview.html#step-scaling-cooldown) in the *Application Auto Scaling User Guide* .", "title": "Cooldown", "type": "number" }, @@ -20276,12 +20298,12 @@ "title": "PredefinedMetricSpecification" }, "ScaleInCooldown": { - "markdownDescription": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "title": "ScaleInCooldown", "type": "number" }, "ScaleOutCooldown": { - "markdownDescription": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", + "markdownDescription": "The amount of time, in seconds, to wait for a previous scale-out activity to take effect. For more information and for default values, see [Define cooldown periods](https://docs.aws.amazon.com/autoscaling/application/userguide/target-tracking-scaling-policy-overview.html#target-tracking-cooldown) in the *Application Auto Scaling User Guide* .", "title": "ScaleOutCooldown", "type": "number" }, @@ -20991,7 +21013,7 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.\n- Queries that specify a GLUE data catalog other than the default `AwsDataCatalog` must be run on Athena engine version 2.\n- In Regions where Athena engine version 2 is not available, creating new GLUE data catalogs results in an `INVALID_INPUT` error.", + "markdownDescription": "Specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.\n\n- The `HIVE` data catalog type uses the following syntax. The `metadata-function` parameter is required. `The sdk-version` parameter is optional and defaults to the currently supported version.\n\n`metadata-function= *lambda_arn* , sdk-version= *version_number*`\n- The `LAMBDA` data catalog type uses one of the following sets of required parameters, but not both.\n\n- When one Lambda function processes metadata and another Lambda function reads data, the following syntax is used. Both parameters are required.\n\n`metadata-function= *lambda_arn* , record-function= *lambda_arn*`\n- A composite Lambda function that processes both metadata and data uses the following syntax.\n\n`function= *lambda_arn*`\n- The `GLUE` type takes a catalog ID parameter and is required. The `*catalog_id*` is the account ID of the AWS account to which the Glue catalog belongs.\n\n`catalog-id= *catalog_id*`\n\n- The `GLUE` data catalog type also applies to the default `AwsDataCatalog` that already exists in your account, of which you can have only one and cannot modify.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -21326,7 +21348,7 @@ "additionalProperties": false, "properties": { "KmsKey": { - "markdownDescription": "The KMS key that is used to encrypt the user's data stores in Athena.", + "markdownDescription": "The customer managed KMS key that is used to encrypt the user's data stores in Athena.", "title": "KmsKey", "type": "string" } @@ -21530,7 +21552,7 @@ "title": "Scope" }, "Status": { - "markdownDescription": "The overall status of the assessment.\n\nWhen you create a new assessment, the initial `Status` value is always `ACTIVE` . When you create an assessment, even if you specify the value as `INACTIVE` , the value overrides to `ACTIVE` .\n\nAfter you create an assessment, you can change the value of the `Status` property at any time. For example, when you want to stop collecting evidence for your assessment, you can change the assessment status to `INACTIVE` .", + "markdownDescription": "The overall status of the assessment.", "title": "Status", "type": "string" }, @@ -21637,7 +21659,7 @@ "type": "string" }, "CreatedBy": { - "markdownDescription": "The user or role that created the delegation.\n\n*Minimum* : `1`\n\n*Maximum* : `100`\n\n*Pattern* : `^[a-zA-Z0-9-_()\\\\[\\\\]\\\\s]+$`", + "markdownDescription": "The user or role that created the delegation.", "title": "CreatedBy", "type": "string" }, @@ -22239,7 +22261,7 @@ "type": "string" }, "Version": { - "markdownDescription": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html#aws-properties-as-group--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource.", + "markdownDescription": "The version number of the launch template.\n\nSpecifying `$Latest` or `$Default` for the template version number is not supported. However, you can specify `LatestVersionNumber` or `DefaultVersionNumber` using the `Fn::GetAtt` intrinsic function. For more information, see [Fn::GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) .\n\n> For an example of using the `Fn::GetAtt` function, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-autoscaling-autoscalinggroup.html#aws-resource-autoscaling-autoscalinggroup--examples) section of the `AWS::AutoScaling::AutoScalingGroup` resource.", "title": "Version", "type": "string" } @@ -23807,7 +23829,7 @@ "title": "CustomizedLoadMetricSpecification" }, "DisableDynamicScaling": { - "markdownDescription": "Controls whether dynamic scaling by AWS Auto Scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", + "markdownDescription": "Controls whether dynamic scaling is disabled. When dynamic scaling is enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target tracking configurations.\n\nThe default is enabled ( `false` ).", "title": "DisableDynamicScaling", "type": "boolean" }, @@ -23852,7 +23874,7 @@ "type": "string" }, "ScalingPolicyUpdateBehavior": { - "markdownDescription": "Controls whether your scaling policies that are external to AWS Auto Scaling are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", + "markdownDescription": "Controls whether a resource's externally created scaling policies are deleted and new target tracking scaling policies created. The default value is `KeepExternalPolicies` .\n\nValid only when configuring dynamic scaling.", "title": "ScalingPolicyUpdateBehavior", "type": "string" }, @@ -24128,6 +24150,8 @@ "type": "string" }, "ScheduleExpressionTimezone": { + "markdownDescription": "", + "title": "ScheduleExpressionTimezone", "type": "string" }, "StartWindowMinutes": { @@ -24685,7 +24709,7 @@ }, "ControlScope": { "$ref": "#/definitions/AWS::Backup::Framework.ControlScope", - "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans. For more information, see [`ControlScope` .](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_ControlScope.html)", + "markdownDescription": "The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans.", "title": "ControlScope" } }, @@ -25076,7 +25100,7 @@ "additionalProperties": false, "properties": { "AllocationStrategy": { - "markdownDescription": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n\nWith both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", + "markdownDescription": "The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. This might be because of availability of the instance type in the Region or [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) . For more information, see [Allocation strategies](https://docs.aws.amazon.com/batch/latest/userguide/allocation-strategies.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing the allocation strategy requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* . `BEST_FIT` is not supported when updating a compute environment.\n\n> This parameter isn't applicable to jobs that are running on Fargate resources, and shouldn't be specified. \n\n- **BEST_FIT (default)** - AWS Batch selects an instance type that best fits the needs of the jobs with a preference for the lowest-cost instance type. If additional instances of the selected instance type aren't available, AWS Batch waits for the additional instances to be available. If there aren't enough instances available, or if the user is reaching [Amazon EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) then additional jobs aren't run until the currently running jobs have completed. This allocation strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with `BEST_FIT` then the Spot Fleet IAM role must be specified.\n- **BEST_FIT_PROGRESSIVE** - AWS Batch will select additional instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types with a lower cost per unit vCPU. If additional instances of the previously selected instance types aren't available, AWS Batch will select new instance types.\n- **SPOT_CAPACITY_OPTIMIZED** - AWS Batch will select one or more instance types that are large enough to meet the requirements of the jobs in the queue, with a preference for instance types that are less likely to be interrupted. This allocation strategy is only available for Spot Instance compute resources.\n- **SPOT_PRICE_CAPACITY_OPTIMIZED** - The price and capacity optimized allocation strategy looks at both price and capacity to select the Spot Instance pools that are the least likely to be interrupted and have the lowest possible price. This allocation strategy is only available for Spot Instance compute resources.\n\n> We recommend that you use `SPOT_PRICE_CAPACITY_OPTIMIZED` rather than `SPOT_CAPACITY_OPTIMIZED` in most instances.\n\nWith `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` , and `SPOT_PRICE_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to go above `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "title": "AllocationStrategy", "type": "string" }, @@ -25109,7 +25133,7 @@ "type": "string" }, "InstanceRole": { - "markdownDescription": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", + "markdownDescription": "The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. Required for Amazon EC2 instances. You can specify the short name or full Amazon Resource Name (ARN) of an instance profile. For example, `*ecsInstanceRole*` or `arn:aws:iam:: ** :instance-profile/ *ecsInstanceRole*` . For more information, see [Amazon ECS instance role](https://docs.aws.amazon.com/batch/latest/userguide/instance_IAM_role.html) in the *AWS Batch User Guide* .\n\nWhen updating a compute environment, changing this setting requires an infrastructure update of the compute environment. For more information, see [Updating compute environments](https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html) in the *AWS Batch User Guide* .\n\n> This parameter isn't applicable to jobs that are running on Fargate resources. Don't specify it.", "title": "InstanceRole", "type": "string" }, @@ -25127,7 +25151,7 @@ "title": "LaunchTemplate" }, "MaxvCpus": { - "markdownDescription": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With both `BEST_FIT_PROGRESSIVE` and `SPOT_CAPACITY_OPTIMIZED` allocation strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance. That is, no more than a single instance from among those specified in your compute environment.", + "markdownDescription": "The maximum number of Amazon EC2 vCPUs that an environment can reach.\n\n> With `BEST_FIT_PROGRESSIVE` , `SPOT_CAPACITY_OPTIMIZED` and `SPOT_PRICE_CAPACITY_OPTIMIZED` (recommended) strategies using On-Demand or Spot Instances, and the `BEST_FIT` strategy using Spot Instances, AWS Batch might need to exceed `maxvCpus` to meet your capacity requirements. In this event, AWS Batch never exceeds `maxvCpus` by more than a single instance.", "title": "MaxvCpus", "type": "number" }, @@ -25205,7 +25229,7 @@ "type": "string" }, "ImageType": { - "markdownDescription": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.", + "markdownDescription": "The image type to match with the instance type to select an AMI. The supported values are different for `ECS` and `EKS` resources.\n\n- **ECS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon ECS-optimized Amazon Linux 2 AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) ( `ECS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon ECS optimized AMI for that image type that's supported by AWS Batch is used.\n\n- **ECS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#al2ami) : Default for all non-GPU instance families.\n- **ECS_AL2_NVIDIA** - [Amazon Linux 2 (GPU)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#gpuami) : Default for all GPU instance families (for example `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.\n- **ECS_AL2023** - [Amazon Linux 2023](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) : AWS Batch supports Amazon Linux 2023.\n\n> Amazon Linux 2023 does not support `A1` instances.\n- **ECS_AL1** - [Amazon Linux](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html#alami) . Amazon Linux has reached the end-of-life of standard support. For more information, see [Amazon Linux AMI](https://docs.aws.amazon.com/amazon-linux-ami/) .\n- **EKS** - If the `imageIdOverride` parameter isn't specified, then a recent [Amazon EKS-optimized Amazon Linux AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) ( `EKS_AL2` ) is used. If a new image type is specified in an update, but neither an `imageId` nor a `imageIdOverride` parameter is specified, then the latest Amazon EKS optimized AMI for that image type that AWS Batch supports is used.\n\n- **EKS_AL2** - [Amazon Linux 2](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all non-GPU instance families.\n- **EKS_AL2_NVIDIA** - [Amazon Linux 2 (accelerated)](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html) : Default for all GPU instance families (for example, `P4` and `G4` ) and can be used for all non AWS Graviton-based instance types.", "title": "ImageType", "type": "string" } @@ -25448,7 +25472,7 @@ "title": "FargatePlatformConfiguration" }, "Image": { - "markdownDescription": "The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", + "markdownDescription": "Required. The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with `*repository-url* / *image* : *tag*` . It can be 255 characters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), underscores (_), colons (:), periods (.), forward slashes (/), and number signs (#). This parameter maps to `Image` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/#create-a-container) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.23/) and the `IMAGE` parameter of [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/) .\n\n> Docker image architecture must match the processor architecture of the compute resources that they're scheduled on. For example, ARM-based Docker images can only run on ARM-based compute resources. \n\n- Images in Amazon ECR Public repositories use the full `registry/repository[:tag]` or `registry/repository[@digest]` naming conventions. For example, `public.ecr.aws/ *registry_alias* / *my-web-app* : *latest*` .\n- Images in Amazon ECR repositories use the full registry and repository URI (for example, `123456789012.dkr.ecr..amazonaws.com/` ).\n- Images in official repositories on Docker Hub use a single name (for example, `ubuntu` or `mongo` ).\n- Images in other repositories on Docker Hub are qualified with an organization name (for example, `amazon/amazon-ecs-agent` ).\n- Images in other online repositories are qualified further by a domain name (for example, `quay.io/assemblyline/ubuntu` ).", "title": "Image", "type": "string" }, @@ -25509,7 +25533,9 @@ "type": "array" }, "RuntimePlatform": { - "$ref": "#/definitions/AWS::Batch::JobDefinition.RuntimePlatform" + "$ref": "#/definitions/AWS::Batch::JobDefinition.RuntimePlatform", + "markdownDescription": "An object that represents the compute environment architecture for AWS Batch jobs on Fargate.", + "title": "RuntimePlatform" }, "Secrets": { "items": { @@ -25658,7 +25684,7 @@ }, "SecurityContext": { "$ref": "#/definitions/AWS::Batch::JobDefinition.EksContainerSecurityContext", - "markdownDescription": "", + "markdownDescription": "The security context for a job. For more information, see [Configure a security context for a pod or container](https://docs.aws.amazon.com/https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) in the *Kubernetes documentation* .", "title": "SecurityContext" }, "VolumeMounts": { @@ -26159,9 +26185,13 @@ "additionalProperties": false, "properties": { "CpuArchitecture": { + "markdownDescription": "The vCPU architecture. The default value is `X86_64` . Valid values are `X86_64` and `ARM64` .\n\n> This parameter must be set to `X86_64` for Windows containers. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "title": "CpuArchitecture", "type": "string" }, "OperatingSystemFamily": { + "markdownDescription": "The operating system for the compute environment. Valid values are: `LINUX` (default), `WINDOWS_SERVER_2019_CORE` , `WINDOWS_SERVER_2019_FULL` , `WINDOWS_SERVER_2022_CORE` , and `WINDOWS_SERVER_2022_FULL` .\n\n> The following parameters can\u2019t be set for Windows containers: `linuxParameters` , `privileged` , `user` , `ulimits` , `readonlyRootFilesystem` , and `efsVolumeConfiguration` . > The AWS Batch Scheduler checks the compute environments that are attached to the job queue before registering a task definition with Fargate. In this scenario, the job queue is where the job is submitted. If the job requires a Windows container and the first compute environment is `LINUX` , the compute environment is skipped and the next compute environment is checked until a Windows-based compute environment is found. > Fargate Spot is not supported for `ARM64` and Windows-based containers on Fargate. A job queue will be blocked if a Fargate `ARM64` or Windows job is submitted to a job queue with only Fargate Spot compute environments. However, you can attach both `FARGATE` and `FARGATE_SPOT` compute environments to the same job queue.", + "title": "OperatingSystemFamily", "type": "string" } }, @@ -26235,7 +26265,7 @@ "type": "number" }, "Name": { - "markdownDescription": "The `type` of the `ulimit` .", + "markdownDescription": "The `type` of the `ulimit` . Valid values are: `core` | `cpu` | `data` | `fsize` | `locks` | `memlock` | `msgqueue` | `nice` | `nofile` | `nproc` | `rss` | `rtprio` | `rttime` | `sigpending` | `stack` .", "title": "Name", "type": "string" }, @@ -26562,7 +26592,7 @@ "properties": { "AccountGrouping": { "$ref": "#/definitions/AWS::BillingConductor::BillingGroup.AccountGrouping", - "markdownDescription": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated family.", + "markdownDescription": "The set of accounts that will be under the billing group. The set of accounts resemble the linked accounts in a consolidated billing family.", "title": "AccountGrouping" }, "ComputationPreference": { @@ -26589,7 +26619,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "A map that contains tag keys and tag values that are attached to a billing group.", "title": "Tags", "type": "array" } @@ -26627,6 +26657,8 @@ "additionalProperties": false, "properties": { "AutoAssociate": { + "markdownDescription": "Specifies if this billing group will automatically associate newly added AWS accounts that join your consolidated billing family.", + "title": "AutoAssociate", "type": "boolean" }, "LinkedAccountIds": { @@ -26781,6 +26813,8 @@ "items": { "$ref": "#/definitions/AWS::BillingConductor::CustomLineItem.LineItemFilter" }, + "markdownDescription": "A representation of the line item filter.", + "title": "LineItemFilters", "type": "array" }, "Percentage": { @@ -26839,15 +26873,21 @@ "additionalProperties": false, "properties": { "Attribute": { + "markdownDescription": "The attribute of the line item filter. This specifies what attribute that you can filter on.", + "title": "Attribute", "type": "string" }, "MatchOption": { + "markdownDescription": "The match criteria of the line item filter. This parameter specifies whether not to include the resource value from the billing group total cost.", + "title": "MatchOption", "type": "string" }, "Values": { "items": { "type": "string" }, + "markdownDescription": "The values of the line item filter. This specifies the values to filter on. Currently, you can only exclude Savings Plan discounts.", + "title": "Values", "type": "array" } }, @@ -27087,7 +27127,7 @@ "properties": { "FreeTier": { "$ref": "#/definitions/AWS::BillingConductor::PricingRule.FreeTier", - "markdownDescription": "", + "markdownDescription": "The possible AWS Free Tier configurations.", "title": "FreeTier" } }, @@ -27211,7 +27251,7 @@ "type": "string" }, "CostFilters": { - "markdownDescription": "The cost filters, such as `Region` , `Service` , `member account` , `Tag` , or `Cost Category` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", + "markdownDescription": "The cost filters, such as `Region` , `Service` , `LinkedAccount` , `Tag` , or `CostCategory` , that are applied to a budget.\n\nAWS Budgets supports the following services as a `Service` filter for RI budgets:\n\n- Amazon EC2\n- Amazon Redshift\n- Amazon Relational Database Service\n- Amazon ElastiCache\n- Amazon OpenSearch Service", "title": "CostFilters", "type": "object" }, @@ -27380,7 +27420,7 @@ "type": "number" }, "Unit": { - "markdownDescription": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as USD or GBP.", + "markdownDescription": "The unit of measurement that's used for the budget forecast, actual spend, or budget threshold.", "title": "Unit", "type": "string" } @@ -28638,6 +28678,8 @@ "type": "array" }, "KeyAlgorithm": { + "markdownDescription": "Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the AWS service where you plan to deploy your certificate. For more information about selecting an algorithm, see [Key algorithms](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms) .\n\n> Algorithms supported for an ACM certificate request include:\n> \n> - `RSA_2048`\n> - `EC_prime256v1`\n> - `EC_secp384r1`\n> \n> Other listed algorithms are for imported certificates only. > When you request a private PKI certificate signed by a CA from AWS Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key. \n\nDefault: RSA_2048", + "title": "KeyAlgorithm", "type": "string" }, "SubjectAlternativeNames": { @@ -28784,7 +28826,7 @@ "type": "string" }, "TeamsChannelId": { - "markdownDescription": "The ID of the Microsoft Teams channel.\n\nTo get the channel ID, open Microsoft Teams, right click on the channel name in the left pane, then choose Copy. An example of the channel ID syntax is: `19%3ab6ef35dc342d56ba5654e6fc6d25a071%40thread.tacv2` .", + "markdownDescription": "", "title": "TeamsChannelId", "type": "string" }, @@ -28979,27 +29021,41 @@ "items": { "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisParameter" }, + "markdownDescription": "The parameters of the analysis template.", + "title": "AnalysisParameters", "type": "array" }, "Description": { + "markdownDescription": "The description of the analysis template.", + "title": "Description", "type": "string" }, "Format": { + "markdownDescription": "The format of the analysis template.", + "title": "Format", "type": "string" }, "MembershipIdentifier": { + "markdownDescription": "The identifier for a membership resource.", + "title": "MembershipIdentifier", "type": "string" }, "Name": { + "markdownDescription": "The name of the analysis template.", + "title": "Name", "type": "string" }, "Source": { - "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisSource" + "$ref": "#/definitions/AWS::CleanRooms::AnalysisTemplate.AnalysisSource", + "markdownDescription": "The source of the analysis template.", + "title": "Source" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An optional label that you can assign to a resource when you create it. Each tag consists of a key and an optional value, both of which you define. When you use tagging, you can also use tag-based access control in IAM policies to control access to this resource.", + "title": "Tags", "type": "array" } }, @@ -29036,12 +29092,18 @@ "additionalProperties": false, "properties": { "DefaultValue": { + "markdownDescription": "Optional. The default value that is applied in the analysis template. The member who can query can override this value in the query editor.", + "title": "DefaultValue", "type": "string" }, "Name": { + "markdownDescription": "The name of the parameter. The name must use only alphanumeric, underscore (_), or hyphen (-) characters but cannot start or end with a hyphen.", + "title": "Name", "type": "string" }, "Type": { + "markdownDescription": "The type of parameter.", + "title": "Type", "type": "string" } }, @@ -29058,6 +29120,8 @@ "items": { "type": "string" }, + "markdownDescription": "The tables referenced in the analysis schema.", + "title": "ReferencedTables", "type": "array" } }, @@ -29070,6 +29134,8 @@ "additionalProperties": false, "properties": { "Text": { + "markdownDescription": "The query text.", + "title": "Text", "type": "string" } }, @@ -29122,7 +29188,7 @@ "items": { "type": "string" }, - "markdownDescription": "The abilities granted to the collaboration creator.", + "markdownDescription": "The abilities granted to the collaboration creator.\n\n*Allowed values* `CAN_QUERY` | `CAN_RECEIVE_RESULTS`", "title": "CreatorMemberAbilities", "type": "array" }, @@ -29230,7 +29296,7 @@ "additionalProperties": false, "properties": { "AccountId": { - "markdownDescription": "The identifier used to reference members of the collaboration. Currently only supports AWS account ID.", + "markdownDescription": "The identifier used to reference members of the collaboration. Currently only supports ID.", "title": "AccountId", "type": "string" }, @@ -29422,7 +29488,7 @@ "title": "Policy" }, "Type": { - "markdownDescription": "The type of analysis rule. Valid values are `AGGREGATION` and `LIST`.", + "markdownDescription": "The type of analysis rule.", "title": "Type", "type": "string" } @@ -29506,12 +29572,16 @@ "items": { "type": "string" }, + "markdownDescription": "The analysis templates that are allowed by the custom analysis rule.", + "title": "AllowedAnalyses", "type": "array" }, "AllowedAnalysisProviders": { "items": { "type": "string" }, + "markdownDescription": "The accounts that are allowed to query by the custom analysis rule. Required when `allowedAnalyses` is `ANY_QUERY` .", + "title": "AllowedAnalysisProviders", "type": "array" } }, @@ -29527,7 +29597,7 @@ "items": { "type": "string" }, - "markdownDescription": "Which logical operators (if any) are to be used in an INNER JOIN match condition. Default is `AND` .", + "markdownDescription": "The logical operators (if any) that are to be used in an INNER JOIN match condition. Default is `AND` .", "title": "AllowedJoinOperators", "type": "array" }, @@ -29577,7 +29647,9 @@ "title": "Aggregation" }, "Custom": { - "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleCustom" + "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleCustom", + "markdownDescription": "Analysis rule type that enables custom SQL queries on a configured table.", + "title": "Custom" }, "List": { "$ref": "#/definitions/AWS::CleanRooms::ConfiguredTable.AnalysisRuleList", @@ -29760,7 +29832,9 @@ "type": "string" }, "DefaultResultConfiguration": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryResultConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryResultConfiguration", + "markdownDescription": "The default protected query result configuration as specified by the member who can receive results.", + "title": "DefaultResultConfiguration" }, "QueryLogStatus": { "markdownDescription": "An indicator as to whether query logging has been enabled or disabled for the collaboration.", @@ -29807,7 +29881,9 @@ "additionalProperties": false, "properties": { "S3": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.ProtectedQueryS3OutputConfiguration", + "markdownDescription": "Required configuration for a protected query with an `S3` output type.", + "title": "S3" } }, "required": [ @@ -29819,9 +29895,13 @@ "additionalProperties": false, "properties": { "OutputConfiguration": { - "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration" + "$ref": "#/definitions/AWS::CleanRooms::Membership.MembershipProtectedQueryOutputConfiguration", + "markdownDescription": "Configuration for protected query results.", + "title": "OutputConfiguration" }, "RoleArn": { + "markdownDescription": "The unique ARN for an IAM role that is used by to write protected query results to the result location, given by the member who can receive results.", + "title": "RoleArn", "type": "string" } }, @@ -29834,12 +29914,18 @@ "additionalProperties": false, "properties": { "Bucket": { + "markdownDescription": "The S3 bucket to unload the protected query results.", + "title": "Bucket", "type": "string" }, "KeyPrefix": { + "markdownDescription": "The S3 prefix to unload the protected query results.", + "title": "KeyPrefix", "type": "string" }, "ResultFormat": { + "markdownDescription": "Intended file format of the result.", + "title": "ResultFormat", "type": "string" } }, @@ -29900,7 +29986,7 @@ "type": "string" }, "ImageId": { - "markdownDescription": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nThe default AMI is used if the parameter isn't explicitly assigned a value in the request.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`", + "markdownDescription": "The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. To choose an AMI for the instance, you must specify a valid AMI alias or a valid AWS Systems Manager path.\n\nFrom November 20, 2023, you will be required to include the `imageId` parameter for the `CreateEnvironmentEC2` action. This change will be reflected across all direct methods of communicating with the API, such as AWS SDK, AWS CLI and AWS CloudFormation. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nFrom January 22, 2024, Amazon Linux (AL1) will be removed from the list of available image IDs for Cloud9. This is necessary as AL1 will reach the end of maintenance support in December 2023, and as a result will no longer receive security updates. We recommend using Amazon Linux 2 as the new AMI to create your environment as it is fully supported. This change will only affect direct API consumers, and not AWS Cloud9 console users.\n\nSince Ubuntu 18.04 has ended standard support as of May 31, 2023, we recommend you choose Ubuntu 22.04.\n\n*AMI aliases*\n\n- *Amazon Linux (default): `amazonlinux-1-x86_64`*\n- Amazon Linux 2: `amazonlinux-2-x86_64`\n- Ubuntu 18.04: `ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `ubuntu-22.04-x86_64`\n\n*SSM paths*\n\n- *Amazon Linux (default): `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-1-x86_64`*\n- Amazon Linux 2: `resolve:ssm:/aws/service/cloud9/amis/amazonlinux-2-x86_64`\n- Ubuntu 18.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-18.04-x86_64`\n- Ubuntu 22.04: `resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64`", "title": "ImageId", "type": "string" }, @@ -31068,7 +31154,7 @@ "type": "array" }, "StackSetName": { - "markdownDescription": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n*Maximum* : `128`\n\n*Pattern* : `^[a-zA-Z][a-zA-Z0-9-]{0,127}$`\n\n> The `StackSetName` property is required.", + "markdownDescription": "The name to associate with the stack set. The name must be unique in the Region where you create your stack set.\n\n> The `StackSetName` property is required.", "title": "StackSetName", "type": "string" }, @@ -31076,17 +31162,17 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The key-value pairs to associate with this stack set and the stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the stacks. A maximum number of 50 tags can be specified.", + "markdownDescription": "Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.\n\nIf you don't specify this parameter, AWS CloudFormation doesn't modify the stack's tags. If you specify an empty value, AWS CloudFormation removes all associated tags.", "title": "Tags", "type": "array" }, "TemplateBody": { - "markdownDescription": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.\n\n*Minimum* : `1`\n\n*Maximum* : `51200`", + "markdownDescription": "The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both. Dynamic references in the `TemplateBody` may not work correctly in all cases. It's recommended to pass templates containing dynamic references through `TemplateUrl` instead.", "title": "TemplateBody", "type": "string" }, "TemplateURL": { - "markdownDescription": "Location of file containing the template body. The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket.\n\nYou must include either `TemplateURL` or `TemplateBody` in a StackSet, but you can't use both.\n\n*Minimum* : `1`\n\n*Maximum* : `1024`", + "markdownDescription": "Location of file containing the template body. The URL must point to a template that's located in an Amazon S3 bucket or a Systems Manager document. For more information, go to [Template Anatomy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html) in the AWS CloudFormation User Guide.\n\nConditional: You must specify only one of the following parameters: `TemplateBody` , `TemplateURL` .", "title": "TemplateURL", "type": "string" } @@ -31151,6 +31237,8 @@ "type": "array" }, "AccountsUrl": { + "markdownDescription": "Returns the value of the `AccountsUrl` property.", + "title": "AccountsUrl", "type": "string" }, "OrganizationalUnitIds": { @@ -31892,10 +31980,14 @@ "type": "boolean" }, "SingleHeaderPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleHeaderPolicyConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleHeaderPolicyConfig", + "markdownDescription": "This configuration determines which HTTP requests are sent to the staging distribution. If the HTTP request contains a header and value that matches what you specify here, the request is sent to the staging distribution. Otherwise the request is sent to the primary distribution.", + "title": "SingleHeaderPolicyConfig" }, "SingleWeightPolicyConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleWeightPolicyConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SingleWeightPolicyConfig", + "markdownDescription": "This configuration determines the percentage of HTTP requests that are sent to the staging distribution.", + "title": "SingleWeightPolicyConfig" }, "StagingDistributionDnsNames": { "items": { @@ -31911,6 +32003,8 @@ "title": "TrafficConfig" }, "Type": { + "markdownDescription": "The type of traffic configuration.", + "title": "Type", "type": "string" } }, @@ -31964,9 +32058,13 @@ "additionalProperties": false, "properties": { "Header": { + "markdownDescription": "", + "title": "Header", "type": "string" }, "Value": { + "markdownDescription": "", + "title": "Value", "type": "string" } }, @@ -31999,9 +32097,13 @@ "additionalProperties": false, "properties": { "SessionStickinessConfig": { - "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SessionStickinessConfig" + "$ref": "#/definitions/AWS::CloudFront::ContinuousDeploymentPolicy.SessionStickinessConfig", + "markdownDescription": "", + "title": "SessionStickinessConfig" }, "Weight": { + "markdownDescription": "", + "title": "Weight", "type": "number" } }, @@ -33015,7 +33117,7 @@ "type": "string" }, "CloudFrontDefaultCertificate": { - "markdownDescription": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), set this field to `false` and specify values for the following fields:\n\n- `ACMCertificateArn` or `IAMCertificateId` (specify a value for one, not both)\n\nIn CloudFormation, these field names are `AcmCertificateArn` and `IamCertificateId` . Note the different capitalization.\n- `MinimumProtocolVersion`\n- `SSLSupportMethod` (In CloudFormation, this field name is `SslSupportMethod` . Note the different capitalization.)", + "markdownDescription": "If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` , set this field to `true` .\n\nIf the distribution uses `Aliases` (alternate domain names or CNAMEs), omit this field and specify values for the following fields:\n\n- `AcmCertificateArn` or `IamCertificateId` (specify a value for one, not both)\n- `MinimumProtocolVersion`\n- `SslSupportMethod`", "title": "CloudFrontDefaultCertificate", "type": "boolean" }, @@ -34792,7 +34894,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "title": "Field", "type": "string" }, @@ -34951,7 +35053,7 @@ "type": "array" }, "CloudWatchLogsLogGroupArn": { - "markdownDescription": "Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. You must use a log group that exists in your account.\n\nNot required unless you specify `CloudWatchLogsRoleArn` .", + "markdownDescription": "Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. You must use a log group that exists in your account.\n\nNot required unless you specify `CloudWatchLogsRoleArn` .\n\n> Only the management account can configure a CloudWatch Logs log group for an organization trail.", "title": "CloudWatchLogsLogGroupArn", "type": "string" }, @@ -34969,7 +35071,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.EventSelector" }, - "markdownDescription": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nFor more information about how to configure event selectors, see [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#aws-resource-cloudtrail-trail--examples) and [Configuring event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-additional-cli-commands.html#configuring-event-selector-examples) in the *AWS CloudTrail User Guide* .", + "markdownDescription": "Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.\n\nYou can configure up to five event selectors for a trail.\n\nYou cannot apply both event selectors and advanced event selectors to a trail.", "title": "EventSelectors", "type": "array" }, @@ -34997,7 +35099,7 @@ "type": "boolean" }, "IsOrganizationTrail": { - "markdownDescription": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account or delegated administrator account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.", + "markdownDescription": "Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account . The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to `true` , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false` , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.\n\n> Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.", "title": "IsOrganizationTrail", "type": "boolean" }, @@ -35104,7 +35206,7 @@ "type": "array" }, "Field": { - "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set only to `NotEquals` `kms.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", + "markdownDescription": "A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported.\n\nFor CloudTrail event records, supported fields include `readOnly` , `eventCategory` , `eventSource` (for management events), `eventName` , `resources.type` , and `resources.ARN` .\n\nFor event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is `eventCategory` .\n\n- *`readOnly`* - Optional. Can be set to `Equals` a value of `true` or `false` . If you do not add this field, CloudTrail logs both `read` and `write` events. A value of `true` logs only `read` events. A value of `false` logs only `write` events.\n- *`eventSource`* - For filtering management events only. This can be set to `NotEquals` `kms.amazonaws.com` or `NotEquals` `rdsdata.amazonaws.com` .\n- *`eventName`* - Can use any operator. You can use it to \ufb01lter in or \ufb01lter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock` . You can have multiple values for this \ufb01eld, separated by commas.\n- *`eventCategory`* - This is required and must be set to `Equals` .\n\n- For CloudTrail event records, the value must be `Management` or `Data` .\n- For AWS Config configuration items, the value must be `ConfigurationItem` .\n- For Audit Manager evidence, the value must be `Evidence` .\n- For non- AWS events, the value must be `ActivityAuditLog` .\n- *`resources.type`* - This \ufb01eld is required for CloudTrail data events. `resources.type` can only use the `Equals` operator, and the value can be one of the following:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`\n\nYou can have only one `resources.type` \ufb01eld per selector. To log data events on more than one resource type, add another selector.\n- *`resources.ARN`* - You can use any operator with `resources.ARN` , but if you use `Equals` or `NotEquals` , the value must exactly match the ARN of a valid resource of the type you've speci\ufb01ed in the template as the value of resources.type. For example, if resources.type equals `AWS::S3::Object` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value.\n\nThe trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.\n\n- `arn::s3:::/`\n- `arn::s3::://`\n\nWhen resources.type equals `AWS::DynamoDB::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table/`\n\nWhen resources.type equals `AWS::Lambda::Function` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::lambda:::function:`\n\nWhen resources.type equals `AWS::CloudTrail::Channel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cloudtrail:::channel/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Customization` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::customization/`\n\nWhen resources.type equals `AWS::CodeWhisperer::Profile` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::codewhisperer:::profile/`\n\nWhen resources.type equals `AWS::Cognito::IdentityPool` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::cognito-identity:::identitypool/`\n\nWhen `resources.type` equals `AWS::DynamoDB::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::dynamodb:::table//stream/`\n\nWhen `resources.type` equals `AWS::EC2::Snapshot` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ec2:::snapshot/`\n\nWhen `resources.type` equals `AWS::EMRWAL::Workspace` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::emrwal:::workspace/`\n\nWhen `resources.type` equals `AWS::FinSpace::Environment` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::finspace:::environment/`\n\nWhen `resources.type` equals `AWS::Glue::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::glue:::table//`\n\nWhen `resources.type` equals `AWS::GuardDuty::Detector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::guardduty:::detector/`\n\nWhen `resources.type` equals `AWS::KendraRanking::ExecutionPlan` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kendra-ranking:::rescore-execution-plan/`\n\nWhen `resources.type` equals `AWS::KinesisVideo::Stream` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::kinesisvideo:::stream/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Network` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::networks/`\n\nWhen `resources.type` equals `AWS::ManagedBlockchain::Node` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::managedblockchain:::nodes/`\n\nWhen `resources.type` equals `AWS::MedicalImaging::Datastore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::medical-imaging:::datastore/`\n\nWhen `resources.type` equals `AWS::PCAConnectorAD::Connector` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::pca-connector-ad:::connector/`\n\nWhen `resources.type` equals `AWS::SageMaker::Endpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::endpoint/`\n\nWhen `resources.type` equals `AWS::SageMaker::ExperimentTrialComponent` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::experiment-trial-component/`\n\nWhen `resources.type` equals `AWS::SageMaker::FeatureGroup` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sagemaker:::feature-group/`\n\nWhen `resources.type` equals `AWS::SNS::PlatformEndpoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::endpoint///`\n\nWhen `resources.type` equals `AWS::SNS::Topic` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::sns:::`\n\nWhen `resources.type` equals `AWS::S3::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don\u2019t include the object path, and use the `StartsWith` or `NotStartsWith` operators.\n\n- `arn::s3:::accesspoint/`\n- `arn::s3:::accesspoint//object/`\n\nWhen `resources.type` equals `AWS::S3ObjectLambda::AccessPoint` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-object-lambda:::accesspoint/`\n\nWhen `resources.type` equals `AWS::S3Outposts::Object` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::s3-outposts:::`\n\nWhen `resources.type` equals `AWS::SSMMessages::ControlChannel` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::ssmmessages:::control-channel/`\n\nWhen `resources.type` equals `AWS::Timestream::Database` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database/`\n\nWhen `resources.type` equals `AWS::Timestream::Table` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::timestream:::database//table/`\n\nWhen resources.type equals `AWS::VerifiedPermissions::PolicyStore` , and the operator is set to `Equals` or `NotEquals` , the ARN must be in the following format:\n\n- `arn::verifiedpermissions:::policy-store/`", "title": "Field", "type": "string" }, @@ -35150,7 +35252,7 @@ "additionalProperties": false, "properties": { "Type": { - "markdownDescription": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::S3::Object`\n- `AWS::Lambda::Function`\n- `AWS::DynamoDB::Table`", + "markdownDescription": "The resource type in which you want to log data events. You can specify the following *basic* event selector resource types:\n\n- `AWS::DynamoDB::Table`\n- `AWS::Lambda::Function`\n- `AWS::S3::Object`\n\nThe following resource types are also available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) .\n\n- `AWS::CloudTrail::Channel`\n- `AWS::CodeWhisperer::Customization`\n- `AWS::CodeWhisperer::Profile`\n- `AWS::Cognito::IdentityPool`\n- `AWS::DynamoDB::Stream`\n- `AWS::EC2::Snapshot`\n- `AWS::EMRWAL::Workspace`\n- `AWS::FinSpace::Environment`\n- `AWS::Glue::Table`\n- `AWS::GuardDuty::Detector`\n- `AWS::KendraRanking::ExecutionPlan`\n- `AWS::KinesisVideo::Stream`\n- `AWS::ManagedBlockchain::Network`\n- `AWS::ManagedBlockchain::Node`\n- `AWS::MedicalImaging::Datastore`\n- `AWS::PCAConnectorAD::Connector`\n- `AWS::SageMaker::Endpoint`\n- `AWS::SageMaker::ExperimentTrialComponent`\n- `AWS::SageMaker::FeatureGroup`\n- `AWS::SNS::PlatformEndpoint`\n- `AWS::SNS::Topic`\n- `AWS::S3::AccessPoint`\n- `AWS::S3ObjectLambda::AccessPoint`\n- `AWS::S3Outposts::Object`\n- `AWS::SSMMessages::ControlChannel`\n- `AWS::Timestream::Database`\n- `AWS::Timestream::Table`\n- `AWS::VerifiedPermissions::PolicyStore`", "title": "Type", "type": "string" }, @@ -35175,7 +35277,7 @@ "items": { "$ref": "#/definitions/AWS::CloudTrail::Trail.DataResource" }, - "markdownDescription": "In AWS CloudFormation , CloudTrail supports data event logging for Amazon S3 objects, Amazon DynamoDB tables, and AWS Lambda functions. Currently, advanced event selectors for data events are not supported in AWS CloudFormation templates. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", + "markdownDescription": "CloudTrail supports data event logging for Amazon S3 objects, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.\n\nFor more information, see [Data Events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Limits in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the *AWS CloudTrail User Guide* .", "title": "DataResources", "type": "array" }, @@ -36181,7 +36283,7 @@ "items": { "$ref": "#/definitions/AWS::CloudWatch::MetricStream.MetricStreamStatisticsConfiguration" }, - "markdownDescription": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", + "markdownDescription": "By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.\n\nFor each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's `OutputFormat` . If the `OutputFormat` is `json` , you can stream any additional statistic that is supported by CloudWatch , listed in [CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html) . If the `OutputFormat` is `opentelemetry0` .7, you can stream percentile statistics *(p??)* .", "title": "StatisticsConfigurations", "type": "array" }, @@ -36331,8 +36433,6 @@ "type": "string" }, "EncryptionKey": { - "markdownDescription": "The key used to encrypt the domain.", - "title": "EncryptionKey", "type": "string" }, "PermissionsPolicyDocument": { @@ -36421,8 +36521,6 @@ "type": "string" }, "DomainOwner": { - "markdownDescription": "The 12-digit account number of the AWS account that owns the domain that contains the repository. It does not include dashes or spaces.", - "title": "DomainOwner", "type": "string" }, "ExternalConnections": { @@ -36842,7 +36940,7 @@ "title": "RegistryCredential" }, "Type": { - "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific (Sydney), and EU (Frankfurt).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) , China (Beijing), and China (Ningxia).\n\n- The environment types `WINDOWS_CONTAINER` and `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", + "markdownDescription": "The type of build environment to use for related builds.\n\n- The environment type `ARM_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_CONTAINER` with compute type `build.general1.2xlarge` is available only in regions US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Hyderabad), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Spain), Europe (Stockholm), Europe (Zurich), Israel (Tel Aviv), Middle East (Bahrain), Middle East (UAE), and South America (S\u00e3o Paulo).\n- The environment type `LINUX_GPU_CONTAINER` is available only in regions US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing), China (Ningxia), Europe (Frankfurt), Europe (Ireland), and Europe (London).\n\n- The environment types `WINDOWS_SERVER_2019_CONTAINER` are available only in regions US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland).\n\nFor more information, see [Build environment compute types](https://docs.aws.amazon.com//codebuild/latest/userguide/build-env-ref-compute-types.html) in the *AWS CodeBuild user guide* .", "title": "Type", "type": "string" } @@ -36866,7 +36964,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs and secret access keys. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` .", + "markdownDescription": "The value of the environment variable.\n\n> We strongly discourage the use of `PLAINTEXT` environment variables to store sensitive values, especially AWS secret key IDs. `PLAINTEXT` environment variables can be displayed in plain text using the AWS CodeBuild console and the AWS CLI . For sensitive values, we recommend you use an environment variable of type `PARAMETER_STORE` or `SECRETS_MANAGER` .", "title": "Value", "type": "string" } @@ -38006,7 +38104,7 @@ "title": "OnPremisesTagSet" }, "OutdatedInstancesStrategy": { - "markdownDescription": "", + "markdownDescription": "Indicates what happens when new Amazon EC2 instances are launched mid-deployment and do not receive the deployed application revision.\n\nIf this option is set to `UPDATE` or is unspecified, CodeDeploy initiates one or more 'auto-update outdated instances' deployments to apply the deployed application revision to the new Amazon EC2 instances.\n\nIf this option is set to `IGNORE` , CodeDeploy does not initiate a deployment to update the new Amazon EC2 instances. This may result in instances having different revisions.", "title": "OutdatedInstancesStrategy", "type": "string" }, @@ -38019,7 +38117,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The metadata that you apply to CodeDeploy deployment groups to help you organize and categorize them. Each tag consists of a key and an optional value, both of which you define.", "title": "Tags", "type": "array" }, @@ -38324,7 +38422,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.ELBInfo" }, - "markdownDescription": "An array that contains information about the load balancer to use for load balancing in a deployment. In Elastic Load Balancing, load balancers are used with Classic Load Balancers.\n\n> Adding more than one load balancer to the array is not supported.", + "markdownDescription": "An array that contains information about the load balancers to use for load balancing in a deployment. If you're using Classic Load Balancers, specify those load balancers in this array.\n\n> You can add up to 10 load balancers to the array. > If you're using Application Load Balancers or Network Load Balancers, use the `targetGroupInfoList` array instead of this one.", "title": "ElbInfoList", "type": "array" }, @@ -38332,7 +38430,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupInfo" }, - "markdownDescription": "An array that contains information about the target group to use for load balancing in a deployment. In Elastic Load Balancing , target groups are used with Application Load Balancers .\n\n> Adding more than one target group to the array is not supported.", + "markdownDescription": "An array that contains information about the target groups to use for load balancing in a deployment. If you're using Application Load Balancers and Network Load Balancers, specify their associated target groups in this array.\n\n> You can add up to 10 target groups to the array. > If you're using Classic Load Balancers, use the `elbInfoList` array instead of this one.", "title": "TargetGroupInfoList", "type": "array" }, @@ -38340,7 +38438,7 @@ "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupPairInfo" }, - "markdownDescription": "", + "markdownDescription": "The target group pair information. This is an array of `TargeGroupPairInfo` objects with a maximum size of one.", "title": "TargetGroupPairInfoList", "type": "array" } @@ -38468,20 +38566,20 @@ "properties": { "ProdTrafficRoute": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TrafficRoute", - "markdownDescription": "", + "markdownDescription": "The path used by a load balancer to route production traffic when an Amazon ECS deployment is complete.", "title": "ProdTrafficRoute" }, "TargetGroups": { "items": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TargetGroupInfo" }, - "markdownDescription": "", + "markdownDescription": "One pair of target groups. One is associated with the original task set. The second is associated with the task set that serves traffic after the deployment is complete.", "title": "TargetGroups", "type": "array" }, "TestTrafficRoute": { "$ref": "#/definitions/AWS::CodeDeploy::DeploymentGroup.TrafficRoute", - "markdownDescription": "", + "markdownDescription": "An optional path used by a load balancer to route test traffic after an Amazon ECS deployment. Validation can occur while test traffic is served during a deployment.", "title": "TestTrafficRoute" } }, @@ -38494,7 +38592,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of one listener. The listener identifies the route between a target group and a load balancer. This is an array of strings with a maximum size of one.", "title": "ListenerArns", "type": "array" } @@ -40311,9 +40409,13 @@ "items": { "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.LogConfiguration" }, + "markdownDescription": "The detailed activity logging destination of a user pool.", + "title": "LogConfigurations", "type": "array" }, "UserPoolId": { + "markdownDescription": "The ID of the user pool where you configured detailed activity logging.", + "title": "UserPoolId", "type": "string" } }, @@ -40347,6 +40449,8 @@ "additionalProperties": false, "properties": { "LogGroupArn": { + "markdownDescription": "The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool.\n\nTo send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with `/aws/vendedlogs` . For more information, see [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) .", + "title": "LogGroupArn", "type": "string" } }, @@ -40356,12 +40460,18 @@ "additionalProperties": false, "properties": { "CloudWatchLogsConfiguration": { - "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.CloudWatchLogsConfiguration" + "$ref": "#/definitions/AWS::Cognito::LogDeliveryConfiguration.CloudWatchLogsConfiguration", + "markdownDescription": "The CloudWatch logging destination of a user pool detailed activity logging configuration.", + "title": "CloudWatchLogsConfiguration" }, "EventSource": { + "markdownDescription": "The source of events that your user pool sends for detailed activity logging.", + "title": "EventSource", "type": "string" }, "LogLevel": { + "markdownDescription": "The `errorlevel` selection of logs that a user pool sends for detailed activity logging.", + "title": "LogLevel", "type": "string" } }, @@ -40506,7 +40616,7 @@ }, "UserPoolAddOns": { "$ref": "#/definitions/AWS::Cognito::UserPool.UserPoolAddOns", - "markdownDescription": "Enables advanced security risk detection. Set the key `AdvancedSecurityMode` to the value \"AUDIT\".", + "markdownDescription": "User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .\n\nFor more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) .", "title": "UserPoolAddOns" }, "UserPoolName": { @@ -40673,7 +40783,7 @@ "type": "string" }, "SourceArn": { - "markdownDescription": "The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .", + "markdownDescription": "The ARN of a verified email address or an address from a verified domain in Amazon SES. You can set a `SourceArn` email from a verified domain only with an API request. You can set a verified email address, but not an address in a verified domain, in the Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:\n\n- If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.\n- If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.\n\nThe Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .", "title": "SourceArn", "type": "string" } @@ -40817,7 +40927,7 @@ "type": "boolean" }, "TemporaryPasswordValidityDays": { - "markdownDescription": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.", + "markdownDescription": "The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to `7` . If you submit a value of `0` , Amazon Cognito treats it as a null value and sets `TemporaryPasswordValidityDays` to its default value.\n\n> When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.", "title": "TemporaryPasswordValidityDays", "type": "number" } @@ -40855,7 +40965,7 @@ "additionalProperties": false, "properties": { "AttributeDataType": { - "markdownDescription": "The attribute data type.", + "markdownDescription": "The data format of the values for your attribute. When you choose an `AttributeDataType` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example `\"custom:isMember\" : \"true\"` or `\"custom:YearsAsMember\" : \"12\"` .", "title": "AttributeDataType", "type": "string" }, @@ -40865,12 +40975,12 @@ "type": "boolean" }, "Mutable": { - "markdownDescription": "Specifies whether the value of the attribute can be changed.\n\nFor any user pool attribute that is mapped to an IdP attribute, you must set this parameter to `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "markdownDescription": "Specifies whether the value of the attribute can be changed.\n\nAny user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", "title": "Mutable", "type": "boolean" }, "Name": { - "markdownDescription": "A schema attribute of the name type.", + "markdownDescription": "The name of your user pool attribute. When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a `Name` value of `MyAttribute` , Amazon Cognito creates the custom attribute `custom:MyAttribute` . When `DeveloperOnlyAttribute` is `true` , Amazon Cognito creates your attribute as `dev:MyAttribute` . In an operation that describes a user pool, Amazon Cognito returns this value as `value` for standard attributes, `custom:value` for custom attributes, and `dev:value` for developer-only attributes..", "title": "Name", "type": "string" }, @@ -40950,7 +41060,7 @@ "additionalProperties": false, "properties": { "AdvancedSecurityMode": { - "markdownDescription": "The advanced security mode.", + "markdownDescription": "The operating mode of advanced security features in your user pool.", "title": "AdvancedSecurityMode", "type": "string" } @@ -41053,7 +41163,7 @@ "type": "array" }, "AllowedOAuthFlowsUserPoolClient": { - "markdownDescription": "Set to true if the client is allowed to follow the OAuth protocol when interacting with Amazon Cognito user pools.", + "markdownDescription": "Set to `true` to use OAuth 2.0 features in your user pool app client.\n\n`AllowedOAuthFlowsUserPoolClient` must be `true` before you can configure the following features in your app client.\n\n- `CallBackURLs` : Callback URLs.\n- `LogoutURLs` : Sign-out redirect URLs.\n- `AllowedOAuthScopes` : OAuth 2.0 scopes.\n- `AllowedOAuthFlows` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants.\n\nTo use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false` .", "title": "AllowedOAuthFlowsUserPoolClient", "type": "boolean" }, @@ -41138,7 +41248,7 @@ "items": { "type": "string" }, - "markdownDescription": "The read attributes.", + "markdownDescription": "The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a [GetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html) API request to retrieve and display your user's profile data.\n\nWhen you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified` , `phone_number_verified` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.", "title": "ReadAttributes", "type": "array" }, @@ -41169,7 +41279,7 @@ "items": { "type": "string" }, - "markdownDescription": "The user pool attributes that the app client can write to.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", + "markdownDescription": "The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) API request and sets `family_name` to the new value.\n\nWhen you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.\n\nIf your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .", "title": "WriteAttributes", "type": "array" } @@ -42057,7 +42167,7 @@ "type": "string" }, "Username": { - "markdownDescription": "The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.", + "markdownDescription": "The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter.\n\n- The username can't be a duplicate of another username in the same user pool.\n- You can't change the value of a username after you create it.\n- You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases) .", "title": "Username", "type": "string" }, @@ -42065,7 +42175,7 @@ "items": { "$ref": "#/definitions/AWS::Cognito::UserPoolUser.AttributeType" }, - "markdownDescription": "The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.\n\nTo configure custom validation, you must create a Pre Sign-up AWS Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.\n\nThe user's validation data isn't persisted.", + "markdownDescription": "Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.\n\nYour Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.\n\nFor more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html) .", "title": "ValidationData", "type": "array" } @@ -42148,7 +42258,7 @@ "additionalProperties": false, "properties": { "GroupName": { - "markdownDescription": "The group name.", + "markdownDescription": "The name of the group that you want to add your user to.", "title": "GroupName", "type": "string" }, @@ -42158,7 +42268,7 @@ "type": "string" }, "Username": { - "markdownDescription": "The username for the user.", + "markdownDescription": "", "title": "Username", "type": "string" } @@ -42834,7 +42944,9 @@ "additionalProperties": false, "properties": { "Compliance": { - "$ref": "#/definitions/AWS::Config::ConfigRule.Compliance" + "$ref": "#/definitions/AWS::Config::ConfigRule.Compliance", + "markdownDescription": "Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.", + "title": "Compliance" }, "ConfigRuleName": { "markdownDescription": "A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .", @@ -42850,6 +42962,8 @@ "items": { "$ref": "#/definitions/AWS::Config::ConfigRule.EvaluationModeConfiguration" }, + "markdownDescription": "The modes the AWS Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.", + "title": "EvaluationModes", "type": "array" }, "InputParameters": { @@ -42903,6 +43017,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Indicates whether an AWS resource or AWS Config rule is compliant.\n\nA resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.\n\nA rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.\n\nAWS Config returns the `INSUFFICIENT_DATA` value when no evaluation results are available for the AWS resource or AWS Config rule.\n\nFor the `Compliance` data type, AWS Config supports only `COMPLIANT` , `NON_COMPLIANT` , and `INSUFFICIENT_DATA` values. AWS Config does not support the `NOT_APPLICABLE` value for the `Compliance` data type.", + "title": "Type", "type": "string" } }, @@ -42933,6 +43049,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of an evaluation. The valid values are Detective or Proactive.", + "title": "Mode", "type": "string" } }, @@ -43201,17 +43319,17 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "A name for the configuration recorder. If you don't specify a name, AWS CloudFormation CloudFormation generates a unique physical ID and uses that ID for the configuration recorder name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\n> After you create a configuration recorder, you cannot rename it. If you don't want a name that AWS CloudFormation generates, specify a value for this property. \n\nUpdates are not supported.", + "markdownDescription": "The name of the configuration recorder. AWS Config automatically assigns the name of \"default\" when creating the configuration recorder.\n\nYou cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.", "title": "Name", "type": "string" }, "RecordingGroup": { "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingGroup", - "markdownDescription": "Indicates whether to record configurations for all supported resources or for a list of resource types. The resource types that you list must be supported by AWS Config .", + "markdownDescription": "Specifies which resource types AWS Config records for configuration changes.\n\n> *High Number of AWS Config Evaluations*\n> \n> You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record.\n> \n> If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud ( Amazon EC2 ) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling . If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.", "title": "RecordingGroup" }, "RoleARN": { - "markdownDescription": "The Amazon Resource Name (ARN) of the IAM (IAM) role that is used to make read or write requests to the delivery channel that you specify and to get configuration details for supported AWS resources. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.", + "markdownDescription": "Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. For more information, see [Permissions for the IAM Role Assigned](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) to AWS Config in the AWS Config Developer Guide.\n\n> *Pre-existing AWS Config role*\n> \n> If you have used an AWS service that uses AWS Config , such as AWS Security Hub or AWS Control Tower , and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected.\n> \n> For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service ( Amazon S3 ) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config . Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config , see [*Identity and Access Management for AWS Config*](https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html) in the *AWS Config Developer Guide* .", "title": "RoleARN", "type": "string" } @@ -43249,6 +43367,8 @@ "items": { "type": "string" }, + "markdownDescription": "A comma-separated list of resource types to exclude from recording by the configuration recorder.", + "title": "ResourceTypes", "type": "array" } }, @@ -43261,26 +43381,30 @@ "additionalProperties": false, "properties": { "AllSupported": { - "markdownDescription": "Specifies whether AWS Config records configuration changes for all supported regional resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new type of regional resource, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .", + "markdownDescription": "Specifies whether AWS Config records configuration changes for all supported regionally recorded resource types.\n\nIf you set this field to `true` , when AWS Config adds support for a new regionally recorded resource type, AWS Config starts recording resources of that type automatically.\n\nIf you set this field to `true` , you cannot enumerate specific resource types to record in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , or to exclude in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Region Availability*\n> \n> Check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if a resource type is supported in the AWS Region where you set up AWS Config .", "title": "AllSupported", "type": "boolean" }, "ExclusionByResourceTypes": { - "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.ExclusionByResourceTypes" + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.ExclusionByResourceTypes", + "markdownDescription": "An object that specifies how AWS Config excludes resource types from being recorded by the configuration recorder.\n\nTo use this option, you must set the `useOnly` field of [AWS::Config::ConfigurationRecorder RecordingStrategy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` .", + "title": "ExclusionByResourceTypes" }, "IncludeGlobalResourceTypes": { - "markdownDescription": "Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.\n\nBefore you can set this option to `true` , you must set the `AllSupported` option to `true` .\n\nIf you set this option to `true` , when AWS Config adds support for a new type of global resource, it starts recording resources of that type automatically.\n\nThe configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.", + "markdownDescription": "This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by AWS Config in Regions where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n\n- Asia Pacific (Hyderabad)\n- Asia Pacific (Melbourne)\n- Europe (Spain)\n- Europe (Zurich)\n- Israel (Tel Aviv)\n- Middle East (UAE)\n\n> *Aurora global clusters are recorded in all enabled Regions*\n> \n> The `AWS::RDS::GlobalCluster` resource type will be recorded in all supported AWS Config Regions where the configuration recorder is enabled, even if `includeGlobalResourceTypes` is not set to `true` . The `includeGlobalResourceTypes` option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.\n> \n> If you do not want to record `AWS::RDS::GlobalCluster` in all enabled Regions, use one of the following recording strategies:\n> \n> - *Record all current and future resource types with exclusions* ( `EXCLUSION_BY_RESOURCE_TYPES` ), or\n> - *Record specific resource types* ( `INCLUSION_BY_RESOURCE_TYPES` ).\n> \n> For more information, see [Selecting Which Resources are Recorded](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all) in the *AWS Config developer guide* . > Before you set this field to `true` , set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` . > *Overriding fields*\n> \n> If you set this field to `false` but list global IAM resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the `includeGlobalResourceTypes` field to false.\n> \n> If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the `resourceTypes` field in addition to setting the `includeGlobalResourceTypes` field to false.", "title": "IncludeGlobalResourceTypes", "type": "boolean" }, "RecordingStrategy": { - "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy" + "$ref": "#/definitions/AWS::Config::ConfigurationRecorder.RecordingStrategy", + "markdownDescription": "An object that specifies the recording strategy for the configuration recorder.\n\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type.\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resources types and the resource exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "title": "RecordingStrategy" }, "ResourceTypes": { "items": { "type": "string" }, - "markdownDescription": "A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail` ).\n\nTo record all configuration changes, you must set the `AllSupported` option to `false` .\n\nIf you set the `AllSupported` option to false and populate the `ResourceTypes` option with values, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.\n\nFor a list of valid `resourceTypes` values, see the *resourceType Value* column in [Supported AWS Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) .", + "markdownDescription": "A comma-separated list that specifies which resource types AWS Config records.\n\nFor a list of valid `resourceTypes` values, see the *Resource Type Value* column in [Supported AWS resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n\n> *Required and optional fields*\n> \n> Optionally, you can set the `useOnly` field of [RecordingStrategy](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingStrategy.html) to `INCLUSION_BY_RESOURCE_TYPES` .\n> \n> To record all configuration changes, set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` , and either omit this field or don't specify any resource types in this field. If you set the `allSupported` field to `false` and specify values for `resourceTypes` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. > *Region availability*\n> \n> Before specifying a resource type for AWS Config to track, check [Resource Coverage by Region Availability](https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html) to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .", "title": "ResourceTypes", "type": "array" } @@ -43291,6 +43415,8 @@ "additionalProperties": false, "properties": { "UseOnly": { + "markdownDescription": "The recording strategy for the configuration recorder.\n\n- If you set this option to `ALL_SUPPORTED_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` . When AWS Config adds support for a new resource type, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources) in the *AWS Config developer guide* .\n- If you set this option to `INCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for only the resource types that you specify in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n- If you set this option to `EXCLUSION_BY_RESOURCE_TYPES` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) .\n\n> *Required and optional fields*\n> \n> The `recordingStrategy` field is optional when you set the `allSupported` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) to `true` .\n> \n> The `recordingStrategy` field is optional when you list resource types in the `resourceTypes` field of [RecordingGroup](https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html) .\n> \n> The `recordingStrategy` field is required if you list resource types to exclude from recording in the `resourceTypes` field of [ExclusionByResourceTypes](https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html) . > *Overriding fields*\n> \n> If you choose `EXCLUSION_BY_RESOURCE_TYPES` for the recording strategy, the `exclusionByResourceTypes` field will override other properties in the request.\n> \n> For example, even if you set `includeGlobalResourceTypes` to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the `resourceTypes` field of `exclusionByResourceTypes` . > *Global resource types and the exclusion recording strategy*\n> \n> By default, if you choose the `EXCLUSION_BY_RESOURCE_TYPES` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.\n> \n> Unless specifically listed as exclusions, `AWS::RDS::GlobalCluster` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled.\n> \n> IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where AWS Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by AWS Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:\n> \n> - Asia Pacific (Hyderabad)\n> - Asia Pacific (Melbourne)\n> - Europe (Spain)\n> - Europe (Zurich)\n> - Israel (Tel Aviv)\n> - Middle East (UAE)", + "title": "UseOnly", "type": "string" } }, @@ -43369,7 +43495,7 @@ }, "TemplateSSMDocumentDetails": { "$ref": "#/definitions/AWS::Config::ConformancePack.TemplateSSMDocumentDetails", - "markdownDescription": "", + "markdownDescription": "An object that contains the name or Amazon Resource Name (ARN) of the AWS Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack.", "title": "TemplateSSMDocumentDetails" } }, @@ -43588,7 +43714,7 @@ }, "OrganizationCustomPolicyRuleMetadata": { "$ref": "#/definitions/AWS::Config::OrganizationConfigRule.OrganizationCustomPolicyRuleMetadata", - "markdownDescription": "", + "markdownDescription": "An object that specifies metadata for your organization's AWS Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of AWS resource, and organization trigger types that initiate AWS Config to evaluate AWS resources against a rule.", "title": "OrganizationCustomPolicyRuleMetadata" }, "OrganizationCustomRuleMetadata": { @@ -43635,22 +43761,22 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of accounts that you can enable debug logging for your organization AWS Config Custom Policy rule. List is null when debug logging is enabled for all accounts.", "title": "DebugLogDeliveryAccounts", "type": "array" }, "Description": { - "markdownDescription": "", + "markdownDescription": "The description that you provide for your organization AWS Config Custom Policy rule.", "title": "Description", "type": "string" }, "InputParameters": { - "markdownDescription": "", + "markdownDescription": "A string, in JSON format, that is passed to your organization AWS Config Custom Policy rule.", "title": "InputParameters", "type": "string" }, "MaximumExecutionFrequency": { - "markdownDescription": "", + "markdownDescription": "The maximum frequency with which AWS Config runs evaluations for a rule. Your AWS Config Custom Policy rule is triggered when AWS Config delivers the configuration snapshot. For more information, see `ConfigSnapshotDeliveryProperties` .", "title": "MaximumExecutionFrequency", "type": "string" }, @@ -43658,17 +43784,17 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The type of notification that initiates AWS Config to run an evaluation for a rule. For AWS Config Custom Policy rules, AWS Config supports change-initiated notification types:\n\n- `ConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers a configuration item as a result of a resource change.\n- `OversizedConfigurationItemChangeNotification` - Initiates an evaluation when AWS Config delivers an oversized configuration item. AWS Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.", "title": "OrganizationConfigRuleTriggerTypes", "type": "array" }, "PolicyText": { - "markdownDescription": "", + "markdownDescription": "The policy definition containing the logic for your organization AWS Config Custom Policy rule.", "title": "PolicyText", "type": "string" }, "ResourceIdScope": { - "markdownDescription": "", + "markdownDescription": "The ID of the AWS resource that was evaluated.", "title": "ResourceIdScope", "type": "string" }, @@ -43676,22 +43802,22 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The type of the AWS resource that was evaluated.", "title": "ResourceTypesScope", "type": "array" }, "Runtime": { - "markdownDescription": "", + "markdownDescription": "The runtime system for your organization AWS Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by AWS Config Custom Policy rules. For more information about Guard, see the [Guard GitHub Repository](https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-guard) .", "title": "Runtime", "type": "string" }, "TagKeyScope": { - "markdownDescription": "", + "markdownDescription": "One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.", "title": "TagKeyScope", "type": "string" }, "TagValueScope": { - "markdownDescription": "", + "markdownDescription": "The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).", "title": "TagValueScope", "type": "string" } @@ -44083,8 +44209,6 @@ "additionalProperties": false, "properties": { "Value": { - "markdownDescription": "The value is a resource ID.", - "title": "Value", "type": "string" } }, @@ -44113,8 +44237,6 @@ "items": { "type": "string" }, - "markdownDescription": "A list of values. For example, the ARN of the assumed role.", - "title": "Values", "type": "array" } }, @@ -44889,7 +45011,7 @@ "additionalProperties": false, "properties": { "Label": { - "markdownDescription": "The property label of the automation.\n\n*Allowed values* : `OVERALL_CUSTOMER_SENTIMENT_SCORE` , `OVERALL_AGENT_SENTIMENT_SCORE` | `NON_TALK_TIME` | `NON_TALK_TIME_PERCENTAGE` | `NUMBER_OF_INTERRUPTIONS` | `CONTACT_DURATION` | `AGENT_INTERACTION_DURATION` | `CUSTOMER_HOLD_TIME`", + "markdownDescription": "The property label of the automation.", "title": "Label", "type": "string" } @@ -45555,7 +45677,7 @@ "type": "array" }, "TargetArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", + "markdownDescription": "The Amazon Resource Name (ARN) for Amazon Connect instances or traffic distribution group that phone numbers are claimed to.", "title": "TargetArn", "type": "string" }, @@ -45720,36 +45842,54 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the queue.", + "title": "Description", "type": "string" }, "HoursOfOperationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the hours of operation.", + "title": "HoursOfOperationArn", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "MaxContacts": { + "markdownDescription": "The maximum number of contacts that can be in the queue before it is considered full.", + "title": "MaxContacts", "type": "number" }, "Name": { + "markdownDescription": "The name of the queue.", + "title": "Name", "type": "string" }, "OutboundCallerConfig": { - "$ref": "#/definitions/AWS::Connect::Queue.OutboundCallerConfig" + "$ref": "#/definitions/AWS::Connect::Queue.OutboundCallerConfig", + "markdownDescription": "The outbound caller ID name, number, and outbound whisper flow.", + "title": "OutboundCallerConfig" }, "QuickConnectArns": { "items": { "type": "string" }, + "markdownDescription": "The Amazon Resource Names (ARN) of the of the quick connects available to agents who are working the queue.", + "title": "QuickConnectArns", "type": "array" }, "Status": { + "markdownDescription": "The status of the queue.", + "title": "Status", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -45785,12 +45925,18 @@ "additionalProperties": false, "properties": { "OutboundCallerIdName": { + "markdownDescription": "The caller ID name.", + "title": "OutboundCallerIdName", "type": "string" }, "OutboundCallerIdNumberArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the outbound caller ID number.\n\n> Only use the phone number ARN format that doesn't contain `instance` in the path, for example, `arn:aws:connect:us-east-1:1234567890:phone-number/uuid` . This is the same ARN format that is returned when you create a phone number using CloudFormation , or when you call the [ListPhoneNumbersV2](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListPhoneNumbersV2.html) API.", + "title": "OutboundCallerIdNumberArn", "type": "string" }, "OutboundFlowArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the outbound flow.", + "title": "OutboundFlowArn", "type": "string" } }, @@ -46007,36 +46153,52 @@ "additionalProperties": false, "properties": { "AgentAvailabilityTimer": { + "markdownDescription": "Whether agents with this routing profile will have their routing order calculated based on *time since their last inbound contact* or *longest idle time* .", + "title": "AgentAvailabilityTimer", "type": "string" }, "DefaultOutboundQueueArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the default outbound queue for the routing profile.", + "title": "DefaultOutboundQueueArn", "type": "string" }, "Description": { + "markdownDescription": "The description of the routing profile.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "MediaConcurrencies": { "items": { "$ref": "#/definitions/AWS::Connect::RoutingProfile.MediaConcurrency" }, + "markdownDescription": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "title": "MediaConcurrencies", "type": "array" }, "Name": { + "markdownDescription": "The name of the routing profile.", + "title": "Name", "type": "string" }, "QueueConfigs": { "items": { "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueConfig" }, + "markdownDescription": "The inbound queues associated with the routing profile. If no queue is added, the agent can make only outbound calls.", + "title": "QueueConfigs", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -46074,6 +46236,8 @@ "additionalProperties": false, "properties": { "BehaviorType": { + "markdownDescription": "Specifies the other channels that can be routed to an agent handling their current channel.", + "title": "BehaviorType", "type": "string" } }, @@ -46086,13 +46250,19 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The channels that agents can handle in the Contact Control Panel (CCP).", + "title": "Channel", "type": "string" }, "Concurrency": { + "markdownDescription": "The number of contacts an agent can have on a channel simultaneously.\n\nValid Range for `VOICE` : Minimum value of 1. Maximum value of 1.\n\nValid Range for `CHAT` : Minimum value of 1. Maximum value of 10.\n\nValid Range for `TASK` : Minimum value of 1. Maximum value of 10.", + "title": "Concurrency", "type": "number" }, "CrossChannelBehavior": { - "$ref": "#/definitions/AWS::Connect::RoutingProfile.CrossChannelBehavior" + "$ref": "#/definitions/AWS::Connect::RoutingProfile.CrossChannelBehavior", + "markdownDescription": "Defines the cross-channel routing behavior for each channel that is enabled for this Routing Profile. For example, this allows you to offer an agent a different contact from another channel when they are currently working with a contact from a Voice channel.", + "title": "CrossChannelBehavior" } }, "required": [ @@ -46105,13 +46275,19 @@ "additionalProperties": false, "properties": { "Delay": { + "markdownDescription": "The delay, in seconds, a contact should be in the queue before they are routed to an available agent. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) in the *Amazon Connect Administrator Guide* .", + "title": "Delay", "type": "number" }, "Priority": { + "markdownDescription": "The order in which contacts are to be handled for the queue. For more information, see [Queues: priority and delay](https://docs.aws.amazon.com/connect/latest/adminguide/concepts-routing-profiles-priority.html) .", + "title": "Priority", "type": "number" }, "QueueReference": { - "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueReference" + "$ref": "#/definitions/AWS::Connect::RoutingProfile.RoutingProfileQueueReference", + "markdownDescription": "Contains information about a queue resource.", + "title": "QueueReference" } }, "required": [ @@ -46125,9 +46301,13 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The channels agents can handle in the Contact Control Panel (CCP) for this routing profile.", + "title": "Channel", "type": "string" }, "QueueArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the queue.", + "title": "QueueArn", "type": "string" } }, @@ -46343,7 +46523,7 @@ "additionalProperties": false, "properties": { "EventSourceName": { - "markdownDescription": "The name of the event source.\n\n*Allowed values* : `OnPostCallAnalysisAvailable` | `OnRealTimeCallAnalysisAvailable` | `OnPostChatAnalysisAvailable` | `OnZendeskTicketCreate` | `OnZendeskTicketStatusUpdate` | `OnSalesforceCaseCreate`", + "markdownDescription": "The name of the event source.", "title": "EventSourceName", "type": "string" }, @@ -46543,33 +46723,47 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The list of tags that a security profile uses to restrict access to resources in Amazon Connect.", + "title": "AllowedAccessControlTags", "type": "array" }, "Description": { + "markdownDescription": "The description of the security profile.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The identifier of the Amazon Connect instance.", + "title": "InstanceArn", "type": "string" }, "Permissions": { "items": { "type": "string" }, + "markdownDescription": "Permissions assigned to the security profile. For a list of valid permissions, see [List of security profile permissions](https://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) .", + "title": "Permissions", "type": "array" }, "SecurityProfileName": { + "markdownDescription": "The name for the security profile.", + "title": "SecurityProfileName", "type": "string" }, "TagRestrictedResources": { "items": { "type": "string" }, + "markdownDescription": "The list of resources that a security profile applies tag restrictions to in Amazon Connect.", + "title": "TagRestrictedResources", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, { \"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -46896,18 +47090,26 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the traffic distribution group.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The Amazon Resource Name (ARN).", + "title": "InstanceArn", "type": "string" }, "Name": { + "markdownDescription": "The name of the traffic distribution group.", + "title": "Name", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource. For example, {\"tags\": {\"key1\":\"value1\", \"key2\":\"value2\"} }.", + "title": "Tags", "type": "array" } }, @@ -47174,6 +47376,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -47243,24 +47447,36 @@ "items": { "type": "string" }, + "markdownDescription": "A list of actions possible from the view.", + "title": "Actions", "type": "array" }, "Description": { + "markdownDescription": "The description of the view.", + "title": "Description", "type": "string" }, "InstanceArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the instance.", + "title": "InstanceArn", "type": "string" }, "Name": { + "markdownDescription": "The name of the view.", + "title": "Name", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the view resource (not specific to view version).", + "title": "Tags", "type": "array" }, "Template": { + "markdownDescription": "The view template representing the structure of the view.", + "title": "Template", "type": "object" } }, @@ -47329,12 +47545,18 @@ "additionalProperties": false, "properties": { "VersionDescription": { + "markdownDescription": "The description of the view version.", + "title": "VersionDescription", "type": "string" }, "ViewArn": { + "markdownDescription": "The unqualified Amazon Resource Name (ARN) of the view.\n\nFor example:\n\n`arn::connect:::instance/00000000-0000-0000-0000-000000000000/view/00000000-0000-0000-0000-000000000000`", + "title": "ViewArn", "type": "string" }, "ViewContentSha256": { + "markdownDescription": "Indicates the checksum value of the latest published view content.", + "title": "ViewContentSha256", "type": "string" } }, @@ -47461,6 +47683,8 @@ "additionalProperties": false, "properties": { "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47470,7 +47694,7 @@ "additionalProperties": false, "properties": { "EnableAnswerMachineDetection": { - "markdownDescription": "", + "markdownDescription": "Whether answering machine detection is enabled.", "title": "EnableAnswerMachineDetection", "type": "boolean" } @@ -47484,7 +47708,9 @@ "additionalProperties": false, "properties": { "AgentlessDialerConfig": { - "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AgentlessDialerConfig" + "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AgentlessDialerConfig", + "markdownDescription": "The configuration of the agentless dialer.", + "title": "AgentlessDialerConfig" }, "PredictiveDialerConfig": { "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.PredictiveDialerConfig", @@ -47504,7 +47730,7 @@ "properties": { "AnswerMachineDetectionConfig": { "$ref": "#/definitions/AWS::ConnectCampaigns::Campaign.AnswerMachineDetectionConfig", - "markdownDescription": "", + "markdownDescription": "Whether answering machine detection has been enabled.", "title": "AnswerMachineDetectionConfig" }, "ConnectContactFlowArn": { @@ -47537,6 +47763,8 @@ "type": "number" }, "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47554,6 +47782,8 @@ "type": "number" }, "DialingCapacity": { + "markdownDescription": "The allocation of dialing capacity between multiple active campaigns.", + "title": "DialingCapacity", "type": "number" } }, @@ -47598,12 +47828,12 @@ "additionalProperties": false, "properties": { "ControlIdentifier": { - "markdownDescription": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* guardrail.", + "markdownDescription": "The ARN of the control. Only *Strongly recommended* and *Elective* controls are permitted, with the exception of the *Region deny* control. For information on how to find the `controlIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", "title": "ControlIdentifier", "type": "string" }, "TargetIdentifier": { - "markdownDescription": "The ARN of the organizational unit.", + "markdownDescription": "The ARN of the organizational unit. For information on how to find the `targetIdentifier` , see [the overview page](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) .", "title": "TargetIdentifier", "type": "string" } @@ -47877,7 +48107,7 @@ "additionalProperties": false, "properties": { "DeadLetterQueueUrl": { - "markdownDescription": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the DeadLetterQueue for the SendMessage operation to enable Amazon Connect Customer Profiles to send messages to the DeadLetterQueue.", + "markdownDescription": "The URL of the SQS dead letter queue, which is used for reporting errors associated with ingesting data from third party applications. You must set up a policy on the `DeadLetterQueue` for the `SendMessage` operation to enable Amazon Connect Customer Profiles to send messages to the `DeadLetterQueue` .", "title": "DeadLetterQueueUrl", "type": "string" }, @@ -47897,10 +48127,14 @@ "type": "string" }, "Matching": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Matching" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Matching", + "markdownDescription": "The process of matching duplicate profiles.", + "title": "Matching" }, "RuleBasedMatching": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.RuleBasedMatching" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.RuleBasedMatching", + "markdownDescription": "The process of matching duplicate profiles using Rule-Based matching.", + "title": "RuleBasedMatching" }, "Tags": { "items": { @@ -47944,21 +48178,29 @@ "items": { "type": "string" }, + "markdownDescription": "The `Address` type. You can choose from `Address` , `BusinessAddress` , `MaillingAddress` , and `ShippingAddress` . You only can use the `Address` type in the `MatchingRule` . For example, if you want to match a profile based on `BusinessAddress.City` or `MaillingAddress.City` , you can choose the `BusinessAddress` and the `MaillingAddress` to represent the `Address` type and specify the `Address.City` on the matching rule.", + "title": "Address", "type": "array" }, "AttributeMatchingModel": { + "markdownDescription": "Configures the `AttributeMatchingModel` , you can either choose `ONE_TO_ONE` or `MANY_TO_MANY` .", + "title": "AttributeMatchingModel", "type": "string" }, "EmailAddress": { "items": { "type": "string" }, + "markdownDescription": "The Email type. You can choose from `EmailAddress` , `BusinessEmailAddress` and `PersonalEmailAddress` . You only can use the `EmailAddress` type in the `MatchingRule` . For example, if you want to match profile based on `PersonalEmailAddress` or `BusinessEmailAddress` , you can choose the `PersonalEmailAddress` and the `BusinessEmailAddress` to represent the `EmailAddress` type and only specify the `EmailAddress` on the matching rule.", + "title": "EmailAddress", "type": "array" }, "PhoneNumber": { "items": { "type": "string" }, + "markdownDescription": "The `PhoneNumber` type. You can choose from `PhoneNumber` , `HomePhoneNumber` , and `MobilePhoneNumber` . You only can use the `PhoneNumber` type in the `MatchingRule` . For example, if you want to match a profile based on `Phone` or `HomePhone` , you can choose the `Phone` and the `HomePhone` to represent the `PhoneNumber` type and only specify the `PhoneNumber` on the matching rule.", + "title": "PhoneNumber", "type": "array" } }, @@ -47971,15 +48213,23 @@ "additionalProperties": false, "properties": { "ConflictResolution": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution", + "markdownDescription": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "title": "ConflictResolution" }, "Consolidation": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Consolidation" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.Consolidation", + "markdownDescription": "A list of matching attributes that represent matching criteria. If two profiles meet at least one of the requirements in the matching attributes list, they will be merged.", + "title": "Consolidation" }, "Enabled": { + "markdownDescription": "The flag that enables the auto-merging of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "MinAllowedConfidenceScoreForMerging": { + "markdownDescription": "A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means that a higher similarity is required to merge profiles.", + "title": "MinAllowedConfidenceScoreForMerging", "type": "number" } }, @@ -47992,9 +48242,13 @@ "additionalProperties": false, "properties": { "ConflictResolvingModel": { + "markdownDescription": "How the auto-merging process should resolve conflicts between different profiles.", + "title": "ConflictResolvingModel", "type": "string" }, "SourceName": { + "markdownDescription": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel` .", + "title": "SourceName", "type": "string" } }, @@ -48007,6 +48261,8 @@ "additionalProperties": false, "properties": { "MatchingAttributesList": { + "markdownDescription": "A list of matching criteria.", + "title": "MatchingAttributesList", "type": "object" } }, @@ -48019,15 +48275,23 @@ "additionalProperties": false, "properties": { "MeteringProfileCount": { + "markdownDescription": "The number of profiles that you are currently paying for in the domain. If you have more than 100 objects associated with a single profile, that profile counts as two profiles. If you have more than 200 objects, that profile counts as three, and so on.", + "title": "MeteringProfileCount", "type": "number" }, "ObjectCount": { + "markdownDescription": "The total number of objects in domain.", + "title": "ObjectCount", "type": "number" }, "ProfileCount": { + "markdownDescription": "The total number of profiles currently in the domain.", + "title": "ProfileCount", "type": "number" }, "TotalSize": { + "markdownDescription": "The total size, in bytes, of all objects in the domain.", + "title": "TotalSize", "type": "number" } }, @@ -48037,7 +48301,9 @@ "additionalProperties": false, "properties": { "S3Exporting": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.S3ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.S3ExportingConfig", + "markdownDescription": "", + "title": "S3Exporting" } }, "type": "object" @@ -48046,9 +48312,13 @@ "additionalProperties": false, "properties": { "DayOfTheWeek": { + "markdownDescription": "The day when the Identity Resolution Job should run every week.", + "title": "DayOfTheWeek", "type": "string" }, "Time": { + "markdownDescription": "The time when the Identity Resolution Job should run every week.", + "title": "Time", "type": "string" } }, @@ -48062,16 +48332,24 @@ "additionalProperties": false, "properties": { "AutoMerging": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AutoMerging" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AutoMerging", + "markdownDescription": "Configuration information about the auto-merging process.", + "title": "AutoMerging" }, "Enabled": { + "markdownDescription": "The flag that enables the matching process of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "ExportingConfig": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig", + "markdownDescription": "The S3 location where Identity Resolution Jobs write result files.", + "title": "ExportingConfig" }, "JobSchedule": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.JobSchedule" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.JobSchedule", + "markdownDescription": "The day and time when do you want to start the Identity Resolution Job every week.", + "title": "JobSchedule" } }, "required": [ @@ -48086,6 +48364,8 @@ "items": { "type": "string" }, + "markdownDescription": "A single rule level of the `MatchRules` . Configures how the rule-based matching process should match profiles.", + "title": "Rule", "type": "array" } }, @@ -48098,30 +48378,46 @@ "additionalProperties": false, "properties": { "AttributeTypesSelector": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AttributeTypesSelector" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.AttributeTypesSelector", + "markdownDescription": "Configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles.", + "title": "AttributeTypesSelector" }, "ConflictResolution": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ConflictResolution", + "markdownDescription": "Determines how the auto-merging process should resolve conflicts between different profiles. For example, if Profile A and Profile B have the same `FirstName` and `LastName` , `ConflictResolution` specifies which `EmailAddress` should be used.", + "title": "ConflictResolution" }, "Enabled": { + "markdownDescription": "The flag that enables the matching process of duplicate profiles.", + "title": "Enabled", "type": "boolean" }, "ExportingConfig": { - "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig" + "$ref": "#/definitions/AWS::CustomerProfiles::Domain.ExportingConfig", + "markdownDescription": "The S3 location where Identity Resolution Jobs write result files.", + "title": "ExportingConfig" }, "MatchingRules": { "items": { "$ref": "#/definitions/AWS::CustomerProfiles::Domain.MatchingRule" }, + "markdownDescription": "Configures how the rule-based matching process should match profiles. You can have up to 15 `MatchingRule` in the `MatchingRules` .", + "title": "MatchingRules", "type": "array" }, "MaxAllowedRuleLevelForMatching": { + "markdownDescription": "Indicates the maximum allowed rule level for matching.", + "title": "MaxAllowedRuleLevelForMatching", "type": "number" }, "MaxAllowedRuleLevelForMerging": { + "markdownDescription": "Indicates the maximum allowed rule level for merging.", + "title": "MaxAllowedRuleLevelForMerging", "type": "number" }, "Status": { + "markdownDescription": "The status of rule-based matching rule.", + "title": "Status", "type": "string" } }, @@ -48134,9 +48430,13 @@ "additionalProperties": false, "properties": { "S3BucketName": { + "markdownDescription": "The name of the S3 bucket where Identity Resolution Jobs write result files.", + "title": "S3BucketName", "type": "string" }, "S3KeyName": { + "markdownDescription": "The S3 key name of the location where Identity Resolution Jobs write result files.", + "title": "S3KeyName", "type": "string" } }, @@ -48821,6 +49121,8 @@ "type": "string" }, "SourceLastUpdatedTimestampFormat": { + "markdownDescription": "The format of your sourceLastUpdatedTimestamp that was previously set up.", + "title": "SourceLastUpdatedTimestampFormat", "type": "string" }, "Tags": { @@ -49359,7 +49661,7 @@ "properties": { "RetentionArchiveTier": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.RetentionArchiveTier", - "markdownDescription": "", + "markdownDescription": "Information about retention period in the Amazon EBS Snapshots Archive. For more information, see [Archive Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/snapshot-archive.html) .", "title": "RetentionArchiveTier" } }, @@ -49373,7 +49675,7 @@ "properties": { "RetainRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ArchiveRetainRule", - "markdownDescription": "", + "markdownDescription": "Information about the retention period for the snapshot archiving rule.", "title": "RetainRule" } }, @@ -49451,12 +49753,12 @@ "additionalProperties": false, "properties": { "Interval": { - "markdownDescription": "", + "markdownDescription": "The period after which to deprecate the cross-Region AMI copies. The period must be less than or equal to the cross-Region AMI copy retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* . For example, to deprecate a cross-Region AMI copy after 3 months, specify `Interval=3` and `IntervalUnit=MONTHS` .", "title": "IntervalUnit", "type": "string" } @@ -49502,7 +49804,7 @@ }, "DeprecateRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.CrossRegionCopyDeprecateRule", - "markdownDescription": "", + "markdownDescription": "*[AMI policies only]* The AMI deprecation rule for cross-Region AMI copies created by the rule.", "title": "DeprecateRule" }, "Encrypted": { @@ -49516,12 +49818,12 @@ "title": "RetainRule" }, "Target": { - "markdownDescription": "The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.\n\nUse this parameter instead of *TargetRegion* . Do not specify both.", + "markdownDescription": "> Use this parameter for snapshot policies only. For AMI policies, use *TargetRegion* instead. \n\n*[Snapshot policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", "title": "Target", "type": "string" }, "TargetRegion": { - "markdownDescription": "> Avoid using this parameter when creating new policies. Instead, use *Target* to specify a target Region or a target Outpost for snapshot copies.\n> \n> For policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies.", + "markdownDescription": "> Use this parameter for AMI policies only. For snapshot policies, use *Target* instead. For snapshot policies created before the *Target* parameter was introduced, this parameter indicates the target Region for snapshot copies. \n\n*[AMI policies only]* The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.", "title": "TargetRegion", "type": "string" } @@ -49535,17 +49837,17 @@ "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "", + "markdownDescription": "If the schedule has a count-based retention rule, this parameter specifies the number of oldest AMIs to deprecate. The count must be less than or equal to the schedule's retention count, and it can't be greater than 1000.", "title": "Count", "type": "number" }, "Interval": { - "markdownDescription": "", + "markdownDescription": "If the schedule has an age-based retention rule, this parameter specifies the period after which to deprecate AMIs created by the schedule. The period must be less than or equal to the schedule's retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* .", "title": "IntervalUnit", "type": "string" } @@ -49659,7 +49961,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "*[Snapshot policies that target instances only]* The tags used to identify data (non-root) volumes to exclude from multi-volume snapshot sets.\n\nIf you create a snapshot lifecycle policy that targets instances and you specify tags for this parameter, then data volumes with the specified tags that are attached to targeted instances will be excluded from the multi-volume snapshot sets created by the policy.", "title": "ExcludeDataVolumeTags", "type": "array" }, @@ -49757,17 +50059,17 @@ "additionalProperties": false, "properties": { "Count": { - "markdownDescription": "", + "markdownDescription": "The maximum number of snapshots to retain in the archive storage tier for each volume. The count must ensure that each snapshot remains in the archive tier for at least 90 days. For example, if the schedule creates snapshots every 30 days, you must specify a count of 3 or more to ensure that each snapshot is archived for at least 90 days.", "title": "Count", "type": "number" }, "Interval": { - "markdownDescription": "", + "markdownDescription": "Specifies the period of time to retain snapshots in the archive tier. After this period expires, the snapshot is permanently deleted.", "title": "Interval", "type": "number" }, "IntervalUnit": { - "markdownDescription": "", + "markdownDescription": "The unit of time in which to measure the *Interval* . For example, to retain a snapshots in the archive tier for 6 months, specify `Interval=6` and `IntervalUnit=MONTHS` .", "title": "IntervalUnit", "type": "string" } @@ -49779,7 +50081,7 @@ "properties": { "ArchiveRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.ArchiveRule", - "markdownDescription": "", + "markdownDescription": "*[Snapshot policies that target volumes only]* The snapshot archiving rule for the schedule. When you specify an archiving rule, snapshots are automatically moved from the standard tier to the archive tier once the schedule's retention threshold is met. Snapshots are then retained in the archive tier for the archive retention period that you specify.\n\nFor more information about using snapshot archiving, see [Considerations for snapshot lifecycle policies](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-ami-policy.html#dlm-archive) .", "title": "ArchiveRule" }, "CopyTags": { @@ -49802,7 +50104,7 @@ }, "DeprecateRule": { "$ref": "#/definitions/AWS::DLM::LifecyclePolicy.DeprecateRule", - "markdownDescription": "", + "markdownDescription": "*[AMI policies only]* The AMI deprecation rule for the schedule.", "title": "DeprecateRule" }, "FastRestoreRule": { @@ -50042,7 +50344,7 @@ "type": "string" }, "EngineName": { - "markdownDescription": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", + "markdownDescription": "The type of engine for the endpoint, depending on the `EndpointType` value.\n\n*Valid values* : `mysql` | `oracle` | `postgres` | `mariadb` | `aurora` | `aurora-postgresql` | `opensearch` | `redshift` | `redshift-serverless` | `s3` | `db2` | `azuredb` | `sybase` | `dynamodb` | `mongodb` | `kinesis` | `kafka` | `elasticsearch` | `docdb` | `sqlserver` | `neptune`", "title": "EngineName", "type": "string" }, @@ -50314,7 +50616,7 @@ "type": "string" }, "ServerName": { - "markdownDescription": "Endpoint TCP port.", + "markdownDescription": "The MySQL host name.", "title": "ServerName", "type": "string" }, @@ -50528,15 +50830,23 @@ "type": "string" }, "DatabaseName": { + "markdownDescription": "Database name for the endpoint.", + "title": "DatabaseName", "type": "string" }, "ForceLobLookup": { + "markdownDescription": "Forces LOB lookup on inline LOB.", + "title": "ForceLobLookup", "type": "boolean" }, "Password": { + "markdownDescription": "Endpoint connection password.", + "title": "Password", "type": "string" }, "Port": { + "markdownDescription": "Endpoint TCP port.", + "title": "Port", "type": "number" }, "QuerySingleAlwaysOnNode": { @@ -50565,12 +50875,18 @@ "type": "string" }, "ServerName": { + "markdownDescription": "Fully qualified domain name of the endpoint. For an Amazon RDS SQL Server instance, this is the output of [DescribeDBInstances](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) , in the `[Endpoint](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Endpoint.html) .Address` field.", + "title": "ServerName", "type": "string" }, "TlogAccessMode": { + "markdownDescription": "Indicates the mode used to fetch CDC data.", + "title": "TlogAccessMode", "type": "string" }, "TrimSpaceInChar": { + "markdownDescription": "Use the `TrimSpaceInChar` source endpoint setting to right-trim data on CHAR and NCHAR data types during migration. Setting `TrimSpaceInChar` does not left-trim data. The default value is `true` .", + "title": "TrimSpaceInChar", "type": "boolean" }, "UseBcpFullLoad": { @@ -50584,6 +50900,8 @@ "type": "boolean" }, "Username": { + "markdownDescription": "Endpoint connection user name.", + "title": "Username", "type": "string" } }, @@ -50874,7 +51192,7 @@ "type": "string" }, "SecretsManagerOracleAsmAccessRoleArn": { - "markdownDescription": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUserName` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", + "markdownDescription": "Required only if your Oracle endpoint uses Advanced Storage Manager (ASM). The full ARN of the IAM role that specifies AWS DMS as the trusted entity and grants the required permissions to access the `SecretsManagerOracleAsmSecret` . This `SecretsManagerOracleAsmSecret` has the secret value that allows access to the Oracle ASM of the endpoint.\n\n> You can specify one of two sets of values for these permissions. You can specify the values for this setting and `SecretsManagerOracleAsmSecretId` . Or you can specify clear-text values for `AsmUser` , `AsmPassword` , and `AsmServerName` . You can't specify both.\n> \n> For more information on creating this `SecretsManagerOracleAsmSecret` , the corresponding `SecretsManagerOracleAsmAccessRoleArn` , and the `SecretsManagerOracleAsmSecretId` that is required to access it, see [Using secrets to access AWS Database Migration Service resources](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#security-iam-secretsmanager) in the *AWS Database Migration Service User Guide* .", "title": "SecretsManagerOracleAsmAccessRoleArn", "type": "string" }, @@ -50945,6 +51263,8 @@ "type": "string" }, "BabelfishDatabaseName": { + "markdownDescription": "The Babelfish for Aurora PostgreSQL database name for the endpoint.", + "title": "BabelfishDatabaseName", "type": "string" }, "CaptureDdls": { @@ -50953,6 +51273,8 @@ "type": "boolean" }, "DatabaseMode": { + "markdownDescription": "Specifies the default behavior of the replication's handling of PostgreSQL- compatible endpoints that require some additional configuration, such as Babelfish endpoints.", + "title": "DatabaseMode", "type": "string" }, "DdlArtifactsSchema": { @@ -50986,7 +51308,7 @@ "type": "string" }, "MapBooleanAsBoolean": { - "markdownDescription": "", + "markdownDescription": "When true, lets PostgreSQL migrate the boolean type as boolean. By default, PostgreSQL migrates booleans as `varchar(5)` . You must set this setting on both the source and target endpoints for it to take effect.", "title": "MapBooleanAsBoolean", "type": "boolean" }, @@ -51128,7 +51450,7 @@ "type": "number" }, "MapBooleanAsBoolean": { - "markdownDescription": "", + "markdownDescription": "When true, lets Redshift migrate the boolean type as boolean. By default, Redshift migrates booleans as `varchar(1)` . You must set this setting on both the source and target endpoints for it to take effect.", "title": "MapBooleanAsBoolean", "type": "boolean" }, @@ -51549,39 +51871,61 @@ "additionalProperties": false, "properties": { "ComputeConfig": { - "$ref": "#/definitions/AWS::DMS::ReplicationConfig.ComputeConfig" + "$ref": "#/definitions/AWS::DMS::ReplicationConfig.ComputeConfig", + "markdownDescription": "Configuration parameters for provisioning an AWS DMS Serverless replication.", + "title": "ComputeConfig" }, "ReplicationConfigArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of this AWS DMS Serverless replication configuration.", + "title": "ReplicationConfigArn", "type": "string" }, "ReplicationConfigIdentifier": { + "markdownDescription": "A unique identifier that you want to use to create a `ReplicationConfigArn` that is returned as part of the output from this action. You can then pass this output `ReplicationConfigArn` as the value of the `ReplicationConfigArn` option for other actions to identify both AWS DMS Serverless replications and replication configurations that you want those actions to operate on. For some actions, you can also use either this unique identifier or a corresponding ARN in action filters to identify the specific replication and replication configuration to operate on.", + "title": "ReplicationConfigIdentifier", "type": "string" }, "ReplicationSettings": { + "markdownDescription": "Optional JSON settings for AWS DMS Serverless replications that are provisioned using this replication configuration. For example, see [Change processing tuning settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TaskSettings.ChangeProcessingTuning.html) .", + "title": "ReplicationSettings", "type": "object" }, "ReplicationType": { + "markdownDescription": "The type of AWS DMS Serverless replication to provision using this replication configuration.\n\nPossible values:\n\n- `\"full-load\"`\n- `\"cdc\"`\n- `\"full-load-and-cdc\"`", + "title": "ReplicationType", "type": "string" }, "ResourceIdentifier": { + "markdownDescription": "Optional unique value or name that you set for a given resource that can be used to construct an Amazon Resource Name (ARN) for that resource. For more information, see [Fine-grained access control using resource names and tags](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#CHAP_Security.FineGrainedAccess) .", + "title": "ResourceIdentifier", "type": "string" }, "SourceEndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the source endpoint for this AWS DMS Serverless replication configuration.", + "title": "SourceEndpointArn", "type": "string" }, "SupplementalSettings": { + "markdownDescription": "Optional JSON settings for specifying supplemental data. For more information, see [Specifying supplemental data for task settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) .", + "title": "SupplementalSettings", "type": "object" }, "TableMappings": { + "markdownDescription": "JSON table mappings for AWS DMS Serverless replications that are provisioned using this replication configuration. For more information, see [Specifying table selection and transformations rules using JSON](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.CustomizingTasks.TableMapping.SelectionTransformation.html) .", + "title": "TableMappings", "type": "object" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "One or more optional tags associated with resources used by the AWS DMS Serverless replication. For more information, see [Tagging resources in AWS Database Migration Service](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tagging.html) .", + "title": "Tags", "type": "array" }, "TargetEndpointArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the target endpoint for this AWS DMS serverless replication configuration.", + "title": "TargetEndpointArn", "type": "string" } }, @@ -51611,33 +51955,51 @@ "additionalProperties": false, "properties": { "AvailabilityZone": { + "markdownDescription": "The Availability Zone where the AWS DMS Serverless replication using this configuration will run. The default value is a random, system-chosen Availability Zone in the configuration's AWS Region , for example, `\"us-west-2\"` . You can't set this parameter if the `MultiAZ` parameter is set to `true` .", + "title": "AvailabilityZone", "type": "string" }, "DnsNameServers": { + "markdownDescription": "A list of custom DNS name servers supported for the AWS DMS Serverless replication to access your source or target database. This list overrides the default name servers supported by the AWS DMS Serverless replication. You can specify a comma-separated list of internet addresses for up to four DNS name servers. For example: `\"1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4\"`", + "title": "DnsNameServers", "type": "string" }, "KmsKeyId": { + "markdownDescription": "An AWS Key Management Service ( AWS KMS ) key Amazon Resource Name (ARN) that is used to encrypt the data during AWS DMS Serverless replication.\n\nIf you don't specify a value for the `KmsKeyId` parameter, AWS DMS uses your default encryption key.\n\nAWS KMS creates the default encryption key for your Amazon Web Services account. Your AWS account has a different default encryption key for each AWS Region .", + "title": "KmsKeyId", "type": "string" }, "MaxCapacityUnits": { + "markdownDescription": "Specifies the maximum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the maximum value that you can specify for AWS DMS Serverless is 384. The `MaxCapacityUnits` parameter is the only DCU parameter you are required to specify.", + "title": "MaxCapacityUnits", "type": "number" }, "MinCapacityUnits": { + "markdownDescription": "Specifies the minimum value of the AWS DMS capacity units (DCUs) for which a given AWS DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 1 DCU as the minimum value allowed. The list of valid DCU values includes 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. So, the minimum DCU value that you can specify for AWS DMS Serverless is 1. You don't have to specify a value for the `MinCapacityUnits` parameter. If you don't set this value, AWS DMS scans the current activity of available source tables to identify an optimum setting for this parameter. If there is no current source activity or AWS DMS can't otherwise identify a more appropriate value, it sets this parameter to the minimum DCU value allowed, 1.", + "title": "MinCapacityUnits", "type": "number" }, "MultiAZ": { + "markdownDescription": "Specifies whether the AWS DMS Serverless replication is a Multi-AZ deployment. You can't set the `AvailabilityZone` parameter if the `MultiAZ` parameter is set to `true` .", + "title": "MultiAZ", "type": "boolean" }, "PreferredMaintenanceWindow": { + "markdownDescription": "The weekly time range during which system maintenance can occur for the AWS DMS Serverless replication, in Universal Coordinated Time (UTC). The format is `ddd:hh24:mi-ddd:hh24:mi` .\n\nThe default is a 30-minute window selected at random from an 8-hour block of time per AWS Region . This maintenance occurs on a random day of the week. Valid values for days of the week include `Mon` , `Tue` , `Wed` , `Thu` , `Fri` , `Sat` , and `Sun` .\n\nConstraints include a minimum 30-minute window.", + "title": "PreferredMaintenanceWindow", "type": "string" }, "ReplicationSubnetGroupId": { + "markdownDescription": "Specifies a subnet group identifier to associate with the AWS DMS Serverless replication.", + "title": "ReplicationSubnetGroupId", "type": "string" }, "VpcSecurityGroupIds": { "items": { "type": "string" }, + "markdownDescription": "Specifies the virtual private cloud (VPC) security group to use with the AWS DMS Serverless replication. The VPC security group must work with the VPC containing the replication.", + "title": "VpcSecurityGroupIds", "type": "array" } }, @@ -51977,7 +52339,7 @@ "type": "string" }, "TaskData": { - "markdownDescription": "", + "markdownDescription": "Supplemental information that the task requires to migrate the data for certain source and target endpoints. For more information, see [Specifying Supplemental Data for Task Settings](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Tasks.TaskData.html) in the *AWS Database Migration Service User Guide.*", "title": "TaskData", "type": "string" } @@ -52557,7 +52919,7 @@ }, "OutputLocation": { "$ref": "#/definitions/AWS::DataBrew::Job.OutputLocation", - "markdownDescription": "", + "markdownDescription": "The location in Amazon S3 where the job writes its output.", "title": "OutputLocation" }, "Outputs": { @@ -53350,12 +53712,12 @@ "properties": { "DataCatalogInputDefinition": { "$ref": "#/definitions/AWS::DataBrew::Recipe.DataCatalogInputDefinition", - "markdownDescription": "", + "markdownDescription": "The AWS Glue Data Catalog parameters for the data.", "title": "DataCatalogInputDefinition" }, "S3InputDefinition": { "$ref": "#/definitions/AWS::DataBrew::Recipe.S3Location", - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location where the data is stored.", "title": "S3InputDefinition" } }, @@ -54609,30 +54971,46 @@ "items": { "type": "string" }, + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for your transfer](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", + "title": "AgentArns", "type": "array" }, "AzureAccessTier": { + "markdownDescription": "Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see [Access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) .", + "title": "AzureAccessTier", "type": "string" }, "AzureBlobAuthenticationType": { + "markdownDescription": "Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS).", + "title": "AzureBlobAuthenticationType", "type": "string" }, "AzureBlobContainerUrl": { + "markdownDescription": "Specifies the URL of the Azure Blob Storage container involved in your transfer.", + "title": "AzureBlobContainerUrl", "type": "string" }, "AzureBlobSasConfiguration": { - "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration" + "$ref": "#/definitions/AWS::DataSync::LocationAzureBlob.AzureBlobSasConfiguration", + "markdownDescription": "Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.", + "title": "AzureBlobSasConfiguration" }, "AzureBlobType": { + "markdownDescription": "Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the [Azure Blob Storage documentation](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) .", + "title": "AzureBlobType", "type": "string" }, "Subdirectory": { + "markdownDescription": "Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, `/my/images` ).", + "title": "Subdirectory", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location.", + "title": "Tags", "type": "array" } }, @@ -54667,6 +55045,8 @@ "additionalProperties": false, "properties": { "AzureBlobSasToken": { + "markdownDescription": "Specifies a SAS token that provides permissions to access your Azure Blob Storage.\n\nThe token is part of the SAS URI string that comes after the storage resource URI and a question mark. A token looks something like this:\n\n`sp=r&st=2023-12-20T14:54:52Z&se=2023-12-20T22:54:52Z&spr=https&sv=2021-06-08&sr=c&sig=aBBKDWQvyuVcTPH9EBp%2FXTI9E%2F%2Fmq171%2BZU178wcwqU%3D`", + "title": "AzureBlobSasToken", "type": "string" } }, @@ -55229,7 +55609,7 @@ "additionalProperties": false, "properties": { "Domain": { - "markdownDescription": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.", + "markdownDescription": "Specifies the name of the Windows domain that the FSx for Windows File Server belongs to.\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#create-fsx-windows-location-permissions) for FSx for Windows File Server locations.", "title": "Domain", "type": "string" }, @@ -55239,7 +55619,7 @@ "type": "string" }, "Password": { - "markdownDescription": "Specifies the password of the user who has the permissions to access files and folders in the file system.", + "markdownDescription": "Specifies the password of the user who has the permissions to access files and folders in the file system.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html#create-fsx-windows-location-permissions) for FSx for Windows File Server locations.", "title": "Password", "type": "string" }, @@ -55508,21 +55888,21 @@ "properties": { "MountOptions": { "$ref": "#/definitions/AWS::DataSync::LocationNFS.MountOptions", - "markdownDescription": "Specifies the mount options that DataSync can use to mount your NFS share.", + "markdownDescription": "Specifies the options that DataSync can use to mount your NFS file server.", "title": "MountOptions" }, "OnPremConfig": { "$ref": "#/definitions/AWS::DataSync::LocationNFS.OnPremConfig", - "markdownDescription": "Specifies the Amazon Resource Names (ARNs) of agents that DataSync uses to connect to your NFS file server.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the DataSync agent that want to connect to your NFS file server.\n\nYou can specify more than one agent. For more information, see [Using multiple agents for transfers](https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html) .", "title": "OnPremConfig" }, "ServerHostname": { - "markdownDescription": "Specifies the IP address or domain name of your NFS file server. An agent that is installed on-premises uses this hostname to mount the NFS server in a network.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.\n\n> You must specify be an IP version 4 address or Domain Name System (DNS)-compliant name.", + "markdownDescription": "Specifies the Domain Name System (DNS) name or IP version 4 address of the NFS file server that your DataSync agent connects to.", "title": "ServerHostname", "type": "string" }, "Subdirectory": { - "markdownDescription": "Specifies the subdirectory in the NFS file server that DataSync transfers to or from. The NFS path should be a path that's exported by the NFS server, or a subdirectory of that path. The path should be such that it can be mounted by other NFS clients in your network.\n\nTo see all the paths exported by your NFS server, run \" `showmount -e nfs-server-name` \" from an NFS client that has access to your server. You can specify any directory that appears in the results, and any subdirectory of that directory. Ensure that the NFS export is accessible without Kerberos authentication.\n\nTo transfer all the data in the folder you specified, DataSync needs to have permissions to read all the data. To ensure this, either configure the NFS export with `no_root_squash,` or ensure that the permissions for all of the files that you want DataSync allow read access for all users. Doing either enables the agent to read the files. For the agent to access directories, you must additionally enable all execute access.\n\nIf you are copying data to or from your AWS Snowcone device, see [NFS Server on AWS Snowcone](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#nfs-on-snowcone) for more information.", + "markdownDescription": "Specifies the export path in your NFS file server that you want DataSync to mount.\n\nThis path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see [Accessing NFS file servers](https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs) .", "title": "Subdirectory", "type": "string" }, @@ -55579,7 +55959,7 @@ "items": { "type": "string" }, - "markdownDescription": "ARNs of the agents to use for an NFS location.", + "markdownDescription": "The Amazon Resource Names (ARNs) of the agents connecting to a transfer location.", "title": "AgentArns", "type": "array" } @@ -55855,7 +56235,7 @@ "type": "array" }, "Domain": { - "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", + "markdownDescription": "Specifies the Windows domain name that your SMB file server belongs to.\n\nIf you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.\n\nFor more information, see [required permissions](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions) for SMB locations.", "title": "Domain", "type": "string" }, @@ -56165,7 +56545,9 @@ "type": "array" }, "TaskReportConfig": { - "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig" + "$ref": "#/definitions/AWS::DataSync::Task.TaskReportConfig", + "markdownDescription": "Specifies how you want to configure a task report, which provides detailed information about for your DataSync transfer.", + "title": "TaskReportConfig" } }, "required": [ @@ -56199,6 +56581,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to delete.", + "title": "ReportLevel", "type": "string" } }, @@ -56208,7 +56592,9 @@ "additionalProperties": false, "properties": { "S3": { - "$ref": "#/definitions/AWS::DataSync::Task.S3" + "$ref": "#/definitions/AWS::DataSync::Task.S3", + "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report.", + "title": "S3" } }, "type": "object" @@ -56314,16 +56700,24 @@ "additionalProperties": false, "properties": { "Deleted": { - "$ref": "#/definitions/AWS::DataSync::Task.Deleted" + "$ref": "#/definitions/AWS::DataSync::Task.Deleted", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you [configure your task](https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html) to delete data in the destination that isn't in the source.", + "title": "Deleted" }, "Skipped": { - "$ref": "#/definitions/AWS::DataSync::Task.Skipped" + "$ref": "#/definitions/AWS::DataSync::Task.Skipped", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.", + "title": "Skipped" }, "Transferred": { - "$ref": "#/definitions/AWS::DataSync::Task.Transferred" + "$ref": "#/definitions/AWS::DataSync::Task.Transferred", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.", + "title": "Transferred" }, "Verified": { - "$ref": "#/definitions/AWS::DataSync::Task.Verified" + "$ref": "#/definitions/AWS::DataSync::Task.Verified", + "markdownDescription": "Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.", + "title": "Verified" } }, "type": "object" @@ -56332,12 +56726,18 @@ "additionalProperties": false, "properties": { "BucketAccessRoleArn": { + "markdownDescription": "Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. For more information, see [Allowing DataSync to upload a task report to an Amazon S3 bucket](https://docs.aws.amazon.com/datasync/latest/userguide/creating-task-reports.html) .", + "title": "BucketAccessRoleArn", "type": "string" }, "S3BucketArn": { + "markdownDescription": "Specifies the ARN of the S3 bucket where DataSync uploads your report.", + "title": "S3BucketArn", "type": "string" }, "Subdirectory": { + "markdownDescription": "Specifies a bucket prefix for your report.", + "title": "Subdirectory", "type": "string" } }, @@ -56347,6 +56747,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to skip.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to skip.", + "title": "ReportLevel", "type": "string" } }, @@ -56356,18 +56758,28 @@ "additionalProperties": false, "properties": { "Destination": { - "$ref": "#/definitions/AWS::DataSync::Task.Destination" + "$ref": "#/definitions/AWS::DataSync::Task.Destination", + "markdownDescription": "Specifies the Amazon S3 bucket where DataSync uploads your task report. For more information, see [Task reports](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html#task-report-access) .", + "title": "Destination" }, "ObjectVersionIds": { + "markdownDescription": "Specifies whether your task report includes the new version of each object transferred into an S3 bucket. This only applies if you [enable versioning on your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html) . Keep in mind that setting this to `INCLUDE` can increase the duration of your task execution.", + "title": "ObjectVersionIds", "type": "string" }, "OutputType": { + "markdownDescription": "Specifies the type of task report that you want:\n\n- `SUMMARY_ONLY` : Provides necessary details about your task, including the number of files, objects, and directories transferred and transfer duration.\n- `STANDARD` : Provides complete details about your task, including a full list of files, objects, and directories that were transferred, skipped, verified, and more.", + "title": "OutputType", "type": "string" }, "Overrides": { - "$ref": "#/definitions/AWS::DataSync::Task.Overrides" + "$ref": "#/definitions/AWS::DataSync::Task.Overrides", + "markdownDescription": "Customizes the reporting level for aspects of your task report. For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location.", + "title": "Overrides" }, "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer, skip, verify, and delete.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer, skip, verify, and delete.", + "title": "ReportLevel", "type": "string" } }, @@ -56395,6 +56807,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to transfer.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to transfer.", + "title": "ReportLevel", "type": "string" } }, @@ -56404,6 +56818,8 @@ "additionalProperties": false, "properties": { "ReportLevel": { + "markdownDescription": "Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.\n\n- `ERRORS_ONLY` : A report shows what DataSync was unable to verify.\n- `SUCCESSES_AND_ERRORS` : A report shows what DataSync was able and unable to verify.", + "title": "ReportLevel", "type": "string" } }, @@ -56895,7 +57311,7 @@ "properties": { "CloudFormation": { "$ref": "#/definitions/AWS::DevOpsGuru::ResourceCollection.CloudFormationCollectionFilter", - "markdownDescription": "Information about AWS CloudFormation stacks. You can use up to 500 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", + "markdownDescription": "Information about AWS CloudFormation stacks. You can use up to 1000 stacks to specify which AWS resources in your account to analyze. For more information, see [Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html) in the *AWS CloudFormation User Guide* .", "title": "CloudFormation" }, "Tags": { @@ -57294,12 +57710,12 @@ "type": "string" }, "RestoreToTime": { - "markdownDescription": "", + "markdownDescription": "The date and time to restore the cluster to.\n\nValid values: A time in Universal Coordinated Time (UTC) format.\n\nConstraints:\n\n- Must be before the latest restorable time for the instance.\n- Must be specified if the `UseLatestRestorableTime` parameter is not provided.\n- Cannot be specified if the `UseLatestRestorableTime` parameter is `true` .\n- Cannot be specified if the `RestoreType` parameter is `copy-on-write` .\n\nExample: `2015-03-07T23:45:00Z`", "title": "RestoreToTime", "type": "string" }, "RestoreType": { - "markdownDescription": "", + "markdownDescription": "The type of restore to be performed. You can specify one of the following values:\n\n- `full-copy` - The new DB cluster is restored as a full copy of the source DB cluster.\n- `copy-on-write` - The new DB cluster is restored as a clone of the source DB cluster.\n\nConstraints: You can't specify `copy-on-write` if the engine version of the source DB cluster is earlier than 1.11.\n\nIf you don't specify a `RestoreType` value, then the new DB cluster is restored as a full copy of the source DB cluster.", "title": "RestoreType", "type": "string" }, @@ -57309,7 +57725,7 @@ "type": "string" }, "SourceDBClusterIdentifier": { - "markdownDescription": "", + "markdownDescription": "The identifier of the source cluster from which to restore.\n\nConstraints:\n\n- Must match the identifier of an existing `DBCluster` .", "title": "SourceDBClusterIdentifier", "type": "string" }, @@ -57327,7 +57743,7 @@ "type": "array" }, "UseLatestRestorableTime": { - "markdownDescription": "", + "markdownDescription": "A value that is set to `true` to restore the cluster to the latest restorable backup time, and `false` otherwise.\n\nDefault: `false`\n\nConstraints: Cannot be specified if the `RestoreToTime` parameter is provided.", "title": "UseLatestRestorableTime", "type": "boolean" }, @@ -57515,7 +57931,7 @@ "type": "string" }, "EnablePerformanceInsights": { - "markdownDescription": "", + "markdownDescription": "A value that indicates whether to enable Performance Insights for the DB Instance. For more information, see [Using Amazon Performance Insights](https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html) .", "title": "EnablePerformanceInsights", "type": "boolean" }, @@ -60028,7 +60444,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::EC2Fleet.TagSpecification" }, - "markdownDescription": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tagging your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", + "markdownDescription": "The key-value pair for tagging the EC2 Fleet request on creation. For more information, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .\n\nIf the fleet type is `instant` , specify a resource type of `fleet` to tag the fleet or `instance` to tag the instances at launch.\n\nIf the fleet type is `maintain` or `request` , specify a resource type of `fleet` to tag the fleet. You cannot specify a resource type of `instance` . To tag instances at launch, specify the tags in a [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) .", "title": "TagSpecifications", "type": "array" }, @@ -60483,7 +60899,7 @@ "title": "CapacityReservationOptions" }, "MaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay.", + "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "MaxTotalPrice", "type": "string" }, @@ -60575,7 +60991,7 @@ "title": "MaintenanceStrategies" }, "MaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter.", + "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.\n\n> If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter. > If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `MaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `MaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "MaxTotalPrice", "type": "string" }, @@ -60601,7 +61017,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag. `ResourceType` must be `fleet` .", + "markdownDescription": "The type of resource to tag.", "title": "ResourceType", "type": "string" }, @@ -60728,7 +61144,7 @@ "type": "string" }, "NetworkBorderGroup": { - "markdownDescription": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.\n\nYou cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an `InvalidParameterCombination` error.", + "markdownDescription": "A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups.\n\nUse [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups.", "title": "NetworkBorderGroup", "type": "string" }, @@ -61027,6 +61443,8 @@ "additionalProperties": false, "properties": { "DeliverCrossAccountRole": { + "markdownDescription": "The ARN of the IAM role that allows the service to publish flow logs across accounts.", + "title": "DeliverCrossAccountRole", "type": "string" }, "DeliverLogsPermissionArn": { @@ -61250,6 +61668,8 @@ "additionalProperties": false, "properties": { "AssetId": { + "markdownDescription": "The ID of the Outpost hardware asset on which the Dedicated Host is allocated.", + "title": "AssetId", "type": "string" }, "AutoPlacement": { @@ -61371,6 +61791,8 @@ "type": "array" }, "Tier": { + "markdownDescription": "", + "title": "Tier", "type": "string" } }, @@ -62350,7 +62772,7 @@ "additionalProperties": false, "properties": { "CPUCredits": { - "markdownDescription": "The credit option for CPU usage of the instance.\n\nValid values: `standard` | `unlimited`\n\nT3 instances with `host` tenancy do not support the `unlimited` CPU credit option.", + "markdownDescription": "The credit option for CPU usage of a T instance.\n\nValid values: `standard` | `unlimited`", "title": "CPUCredits", "type": "string" } @@ -62446,7 +62868,7 @@ "additionalProperties": false, "properties": { "Configured": { - "markdownDescription": "Set to `true` to enable your instance for hibernation.\n\nDefault: `false`", + "markdownDescription": "Set to `true` to enable your instance for hibernation.\n\nFor Spot Instances, if you set `Configured` to `true` , either omit the `InstanceInterruptionBehavior` parameter (for [`SpotMarketOptions`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html) ), or set it to `hibernate` . When `Configured` is true:\n\n- If you omit `InstanceInterruptionBehavior` , it defaults to `hibernate` .\n- If you set `InstanceInterruptionBehavior` to a value other than `hibernate` , you'll get an error.\n\nDefault: `false`", "title": "Configured", "type": "boolean" } @@ -62712,24 +63134,34 @@ "additionalProperties": false, "properties": { "ClientToken": { + "markdownDescription": "Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.", + "title": "ClientToken", "type": "string" }, "PreserveClientIp": { + "markdownDescription": "Indicates whether your client's IP address is preserved as the source. The value is `true` or `false` .\n\n- If `true` , your client's IP address is used when you connect to a resource.\n- If `false` , the elastic network interface IP address is used when you connect to a resource.\n\nDefault: `true`", + "title": "PreserveClientIp", "type": "boolean" }, "SecurityGroupIds": { "items": { "type": "string" }, + "markdownDescription": "One or more security groups to associate with the endpoint. If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.", + "title": "SecurityGroupIds", "type": "array" }, "SubnetId": { + "markdownDescription": "The ID of the subnet in which to create the EC2 Instance Connect Endpoint.", + "title": "SubnetId", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to apply to the EC2 Instance Connect Endpoint during creation.", + "title": "Tags", "type": "array" } }, @@ -62964,7 +63396,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.LaunchTemplateTagSpecification" }, - "markdownDescription": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\n> To specify the tags for the resources that are created when an instance is launched, you must use the `TagSpecifications` parameter in the [launch template data](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestLaunchTemplateData.html) structure.", + "markdownDescription": "The tags to apply to the launch template on creation. To tag the launch template, the resource type must be `launch-template` .\n\nTo specify the tags for the resources that are created when an instance is launched, you must use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "title": "TagSpecifications", "type": "array" }, @@ -63480,7 +63912,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.LaunchTemplateElasticInferenceAccelerator" }, - "markdownDescription": "The elastic inference accelerator for the instance.", + "markdownDescription": "An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.\n\nYou cannot specify accelerators from different generations in the same request.\n\n> Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.", "title": "ElasticInferenceAccelerators", "type": "array" }, @@ -63600,7 +64032,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::LaunchTemplate.TagSpecification" }, - "markdownDescription": "The tags to apply to the resources that are created during instance launch.\n\nYou can specify tags for the following resources only:\n\n- Instances\n- Volumes\n- Elastic graphics\n- Spot Instance requests\n- Network interfaces\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\n> To tag the launch template itself, you must use the [TagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) parameter.", + "markdownDescription": "The tags to apply to the resources that are created during instance launch.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .\n\nTo tag the launch template itself, use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications) .", "title": "TagSpecifications", "type": "array" }, @@ -63763,7 +64195,7 @@ "additionalProperties": false, "properties": { "AssociateCarrierIpAddress": { - "markdownDescription": "Indicates whether to associate a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", + "markdownDescription": "Associates a Carrier IP address with eth0 for a new network interface.\n\nUse this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see [Carrier IP addresses](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) in the *AWS Wavelength Developer Guide* .", "title": "AssociateCarrierIpAddress", "type": "boolean" }, @@ -63850,6 +64282,8 @@ "type": "string" }, "PrimaryIpv6": { + "markdownDescription": "The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) .", + "title": "PrimaryIpv6", "type": "boolean" }, "PrivateIpAddress": { @@ -64017,7 +64451,7 @@ "additionalProperties": false, "properties": { "ResourceType": { - "markdownDescription": "The type of resource to tag.\n\nThe `Valid Values` are all the resource types that can be tagged. However, when creating a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request`\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", + "markdownDescription": "The type of resource to tag.\n\nValid Values lists all resource types for Amazon EC2 that can be tagged. When you create a launch template, you can specify tags for the following resource types only: `instance` | `volume` | `elastic-gpu` | `network-interface` | `spot-instances-request` . If the instance does not include the resource type that you specify, the instance launch fails. For example, not all instance types include an Elastic GPU.\n\nTo tag a resource after it has been created, see [CreateTags](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html) .", "title": "ResourceType", "type": "string" }, @@ -64453,7 +64887,7 @@ "type": "array" }, "SecondaryPrivateIpAddressCount": { - "markdownDescription": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "markdownDescription": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "title": "SecondaryPrivateIpAddressCount", "type": "number" }, @@ -64461,7 +64895,7 @@ "items": { "type": "string" }, - "markdownDescription": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n> `SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", + "markdownDescription": "Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide* .\n\n`SecondaryPrivateIpAddressCount` and `SecondaryPrivateIpAddresses` cannot be set at the same time.", "title": "SecondaryPrivateIpAddresses", "type": "array" }, @@ -66027,16 +66461,20 @@ "type": "string" }, "Ipv4PrefixCount": { + "markdownDescription": "The number of IPv4 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "title": "Ipv4PrefixCount", "type": "number" }, "Ipv4Prefixes": { "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.Ipv4PrefixSpecification" }, + "markdownDescription": "The IPv4 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.", + "title": "Ipv4Prefixes", "type": "array" }, "Ipv6AddressCount": { - "markdownDescription": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.", + "markdownDescription": "The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the `Ipv6Addresses` property and don't specify this property.\n\nWhen creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", "title": "Ipv6AddressCount", "type": "number" }, @@ -66044,17 +66482,21 @@ "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.InstanceIpv6Address" }, - "markdownDescription": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.", + "markdownDescription": "One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the `Ipv6AddressCount` property and don't specify this property.\n\nWhen creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.", "title": "Ipv6Addresses", "type": "array" }, "Ipv6PrefixCount": { + "markdownDescription": "The number of IPv6 prefixes to be automatically assigned to the network interface.\n\nWhen creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "title": "Ipv6PrefixCount", "type": "number" }, "Ipv6Prefixes": { "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.Ipv6PrefixSpecification" }, + "markdownDescription": "The IPv6 delegated prefixes that are assigned to the network interface.\n\nWhen creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.", + "title": "Ipv6Prefixes", "type": "array" }, "PrivateIpAddress": { @@ -66066,12 +66508,12 @@ "items": { "$ref": "#/definitions/AWS::EC2::NetworkInterface.PrivateIpAddressSpecification" }, - "markdownDescription": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.", + "markdownDescription": "Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the `Primary` property to `true` in the `PrivateIpAddressSpecification` property. If you want EC2 to automatically assign private IP addresses, use the `SecondaryPrivateIpAddressCount` property and do not specify this property.\n\nWhen creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "title": "PrivateIpAddresses", "type": "array" }, "SecondaryPrivateIpAddressCount": { - "markdownDescription": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nYou can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", + "markdownDescription": "The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using `privateIpAddresses` .\n\nWhen creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.", "title": "SecondaryPrivateIpAddressCount", "type": "number" }, @@ -66138,6 +66580,8 @@ "additionalProperties": false, "properties": { "Ipv4Prefix": { + "markdownDescription": "The IPv4 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* .", + "title": "Ipv4Prefix", "type": "string" } }, @@ -66150,6 +66594,8 @@ "additionalProperties": false, "properties": { "Ipv6Prefix": { + "markdownDescription": "The IPv6 prefix. For information, see [Assigning prefixes to Amazon EC2 network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) in the *Amazon Elastic Compute Cloud User Guide* .", + "title": "Ipv6Prefix", "type": "string" } }, @@ -66672,6 +67118,8 @@ "type": "string" }, "DestinationPrefixListId": { + "markdownDescription": "The ID of a prefix list used for the destination match.", + "title": "DestinationPrefixListId", "type": "string" }, "EgressOnlyInternetGatewayId": { @@ -68111,7 +68559,7 @@ "type": "string" }, "OnDemandMaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "markdownDescription": "The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the `onDemandMaxTotalPrice` parameter, the `spotMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `onDemandMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `onDemandMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "OnDemandMaxTotalPrice", "type": "string" }, @@ -68131,7 +68579,7 @@ "title": "SpotMaintenanceStrategies" }, "SpotMaxTotalPrice": { - "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotdMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.", + "markdownDescription": "The maximum amount per hour for Spot Instances that you're willing to pay. You can use the `spotMaxTotalPrice` parameter, the `onDemandMaxTotalPrice` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn\u2019t met the target capacity.\n\n> If your fleet includes T instances that are configured as `unlimited` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The `spotMaxTotalPrice` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for `spotMaxTotalPrice` . For more information, see [Surplus credits can incur charges](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits) in the *EC2 User Guide* .", "title": "SpotMaxTotalPrice", "type": "string" }, @@ -68144,7 +68592,7 @@ "items": { "$ref": "#/definitions/AWS::EC2::SpotFleet.SpotFleetTagSpecification" }, - "markdownDescription": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tagging Your Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", + "markdownDescription": "The key-value pair for tagging the Spot Fleet request on creation. The value for `ResourceType` must be `spot-fleet-request` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the [launch template](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template) (valid only if you use `LaunchTemplateConfigs` ) or in the `[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)` (valid only if you use `LaunchSpecifications` ). For information about tagging after launch, see [Tag your resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) .", "title": "TagSpecifications", "type": "array" }, @@ -68932,7 +69380,7 @@ "type": "string" }, "PacketLength": { - "markdownDescription": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.", + "markdownDescription": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet, set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target.\n\nIf you do not want to mirror the entire packet, use the `PacketLength` parameter to specify the number of bytes in each packet to mirror.\n\nFor sessions with Network Load Balancer (NLB) Traffic Mirror targets the default `PacketLength` will be set to 8500. Valid values are 1-8500. Setting a `PacketLength` greater than 8500 will result in an error response.", "title": "PacketLength", "type": "number" }, @@ -71548,7 +71996,9 @@ "type": "array" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessEndpoint.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessEndpoint.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -71649,9 +72099,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -71708,7 +72162,9 @@ "type": "boolean" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessGroup.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessGroup.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -71754,9 +72210,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -71803,11 +72263,13 @@ "type": "string" }, "FipsEnabled": { + "markdownDescription": "Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.", + "title": "FipsEnabled", "type": "boolean" }, "LoggingConfigurations": { "$ref": "#/definitions/AWS::EC2::VerifiedAccessInstance.VerifiedAccessLogs", - "markdownDescription": "The current logging configuration for the Verified Access instances.", + "markdownDescription": "The logging configuration for the Verified Access instances.", "title": "LoggingConfigurations" }, "Tags": { @@ -71924,7 +72386,7 @@ "title": "CloudWatchLogs" }, "IncludeTrustContext": { - "markdownDescription": "Include trust data sent by trust providers into the logs.", + "markdownDescription": "Indicates whether to include trust data sent by trust providers in the logs.", "title": "IncludeTrustContext", "type": "boolean" }, @@ -71934,7 +72396,7 @@ "title": "KinesisDataFirehose" }, "LogVersion": { - "markdownDescription": "The logging version to use.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", + "markdownDescription": "The logging version.\n\nValid values: `ocsf-0.1` | `ocsf-1.0.0-rc.2`", "title": "LogVersion", "type": "string" }, @@ -72038,7 +72500,9 @@ "type": "string" }, "SseSpecification": { - "$ref": "#/definitions/AWS::EC2::VerifiedAccessTrustProvider.SseSpecification" + "$ref": "#/definitions/AWS::EC2::VerifiedAccessTrustProvider.SseSpecification", + "markdownDescription": "The options for additional server side encryption.", + "title": "SseSpecification" }, "Tags": { "items": { @@ -72142,9 +72606,13 @@ "additionalProperties": false, "properties": { "CustomerManagedKeyEnabled": { + "markdownDescription": "Enable or disable the use of customer managed KMS keys for server side encryption.\n\nValid values: `True` | `False`", + "title": "CustomerManagedKeyEnabled", "type": "boolean" }, "KmsKeyArn": { + "markdownDescription": "The ARN of the KMS key.", + "title": "KmsKeyArn", "type": "string" } }, @@ -72390,7 +72858,7 @@ "properties": { "RepositoryCatalogData": { "$ref": "#/definitions/AWS::ECR::PublicRepository.RepositoryCatalogData", - "markdownDescription": "", + "markdownDescription": "The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see [Amazon ECR Public repository catalog data](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-catalog-data.html) in the *Amazon ECR Public User Guide* .", "title": "RepositoryCatalogData" }, "RepositoryName": { @@ -72791,6 +73259,8 @@ "additionalProperties": false, "properties": { "EmptyOnDelete": { + "markdownDescription": "If true, deleting the repository force deletes the contents of the repository. If false, the repository must be empty before attempting to delete it.", + "title": "EmptyOnDelete", "type": "boolean" }, "EncryptionConfiguration": { @@ -72984,7 +73454,7 @@ "additionalProperties": false, "properties": { "AutoScalingGroupArn": { - "markdownDescription": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group.", + "markdownDescription": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group, or the Auto Scaling group name.", "title": "AutoScalingGroupArn", "type": "string" }, @@ -73013,7 +73483,7 @@ "type": "number" }, "MaximumScalingStepSize": { - "markdownDescription": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `1` is used.", + "markdownDescription": "The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in process is not affected by this parameter. If this parameter is omitted, the default value of `10000` is used.", "title": "MaximumScalingStepSize", "type": "number" }, @@ -73244,7 +73714,7 @@ "additionalProperties": false, "properties": { "Namespace": { - "markdownDescription": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the service with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", + "markdownDescription": "The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/).\n\nIf you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region.\n\nIf you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the \"API calls\" method of instance discovery only. This instance discovery method is the \"HTTP\" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect.\n\nIf you update the cluster with an empty string `\"\"` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.\n\nFor more information about AWS Cloud Map , see [Working with Services](https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html) in the *AWS Cloud Map Developer Guide* .", "title": "Namespace", "type": "string" } @@ -73773,12 +74243,12 @@ "type": "number" }, "LoadBalancerName": { - "markdownDescription": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", + "markdownDescription": "The name of the load balancer to associate with the Amazon ECS service or task set.\n\nIf you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.", "title": "LoadBalancerName", "type": "string" }, "TargetGroupArn": { - "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", + "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", "title": "TargetGroupArn", "type": "string" } @@ -73913,7 +74383,7 @@ }, "LogConfiguration": { "$ref": "#/definitions/AWS::ECS::Service.LogConfiguration", - "markdownDescription": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the valid values below). Additional log drivers may be available in future releases of the Amazon ECS container agent.\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", + "markdownDescription": "The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .\n\nBy default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.\n\nUnderstand the following when specifying a log configuration for your containers.\n\n- Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.\n\nFor tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .\n\nFor tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .\n- This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.\n- For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .\n- For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.", "title": "LogConfiguration" }, "Namespace": { @@ -74080,7 +74550,7 @@ "type": "string" }, "PidMode": { - "markdownDescription": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . If `host` is specified, then all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance. If `task` is specified, all containers within the specified task share the same process namespace. If no value is specified, the default is a private namespace. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, be aware that there is a heightened risk of undesired process namespace expose. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers or tasks run on AWS Fargate .", + "markdownDescription": "The process namespace to use for the containers in the task. The valid values are `host` or `task` . On Fargate for Linux containers, the only valid value is `task` . For example, monitoring sidecars might need `pidMode` to access information about other containers running in the same task.\n\nIf `host` is specified, all containers within the tasks that specified the `host` PID mode on the same container instance share the same process namespace with the host Amazon EC2 instance.\n\nIf `task` is specified, all containers within the specified task share the same process namespace.\n\nIf no value is specified, the default is a private namespace for each container. For more information, see [PID settings](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#pid-settings---pid) in the *Docker run reference* .\n\nIf the `host` PID mode is used, there's a heightened risk of undesired process namespace exposure. For more information, see [Docker security](https://docs.aws.amazon.com/https://docs.docker.com/engine/security/security/) .\n\n> This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "title": "PidMode", "type": "string" }, @@ -74395,7 +74865,7 @@ "items": { "$ref": "#/definitions/AWS::ECS::TaskDefinition.SystemControl" }, - "markdownDescription": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) .\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers.", + "markdownDescription": "A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--sysctl` option to [docker run](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration) . For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.\n\n> We don't recommended that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network modes. For tasks that use the `awsvpc` network mode, the container that's started last determines which `systemControls` parameters take effect. For tasks that use the `host` network mode, it changes the container instance's namespaced kernel parameters as well as the containers. > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.", "title": "SystemControls", "type": "array" }, @@ -74818,7 +75288,7 @@ "additionalProperties": false, "properties": { "AppProtocol": { - "markdownDescription": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", + "markdownDescription": "The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch.\n\nIf you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP.\n\n`appProtocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment.\n\nTasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see [Service Connect](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html) in the *Amazon Elastic Container Service Developer Guide* .", "title": "AppProtocol", "type": "string" }, @@ -74828,12 +75298,12 @@ "type": "number" }, "ContainerPortRange": { - "markdownDescription": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", + "markdownDescription": "The port number range on the container that's bound to the dynamically mapped host port range.\n\nThe following rules apply when you specify a `containerPortRange` :\n\n- You must use either the `bridge` network mode or the `awsvpc` network mode.\n- This parameter is available for both the EC2 and AWS Fargate launch types.\n- This parameter is available for both the Linux and Windows operating systems.\n- The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the `ecs-init` package\n- You can specify a maximum of 100 port ranges per container.\n- You do not specify a `hostPortRange` . The value of the `hostPortRange` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPortRange` is set to the same value as the `containerPortRange` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports.\n- The `containerPortRange` valid values are between 1 and 65535.\n- A port can only be included in one port mapping per container.\n- You cannot specify overlapping port ranges.\n- The first port in the range must be less than last port in the range.\n- Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports.\n\nFor more information, see [Issue #11185](https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185) on the Github website.\n\nFor information about how to turn off the docker-proxy in the Docker daemon config file, see [Docker daemon](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon) in the *Amazon ECS Developer Guide* .\n\nYou can call [`DescribeTasks`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html) to view the `hostPortRange` which are the host ports that are bound to the container ports.", "title": "ContainerPortRange", "type": "string" }, "HostPort": { - "markdownDescription": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", + "markdownDescription": "The port number on the container instance to reserve for your container.\n\nIf you specify a `containerPortRange` , leave this field empty and the value of the `hostPort` is set as follows:\n\n- For containers in a task with the `awsvpc` network mode, the `hostPort` is set to the same value as the `containerPort` . This is a static mapping strategy.\n- For containers in a task with the `bridge` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.\n\nIf you use containers in a task with the `awsvpc` or `host` network mode, the `hostPort` can either be left blank or set to the same value as the `containerPort` .\n\nIf you use containers in a task with the `bridge` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the `hostPort` (or set it to `0` ) while specifying a `containerPort` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.\n\nThe default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under `/proc/sys/net/ipv4/ip_local_port_range` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 (Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.\n\nThe default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the `remainingResources` of [DescribeContainerInstances](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html) output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.", "title": "HostPort", "type": "number" }, @@ -74843,7 +75313,7 @@ "type": "string" }, "Protocol": { - "markdownDescription": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` .", + "markdownDescription": "The protocol used for the port mapping. Valid values are `tcp` and `udp` . The default is `tcp` . `protocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment.", "title": "Protocol", "type": "string" } @@ -74953,7 +75423,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value for the namespaced kernel parameter that's specified in `namespace` .", + "markdownDescription": "The namespaced kernel parameter to set a `value` for.\n\nValid IPC namespace values: `\"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\" | \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" | \"kernel.shmmni\" | \"kernel.shm_rmid_forced\"` , and `Sysctls` that start with `\"fs.mqueue.*\"`\n\nValid network namespace values: `Sysctls` that start with `\"net.*\"`\n\nAll of these values are supported by Fargate.", "title": "Value", "type": "string" } @@ -75051,7 +75521,7 @@ "title": "Host" }, "Name": { - "markdownDescription": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .", + "markdownDescription": "The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the `sourceVolume` parameter of container definition `mountPoints` .\n\nThis is required wwhen you use an Amazon EFS volume.", "title": "Name", "type": "string" } @@ -75238,7 +75708,7 @@ "type": "number" }, "TargetGroupArn": { - "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a Classic Load Balancer, omit the target group ARN.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", + "markdownDescription": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.\n\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.\n\nFor services using the `ECS` deployment controller, you can specify one or multiple target groups. For more information, see [Registering multiple target groups with a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html) in the *Amazon Elastic Container Service Developer Guide* .\n\nFor services using the `CODE_DEPLOY` deployment controller, you're required to define two target groups for the load balancer. For more information, see [Blue/green deployment with CodeDeploy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html) in the *Amazon Elastic Container Service Developer Guide* .\n\n> If your service's task definition uses the `awsvpc` network mode, you must choose `ip` as the target type, not `instance` . Do this when creating your target groups because tasks that use the `awsvpc` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.", "title": "TargetGroupArn", "type": "string" } @@ -75556,7 +76026,7 @@ "type": "array" }, "PerformanceMode": { - "markdownDescription": "The performance mode of the file system. We recommend `generalPurpose` performance mode for most file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created.\n\n> The `maxIO` mode is not supported on file systems using One Zone storage classes. \n\nDefault is `generalPurpose` .", + "markdownDescription": "The performance mode of the file system. We recommend `generalPurpose` performance mode for all file systems. File systems using the `maxIO` performance mode can scale to higher levels of aggregate throughput and operations per second with a tradeoff of slightly higher latencies for most file operations. The performance mode can't be changed after the file system has been created. The `maxIO` mode is not supported on file systems using One Zone storage classes.\n\n> Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems. \n\nDefault is `generalPurpose` .", "title": "PerformanceMode", "type": "string" }, @@ -75566,10 +76036,12 @@ "type": "number" }, "ReplicationConfiguration": { - "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationConfiguration" + "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationConfiguration", + "markdownDescription": "Describes the replication configuration for a specific file system.", + "title": "ReplicationConfiguration" }, "ThroughputMode": { - "markdownDescription": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `elastic` .", + "markdownDescription": "Specifies the throughput mode for the file system. The mode can be `bursting` , `provisioned` , or `elastic` . If you set `ThroughputMode` to `provisioned` , you must also set a value for `ProvisionedThroughputInMibps` . After you create the file system, you can decrease your file system's throughput in Provisioned Throughput mode or change between the throughput modes, with certain time restrictions. For more information, see [Specifying throughput with provisioned mode](https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput) in the *Amazon EFS User Guide* .\n\nDefault is `bursting` .", "title": "ThroughputMode", "type": "string" } @@ -75653,6 +76125,8 @@ "items": { "$ref": "#/definitions/AWS::EFS::FileSystem.ReplicationDestination" }, + "markdownDescription": "An array of destination objects. Only one destination object is supported.", + "title": "Destinations", "type": "array" } }, @@ -75662,15 +76136,23 @@ "additionalProperties": false, "properties": { "AvailabilityZoneName": { + "markdownDescription": "The AWS Availability Zone in which to create the file system.\n\n> For file systems using One Zone storage classes, the replication configuration must specify the Availability Zone in which the destination file system is located. \n\nUse the format `us-east-1a` to specify the Availability Zone. For more information about One Zone storage classes, see [Using EFS storage classes](https://docs.aws.amazon.com/efs/latest/ug/storage-classes.html) in the *Amazon EFS User Guide* .\n\n> One Zone storage classes are not available in all Availability Zones in AWS Regions where Amazon EFS is available.", + "title": "AvailabilityZoneName", "type": "string" }, "FileSystemId": { + "markdownDescription": "The ID of the destination Amazon EFS file system.", + "title": "FileSystemId", "type": "string" }, "KmsKeyId": { + "markdownDescription": "The ID of an AWS KMS key used to protect the encrypted file system.", + "title": "KmsKeyId", "type": "string" }, "Region": { + "markdownDescription": "The AWS Region in which the destination file system is located.\n\n> For file systems using Standard storage classes, the replication configuration must specify the AWS Region in which the destination file system is located.", + "title": "Region", "type": "string" } }, @@ -75934,7 +76416,7 @@ }, "ResourcesVpcConfig": { "$ref": "#/definitions/AWS::EKS::Cluster.ResourcesVpcConfig", - "markdownDescription": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.\n\n> Updates require replacement of the `SecurityGroupIds` and `SubnetIds` sub-properties.", + "markdownDescription": "The VPC configuration that's used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see [Cluster VPC Considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and [Cluster Security Group Considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) in the *Amazon EKS User Guide* . You must specify at least two subnets. You can specify up to five security groups. However, we recommend that you use a dedicated security group for your cluster control plane.\n\n> All subnets that you add must be in the same set of AZs as originally provided when you created the cluster. New subnets must satisfy all of the other requirements, for example they must have sufficient IP addresses.\n> \n> For example, assume that you made a cluster and specified four subnets. In the order that you specified them, the first subnet is in the `us-west-2a` Availability Zone, the second and third subnets are in `us-west-2b` Availability Zone, and the fourth subnet is in `us-west-2c` Availability Zone. If you want to change the subnets, you must provide at least one subnet in each of the three Availability Zones, and the subnets must be in the same VPC as the original subnets.", "title": "ResourcesVpcConfig" }, "RoleArn": { @@ -76142,7 +76624,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.", + "markdownDescription": "Specify subnets for your Amazon EKS nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your nodes and the Kubernetes control plane.\n\n> All subnets that you add must be in the same set of AZs as originally provided when you created the cluster. New subnets must satisfy all of the other requirements, for example they must have sufficient IP addresses.\n> \n> For example, assume that you made a cluster and specified four subnets. In the order that you specified them, the first subnet is in the `us-west-2a` Availability Zone, the second and third subnets are in `us-west-2b` Availability Zone, and the fourth subnet is in `us-west-2c` Availability Zone. If you want to change the subnets, you must provide at least one subnet in each of the three Availability Zones, and the subnets must be in the same VPC as the original subnets.", "title": "SubnetIds", "type": "array" } @@ -76787,7 +77269,7 @@ }, "AutoTerminationPolicy": { "$ref": "#/definitions/AWS::EMR::Cluster.AutoTerminationPolicy", - "markdownDescription": "", + "markdownDescription": "An auto-termination policy defines the amount of idle time in seconds after which a cluster automatically terminates. For alternative cluster termination options, see [Control cluster termination](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-termination.html)", "title": "AutoTerminationPolicy" }, "BootstrapActions": { @@ -76852,7 +77334,7 @@ "type": "string" }, "OSReleaseLabel": { - "markdownDescription": "", + "markdownDescription": "The Amazon Linux release specified in a cluster launch RunJobFlow request. If no Amazon Linux release was specified, the default Amazon Linux release is shown in the response.", "title": "OSReleaseLabel", "type": "string" }, @@ -76994,7 +77476,7 @@ "additionalProperties": false, "properties": { "IdleTimeout": { - "markdownDescription": "", + "markdownDescription": "Specifies the amount of idle time in seconds after which the cluster automatically terminates. You can specify a minimum of 60 seconds and a maximum of 604800 seconds (seven days).", "title": "IdleTimeout", "type": "number" } @@ -77795,6 +78277,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -78099,6 +78583,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -78529,6 +79015,8 @@ "type": "number" }, "Throughput": { + "markdownDescription": "The throughput, in mebibyte per second (MiB/s). This optional parameter can be a number from 125 - 1000 and is valid only for gp3 volumes.", + "title": "Throughput", "type": "number" }, "VolumeType": { @@ -79015,9 +79503,13 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "You can add tags when you create a new workspace. You can add, remove, or list tags from an active workspace, but you can't update tags. Instead, remove the tag and add a new one. For more information, see see [Tag your Amazon EMR WAL workspaces](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hbase-wal.html#emr-hbase-wal-tagging) .", + "title": "Tags", "type": "array" }, "WALWorkspaceName": { + "markdownDescription": "The name of the WAL workspace.", + "title": "WALWorkspaceName", "type": "string" } }, @@ -79214,7 +79706,7 @@ "additionalProperties": false, "properties": { "Architecture": { - "markdownDescription": "The CPU architecture type of the application. Allowed values: `X86_64` or `ARM64`", + "markdownDescription": "The CPU architecture of an application.", "title": "Architecture", "type": "string" }, @@ -79230,7 +79722,7 @@ }, "ImageConfiguration": { "$ref": "#/definitions/AWS::EMRServerless::Application.ImageConfigurationInput", - "markdownDescription": "", + "markdownDescription": "The image configuration applied to all worker types.", "title": "ImageConfiguration" }, "InitialCapacity": { @@ -79250,7 +79742,7 @@ "$ref": "#/definitions/AWS::EMRServerless::Application.MonitoringConfiguration" }, "Name": { - "markdownDescription": "The name of the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._\\\\/#-]+$`", + "markdownDescription": "The name of the application.", "title": "Name", "type": "string" }, @@ -79260,7 +79752,7 @@ "title": "NetworkConfiguration" }, "ReleaseLabel": { - "markdownDescription": "The EMR release version associated with the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._/-]+$`", + "markdownDescription": "The Amazon EMR release associated with the application.", "title": "ReleaseLabel", "type": "string" }, @@ -79285,7 +79777,7 @@ }, "WorkerTypeSpecifications": { "additionalProperties": false, - "markdownDescription": "", + "markdownDescription": "The specification applied to each worker type.", "patternProperties": { "^[a-zA-Z0-9]+$": { "$ref": "#/definitions/AWS::EMRServerless::Application.WorkerTypeSpecificationInput" @@ -79326,7 +79818,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "Enables the application to automatically start on job submission. Defaults to true.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" } @@ -79337,12 +79829,12 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "Enables the application to automatically stop after a certain amount of time being idle. Defaults to true.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" }, "IdleTimeoutMinutes": { - "markdownDescription": "The amount of idle time in minutes after which your application will automatically stop. Defaults to 15 minutes.\n\n*Minimum* : 1\n\n*Maximum* : 10080", + "markdownDescription": "", "title": "IdleTimeoutMinutes", "type": "number" } @@ -79380,7 +79872,7 @@ "additionalProperties": false, "properties": { "ImageUri": { - "markdownDescription": "", + "markdownDescription": "The URI of an image in the Amazon ECR registry. This field is required when you create a new application. If you leave this field blank in an update, Amazon EMR will remove the image configuration.", "title": "ImageUri", "type": "string" } @@ -79396,7 +79888,7 @@ "title": "WorkerConfiguration" }, "WorkerCount": { - "markdownDescription": "The number of workers in the initial capacity configuration.\n\n*Minimum* : 1\n\n*Maximum* : 1000000", + "markdownDescription": "The number of workers in the initial capacity configuration.", "title": "WorkerCount", "type": "number" } @@ -79411,13 +79903,13 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The worker type for an analytics framework. For Spark applications, the key can either be set to `Driver` or `Executor` . For Hive applications, it can be set to `HiveDriver` or `TezTask` .\n\n*Minimum* : 1\n\n*Maximum* : 50\n\n*Pattern* : `^[a-zA-Z]+[-_]*[a-zA-Z]+$`", + "markdownDescription": "", "title": "Key", "type": "string" }, "Value": { "$ref": "#/definitions/AWS::EMRServerless::Application.InitialCapacityConfig", - "markdownDescription": "The value for the initial capacity configuration per worker.", + "markdownDescription": "", "title": "Value" } }, @@ -79443,17 +79935,17 @@ "additionalProperties": false, "properties": { "Cpu": { - "markdownDescription": "The maximum allowed CPU for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "markdownDescription": "The maximum allowed CPU for an application.", "title": "Cpu", "type": "string" }, "Disk": { - "markdownDescription": "The maximum allowed disk for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "markdownDescription": "The maximum allowed disk for an application.", "title": "Disk", "type": "string" }, "Memory": { - "markdownDescription": "The maximum allowed resources for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`", + "markdownDescription": "The maximum allowed resources for an application.", "title": "Memory", "type": "string" } @@ -79483,7 +79975,7 @@ "items": { "type": "string" }, - "markdownDescription": "The array of security group Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "markdownDescription": "The array of security group Ids for customer VPC connectivity.", "title": "SecurityGroupIds", "type": "array" }, @@ -79491,7 +79983,7 @@ "items": { "type": "string" }, - "markdownDescription": "The array of subnet Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "markdownDescription": "The array of subnet Ids for customer VPC connectivity.", "title": "SubnetIds", "type": "array" } @@ -79514,17 +80006,17 @@ "additionalProperties": false, "properties": { "Cpu": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "markdownDescription": "", "title": "Cpu", "type": "string" }, "Disk": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "markdownDescription": "", "title": "Disk", "type": "string" }, "Memory": { - "markdownDescription": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`", + "markdownDescription": "", "title": "Memory", "type": "string" } @@ -79540,7 +80032,7 @@ "properties": { "ImageConfiguration": { "$ref": "#/definitions/AWS::EMRServerless::Application.ImageConfigurationInput", - "markdownDescription": "", + "markdownDescription": "The image configuration for a worker type.", "title": "ImageConfiguration" } }, @@ -79610,12 +80102,12 @@ "type": "array" }, "CacheSubnetGroupName": { - "markdownDescription": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see [AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .", + "markdownDescription": "The name of the subnet group to be used for the cluster.\n\nUse this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon VPC).\n\n> If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group before you start creating a cluster. For more information, see `[AWS::ElastiCache::SubnetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-subnetgroup.html) .`", "title": "CacheSubnetGroupName", "type": "string" }, "ClusterName": { - "markdownDescription": "A name for the cache cluster. If you don't specify a name, AWSCloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", + "markdownDescription": "A name for the cache cluster. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the cache cluster. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .\n\nThe name must contain 1 to 50 alphanumeric characters or hyphens. The name must start with a letter and cannot end with a hyphen or contain two consecutive hyphens.", "title": "ClusterName", "type": "string" }, @@ -80286,8 +80778,6 @@ "type": "string" }, "ReplicationGroupId": { - "markdownDescription": "The replication group identifier. This parameter is stored as a lowercase string.\n\nConstraints:\n\n- A name must contain from 1 to 40 alphanumeric characters or hyphens.\n- The first character must be a letter.\n- A name cannot end with a hyphen or contain two consecutive hyphens.", - "title": "ReplicationGroupId", "type": "string" }, "SecurityGroupIds": { @@ -81585,16 +82075,16 @@ }, "ConnectionDrainingPolicy": { "$ref": "#/definitions/AWS::ElasticLoadBalancing::LoadBalancer.ConnectionDrainingPolicy", - "markdownDescription": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure Connection Draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy instance.\n\nFor more information, see [Configure connection draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html) in the *User Guide for Classic Load Balancers* .", "title": "ConnectionDrainingPolicy" }, "ConnectionSettings": { "$ref": "#/definitions/AWS::ElasticLoadBalancing::LoadBalancer.ConnectionSettings", - "markdownDescription": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. For more information, see [Configure Idle Connection Timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer allows the connections to remain idle (no data is sent over the connection) for the specified duration.\n\nBy default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-end and back-end connections of your load balancer. For more information, see [Configure idle connection timeout](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html) in the *User Guide for Classic Load Balancers* .", "title": "ConnectionSettings" }, "CrossZone": { - "markdownDescription": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure Cross-Zone Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *Classic Load Balancers Guide* .", + "markdownDescription": "If enabled, the load balancer routes the request traffic evenly across all instances regardless of the Availability Zones.\n\nFor more information, see [Configure cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html) in the *User Guide for Classic Load Balancers* .", "title": "CrossZone", "type": "boolean" }, @@ -83031,7 +83521,7 @@ "items": { "type": "string" }, - "markdownDescription": "[Application Load Balancers] The IDs of the security groups for the load balancer.", + "markdownDescription": "[Application Load Balancers and Network Load Balancers] The IDs of the security groups for the load balancer.", "title": "SecurityGroups", "type": "array" }, @@ -83091,7 +83581,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false` . The default is `false` .\n- `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false` . The default for Network Load Balancers and Gateway Load Balancers is `false` . The default for Application Load Balancers is `true` , and cannot be changed.\n\nThe following attributes are supported by both Application Load Balancers and Network Load Balancers:\n\n- `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false` . The default is `false` .\n- `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.\n- `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.\n- `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.\n\nThe following attributes are supported by only Application Load Balancers:\n\n- `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.\n- `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive` .\n- `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( `true` ) or routed to targets ( `false` ). The default is `false` .\n- `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers ( `x-amzn-tls-version` and `x-amzn-tls-cipher-suite` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false` . The default is `false` .\n- `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false` . The default is `false` .\n- `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append` , `preserve` , and `remove` . The default is `append` .\n\n- If the value is `append` , the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.\n- If the value is `remove` , the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.\n- `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false` . The default is `true` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.\n- `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are `true` and `false` . The default is `false` .\n\nThe following attributes are supported by only Network Load Balancers:\n\n- `dns_record.client_routing_policy` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are `availability_zone_affinity` with 100 percent zonal affinity, `partial_availability_zone_affinity` with 85 percent zonal affinity, and `any_availability_zone` with 0 percent zonal affinity.", "title": "Key", "type": "string" }, @@ -83338,7 +83828,7 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . The default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", + "markdownDescription": "The name of the attribute.\n\nThe following attributes are supported by all load balancers:\n\n- `deregistration_delay.timeout_seconds` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from `draining` to `unused` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported.\n- `stickiness.enabled` - Indicates whether target stickiness is enabled. The value is `true` or `false` . The default is `false` .\n- `stickiness.type` - Indicates the type of stickiness. The possible values are:\n\n- `lb_cookie` and `app_cookie` for Application Load Balancers.\n- `source_ip` for Network Load Balancers.\n- `source_ip_dest_ip` and `source_ip_dest_ip_proto` for Gateway Load Balancers.\n\nThe following attributes are supported by Application Load Balancers and Network Load Balancers:\n\n- `load_balancing.cross_zone.enabled` - Indicates whether cross zone load balancing is enabled. The value is `true` , `false` or `use_load_balancer_configuration` . The default is `use_load_balancer_configuration` .\n- `target_group_health.dns_failover.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to the maximum number of targets. The default is `off` .\n- `target_group_health.dns_failover.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.count` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.\n- `target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are `off` or an integer from 1 to 100. The default is `off` .\n\nThe following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address:\n\n- `load_balancing.algorithm.type` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is `round_robin` or `least_outstanding_requests` . The default is `round_robin` .\n- `slow_start.duration_seconds` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).\n- `stickiness.app_cookie.cookie_name` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: `AWSALB` , `AWSALBAPP` , and `AWSALBTG` ; they're reserved for use by the load balancer.\n- `stickiness.app_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n- `stickiness.lb_cookie.duration_seconds` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).\n\nThe following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function:\n\n- `lambda.multi_value_headers.enabled` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is `true` or `false` . The default is `false` . If the value is `false` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client.\n\nThe following attributes are supported only by Network Load Balancers:\n\n- `deregistration_delay.connection_termination.enabled` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is `true` or `false` . For new UDP/TCP_UDP target groups the default is `true` . Otherwise, the default is `false` .\n- `preserve_client_ip.enabled` - Indicates whether client IP preservation is enabled. The value is `true` or `false` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups.\n- `proxy_protocol_v2.enabled` - Indicates whether Proxy Protocol version 2 is enabled. The value is `true` or `false` . The default is `false` .\n- `target_health_state.unhealthy.connection_termination.enabled` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is `true` or `false` . The default is `true` .\n\nThe following attributes are supported only by Gateway Load Balancers:\n\n- `target_failover.on_deregistration` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) can't be set independently. The value you set for both attributes must be the same.\n- `target_failover.on_unhealthy` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are `rebalance` and `no_rebalance` . The default is `no_rebalance` . The two attributes ( `target_failover.on_deregistration` and `target_failover.on_unhealthy` ) cannot be set independently. The value you set for both attributes must be the same.", "title": "Key", "type": "string" }, @@ -83823,33 +84313,47 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the workflow.", + "title": "Description", "type": "string" }, "IdMappingTechniques": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingTechniques" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingTechniques", + "markdownDescription": "An object which defines the `idMappingType` and the `providerProperties` .", + "title": "IdMappingTechniques" }, "InputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingWorkflowInputSource" }, + "markdownDescription": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "title": "InputSourceConfig", "type": "array" }, "OutputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IdMappingWorkflowOutputSource" }, + "markdownDescription": "A list of `IdMappingWorkflowOutputSource` objects, each of which contains fields `OutputS3Path` and `Output` .", + "title": "OutputSourceConfig", "type": "array" }, "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "title": "RoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" }, "WorkflowName": { + "markdownDescription": "The name of the workflow. There can't be multiple `IdMappingWorkflows` with the same name.", + "title": "WorkflowName", "type": "string" } }, @@ -83887,10 +84391,14 @@ "additionalProperties": false, "properties": { "IdMappingType": { + "markdownDescription": "The type of ID mapping.", + "title": "IdMappingType", "type": "string" }, "ProviderProperties": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.ProviderProperties" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.ProviderProperties", + "markdownDescription": "An object which defines any additional configurations required by the provider service.", + "title": "ProviderProperties" } }, "type": "object" @@ -83899,9 +84407,13 @@ "additionalProperties": false, "properties": { "InputSourceARN": { + "markdownDescription": "An AWS Glue table ARN for the input source table.", + "title": "InputSourceARN", "type": "string" }, "SchemaArn": { + "markdownDescription": "The ARN (Amazon Resource Name) that AWS Entity Resolution generated for the `SchemaMapping` .", + "title": "SchemaArn", "type": "string" } }, @@ -83915,9 +84427,13 @@ "additionalProperties": false, "properties": { "KMSArn": { + "markdownDescription": "Customer AWS KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "title": "KMSArn", "type": "string" }, "OutputS3Path": { + "markdownDescription": "The S3 path to which AWS Entity Resolution will write the output table.", + "title": "OutputS3Path", "type": "string" } }, @@ -83930,6 +84446,8 @@ "additionalProperties": false, "properties": { "IntermediateS3Path": { + "markdownDescription": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`", + "title": "IntermediateS3Path", "type": "string" } }, @@ -83942,18 +84460,24 @@ "additionalProperties": false, "properties": { "IntermediateSourceConfiguration": { - "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IntermediateSourceConfiguration" + "$ref": "#/definitions/AWS::EntityResolution::IdMappingWorkflow.IntermediateSourceConfiguration", + "markdownDescription": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "title": "IntermediateSourceConfiguration" }, "ProviderConfiguration": { "additionalProperties": true, + "markdownDescription": "The required configuration fields to use with the provider service.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "ProviderConfiguration", "type": "object" }, "ProviderServiceArn": { + "markdownDescription": "The ARN of the provider service.", + "title": "ProviderServiceArn", "type": "string" } }, @@ -83998,33 +84522,47 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the workflow.", + "title": "Description", "type": "string" }, "InputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.InputSource" }, + "markdownDescription": "A list of `InputSource` objects, which have the fields `InputSourceARN` and `SchemaName` .", + "title": "InputSourceConfig", "type": "array" }, "OutputSourceConfig": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.OutputSource" }, + "markdownDescription": "A list of `OutputSource` objects, each of which contains fields `OutputS3Path` , `ApplyNormalization` , and `Output` .", + "title": "OutputSourceConfig", "type": "array" }, "ResolutionTechniques": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ResolutionTechniques" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ResolutionTechniques", + "markdownDescription": "An object which defines the `resolutionType` and the `ruleBasedProperties` .", + "title": "ResolutionTechniques" }, "RoleArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role. AWS Entity Resolution assumes this role to create resources on your behalf as part of workflow execution.", + "title": "RoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" }, "WorkflowName": { + "markdownDescription": "The name of the workflow. There can't be multiple `MatchingWorkflows` with the same name.", + "title": "WorkflowName", "type": "string" } }, @@ -84062,12 +84600,18 @@ "additionalProperties": false, "properties": { "ApplyNormalization": { + "markdownDescription": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "title": "ApplyNormalization", "type": "boolean" }, "InputSourceARN": { + "markdownDescription": "An object containing `InputSourceARN` , `SchemaName` , and `ApplyNormalization` .", + "title": "InputSourceARN", "type": "string" }, "SchemaArn": { + "markdownDescription": "The name of the schema.", + "title": "SchemaArn", "type": "string" } }, @@ -84081,6 +84625,8 @@ "additionalProperties": false, "properties": { "IntermediateS3Path": { + "markdownDescription": "The Amazon S3 location (bucket and prefix). For example: `s3://provider_bucket/DOC-EXAMPLE-BUCKET`", + "title": "IntermediateS3Path", "type": "string" } }, @@ -84093,9 +84639,13 @@ "additionalProperties": false, "properties": { "Hashed": { + "markdownDescription": "Enables the ability to hash the column values in the output.", + "title": "Hashed", "type": "boolean" }, "Name": { + "markdownDescription": "A name of a column to be written to the output. This must be an `InputField` name in the schema mapping.", + "title": "Name", "type": "string" } }, @@ -84108,18 +84658,26 @@ "additionalProperties": false, "properties": { "ApplyNormalization": { + "markdownDescription": "Normalizes the attributes defined in the schema in the input data. For example, if an attribute has an `AttributeType` of `PHONE_NUMBER` , and the data in the input table is in a format of 1234567890, AWS Entity Resolution will normalize this field in the output to (123)-456-7890.", + "title": "ApplyNormalization", "type": "boolean" }, "KMSArn": { + "markdownDescription": "Customer KMS ARN for encryption at rest. If not provided, system will use an AWS Entity Resolution managed KMS key.", + "title": "KMSArn", "type": "string" }, "Output": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.OutputAttribute" }, + "markdownDescription": "A list of `OutputAttribute` objects, each of which have the fields `Name` and `Hashed` . Each of these objects selects a column to be included in the output table, and whether the values of the column should be hashed.", + "title": "Output", "type": "array" }, "OutputS3Path": { + "markdownDescription": "The S3 path to which AWS Entity Resolution will write the output table.", + "title": "OutputS3Path", "type": "string" } }, @@ -84133,18 +84691,24 @@ "additionalProperties": false, "properties": { "IntermediateSourceConfiguration": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.IntermediateSourceConfiguration" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.IntermediateSourceConfiguration", + "markdownDescription": "The Amazon S3 location that temporarily stores your data while it processes. Your information won't be saved permanently.", + "title": "IntermediateSourceConfiguration" }, "ProviderConfiguration": { "additionalProperties": true, + "markdownDescription": "The required configuration fields to use with the provider service.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "ProviderConfiguration", "type": "object" }, "ProviderServiceArn": { + "markdownDescription": "The ARN of the provider service.", + "title": "ProviderServiceArn", "type": "string" } }, @@ -84157,13 +84721,19 @@ "additionalProperties": false, "properties": { "ProviderProperties": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ProviderProperties" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.ProviderProperties", + "markdownDescription": "The properties of the provider service.", + "title": "ProviderProperties" }, "ResolutionType": { + "markdownDescription": "The type of matching. There are two types of matching: `RULE_MATCHING` and `ML_MATCHING` .", + "title": "ResolutionType", "type": "string" }, "RuleBasedProperties": { - "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.RuleBasedProperties" + "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.RuleBasedProperties", + "markdownDescription": "An object which defines the list of matching rules to run and has a field `Rules` , which is a list of rule objects.", + "title": "RuleBasedProperties" } }, "type": "object" @@ -84175,9 +84745,13 @@ "items": { "type": "string" }, + "markdownDescription": "A list of `MatchingKeys` . The `MatchingKeys` must have been defined in the `SchemaMapping` . Two records are considered to match according to this rule if all of the `MatchingKeys` match.", + "title": "MatchingKeys", "type": "array" }, "RuleName": { + "markdownDescription": "A name for the matching rule.", + "title": "RuleName", "type": "string" } }, @@ -84191,12 +84765,16 @@ "additionalProperties": false, "properties": { "AttributeMatchingModel": { + "markdownDescription": "The comparison type. You can either choose `ONE_TO_ONE` or `MANY_TO_MANY` as the AttributeMatchingModel. When choosing `MANY_TO_MANY` , the system can match attributes across the sub-types of an attribute type. For example, if the value of the `Email` field of Profile A and the value of `BusinessEmail` field of Profile B matches, the two profiles are matched on the `Email` type. When choosing `ONE_TO_ONE` ,the system can only match if the sub-types are exact matches. For example, only when the value of the `Email` field of Profile A and the value of the `Email` field of Profile B matches, the two profiles are matched on the `Email` type.", + "title": "AttributeMatchingModel", "type": "string" }, "Rules": { "items": { "$ref": "#/definitions/AWS::EntityResolution::MatchingWorkflow.Rule" }, + "markdownDescription": "A list of `Rule` objects, each of which have fields `RuleName` and `MatchingKeys` .", + "title": "Rules", "type": "array" } }, @@ -84242,21 +84820,29 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A description of the schema.", + "title": "Description", "type": "string" }, "MappedInputFields": { "items": { "$ref": "#/definitions/AWS::EntityResolution::SchemaMapping.SchemaInputAttribute" }, + "markdownDescription": "A list of `MappedInputFields` . Each `MappedInputField` corresponds to a column the source data table, and contains column name plus additional information that AWS Entity Resolution uses for matching.", + "title": "MappedInputFields", "type": "array" }, "SchemaName": { + "markdownDescription": "The name of the schema. There can't be multiple `SchemaMappings` with the same name.", + "title": "SchemaName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags used to organize, track, or control access for this resource.", + "title": "Tags", "type": "array" } }, @@ -84291,18 +84877,28 @@ "additionalProperties": false, "properties": { "FieldName": { + "markdownDescription": "A string containing the field name.", + "title": "FieldName", "type": "string" }, "GroupName": { + "markdownDescription": "Instruct AWS Entity Resolution to combine several columns into a unified column with the identical attribute type. For example, when working with columns such as first_name, middle_name, and last_name, assigning them a common `GroupName` will prompt AWS Entity Resolution to concatenate them into a single value.", + "title": "GroupName", "type": "string" }, "MatchKey": { + "markdownDescription": "A key that allows grouping of multiple input attributes into a unified matching group. For example, let's consider a scenario where the source table contains various addresses, such as `business_address` and `shipping_address` . By assigning the `MatchKey` *Address* to both attributes, AWS Entity Resolution will match records across these fields to create a consolidated matching group. If no `MatchKey` is specified for a column, it won't be utilized for matching purposes but will still be included in the output table.", + "title": "MatchKey", "type": "string" }, "SubType": { + "markdownDescription": "The subtype of the attribute, selected from a list of values.", + "title": "SubType", "type": "string" }, "Type": { + "markdownDescription": "The type of the attribute, selected from a list of values.", + "title": "Type", "type": "string" } }, @@ -84401,12 +84997,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -84497,12 +85093,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -84692,12 +85288,12 @@ "additionalProperties": false, "properties": { "Key": { - "markdownDescription": "They key of a key-value pair.", + "markdownDescription": "The key of a key-value pair.", "title": "Key", "type": "string" }, "Value": { - "markdownDescription": "They value of a key-value pair.", + "markdownDescription": "The value of a key-value pair.", "title": "Value", "type": "string" } @@ -85371,6 +85967,8 @@ "type": "string" }, "Policy": { + "markdownDescription": "The permissions policy of the event bus, describing which other AWS accounts can write events to this event bus.", + "title": "Policy", "type": "object" }, "Tags": { @@ -85975,6 +86573,8 @@ "items": { "type": "string" }, + "markdownDescription": "One or more SQL statements to run. The SQL statements are run as a single transaction. They run serially in the order of the array. Subsequent SQL statements don't start until the previous statement in the array completes. If any SQL statement fails, then because they are run as one transaction, all work is rolled back.", + "title": "Sqls", "type": "array" }, "StatementName": { @@ -86271,7 +86871,7 @@ "type": "number" }, "Segment": { - "markdownDescription": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "markdownDescription": "Specifies an audience *segment* to use in the experiment. When a segment is used in an experiment, only user sessions that match the segment pattern are used in the experiment.\n\nFor more information, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "title": "Segment", "type": "string" }, @@ -87110,7 +87710,7 @@ "type": "string" }, "Pattern": { - "markdownDescription": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments-syntax.html) .", + "markdownDescription": "The pattern to use for the segment. For more information about pattern syntax, see [Segment rule pattern syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-segments.html#CloudWatch-Evidently-segments-syntax) .", "title": "Pattern", "type": "string" }, @@ -87196,7 +87796,7 @@ "type": "object" }, "Description": { - "markdownDescription": "A description for the experiment template.", + "markdownDescription": "The description for the experiment template.", "title": "Description", "type": "string" }, @@ -87206,7 +87806,7 @@ "title": "LogConfiguration" }, "RoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role that grants the AWS FIS service permission to perform service actions on your behalf.", + "markdownDescription": "The Amazon Resource Name (ARN) of an IAM role.", "title": "RoleArn", "type": "string" }, @@ -87214,13 +87814,13 @@ "items": { "$ref": "#/definitions/AWS::FIS::ExperimentTemplate.ExperimentTemplateStopCondition" }, - "markdownDescription": "The stop conditions.", + "markdownDescription": "The stop conditions for the experiment.", "title": "StopConditions", "type": "array" }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags to apply to the experiment template.", + "markdownDescription": "The tags for the experiment template.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -87289,7 +87889,7 @@ "additionalProperties": false, "properties": { "ActionId": { - "markdownDescription": "The ID of the action. The format of the action ID is: aws: *service-name* : *action-type* .", + "markdownDescription": "The ID of the action.", "title": "ActionId", "type": "string" }, @@ -87300,32 +87900,28 @@ }, "Parameters": { "additionalProperties": true, - "markdownDescription": "The parameters for the action, if applicable.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Parameters", "type": "object" }, "StartAfter": { "items": { "type": "string" }, - "markdownDescription": "The name of the action that must be completed before the current action starts. Omit this parameter to run the action at the start of the experiment.", + "markdownDescription": "The name of the action that must be completed before the current action starts.", "title": "StartAfter", "type": "array" }, "Targets": { "additionalProperties": true, - "markdownDescription": "The targets for the action.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, - "title": "Targets", "type": "object" } }, @@ -87362,12 +87958,12 @@ "additionalProperties": false, "properties": { "Source": { - "markdownDescription": "The source for the stop condition. Specify `aws:cloudwatch:alarm` if the stop condition is defined by a CloudWatch alarm. Specify `none` if there is no stop condition.", + "markdownDescription": "The source for the stop condition.", "title": "Source", "type": "string" }, "Value": { - "markdownDescription": "The Amazon Resource Name (ARN) of the CloudWatch alarm. This is required if the source is a CloudWatch alarm.", + "markdownDescription": "The Amazon Resource Name (ARN) of the CloudWatch alarm, if applicable.", "title": "Value", "type": "string" } @@ -87403,7 +87999,7 @@ "items": { "type": "string" }, - "markdownDescription": "The Amazon Resource Names (ARNs) of the resources.", + "markdownDescription": "The Amazon Resource Names (ARNs) of the targets.", "title": "ResourceArns", "type": "array" }, @@ -87419,12 +88015,12 @@ "type": "object" }, "ResourceType": { - "markdownDescription": "The resource type. The resource type must be supported for the specified action.", + "markdownDescription": "The resource type.", "title": "ResourceType", "type": "string" }, "SelectionMode": { - "markdownDescription": "Scopes the identified resources to a specific count of the resources at random, or a percentage of the resources. All identified resources are included in the target.\n\n- ALL - Run the action on all identified targets. This is the default.\n- COUNT(n) - Run the action on the specified number of targets, chosen from the identified targets at random. For example, COUNT(1) selects one of the targets.\n- PERCENT(n) - Run the action on the specified percentage of targets, chosen from the identified targets at random. For example, PERCENT(25) selects 25% of the targets.", + "markdownDescription": "Scopes the identified resources to a specific count or percentage.", "title": "SelectionMode", "type": "string" } @@ -87637,7 +88233,7 @@ "type": "array" }, "ResourceType": { - "markdownDescription": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nFor AWS WAF and Shield Advanced, example resource types include `AWS::ElasticLoadBalancingV2::LoadBalancer` and `AWS::CloudFront::Distribution` . For a security group common policy, valid values are `AWS::EC2::NetworkInterface` and `AWS::EC2::Instance` . For a security group content audit policy, valid values are `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` . For a security group usage audit policy, the value is `AWS::EC2::SecurityGroup` . For an AWS Network Firewall policy or DNS Firewall policy, the value is `AWS::EC2::VPC` .", + "markdownDescription": "The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .\n\nThe following are valid resource types for each Firewall Manager policy type:\n\n- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .\n- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .\n- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .\n- AWS Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .\n- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .\n- Security group usage audit - `AWS::EC2::SecurityGroup` .", "title": "ResourceType", "type": "string" }, @@ -87656,7 +88252,7 @@ }, "SecurityServicePolicyData": { "$ref": "#/definitions/AWS::FMS::Policy.SecurityServicePolicyData", - "markdownDescription": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "markdownDescription": "Details about the security service that is being used to protect the resources.\n\nThis contains the following settings:\n\n- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .\n\nValid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`\n- ManagedServiceData - Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the third-party firewall name.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "title": "SecurityServicePolicyData" }, "Tags": { @@ -87792,7 +88388,7 @@ "additionalProperties": false, "properties": { "ManagedServiceData": { - "markdownDescription": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"PALO_ALTO_NETWORKS_CLOUD_NGFW\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", + "markdownDescription": "Details about the service that are specific to the service type, in JSON format.\n\n- Example: `DNS_FIREWALL`\n\n`\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"`\n\n> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.\n- Example: `NETWORK_FIREWALL` - Centralized deployment model\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nWith automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nWith custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management\n\n`\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .\n- Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions\n\n`\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"`\n\nFor example: `\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"`\n\nThe default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .\n\nFor other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.\n- Example: `THIRD_PARTY_FIREWALL` - Centralized deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{ \\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\", \\\"thirdPartyFirewall\\\":\\\"\\THIRD_PARTY_FIREWALL_NAME\\\", \\\"thirdPartyFirewallConfig\\\":{ \\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .\n- Example: `THIRD_PARTY_FIREWALL` - Distributed deployment model\n\nReplace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.\n\n`\"{\\\"type\\\":\\\"THIRD_PARTY_FIREWALL\\\",\\\"thirdPartyFirewall\\\":\\\"THIRD_PARTY_FIREWALL_NAME\\\",\\\"thirdPartyFirewallConfig\\\":{\\\"thirdPartyFirewallPolicyList\\\":[\\\"global-1\\\"] },\\\"firewallDeploymentModel\\\":{ \\\"distributedFirewallDeploymentModel\\\":{ \\\"distributedFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\\\"availabilityZoneName\\\":\\\"${AvailabilityZone}\\\" } ] } }, \\\"allowedIPV4CidrList\\\":[ ] } } } }\"`\n\nTo use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .\n- Example: `WAFV2`\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]},\\\"optimizeUnassociatedWebACL\\\":true}\"`\n\nIn the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .\n- Example: `AWS WAF Classic`\n\n`\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"`\n- Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning\n\n`\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"`\n\nTo use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.\n- Example: `SECURITY_GROUPS_COMMON`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"`\n- Example: `SECURITY_GROUPS_CONTENT_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"`\n\nThe security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.\n- Example: `SECURITY_GROUPS_USAGE_AUDIT`\n\n`\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"`", "title": "ManagedServiceData", "type": "string" }, @@ -87883,7 +88479,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources included in the resource set.", + "markdownDescription": "", "title": "Resources", "type": "array" }, @@ -87891,7 +88487,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A collection of key:value pairs associated with a resource set. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each AWS resource.", + "markdownDescription": "", "title": "Tags", "type": "array" } @@ -88121,7 +88717,7 @@ "type": "string" }, "FileSystemTypeVersion": { - "markdownDescription": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` and `2.12` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 is supported by all Lustre deployment types. `2.12` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", + "markdownDescription": "(Optional) For FSx for Lustre file systems, sets the Lustre version for the file system that you're creating. Valid values are `2.10` , `2.12` , and `2.15` :\n\n- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.\n- 2.12 and 2.15 are supported by all Lustre deployment types. `2.12` or `2.15` is required when setting FSx for Lustre `DeploymentType` to `PERSISTENT_2` .\n\nDefault value = `2.10` , except when `DeploymentType` is set to `PERSISTENT_2` , then the default is `2.12` .\n\n> If you set `FileSystemTypeVersion` to `2.10` for a `PERSISTENT_2` Lustre deployment type, the `CreateFileSystem` operation fails.", "title": "FileSystemTypeVersion", "type": "string" }, @@ -88394,7 +88990,7 @@ "items": { "type": "string" }, - "markdownDescription": "(Multi-AZ only) Specifies the virtual private cloud (VPC) route tables in which your file system's endpoints will be created. You should specify all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "markdownDescription": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", "title": "RouteTableIds", "type": "array" }, @@ -88438,16 +89034,18 @@ "type": "string" }, "DeploymentType": { - "markdownDescription": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `SINGLE_AZ_1` - (Default) Creates file systems with throughput capacities of 64 - 4,096 MBps. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland) AWS Regions .\n\nFor more information, see: [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", + "markdownDescription": "Specifies the file system deployment type. Single AZ deployment types are configured for redundancy within a single Availability Zone in an AWS Region . Valid values are the following:\n\n- `MULTI_AZ_1` - Creates file systems with high availability that are configured for Multi-AZ redundancy to tolerate temporary unavailability in Availability Zones (AZs). `Multi_AZ_1` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n- `SINGLE_AZ_1` - Creates file systems with throughput capacities of 64 - 4,096 MB/s. `Single_AZ_1` is available in all AWS Regions where Amazon FSx for OpenZFS is available.\n- `SINGLE_AZ_2` - Creates file systems with throughput capacities of 160 - 10,240 MB/s using an NVMe L2ARC cache. `Single_AZ_2` is available only in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Europe (Ireland) AWS Regions .\n\nFor more information, see [Deployment type availability](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/availability-durability.html#available-aws-regions) and [File system performance](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/performance.html#zfs-fs-performance) in the *Amazon FSx for OpenZFS User Guide* .", "title": "DeploymentType", "type": "string" }, "DiskIopsConfiguration": { "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration", - "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", + "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for NetApp ONTAP, Amazon FSx for Windows File Server, or FSx for OpenZFS file system. By default, Amazon FSx automatically provisions 3 IOPS per GB of storage capacity. You can provision additional IOPS per GB of storage. The configuration consists of the total number of provisioned SSD IOPS and how it is was provisioned, or the mode (by the customer or by Amazon FSx).", "title": "DiskIopsConfiguration" }, "EndpointIpAddressRange": { + "markdownDescription": "(Multi-AZ only) Specifies the IP address range in which the endpoints to access your file system will be created. By default in the Amazon FSx API and Amazon FSx console, Amazon FSx selects an available /28 IP address range for you from one of the VPC's CIDR ranges. You can have overlapping endpoint IP addresses for file systems deployed in the same VPC/route tables.", + "title": "EndpointIpAddressRange", "type": "string" }, "Options": { @@ -88459,6 +89057,8 @@ "type": "array" }, "PreferredSubnetId": { + "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located.", + "title": "PreferredSubnetId", "type": "string" }, "RootVolumeConfiguration": { @@ -88470,10 +89070,12 @@ "items": { "type": "string" }, + "markdownDescription": "(Multi-AZ only) Specifies the route tables in which Amazon FSx creates the rules for routing traffic to the correct file server. You should specify all virtual private cloud (VPC) route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.", + "title": "RouteTableIds", "type": "array" }, "ThroughputCapacity": { - "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n- For `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n\nYou pay for additional throughput capacity that you provision.", + "markdownDescription": "Specifies the throughput of an Amazon FSx for OpenZFS file system, measured in megabytes per second (MBps). Valid values depend on the DeploymentType you choose, as follows:\n\n- For `MULTI_AZ_1` and `SINGLE_AZ_2` , valid values are 160, 320, 640, 1280, 2560, 3840, 5120, 7680, or 10240 MBps.\n- For `SINGLE_AZ_1` , valid values are 64, 128, 256, 512, 1024, 2048, 3072, or 4096 MBps.\n\nYou pay for additional throughput capacity that you provision.", "title": "ThroughputCapacity", "type": "number" }, @@ -88632,7 +89234,9 @@ "type": "string" }, "DiskIopsConfiguration": { - "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration" + "$ref": "#/definitions/AWS::FSx::FileSystem.DiskIopsConfiguration", + "markdownDescription": "The SSD IOPS (input/output operations per second) configuration for an Amazon FSx for Windows file system. By default, Amazon FSx automatically provisions 3 IOPS per GiB of storage capacity. You can provision additional IOPS per GiB of storage, up to the maximum limit associated with your chosen throughput capacity.", + "title": "DiskIopsConfiguration" }, "PreferredSubnetId": { "markdownDescription": "Required when `DeploymentType` is set to `MULTI_AZ_1` . This specifies the subnet in which you want the preferred file server to be located. For in- AWS applications, we recommend that you launch your clients in the same availability zone as your preferred file server to reduce cross-availability zone data transfer costs and minimize latency.", @@ -88991,9 +89595,13 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Defines the type of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. Setting this value to `NONE` disables autocommit. The default value is `NONE` .", + "title": "Type", "type": "string" }, "Value": { + "markdownDescription": "Defines the amount of time for the autocommit period of a file in an FSx for ONTAP SnapLock volume. The following ranges are valid:\n\n- `Minutes` : 5 - 65,535\n- `Hours` : 1 - 65,535\n- `Days` : 1 - 3,650\n- `Months` : 1 - 120\n- `Years` : 1 - 10", + "title": "Value", "type": "number" } }, @@ -89071,7 +89679,9 @@ "type": "string" }, "SnaplockConfiguration": { - "$ref": "#/definitions/AWS::FSx::Volume.SnaplockConfiguration" + "$ref": "#/definitions/AWS::FSx::Volume.SnaplockConfiguration", + "markdownDescription": "The SnapLock configuration object for an FSx for ONTAP SnapLock volume.", + "title": "SnaplockConfiguration" }, "SnapshotPolicy": { "markdownDescription": "Specifies the snapshot policy for the volume. There are three built-in snapshot policies:\n\n- `default` : This is the default policy. A maximum of six hourly snapshots taken five minutes past the hour. A maximum of two daily snapshots taken Monday through Saturday at 10 minutes after midnight. A maximum of two weekly snapshots taken every Sunday at 15 minutes after midnight.\n- `default-1weekly` : This policy is the same as the `default` policy except that it only retains one snapshot from the weekly schedule.\n- `none` : This policy does not take any snapshots. This policy can be assigned to volumes to prevent automatic snapshots from being taken.\n\nYou can also provide the name of a custom policy that you created with the ONTAP CLI or REST API.\n\nFor more information, see [Snapshot policies](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snapshots-ontap.html#snapshot-policies) in the *Amazon FSx for NetApp ONTAP User Guide* .", @@ -89197,9 +89807,13 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "Defines the type of time for the retention period of an FSx for ONTAP SnapLock volume. Set it to one of the valid types. If you set it to `INFINITE` , the files are retained forever. If you set it to `UNSPECIFIED` , the files are retained until you set an explicit retention period.", + "title": "Type", "type": "string" }, "Value": { + "markdownDescription": "Defines the amount of time for the retention period of an FSx for ONTAP SnapLock volume. You can't set a value for `INFINITE` or `UNSPECIFIED` . For all other options, the following ranges are valid:\n\n- `Seconds` : 0 - 65,535\n- `Minutes` : 0 - 65,535\n- `Hours` : 0 - 24\n- `Days` : 0 - 365\n- `Months` : 0 - 12\n- `Years` : 0 - 100", + "title": "Value", "type": "number" } }, @@ -89212,21 +89826,33 @@ "additionalProperties": false, "properties": { "AuditLogVolume": { + "markdownDescription": "Enables or disables the audit log volume for an FSx for ONTAP SnapLock volume. The default value is `false` . If you set `AuditLogVolume` to `true` , the SnapLock volume is created as an audit log volume. The minimum retention period for an audit log volume is six months.\n\nFor more information, see [SnapLock audit log volumes](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/how-snaplock-works.html#snaplock-audit-log-volume) .", + "title": "AuditLogVolume", "type": "string" }, "AutocommitPeriod": { - "$ref": "#/definitions/AWS::FSx::Volume.AutocommitPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.AutocommitPeriod", + "markdownDescription": "The configuration object for setting the autocommit period of files in an FSx for ONTAP SnapLock volume.", + "title": "AutocommitPeriod" }, "PrivilegedDelete": { + "markdownDescription": "Enables, disables, or permanently disables privileged delete on an FSx for ONTAP SnapLock Enterprise volume. Enabling privileged delete allows SnapLock administrators to delete write once, read many (WORM) files even if they have active retention periods. `PERMANENTLY_DISABLED` is a terminal state. If privileged delete is permanently disabled on a SnapLock volume, you can't re-enable it. The default value is `DISABLED` .\n\nFor more information, see [Privileged delete](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html#privileged-delete) .", + "title": "PrivilegedDelete", "type": "string" }, "RetentionPeriod": { - "$ref": "#/definitions/AWS::FSx::Volume.SnaplockRetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.SnaplockRetentionPeriod", + "markdownDescription": "Specifies the retention period of an FSx for ONTAP SnapLock volume.", + "title": "RetentionPeriod" }, "SnaplockType": { + "markdownDescription": "Specifies the retention mode of an FSx for ONTAP SnapLock volume. After it is set, it can't be changed. You can choose one of the following retention modes:\n\n- `COMPLIANCE` : Files transitioned to write once, read many (WORM) on a Compliance volume can't be deleted until their retention periods expire. This retention mode is used to address government or industry-specific mandates or to protect against ransomware attacks. For more information, see [SnapLock Compliance](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-compliance.html) .\n- `ENTERPRISE` : Files transitioned to WORM on an Enterprise volume can be deleted by authorized users before their retention periods expire using privileged delete. This retention mode is used to advance an organization's data integrity and internal compliance or to test retention settings before using SnapLock Compliance. For more information, see [SnapLock Enterprise](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/snaplock-enterprise.html) .", + "title": "SnaplockType", "type": "string" }, "VolumeAppendModeEnabled": { + "markdownDescription": "Enables or disables volume-append mode on an FSx for ONTAP SnapLock volume. Volume-append mode allows you to create WORM-appendable files and write data to them incrementally. The default value is `false` .\n\nFor more information, see [Volume-append mode](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/worm-state.html#worm-state-append) .", + "title": "VolumeAppendModeEnabled", "type": "string" } }, @@ -89239,13 +89865,19 @@ "additionalProperties": false, "properties": { "DefaultRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The retention period assigned to a write once, read many (WORM) file by default if an explicit retention period is not set for an FSx for ONTAP SnapLock volume. The default retention period must be greater than or equal to the minimum retention period and less than or equal to the maximum retention period.", + "title": "DefaultRetention" }, "MaximumRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The longest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "title": "MaximumRetention" }, "MinimumRetention": { - "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod" + "$ref": "#/definitions/AWS::FSx::Volume.RetentionPeriod", + "markdownDescription": "The shortest retention period that can be assigned to a WORM file on an FSx for ONTAP SnapLock volume.", + "title": "MinimumRetention" } }, "required": [ @@ -90068,7 +90700,7 @@ "additionalProperties": false, "properties": { "Arn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the model.", "title": "Arn", "type": "string" } @@ -90148,7 +90780,7 @@ "type": "string" }, "Language": { - "markdownDescription": "The rule language.", + "markdownDescription": "The rule language.\n\nValid Value: DETECTORPL", "title": "Language", "type": "string" }, @@ -91024,12 +91656,12 @@ "type": "string" }, "OperatingSystem": { - "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> The Amazon Linux 2023 OS is not available in the China Regions. > Support is ending in 2023 for the Windows Server 2012 and Amazon Linux (AL1) operating systems. If you have active fleets using these operating systems, you can continue to create new builds using these until their end of support. All other users must use Windows Server 2016, Amazon Linux 2, or Amazon Linux 2023. For more information, including specific end-of-support dates, see the Amazon GameLift FAQs for [Windows Server](https://docs.aws.amazon.com/gamelift/faq/win2012/) and [Linux Server](https://docs.aws.amazon.com/gamelift/faq/al1/) .", + "markdownDescription": "The operating system that your game server binaries run on. This value determines the type of fleet resources that you use for this build. If your game build contains multiple executables, they all must run on the same operating system. You must specify a valid operating system in this request. There is no default value. You can't change a build's operating system later.\n\n> If you have active fleets using the Windows Server 2012 operating system, you can continue to create new builds using this OS until October 10, 2023, when Microsoft ends its support. All others must use Windows Server 2016 when creating new Windows-based builds.", "title": "OperatingSystem", "type": "string" }, "ServerSdkVersion": { - "markdownDescription": "The Amazon GameLift Server SDK version used to develop your game server.", + "markdownDescription": "A server SDK version you used when integrating your game server build with Amazon GameLift. For more information see [Integrate games with custom game servers](https://docs.aws.amazon.com/gamelift/latest/developerguide/integration-custom-intro.html) . By default Amazon GameLift sets this value to `4.0.2` .", "title": "ServerSdkVersion", "type": "string" }, @@ -91070,22 +91702,22 @@ "additionalProperties": false, "properties": { "Bucket": { - "markdownDescription": "", + "markdownDescription": "An Amazon S3 bucket identifier. Thename of the S3 bucket.\n\n> Amazon GameLift doesn't support uploading from Amazon S3 buckets with names that contain a dot (.).", "title": "Bucket", "type": "string" }, "Key": { - "markdownDescription": "", + "markdownDescription": "The name of the zip file that contains the build files or script files.", "title": "Key", "type": "string" }, "ObjectVersion": { - "markdownDescription": "", + "markdownDescription": "The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this information when retrieving files from your S3 bucket. To retrieve a specific version of the file, provide an object version. To retrieve the latest version of the file, do not set this parameter.", "title": "ObjectVersion", "type": "string" }, "RoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name ( [ARN](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html) ) for an IAM role that allows Amazon GameLift to access the S3 bucket.", "title": "RoleArn", "type": "string" } @@ -91134,7 +91766,7 @@ "properties": { "AnywhereConfiguration": { "$ref": "#/definitions/AWS::GameLift::Fleet.AnywhereConfiguration", - "markdownDescription": "", + "markdownDescription": "Amazon GameLift Anywhere configuration options for your Anywhere fleets.", "title": "AnywhereConfiguration" }, "BuildId": { @@ -91176,16 +91808,18 @@ "type": "string" }, "FleetType": { - "markdownDescription": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This property cannot be changed after the fleet is created.", + "markdownDescription": "Indicates whether to use On-Demand or Spot instances for this fleet. By default, this property is set to `ON_DEMAND` . Learn more about when to use [On-Demand versus Spot Instances](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-ec2-instances.html#gamelift-ec2-instances-spot) . This fleet property can't be changed after the fleet is created.", "title": "FleetType", "type": "string" }, "InstanceRoleARN": { - "markdownDescription": "A unique identifier for an IAM role that manages access to your AWS services. With an instance role ARN set, any application that runs on an instance in this fleet can assume the role, including install scripts, server processes, and daemons (background processes). Create a role or look up a role's ARN by using the [IAM dashboard](https://docs.aws.amazon.com/iam/) in the AWS Management Console . Learn more about using on-box credentials for your game servers at [Access external resources from a game server](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) . This property cannot be changed after the fleet is created.", + "markdownDescription": "A unique identifier for an IAM role with access permissions to other AWS services. Any application that runs on an instance in the fleet--including install scripts, server processes, and other processes--can use these permissions to interact with AWS resources that you own or have access to. For more information about using the role with your game server builds, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", "title": "InstanceRoleARN", "type": "string" }, "InstanceRoleCredentialsProvider": { + "markdownDescription": "Indicates that fleet instances maintain a shared credentials file for the IAM role defined in `InstanceRoleArn` . Shared credentials allow applications that are deployed with the game server executable to communicate with other AWS resources. This property is used only when the game server is integrated with the server SDK version 5.x. For more information about using shared credentials, see [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html) .", + "title": "InstanceRoleCredentialsProvider", "type": "string" }, "Locations": { @@ -91340,7 +91974,7 @@ "additionalProperties": false, "properties": { "DesiredEC2Instances": { - "markdownDescription": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits.", + "markdownDescription": "The number of Amazon EC2 instances you want to maintain in the specified fleet location. This value must fall between the minimum and maximum size limits. Changes in desired instance value can take up to 1 minute to be reflected when viewing the fleet's capacity settings.", "title": "DesiredEC2Instances", "type": "number" }, @@ -91430,7 +92064,7 @@ "type": "number" }, "LaunchPath": { - "markdownDescription": "The location of a game build executable or the Realtime script file that contains the `Init()` function. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"", + "markdownDescription": "The location of a game build executable or Realtime script. Game builds and Realtime scripts are installed on instances at the root:\n\n- Windows (custom game builds only): `C:\\game` . Example: \" `C:\\game\\MyGame\\server.exe` \"\n- Linux: `/local/game` . Examples: \" `/local/game/MyGame/server.exe` \" or \" `/local/game/MyRealtimeScript.js` \"\n\n> Amazon GameLift doesn't support the use of setup scripts that launch the game executable. For custom game builds, this parameter must indicate the executable that calls the server SDK operations `initSDK()` and `ProcessReady()` .", "title": "LaunchPath", "type": "string" }, @@ -92493,7 +93127,7 @@ "type": "boolean" }, "EndpointId": { - "markdownDescription": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nAn Application Load Balancer can be either internal or internet-facing.", + "markdownDescription": "An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID. For Amazon EC2 instances, this is the EC2 instance ID. A resource must be valid and active when you add it as an endpoint.\n\nFor cross-account endpoints, this must be the ARN of the resource.", "title": "EndpointId", "type": "string" }, @@ -92725,6 +93359,8 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "ContainsCustomDatatype", "type": "array" }, "ContainsHeader": { @@ -92733,6 +93369,8 @@ "type": "string" }, "CustomDatatypeConfigured": { + "markdownDescription": "Enables the custom datatype to be configured.", + "title": "CustomDatatypeConfigured", "type": "boolean" }, "Delimiter": { @@ -93188,21 +93826,29 @@ "additionalProperties": false, "properties": { "ConnectionName": { + "markdownDescription": "The name of the connection to use to connect to the Iceberg target.", + "title": "ConnectionName", "type": "string" }, "Exclusions": { "items": { "type": "string" }, + "markdownDescription": "A list of glob patterns used to exclude from the crawl. For more information, see [Catalog Tables with a Crawler](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html) .", + "title": "Exclusions", "type": "array" }, "MaximumTraversalDepth": { + "markdownDescription": "The maximum depth of Amazon S3 paths that the crawler can traverse to discover the Iceberg metadata folder in your Amazon S3 path. Used to limit the crawler run time.", + "title": "MaximumTraversalDepth", "type": "number" }, "Paths": { "items": { "type": "string" }, + "markdownDescription": "One or more Amazon S3 paths that contains Iceberg metadata folders as `s3://bucket/prefix` .", + "title": "Paths", "type": "array" } }, @@ -93356,6 +94002,8 @@ "items": { "$ref": "#/definitions/AWS::Glue::Crawler.IcebergTarget" }, + "markdownDescription": "", + "title": "IcebergTargets", "type": "array" }, "JdbcTargets": { @@ -93708,6 +94356,8 @@ "type": "string" }, "Region": { + "markdownDescription": "Region of the target database.", + "title": "Region", "type": "string" } }, @@ -95327,7 +95977,9 @@ "type": "string" }, "OpenTableFormatInput": { - "$ref": "#/definitions/AWS::Glue::Table.OpenTableFormatInput" + "$ref": "#/definitions/AWS::Glue::Table.OpenTableFormatInput", + "markdownDescription": "A structure representing an open format table.", + "title": "OpenTableFormatInput" }, "TableInput": { "$ref": "#/definitions/AWS::Glue::Table.TableInput", @@ -95391,9 +96043,13 @@ "additionalProperties": false, "properties": { "MetadataOperation": { - "$ref": "#/definitions/AWS::Glue::Table.MetadataOperation" + "$ref": "#/definitions/AWS::Glue::Table.MetadataOperation", + "markdownDescription": "A required metadata operation. Can only be set to `CREATE` .", + "title": "MetadataOperation" }, "Version": { + "markdownDescription": "The table version for the Iceberg table. Defaults to 2.", + "title": "Version", "type": "string" } }, @@ -95408,7 +96064,9 @@ "additionalProperties": false, "properties": { "IcebergInput": { - "$ref": "#/definitions/AWS::Glue::Table.IcebergInput" + "$ref": "#/definitions/AWS::Glue::Table.IcebergInput", + "markdownDescription": "Specifies an `IcebergInput` structure that defines an Apache Iceberg metadata table.", + "title": "IcebergInput" } }, "type": "object" @@ -95622,6 +96280,8 @@ "type": "string" }, "Region": { + "markdownDescription": "Region of the target table.", + "title": "Region", "type": "string" } }, @@ -96050,7 +96710,7 @@ "items": { "type": "string" }, - "markdownDescription": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center (successor to AWS Single Sign-On) , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", + "markdownDescription": "Specifies whether this workspace uses SAML 2.0, AWS IAM Identity Center , or both to authenticate users for using the Grafana console within a workspace. For more information, see [User authentication in Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html) .", "title": "AuthenticationProviders", "type": "array" }, @@ -96073,7 +96733,7 @@ "type": "string" }, "GrafanaVersion": { - "markdownDescription": "Specifies the version of Grafana to support in the new workspace.\n\nSupported values are `8.4` and `9.4` .", + "markdownDescription": "Specifies the version of Grafana to support in the workspace. Defaults to the latest version on create (for example, 9.4), or the current version of the workspace on update.\n\nCan only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).\n\nTo know what versions are available to upgrade to for a specific workspace, see the [ListVersions](https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html) operation.", "title": "GrafanaVersion", "type": "string" }, @@ -99718,7 +100378,7 @@ "additionalProperties": false, "properties": { "UnvalidatedJSON": { - "markdownDescription": "The decoding settings are in JSON format and define a set of steps to perform to decode the data.", + "markdownDescription": "", "title": "UnvalidatedJSON", "type": "string" } @@ -99729,7 +100389,7 @@ "additionalProperties": false, "properties": { "UnvalidatedJSON": { - "markdownDescription": "The demodulation settings are in JSON format and define parameters for demodulation, for example which modulation scheme (e.g. PSK, QPSK, etc.) and matched filter to use.", + "markdownDescription": "", "title": "UnvalidatedJSON", "type": "string" } @@ -100013,7 +100673,7 @@ "title": "Address" }, "Mtu": { - "markdownDescription": "Maximum transmission unit (MTU) size in bytes of a dataflow endpoint. Valid values are between 1400 and 1500. A default value of 1500 is used if not set.", + "markdownDescription": "", "title": "Mtu", "type": "number" }, @@ -100403,9 +101063,13 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "Name of the additional configuration.", + "title": "Name", "type": "string" }, "Status": { + "markdownDescription": "Status of the additional configuration.", + "title": "Status", "type": "string" } }, @@ -100418,12 +101082,18 @@ "items": { "$ref": "#/definitions/AWS::GuardDuty::Detector.CFNFeatureAdditionalConfiguration" }, + "markdownDescription": "Information about the additional configuration of a feature in your account.", + "title": "AdditionalConfiguration", "type": "array" }, "Name": { + "markdownDescription": "Name of the feature.", + "title": "Name", "type": "string" }, "Status": { + "markdownDescription": "Status of the feature configuration.", + "title": "Status", "type": "string" } }, @@ -100501,9 +101171,13 @@ "additionalProperties": false, "properties": { "Key": { + "markdownDescription": "", + "title": "Key", "type": "string" }, "Value": { + "markdownDescription": "", + "title": "Value", "type": "string" } }, @@ -100700,7 +101374,7 @@ "additionalProperties": false, "properties": { "Criterion": { - "markdownDescription": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor a mapping of JSON criterion to their console equivalent see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- region\n- confidence\n- id\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.outpostArn\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.resourceType\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.additionalInfo.threatListName\n- service.archived\n\nWhen this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.\n- service.resourceRole\n- severity\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.", + "markdownDescription": "Represents a map of finding properties that match specified conditions and values when querying findings.\n\nFor information about JSON criterion mapping to their console equivalent, see [Finding criteria](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) . The following are the available criterion:\n\n- accountId\n- id\n- region\n- severity\n\nTo filter on the basis of severity, API and CFN use the following input list for the condition:\n\n- *Low* : `[\"1\", \"2\", \"3\"]`\n- *Medium* : `[\"4\", \"5\", \"6\"]`\n- *High* : `[\"7\", \"8\", \"9\"]`\n\nFor more information, see [Severity levels for GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity) .\n- type\n- updatedAt\n\nType: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.\n- resource.accessKeyDetails.accessKeyId\n- resource.accessKeyDetails.principalId\n- resource.accessKeyDetails.userName\n- resource.accessKeyDetails.userType\n- resource.instanceDetails.iamInstanceProfile.id\n- resource.instanceDetails.imageId\n- resource.instanceDetails.instanceId\n- resource.instanceDetails.tags.key\n- resource.instanceDetails.tags.value\n- resource.instanceDetails.networkInterfaces.ipv6Addresses\n- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress\n- resource.instanceDetails.networkInterfaces.publicDnsName\n- resource.instanceDetails.networkInterfaces.publicIp\n- resource.instanceDetails.networkInterfaces.securityGroups.groupId\n- resource.instanceDetails.networkInterfaces.securityGroups.groupName\n- resource.instanceDetails.networkInterfaces.subnetId\n- resource.instanceDetails.networkInterfaces.vpcId\n- resource.instanceDetails.outpostArn\n- resource.resourceType\n- resource.s3BucketDetails.publicAccess.effectivePermissions\n- resource.s3BucketDetails.name\n- resource.s3BucketDetails.tags.key\n- resource.s3BucketDetails.tags.value\n- resource.s3BucketDetails.type\n- service.action.actionType\n- service.action.awsApiCallAction.api\n- service.action.awsApiCallAction.callerType\n- service.action.awsApiCallAction.errorCode\n- service.action.awsApiCallAction.remoteIpDetails.city.cityName\n- service.action.awsApiCallAction.remoteIpDetails.country.countryName\n- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.awsApiCallAction.remoteIpDetails.organization.asn\n- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\n- service.action.awsApiCallAction.serviceName\n- service.action.dnsRequestAction.domain\n- service.action.networkConnectionAction.blocked\n- service.action.networkConnectionAction.connectionDirection\n- service.action.networkConnectionAction.localPortDetails.port\n- service.action.networkConnectionAction.protocol\n- service.action.networkConnectionAction.remoteIpDetails.city.cityName\n- service.action.networkConnectionAction.remoteIpDetails.country.countryName\n- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\n- service.action.networkConnectionAction.remoteIpDetails.organization.asn\n- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\n- service.action.networkConnectionAction.remotePortDetails.port\n- service.action.awsApiCallAction.remoteAccountDetails.affiliated\n- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4\n- service.action.kubernetesApiCallAction.requestUri\n- service.action.networkConnectionAction.localIpDetails.ipAddressV4\n- service.action.networkConnectionAction.protocol\n- service.action.awsApiCallAction.serviceName\n- service.action.awsApiCallAction.remoteAccountDetails.accountId\n- service.additionalInfo.threatListName\n- service.resourceRole\n- resource.eksClusterDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.name\n- resource.kubernetesDetails.kubernetesWorkloadDetails.namespace\n- resource.kubernetesDetails.kubernetesUserDetails.username\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image\n- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix\n- service.ebsVolumeScanDetails.scanId\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity\n- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash\n- resource.ecsClusterDetails.name\n- resource.ecsClusterDetails.taskDetails.containers.image\n- resource.ecsClusterDetails.taskDetails.definitionArn\n- resource.containerDetails.image\n- resource.rdsDbInstanceDetails.dbInstanceIdentifier\n- resource.rdsDbInstanceDetails.dbClusterIdentifier\n- resource.rdsDbInstanceDetails.engine\n- resource.rdsDbUserDetails.user\n- resource.rdsDbInstanceDetails.tags.key\n- resource.rdsDbInstanceDetails.tags.value\n- service.runtimeDetails.process.executableSha256\n- service.runtimeDetails.process.name\n- service.runtimeDetails.process.name\n- resource.lambdaDetails.functionName\n- resource.lambdaDetails.functionArn\n- resource.lambdaDetails.tags.key\n- resource.lambdaDetails.tags.value", "title": "Criterion", "type": "object" }, @@ -100856,8 +101530,6 @@ "type": "string" }, "MasterId": { - "markdownDescription": "The AWS account ID of the account designated as the GuardDuty administrator account.", - "title": "MasterId", "type": "string" } }, @@ -100939,8 +101611,6 @@ "type": "string" }, "MemberId": { - "markdownDescription": "The AWS account ID of the account to designate as a member.", - "title": "MemberId", "type": "string" }, "Message": { @@ -101116,18 +101786,24 @@ "additionalProperties": false, "properties": { "DatastoreName": { + "markdownDescription": "The data store name.", + "title": "DatastoreName", "type": "string" }, "KmsKeyArn": { + "markdownDescription": "The Amazon Resource Name (ARN) assigned to the Key Management Service (KMS) key for accessing encrypted data.", + "title": "KmsKeyArn", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "The tags provided when creating a data store.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, @@ -101189,28 +101865,28 @@ "additionalProperties": false, "properties": { "DatastoreName": { - "markdownDescription": "The user generated name for the Data Store.", + "markdownDescription": "The user generated name for the data store.", "title": "DatastoreName", "type": "string" }, "DatastoreTypeVersion": { - "markdownDescription": "The FHIR version of the Data Store. The only supported version is R4.", + "markdownDescription": "The FHIR version of the data store. The only supported version is R4.", "title": "DatastoreTypeVersion", "type": "string" }, "IdentityProviderConfiguration": { "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.IdentityProviderConfiguration", - "markdownDescription": "", + "markdownDescription": "The identity provider configuration that you gave when the data store was created.", "title": "IdentityProviderConfiguration" }, "PreloadDataConfig": { "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.PreloadDataConfig", - "markdownDescription": "The preloaded data configuration for the Data Store. Only data preloaded from Synthea is supported.", + "markdownDescription": "The preloaded data configuration for the data store. Only data preloaded from Synthea is supported.", "title": "PreloadDataConfig" }, "SseConfiguration": { "$ref": "#/definitions/AWS::HealthLake::FHIRDatastore.SseConfiguration", - "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key specified for creating a Data Store.", + "markdownDescription": "The server-side encryption key configuration for a customer provided encryption key specified for creating a data store.", "title": "SseConfiguration" }, "Tags": { @@ -101272,22 +101948,22 @@ "additionalProperties": false, "properties": { "AuthorizationStrategy": { - "markdownDescription": "", + "markdownDescription": "The authorization strategy that you selected when you created the data store.", "title": "AuthorizationStrategy", "type": "string" }, "FineGrainedAuthorizationEnabled": { - "markdownDescription": "", + "markdownDescription": "If you enabled fine-grained authorization when you created the data store.", "title": "FineGrainedAuthorizationEnabled", "type": "boolean" }, "IdpLambdaArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the Lambda function that you want to use to decode the access token created by the authorization server.", "title": "IdpLambdaArn", "type": "string" }, "Metadata": { - "markdownDescription": "", + "markdownDescription": "The JSON metadata elements that you want to use in your identity provider configuration. Required elements are listed based on the launch specification of the SMART application. For more information on all possible elements, see [Metadata](https://docs.aws.amazon.com/https://build.fhir.org/ig/HL7/smart-app-launch/conformance.html#metadata) in SMART's App Launch specification.\n\n`authorization_endpoint` : The URL to the OAuth2 authorization endpoint.\n\n`grant_types_supported` : An array of grant types that are supported at the token endpoint. You must provide at least one grant type option. Valid options are `authorization_code` and `client_credentials` .\n\n`token_endpoint` : The URL to the OAuth2 token endpoint.\n\n`capabilities` : An array of strings of the SMART capabilities that the authorization server supports.\n\n`code_challenge_methods_supported` : An array of strings of supported PKCE code challenge methods. You must include the `S256` method in the array of PKCE code challenge methods.", "title": "Metadata", "type": "string" } @@ -101306,7 +101982,7 @@ "type": "string" }, "KmsKeyId": { - "markdownDescription": "The KMS encryption key id/alias used to encrypt the Data Store contents at rest.", + "markdownDescription": "The KMS encryption key id/alias used to encrypt the data store contents at rest.", "title": "KmsKeyId", "type": "string" } @@ -101561,12 +102237,18 @@ "additionalProperties": false, "properties": { "GroupName": { + "markdownDescription": "The name of the group to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", + "title": "GroupName", "type": "string" }, "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" } }, @@ -102143,12 +102825,18 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" }, "RoleName": { + "markdownDescription": "The name of the role to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "RoleName", "type": "string" } }, @@ -102608,12 +103296,18 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "The policy document.\n\nYou must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\u00FF` )\n- The special characters tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` )", + "title": "PolicyDocument", "type": "object" }, "PolicyName": { + "markdownDescription": "The name of the policy document.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "PolicyName", "type": "string" }, "UserName": { + "markdownDescription": "The name of the user to associate the policy with.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", + "title": "UserName", "type": "string" } }, @@ -102877,7 +103571,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-channel-tag.html) .", "title": "Tags", "type": "array" }, @@ -102958,7 +103652,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-playbackkeypair-tag.html) .", "title": "Tags", "type": "array" } @@ -103022,7 +103716,7 @@ "properties": { "DestinationConfiguration": { "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.DestinationConfiguration", - "markdownDescription": "A destination configuration contains information about where recorded video will be stored. See the [DestinationConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-destinationconfiguration.html) property type for more information.", + "markdownDescription": "A destination configuration contains information about where recorded video will be stored. See the DestinationConfiguration property type for more information.", "title": "DestinationConfiguration" }, "Name": { @@ -103036,19 +103730,21 @@ "type": "number" }, "RenditionConfiguration": { - "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.RenditionConfiguration" + "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.RenditionConfiguration", + "markdownDescription": "A rendition configuration describes which renditions should be recorded for a stream. See the RenditionConfiguration property type for more information.", + "title": "RenditionConfiguration" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-tag.html) .", "title": "Tags", "type": "array" }, "ThumbnailConfiguration": { "$ref": "#/definitions/AWS::IVS::RecordingConfiguration.ThumbnailConfiguration", - "markdownDescription": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the [ThumbnailConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thunbnailconfiguration.html) property type for more information.", + "markdownDescription": "A thumbnail configuration enables/disables the recording of thumbnails for a live session and controls the interval at which thumbnails are generated for the live session. See the ThumbnailConfiguration property type for more information.", "title": "ThumbnailConfiguration" } }, @@ -103093,12 +103789,16 @@ "additionalProperties": false, "properties": { "RenditionSelection": { + "markdownDescription": "The set of renditions are recorded for a stream. For `BASIC` channels, the `CUSTOM` value has no effect. If `CUSTOM` is specified, a set of renditions can be specified in the `renditions` field. Default: `ALL` .", + "title": "RenditionSelection", "type": "string" }, "Renditions": { "items": { "type": "string" }, + "markdownDescription": "A list of which renditions are recorded for a stream, if `renditionSelection` is `CUSTOM` ; otherwise, this field is irrelevant. The selected renditions are recorded if they are available during the stream. If a selected rendition is unavailable, the best available rendition is recorded. For details on the resolution dimensions of each rendition, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "title": "Renditions", "type": "array" } }, @@ -103127,16 +103827,20 @@ "type": "string" }, "Resolution": { + "markdownDescription": "The desired resolution of recorded thumbnails for a stream. Thumbnails are recorded at the selected resolution if the corresponding rendition is available during the stream; otherwise, they are recorded at source resolution. For more information about resolution values and their corresponding height and width dimensions, see [Auto-Record to Amazon S3](https://docs.aws.amazon.com//ivs/latest/userguide/record-to-s3.html) .", + "title": "Resolution", "type": "string" }, "Storage": { "items": { "type": "string" }, + "markdownDescription": "The format in which thumbnails are recorded for a stream. `SEQUENTIAL` records all generated thumbnails in a serial manner, to the media/thumbnails directory. `LATEST` saves the latest thumbnail in media/thumbnails/latest/thumb.jpg and overwrites it at the interval specified by `targetIntervalSeconds` . You can enable both `SEQUENTIAL` and `LATEST` . Default: `SEQUENTIAL` .", + "title": "Storage", "type": "array" }, "TargetIntervalSeconds": { - "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 5. Maximum value of 60.", + "markdownDescription": "The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if [RecordingMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-recordingconfiguration-thumbnailconfiguration.html#cfn-ivs-recordingconfiguration-thumbnailconfiguration-recordingmode) is `INTERVAL` .\n\n> Setting a value for `TargetIntervalSeconds` does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the `TargetIntervalSeconds` interval, the `IDR/Keyframe` value for the input video must be less than the `TargetIntervalSeconds` value. See [Amazon IVS Streaming Configuration](https://docs.aws.amazon.com/ivs/latest/userguide/streaming-config.html) for information on setting `IDR/Keyframe` to the recommended value in video-encoder settings. \n\n*Default* : 60\n\n*Valid Range* : Minumum value of 1. Maximum value of 60.", "title": "TargetIntervalSeconds", "type": "number" } @@ -103187,7 +103891,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-streamkey-tag.html) .", "title": "Tags", "type": "array" } @@ -103267,7 +103971,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-loggingconfiguration-tag.html) .", "title": "Tags", "type": "array" } @@ -103428,7 +104132,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivschat-room-tag.html) .", "title": "Tags", "type": "array" } @@ -103928,7 +104632,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::ContainerRecipe.ComponentParameter" }, - "markdownDescription": "", + "markdownDescription": "A group of parameter settings that Image Builder uses to configure the component for a specific recipe.", "title": "Parameters", "type": "array" } @@ -103939,7 +104643,7 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the component parameter to set.", "title": "Name", "type": "string" }, @@ -103947,7 +104651,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Sets the value for the named component parameter.", "title": "Value", "type": "array" } @@ -104243,7 +104947,7 @@ "items": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchConfiguration" }, - "markdownDescription": "", + "markdownDescription": "The Windows faster-launching configurations to use for AMI distribution.", "title": "FastLaunchConfigurations", "type": "array" }, @@ -104278,28 +104982,28 @@ "additionalProperties": false, "properties": { "AccountId": { - "markdownDescription": "", + "markdownDescription": "The owner account ID for the fast-launch enabled Windows AMI.", "title": "AccountId", "type": "string" }, "Enabled": { - "markdownDescription": "", + "markdownDescription": "A Boolean that represents the current state of faster launching for the Windows AMI. Set to `true` to start using Windows faster launching, or `false` to stop using it.", "title": "Enabled", "type": "boolean" }, "LaunchTemplate": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchLaunchTemplateSpecification", - "markdownDescription": "", + "markdownDescription": "The launch template that the fast-launch enabled Windows AMI uses when it launches Windows instances to create pre-provisioned snapshots.", "title": "LaunchTemplate" }, "MaxParallelLaunches": { - "markdownDescription": "", + "markdownDescription": "The maximum number of parallel instances that are launched for creating resources.", "title": "MaxParallelLaunches", "type": "number" }, "SnapshotConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::DistributionConfiguration.FastLaunchSnapshotConfiguration", - "markdownDescription": "", + "markdownDescription": "Configuration settings for managing the number of snapshots that are created from pre-provisioned instances for the Windows AMI when faster launching is enabled.", "title": "SnapshotConfiguration" } }, @@ -104309,17 +105013,17 @@ "additionalProperties": false, "properties": { "LaunchTemplateId": { - "markdownDescription": "", + "markdownDescription": "The ID of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateId", "type": "string" }, "LaunchTemplateName": { - "markdownDescription": "", + "markdownDescription": "The name of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateName", "type": "string" }, "LaunchTemplateVersion": { - "markdownDescription": "", + "markdownDescription": "The version of the launch template to use for faster launching for a Windows AMI.", "title": "LaunchTemplateVersion", "type": "string" } @@ -104330,7 +105034,7 @@ "additionalProperties": false, "properties": { "TargetResourceCount": { - "markdownDescription": "", + "markdownDescription": "The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI.", "title": "TargetResourceCount", "type": "number" } @@ -104469,7 +105173,7 @@ }, "ImageScanningConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::Image.ImageScanningConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains settings for vulnerability scans.", "title": "ImageScanningConfiguration" }, "ImageTestsConfiguration": { @@ -104527,12 +105231,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", "title": "ContainerTags", "type": "array" }, "RepositoryName": { - "markdownDescription": "", + "markdownDescription": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images.", "title": "RepositoryName", "type": "string" } @@ -104544,11 +105248,11 @@ "properties": { "EcrConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::Image.EcrConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains Amazon ECR settings for vulnerability scans.", "title": "EcrConfiguration" }, "ImageScanningEnabled": { - "markdownDescription": "", + "markdownDescription": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image.", "title": "ImageScanningEnabled", "type": "boolean" } @@ -104633,7 +105337,7 @@ }, "ImageScanningConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::ImagePipeline.ImageScanningConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains settings for vulnerability scans.", "title": "ImageScanningConfiguration" }, "ImageTestsConfiguration": { @@ -104707,12 +105411,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "Tags for Image Builder to apply to the output container image that &INS; scans. Tags can help you identify and manage your scanned images.", "title": "ContainerTags", "type": "array" }, "RepositoryName": { - "markdownDescription": "", + "markdownDescription": "The name of the container repository that Amazon Inspector scans to identify findings for your container images. The name includes the path for the repository location. If you don\u2019t provide this information, Image Builder creates a repository in your account named `image-builder-image-scanning-repository` for vulnerability scans of your output container images.", "title": "RepositoryName", "type": "string" } @@ -104724,11 +105428,11 @@ "properties": { "EcrConfiguration": { "$ref": "#/definitions/AWS::ImageBuilder::ImagePipeline.EcrConfiguration", - "markdownDescription": "", + "markdownDescription": "Contains Amazon ECR settings for vulnerability scans.", "title": "EcrConfiguration" }, "ImageScanningEnabled": { - "markdownDescription": "", + "markdownDescription": "A setting that indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the build instance when you create a new image.", "title": "ImageScanningEnabled", "type": "boolean" } @@ -105955,7 +106659,7 @@ "properties": { "HealthEventsConfig": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.HealthEventsConfig", - "markdownDescription": "", + "markdownDescription": "A complex type with the configuration information that determines the threshold and other conditions for when Internet Monitor creates a health event for an overall performance or availability issue, across an application's geographies.\n\nDefines the percentages, for overall performance scores and availability scores for an application, that are the thresholds for when Amazon CloudWatch Internet Monitor creates a health event. You can override the defaults to set a custom threshold for overall performance or availability scores, or both.\n\nYou can also set thresholds for local health scores,, where Internet Monitor creates a health event when scores cross a threshold for one or more city-networks, in addition to creating an event when an overall score crosses a threshold.\n\nIf you don't set a health event threshold, the default value is 95%.\n\nFor local thresholds, you also set a minimum percentage of overall traffic that is impacted by an issue before Internet Monitor creates an event. In addition, you can disable local thresholds, for performance scores, availability scores, or both.\n\nFor more information, see [Change health event thresholds](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-overview.html#IMUpdateThresholdFromOverview) in the Internet Monitor section of the *CloudWatch User Guide* .", "title": "HealthEventsConfig" }, "InternetMeasurementsLogDelivery": { @@ -105977,7 +106681,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs).", + "markdownDescription": "The resources that have been added for the monitor, listed by their Amazon Resource Names (ARNs). Use this option to add or remove resources when making an update.\n\n> Be aware that if you include content in the `Resources` field when you update a monitor, the `ResourcesToAdd` and `ResourcesToRemove` fields must be empty.", "title": "Resources", "type": "array" }, @@ -105985,7 +106689,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources to add to a monitor, which you provide as a set of Amazon Resource Names (ARNs).\n\nYou can add a combination of Virtual Private Clouds (VPCs) and Amazon CloudFront distributions, or you can add WorkSpaces directories. You can't add all three types of resources.\n\n> If you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.", + "markdownDescription": "The resources to include in a monitor, which you provide as a set of Amazon Resource Names (ARNs). Resources can be Amazon Virtual Private Cloud VPCs, Network Load Balancers (NLBs), Amazon CloudFront distributions, or Amazon WorkSpaces directories.\n\nYou can add a combination of VPCs and CloudFront distributions, or you can add WorkSpaces directories, or you can add NLBs. You can't add NLBs or WorkSpaces directories together with any other resources.\n\nIf you add only VPC resources, at least one VPC must have an Internet Gateway attached to it, to make sure that it has internet connectivity.\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "title": "ResourcesToAdd", "type": "array" }, @@ -105993,7 +106697,7 @@ "items": { "type": "string" }, - "markdownDescription": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs).", + "markdownDescription": "The resources to remove from a monitor, which you provide as a set of Amazon Resource Names (ARNs)\n\n> You can specify this field for a monitor update only if the `Resources` field is empty.", "title": "ResourcesToRemove", "type": "array" }, @@ -106046,18 +106750,22 @@ "additionalProperties": false, "properties": { "AvailabilityLocalHealthEventsConfig": { - "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig" + "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig", + "markdownDescription": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local availability issue.", + "title": "AvailabilityLocalHealthEventsConfig" }, "AvailabilityScoreThreshold": { - "markdownDescription": "", + "markdownDescription": "The health event threshold percentage set for availability scores. When the overall availability score is at or below this percentage, Internet Monitor creates a health event.", "title": "AvailabilityScoreThreshold", "type": "number" }, "PerformanceLocalHealthEventsConfig": { - "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig" + "$ref": "#/definitions/AWS::InternetMonitor::Monitor.LocalHealthEventsConfig", + "markdownDescription": "The configuration that determines the threshold and other conditions for when Internet Monitor creates a health event for a local performance issue.", + "title": "PerformanceLocalHealthEventsConfig" }, "PerformanceScoreThreshold": { - "markdownDescription": "", + "markdownDescription": "The health event threshold percentage set for performance scores. When the overall performance score is at or below this percentage, Internet Monitor creates a health event.", "title": "PerformanceScoreThreshold", "type": "number" } @@ -106069,7 +106777,7 @@ "properties": { "S3Config": { "$ref": "#/definitions/AWS::InternetMonitor::Monitor.S3Config", - "markdownDescription": "The configuration information for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to an S3 bucket, and `DISABLED` otherwise.", + "markdownDescription": "The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3.", "title": "S3Config" } }, @@ -106079,12 +106787,18 @@ "additionalProperties": false, "properties": { "HealthScoreThreshold": { + "markdownDescription": "The health event threshold percentage set for a local health score.", + "title": "HealthScoreThreshold", "type": "number" }, "MinTrafficImpact": { + "markdownDescription": "The minimum percentage of overall traffic for an application that must be impacted by an issue before Internet Monitor creates an event when a threshold is crossed for a local health score.\n\nIf you don't set a minimum traffic impact threshold, the default value is 0.01%.", + "title": "MinTrafficImpact", "type": "number" }, "Status": { + "markdownDescription": "The status of whether Internet Monitor creates a health event based on a threshold percentage set for a local health score. The status can be `ENABLED` or `DISABLED` .", + "title": "Status", "type": "string" } }, @@ -106510,12 +107224,12 @@ }, "IntermediateCaRevokedForActiveDeviceCertificatesCheck": { "$ref": "#/definitions/AWS::IoT::AccountAuditConfiguration.AuditCheckConfiguration", - "markdownDescription": "", + "markdownDescription": "Checks if device certificates are still active despite being revoked by an intermediate CA.", "title": "IntermediateCaRevokedForActiveDeviceCertificatesCheck" }, "IoTPolicyPotentialMisConfigurationCheck": { "$ref": "#/definitions/AWS::IoT::AccountAuditConfiguration.AuditCheckConfiguration", - "markdownDescription": "", + "markdownDescription": "Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.", "title": "IoTPolicyPotentialMisConfigurationCheck" }, "IotPolicyOverlyPermissiveCheck": { @@ -107518,6 +108232,8 @@ "items": { "type": "string" }, + "markdownDescription": "The package version Amazon Resource Names (ARNs) that are installed on the device\u2019s reserved named shadow ( `$package` ) when the job successfully completes.\n\n*Note:* Up to 25 package version ARNS are allowed.", + "title": "DestinationPackageVersions", "type": "array" }, "Document": { @@ -108138,6 +108854,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -108761,7 +109479,7 @@ "properties": { "Criteria": { "$ref": "#/definitions/AWS::IoT::SecurityProfile.BehaviorCriteria", - "markdownDescription": "The criteria that determine if a device is behaving normally in regard to the `metric` .", + "markdownDescription": "The criteria that determine if a device is behaving normally in regard to the `metric` .\n\n> In the AWS IoT console, you can choose to be sent an alert through Amazon SNS when AWS IoT Device Defender detects that a device is behaving anomalously.", "title": "Criteria" }, "Metric": { @@ -108975,15 +109693,21 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "A summary of the package being created. This can be used to outline the package's contents or purpose.", + "title": "Description", "type": "string" }, "PackageName": { + "markdownDescription": "The name of the new software package.", + "title": "PackageName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Metadata that can be used to manage the package.", + "title": "Tags", "type": "array" } }, @@ -109046,26 +109770,36 @@ "properties": { "Attributes": { "additionalProperties": true, + "markdownDescription": "Metadata that can be used to define a package version\u2019s configuration. For example, the S3 file location, configuration options that are being sent to the device or fleet.\n\nThe combined size of all the attributes on a package version is limited to 3KB.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Attributes", "type": "object" }, "Description": { + "markdownDescription": "A summary of the package version being created. This can be used to outline the package's contents or purpose.", + "title": "Description", "type": "string" }, "PackageName": { + "markdownDescription": "The name of the associated software package.", + "title": "PackageName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "Metadata that can be used to manage the package version.", + "title": "Tags", "type": "array" }, "VersionName": { + "markdownDescription": "The name of the new package version.", + "title": "VersionName", "type": "string" } }, @@ -110143,6 +110877,8 @@ "items": { "$ref": "#/definitions/AWS::IoT::TopicRule.KafkaActionHeader" }, + "markdownDescription": "The list of Kafka headers that you specify.", + "title": "Headers", "type": "array" }, "Key": { @@ -110172,9 +110908,13 @@ "additionalProperties": false, "properties": { "Key": { + "markdownDescription": "The key of the Kafka header.", + "title": "Key", "type": "string" }, "Value": { + "markdownDescription": "The value of the Kafka header.", + "title": "Value", "type": "string" } }, @@ -112323,12 +113063,12 @@ "additionalProperties": false, "properties": { "CertificateArn": { - "markdownDescription": "", + "markdownDescription": "Lists device's certificate ARN.", "title": "CertificateArn", "type": "string" }, "ThingArn": { - "markdownDescription": "", + "markdownDescription": "Lists device's thing ARN.", "title": "ThingArn", "type": "string" } @@ -112339,7 +113079,7 @@ "additionalProperties": false, "properties": { "DevicePermissionRoleArn": { - "markdownDescription": "", + "markdownDescription": "Gets the device permission ARN. This is a required parameter.", "title": "DevicePermissionRoleArn", "type": "string" }, @@ -112347,22 +113087,22 @@ "items": { "$ref": "#/definitions/AWS::IoTCoreDeviceAdvisor::SuiteDefinition.DeviceUnderTest" }, - "markdownDescription": "", + "markdownDescription": "Gets the devices configured.", "title": "Devices", "type": "array" }, "IntendedForQualification": { - "markdownDescription": "", + "markdownDescription": "Gets the tests intended for qualification in a suite.", "title": "IntendedForQualification", "type": "boolean" }, "RootGroup": { - "markdownDescription": "", + "markdownDescription": "Gets the test suite root group. This is a required parameter. For updating or creating the latest qualification suite, if `intendedForQualification` is set to true, `rootGroup` can be an empty string. If `intendedForQualification` is false, `rootGroup` cannot be an empty string. If `rootGroup` is empty, and `intendedForQualification` is set to true, all the qualification tests are included, and the configuration is default.\n\nFor a qualification suite, the minimum length is 0, and the maximum is 2048. For a non-qualification suite, the minimum length is 1, and the maximum is 2048.", "title": "RootGroup", "type": "string" }, "SuiteDefinitionName": { - "markdownDescription": "", + "markdownDescription": "Gets the suite definition name. This is a required parameter.", "title": "SuiteDefinitionName", "type": "string" } @@ -114388,23 +115128,15 @@ "additionalProperties": false, "properties": { "CanInterface": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanInterface", - "markdownDescription": "(Optional) Information about a network interface specified by the Controller Area Network (CAN) protocol.", - "title": "CanInterface" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanInterface" }, "InterfaceId": { - "markdownDescription": "The ID of the network interface.", - "title": "InterfaceId", "type": "string" }, "ObdInterface": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdInterface", - "markdownDescription": "(Optional) Information about a network interface specified by the On-board diagnostic (OBD) II protocol.", - "title": "ObdInterface" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdInterface" }, "Type": { - "markdownDescription": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs.", - "title": "Type", "type": "string" } }, @@ -114523,28 +115255,18 @@ "additionalProperties": false, "properties": { "CanSignal": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanSignal", - "markdownDescription": "(Optional) Information about a single controller area network (CAN) signal and the messages it receives and transmits.", - "title": "CanSignal" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.CanSignal" }, "FullyQualifiedName": { - "markdownDescription": "The fully qualified name of a signal decoder as defined in a vehicle model.", - "title": "FullyQualifiedName", "type": "string" }, "InterfaceId": { - "markdownDescription": "The ID of a network interface that specifies what network protocol a vehicle follows.", - "title": "InterfaceId", "type": "string" }, "ObdSignal": { - "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdSignal", - "markdownDescription": "(Optional) Information about signal messages using the on-board diagnostics (OBD) II protocol in a vehicle.", - "title": "ObdSignal" + "$ref": "#/definitions/AWS::IoTFleetWise::DecoderManifest.ObdSignal" }, "Type": { - "markdownDescription": "The network protocol for the vehicle. For example, `CAN_SIGNAL` specifies a protocol that defines how data is communicated between electronic control units (ECUs). `OBD_SIGNAL` specifies a protocol that defines how self-diagnostic data is communicated between ECUs.", - "title": "Type", "type": "string" } }, @@ -116145,7 +116867,7 @@ "type": "string" }, "PortalAuthMode": { - "markdownDescription": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center (successor to AWS Single Sign-On) to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", + "markdownDescription": "The service to use to authenticate users to the portal. Choose from the following options:\n\n- `SSO` \u2013 The portal uses AWS IAM Identity Center to authenticate users and manage user permissions. Before you can create a portal that uses IAM Identity Center , you must enable IAM Identity Center . For more information, see [Enabling IAM Identity Center](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/monitor-get-started.html#mon-gs-sso) in the *AWS IoT SiteWise User Guide* . This option is only available in AWS Regions other than the China Regions.\n- `IAM` \u2013 The portal uses AWS Identity and Access Management ( IAM ) to authenticate users and manage user permissions.\n\nYou can't change this value after you create a portal.\n\nDefault: `SSO`", "title": "PortalAuthMode", "type": "string" }, @@ -116503,7 +117225,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "", "title": "WorkspaceId", "type": "string" } @@ -116727,7 +117449,7 @@ "title": "DefaultValue" }, "IsExternalId": { - "markdownDescription": "A boolean value that specifies whether the property ID comes from an external data store.", + "markdownDescription": "", "title": "IsExternalId", "type": "boolean" }, @@ -116777,7 +117499,7 @@ "type": "string" }, "TargetComponentTypeId": { - "markdownDescription": "The ID of the target component type associated with this relationship.", + "markdownDescription": "", "title": "TargetComponentTypeId", "type": "string" } @@ -116868,7 +117590,7 @@ "type": "string" }, "EntityId": { - "markdownDescription": "The entity ID.", + "markdownDescription": "The ID of the entity.", "title": "EntityId", "type": "string" }, @@ -116894,7 +117616,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "", "title": "WorkspaceId", "type": "string" } @@ -116935,7 +117657,7 @@ "type": "string" }, "ComponentTypeId": { - "markdownDescription": "The ID of the ComponentType.", + "markdownDescription": "", "title": "ComponentTypeId", "type": "string" }, @@ -117288,7 +118010,7 @@ "type": "string" }, "SceneId": { - "markdownDescription": "The scene ID.", + "markdownDescription": "The ID of the scene.", "title": "SceneId", "type": "string" }, @@ -117315,7 +118037,7 @@ "type": "object" }, "WorkspaceId": { - "markdownDescription": "The ID of the workspace.", + "markdownDescription": "", "title": "WorkspaceId", "type": "string" } @@ -118224,6 +118946,8 @@ "additionalProperties": false, "properties": { "AccountLinked": { + "markdownDescription": "Whether the partner account is linked to the AWS account.", + "title": "AccountLinked", "type": "boolean" }, "PartnerAccountId": { @@ -118232,6 +118956,8 @@ "type": "string" }, "PartnerType": { + "markdownDescription": "The partner type.", + "title": "PartnerType", "type": "string" }, "Sidewalk": { @@ -118240,10 +118966,14 @@ "title": "Sidewalk" }, "SidewalkResponse": { - "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkAccountInfoWithFingerprint" + "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkAccountInfoWithFingerprint", + "markdownDescription": "", + "title": "SidewalkResponse" }, "SidewalkUpdate": { - "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkUpdateAccount" + "$ref": "#/definitions/AWS::IoTWireless::PartnerAccount.SidewalkUpdateAccount", + "markdownDescription": "Sidewalk update.", + "title": "SidewalkUpdate" }, "Tags": { "items": { @@ -118540,7 +119270,9 @@ "type": "boolean" }, "LoRaWANUpdateGatewayTaskEntry": { - "$ref": "#/definitions/AWS::IoTWireless::TaskDefinition.LoRaWANUpdateGatewayTaskEntry" + "$ref": "#/definitions/AWS::IoTWireless::TaskDefinition.LoRaWANUpdateGatewayTaskEntry", + "markdownDescription": "LoRaWANUpdateGatewayTaskEntry object.", + "title": "LoRaWANUpdateGatewayTaskEntry" }, "Name": { "markdownDescription": "The name of the new resource.", @@ -118556,6 +119288,8 @@ "type": "array" }, "TaskDefinitionType": { + "markdownDescription": "A filter to list only the wireless gateway task definitions that use this task definition type.", + "title": "TaskDefinitionType", "type": "string" }, "Update": { @@ -118784,13 +119518,13 @@ "additionalProperties": false, "properties": { "DevAddr": { - "markdownDescription": "The DevAddr value.", + "markdownDescription": "", "title": "DevAddr", "type": "string" }, "SessionKeys": { "$ref": "#/definitions/AWS::IoTWireless::WirelessDevice.SessionKeysAbpV10x", - "markdownDescription": "Session keys for ABP v1.0.x", + "markdownDescription": "", "title": "SessionKeys" } }, @@ -118825,7 +119559,7 @@ "properties": { "AbpV10x": { "$ref": "#/definitions/AWS::IoTWireless::WirelessDevice.AbpV10x", - "markdownDescription": "LoRaWAN object for create APIs.", + "markdownDescription": "", "title": "AbpV10x" }, "AbpV11": { @@ -118865,12 +119599,12 @@ "additionalProperties": false, "properties": { "AppEui": { - "markdownDescription": "The AppEUI value, with pattern of `[a-fA-F0-9]{16}` .", + "markdownDescription": "", "title": "AppEui", "type": "string" }, "AppKey": { - "markdownDescription": "The AppKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "AppKey", "type": "string" } @@ -118911,12 +119645,12 @@ "additionalProperties": false, "properties": { "AppSKey": { - "markdownDescription": "The AppSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the AppSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "AppSKey", "type": "string" }, "NwkSKey": { - "markdownDescription": "The NwkSKey is a secret key, which you should handle in a similar way as you would an application password. You can protect the NwkSKey value by storing it in the AWS Secrets Manager and use the [secretsmanager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager) to reference this value.", + "markdownDescription": "", "title": "NwkSKey", "type": "string" } @@ -119225,7 +119959,7 @@ "additionalProperties": false, "properties": { "AliasName": { - "markdownDescription": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .\n\n*Pattern* : `^alias/[a-zA-Z0-9/_-]+$`\n\n*Minimum* : `1`\n\n*Maximum* : `256`", + "markdownDescription": "Specifies the alias name. This value must begin with `alias/` followed by a name, such as `alias/ExampleAlias` .\n\n> If you change the value of the `AliasName` property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). \n\nThe alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with `alias/aws/` . The `alias/aws/` prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .", "title": "AliasName", "type": "string" }, @@ -119298,6 +120032,8 @@ "additionalProperties": false, "properties": { "BypassPolicyLockoutSafetyCheck": { + "markdownDescription": "Skips (\"bypasses\") the key policy lockout safety check. The default value is false.\n\n> Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.\n> \n> For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) in the *AWS Key Management Service Developer Guide* . \n\nUse this parameter only when you intend to prevent the principal that is making the request from making a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key.", + "title": "BypassPolicyLockoutSafetyCheck", "type": "boolean" }, "Description": { @@ -119306,7 +120042,7 @@ "type": "string" }, "EnableKeyRotation": { - "markdownDescription": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys and HMAC KMS keys, omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled.\n\nAWS KMS supports automatic rotation only for symmetric encryption KMS keys ( `KeySpec` = `SYMMETRIC_DEFAULT` ). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin `EXTERNAL` , omit the `EnableKeyRotation` property or set it to `false` .\n\nTo enable automatic key rotation of the key material for a multi-Region KMS key, set `EnableKeyRotation` to `true` on the primary key (created by using `AWS::KMS::Key` ). AWS KMS copies the rotation status to all replica keys. For details, see [Rotating multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate) in the *AWS Key Management Service Developer Guide* .\n\nWhen you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "EnableKeyRotation", "type": "boolean" }, @@ -119316,7 +120052,7 @@ "type": "boolean" }, "KeyPolicy": { - "markdownDescription": "The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section of the **AWS Key Management Service Developer Guide** .\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", + "markdownDescription": "The key policy to attach to the KMS key.\n\nIf you provide a key policy, it must meet the following criteria:\n\n- The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) in the *AWS Key Management Service Developer Guide* . (To omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)\n- Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see [Changes that I make are not always immediately visible](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the *AWS Identity and Access Management User Guide* .\n\nIf you do not provide a key policy, AWS KMS attaches a default key policy to the KMS key. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the *AWS Key Management Service Developer Guide* .\n\nA key policy document can include only the following characters:\n\n- Printable ASCII characters\n- Printable characters in the Basic Latin and Latin-1 Supplement character set\n- The tab ( `\\u0009` ), line feed ( `\\u000A` ), and carriage return ( `\\u000D` ) special characters\n\n*Minimum* : `1`\n\n*Maximum* : `32768`", "title": "KeyPolicy", "type": "object" }, @@ -119336,10 +120072,12 @@ "type": "boolean" }, "Origin": { + "markdownDescription": "The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is `AWS_KMS` , which means that AWS KMS creates the key material.\n\nTo [create a KMS key with no key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) (for imported key material), set this value to `EXTERNAL` . For more information about importing key material into AWS KMS , see [Importing Key Material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) in the *AWS Key Management Service Developer Guide* .\n\nYou can ignore `ENABLED` when Origin is `EXTERNAL` . When a KMS key with Origin `EXTERNAL` is created, the key state is `PENDING_IMPORT` and `ENABLED` is `false` . After you import the key material, `ENABLED` updated to `true` . The KMS key can then be used for Cryptographic Operations.\n\n> AWS CloudFormation doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.", + "title": "Origin", "type": "string" }, "PendingWindowInDays": { - "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a KMS key from a CloudFormation stack, AWS KMS schedules the KMS key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of KMS key is `Pending Deletion` or `Pending Replica Deletion` , which prevents the KMS key from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the KMS key.\n\nAWS KMS will not delete a [multi-Region primary key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) that has replica keys. If you remove a multi-Region primary key from a CloudFormation stack, its key state changes to `PendingReplicaDeletion` so it cannot be replicated or used in cryptographic operations. This state can persist indefinitely. When the last of its replica keys is deleted, the key state of the primary key changes to `PendingDeletion` and the waiting period specified by `PendingWindowInDays` begins. When this waiting period expires, AWS KMS deletes the primary key. For details, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nYou cannot use a CloudFormation template to cancel deletion of the KMS key after you remove it from the stack, regardless of the waiting period. If you specify a KMS key in your template, even one with the same name, CloudFormation creates a new KMS key. To cancel deletion of a KMS key, use the AWS KMS console or the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation.\n\nFor information about the `Pending Deletion` and `Pending Replica Deletion` key states, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "PendingWindowInDays", "type": "number" }, @@ -119425,7 +120163,7 @@ "type": "object" }, "PendingWindowInDays": { - "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .\n\n*Minimum* : 7\n\n*Maximum* : 30", + "markdownDescription": "Specifies the number of days in the waiting period before AWS KMS deletes a replica key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days.\n\nWhen you remove a replica key from a CloudFormation stack, AWS KMS schedules the replica key for deletion and starts the mandatory waiting period. The `PendingWindowInDays` property determines the length of waiting period. During the waiting period, the key state of replica key is `Pending Deletion` , which prevents it from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the replica key.\n\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.\n\nYou cannot use a CloudFormation template to cancel deletion of the replica after you remove it from the stack, regardless of the waiting period. However, if you specify a replica key in your template that is based on the same primary key as the original replica key, CloudFormation creates a new replica key with the same key ID, key material, and other shared properties of the original replica key. This new replica key can decrypt ciphertext that was encrypted under the original replica key, or any related multi-Region key.\n\nFor detailed information about deleting multi-Region keys, see [Deleting multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) in the *AWS Key Management Service Developer Guide* .\n\nFor information about the `PendingDeletion` key state, see [Key state: Effect on your KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the *AWS Key Management Service Developer Guide* . For more information about deleting KMS keys, see the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation in the *AWS Key Management Service API Reference* and [Deleting KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide* .", "title": "PendingWindowInDays", "type": "number" }, @@ -120005,6 +120743,8 @@ "type": "string" }, "LanguageCode": { + "markdownDescription": "The code for a language. This shows a supported language for all documents in the data source. English is supported by default. For more information on supported languages, including their codes, see [Adding documents in languages other than English](https://docs.aws.amazon.com/kendra/latest/dg/in-adding-languages.html) .", + "title": "LanguageCode", "type": "string" }, "Name": { @@ -120512,17 +121252,17 @@ "additionalProperties": false, "properties": { "DataSourceFieldName": { - "markdownDescription": "The name of the column or attribute in the data source.", + "markdownDescription": "The name of the field in the data source. You must first create the index field using the `UpdateIndex` API.", "title": "DataSourceFieldName", "type": "string" }, "DateFieldFormat": { - "markdownDescription": "The type of data stored in the column or attribute.", + "markdownDescription": "The format for date fields in the data source. If the field specified in `DataSourceFieldName` is a date field, you must specify the date format. If the field is not a date field, an exception is thrown.", "title": "DateFieldFormat", "type": "string" }, "IndexFieldName": { - "markdownDescription": "The name of the field in the index.", + "markdownDescription": "The name of the index field to map to the data source field. The index field type must match the data source field type.", "title": "IndexFieldName", "type": "string" } @@ -121804,7 +122544,7 @@ "properties": { "CapacityUnits": { "$ref": "#/definitions/AWS::Kendra::Index.CapacityUnitsConfiguration", - "markdownDescription": "", + "markdownDescription": "Specifies additional capacity units configured for your Enterprise Edition index. You can add and remove capacity units to fit your usage requirements.", "title": "CapacityUnits" }, "Description": { @@ -123218,7 +123958,7 @@ }, "RunConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.RunConfiguration", - "markdownDescription": "", + "markdownDescription": "Describes the starting parameters for an Managed Service for Apache Flink application.", "title": "RunConfiguration" }, "RuntimeEnvironment": { @@ -123292,27 +124032,27 @@ "properties": { "ApplicationCodeConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationCodeConfiguration", - "markdownDescription": "The code location and type parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The code location and type parameters for a Managed Service for Apache Flink application.", "title": "ApplicationCodeConfiguration" }, "ApplicationSnapshotConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.ApplicationSnapshotConfiguration", - "markdownDescription": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", "title": "ApplicationSnapshotConfiguration" }, "EnvironmentProperties": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.EnvironmentProperties", - "markdownDescription": "Describes execution properties for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes execution properties for a Managed Service for Apache Flink application.", "title": "EnvironmentProperties" }, "FlinkApplicationConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.FlinkApplicationConfiguration", - "markdownDescription": "The creation and update parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The creation and update parameters for a Managed Service for Apache Flink application.", "title": "FlinkApplicationConfiguration" }, "SqlApplicationConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.SqlApplicationConfiguration", - "markdownDescription": "The creation and update parameters for a SQL-based Kinesis Data Analytics application.", + "markdownDescription": "The creation and update parameters for a SQL-based Managed Service for Apache Flink application.", "title": "SqlApplicationConfiguration" }, "VpcConfigurations": { @@ -123368,7 +124108,7 @@ "additionalProperties": false, "properties": { "SnapshotsEnabled": { - "markdownDescription": "Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes whether snapshots are enabled for a Managed Service for Apache Flink application.", "title": "SnapshotsEnabled", "type": "boolean" } @@ -123418,12 +124158,12 @@ "type": "number" }, "CheckpointingEnabled": { - "markdownDescription": "Describes whether checkpointing is enabled for a Flink-based Kinesis Data Analytics application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", + "markdownDescription": "Describes whether checkpointing is enabled for a Managed Service for Apache Flink application.\n\n> If `CheckpointConfiguration.ConfigurationType` is `DEFAULT` , the application will use a `CheckpointingEnabled` value of `true` , even if this value is set to another value using this API or in application code.", "title": "CheckpointingEnabled", "type": "boolean" }, "ConfigurationType": { - "markdownDescription": "Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", + "markdownDescription": "Describes whether the application uses Managed Service for Apache Flink' default checkpointing behavior. You must set this property to `CUSTOM` in order to set the `CheckpointingEnabled` , `CheckpointInterval` , or `MinPauseBetweenCheckpoints` parameters.\n\n> If this value is set to `DEFAULT` , the application will use the following values, even if they are set to other values using APIs or application code:\n> \n> - *CheckpointingEnabled:* true\n> - *CheckpointInterval:* 60000\n> - *MinPauseBetweenCheckpoints:* 5000", "title": "ConfigurationType", "type": "string" }, @@ -123447,12 +124187,12 @@ "title": "S3ContentLocation" }, "TextContent": { - "markdownDescription": "The text-format code for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The text-format code for a Managed Service for Apache Flink application.", "title": "TextContent", "type": "string" }, "ZipFileContent": { - "markdownDescription": "The zip-format code for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "The zip-format code for a Managed Service for Apache Flink application.", "title": "ZipFileContent", "type": "string" } @@ -123564,7 +124304,7 @@ }, "InputProcessingConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.InputProcessingConfiguration", - "markdownDescription": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) .", + "markdownDescription": "The [InputProcessingConfiguration](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputProcessingConfiguration.html) for the input. An input processor transforms records as they are received from the stream, before the application's SQL code executes. Currently, the only input processing configuration available is [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) .", "title": "InputProcessingConfiguration" }, "InputSchema": { @@ -123583,7 +124323,7 @@ "title": "KinesisStreamsInput" }, "NamePrefix": { - "markdownDescription": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Kinesis Data Analytics then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on.", + "markdownDescription": "The name prefix to use when creating an in-application stream. Suppose that you specify a prefix \" `MyInApplicationStream` .\" Managed Service for Apache Flink then creates one or more (as per the `InputParallelism` count you specified) in-application streams with the names \" `MyInApplicationStream_001` ,\" \" `MyInApplicationStream_002` ,\" and so on.", "title": "NamePrefix", "type": "string" } @@ -123624,7 +124364,7 @@ "properties": { "InputLambdaProcessor": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.InputLambdaProcessor", - "markdownDescription": "The [InputLambdaProcessor](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code.", + "markdownDescription": "The [InputLambdaProcessor](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_InputLambdaProcessor.html) that is used to preprocess the records in the stream before being processed by your application code.", "title": "InputLambdaProcessor" } }, @@ -123770,17 +124510,17 @@ "additionalProperties": false, "properties": { "AutoScalingEnabled": { - "markdownDescription": "Describes whether the Kinesis Data Analytics service can increase the parallelism of the application in response to increased throughput.", + "markdownDescription": "Describes whether the Managed Service for Apache Flink service can increase the parallelism of the application in response to increased throughput.", "title": "AutoScalingEnabled", "type": "boolean" }, "ConfigurationType": { - "markdownDescription": "Describes whether the application uses the default parallelism for the Kinesis Data Analytics service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", + "markdownDescription": "Describes whether the application uses the default parallelism for the Managed Service for Apache Flink service. You must set this property to `CUSTOM` in order to change your application's `AutoScalingEnabled` , `Parallelism` , or `ParallelismPerKPU` properties.", "title": "ConfigurationType", "type": "string" }, "Parallelism": { - "markdownDescription": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", + "markdownDescription": "Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application can perform. The Kinesis Data Analytics service can increase this number automatically if [ParallelismConfiguration:AutoScalingEnabled](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_ParallelismConfiguration.html#kinesisanalytics-Type-ParallelismConfiguration-AutoScalingEnabled.html) is set to `true` .", "title": "Parallelism", "type": "number" }, @@ -123871,7 +124611,7 @@ }, "FlinkRunConfiguration": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.FlinkRunConfiguration", - "markdownDescription": "Describes the starting parameters for a Flink-based Kinesis Data Analytics application.", + "markdownDescription": "Describes the starting parameters for a Managed Service for Apache Flink application.", "title": "FlinkRunConfiguration" } }, @@ -123928,7 +124668,7 @@ "items": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::Application.Input" }, - "markdownDescription": "The array of [Input](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_Input.html) objects describing the input streams used by the application.", + "markdownDescription": "The array of [Input](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_Input.html) objects describing the input streams used by the application.", "title": "Inputs", "type": "array" } @@ -124130,7 +124870,7 @@ }, "Output": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationOutput.Output", - "markdownDescription": "Describes a SQL-based Kinesis Data Analytics application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.", + "markdownDescription": "Describes a SQL-based Managed Service for Apache Flink application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.", "title": "Output" } }, @@ -124290,7 +125030,7 @@ }, "ReferenceDataSource": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource.ReferenceDataSource", - "markdownDescription": "For a SQL-based Kinesis Data Analytics application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.", + "markdownDescription": "For a SQL-based Managed Service for Apache Flink application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.", "title": "ReferenceDataSource" } }, @@ -124425,7 +125165,7 @@ }, "S3ReferenceDataSource": { "$ref": "#/definitions/AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource.S3ReferenceDataSource", - "markdownDescription": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/kinesisanalytics/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", + "markdownDescription": "Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html) operation to trigger reloading of data into your application.", "title": "S3ReferenceDataSource" }, "TableName": { @@ -124524,7 +125264,7 @@ "properties": { "AmazonOpenSearchServerlessDestinationConfiguration": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessDestinationConfiguration", - "markdownDescription": "", + "markdownDescription": "Describes the configuration of a destination in the Serverless offering for Amazon OpenSearch Service.", "title": "AmazonOpenSearchServerlessDestinationConfiguration" }, "AmazonopensearchserviceDestinationConfiguration": { @@ -124568,7 +125308,9 @@ "title": "KinesisStreamSourceConfiguration" }, "MSKSourceConfiguration": { - "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.MSKSourceConfiguration" + "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.MSKSourceConfiguration", + "markdownDescription": "The configuration for the Amazon MSK cluster to be used as the source for a delivery stream.", + "title": "MSKSourceConfiguration" }, "RedshiftDestinationConfiguration": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.RedshiftDestinationConfiguration", @@ -124620,12 +125362,12 @@ "additionalProperties": false, "properties": { "IntervalInSeconds": { - "markdownDescription": "", + "markdownDescription": "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300 (5 minutes).", "title": "IntervalInSeconds", "type": "number" }, "SizeInMBs": { - "markdownDescription": "", + "markdownDescription": "Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.\n\nWe recommend setting this parameter to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec, the value should be 10 MB or higher.", "title": "SizeInMBs", "type": "number" } @@ -124637,7 +125379,7 @@ "properties": { "BufferingHints": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessBufferingHints", - "markdownDescription": "", + "markdownDescription": "The buffering options. If no value is specified, the default values for AmazonopensearchserviceBufferingHints are used.", "title": "BufferingHints" }, "CloudWatchLoggingOptions": { @@ -124646,12 +125388,12 @@ "title": "CloudWatchLoggingOptions" }, "CollectionEndpoint": { - "markdownDescription": "", + "markdownDescription": "The endpoint to use when communicating with the collection in the Serverless offering for Amazon OpenSearch Service.", "title": "CollectionEndpoint", "type": "string" }, "IndexName": { - "markdownDescription": "", + "markdownDescription": "The Serverless offering for Amazon OpenSearch Service index name.", "title": "IndexName", "type": "string" }, @@ -124662,16 +125404,16 @@ }, "RetryOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AmazonOpenSearchServerlessRetryOptions", - "markdownDescription": "", + "markdownDescription": "The retry behavior in case Kinesis Data Firehose is unable to deliver documents to the Serverless offering for Amazon OpenSearch Service. The default value is 300 (5 minutes).", "title": "RetryOptions" }, "RoleARN": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the IAM role to be assumed by Kinesis Data Firehose for calling the Serverless offering for Amazon OpenSearch Service Configuration API and for indexing documents.", "title": "RoleARN", "type": "string" }, "S3BackupMode": { - "markdownDescription": "", + "markdownDescription": "Defines how documents should be delivered to Amazon S3. When it is set to FailedDocumentsOnly, Kinesis Data Firehose writes any documents that could not be indexed to the configured Amazon S3 destination, with AmazonOpenSearchService-failed/ appended to the key prefix. When set to AllDocuments, Kinesis Data Firehose delivers all incoming records to Amazon S3, and also writes failed documents with AmazonOpenSearchService-failed/ appended to the prefix.", "title": "S3BackupMode", "type": "string" }, @@ -124697,7 +125439,7 @@ "additionalProperties": false, "properties": { "DurationInSeconds": { - "markdownDescription": "", + "markdownDescription": "After an initial failure to deliver to the Serverless offering for Amazon OpenSearch Service, the total amount of time during which Kinesis Data Firehose retries delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. Default value is 300 seconds (5 minutes). A value of 0 (zero) results in no retries.", "title": "DurationInSeconds", "type": "number" } @@ -124740,7 +125482,7 @@ }, "DocumentIdOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.DocumentIdOptions", - "markdownDescription": "", + "markdownDescription": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "title": "DocumentIdOptions" }, "DomainARN": { @@ -124816,9 +125558,13 @@ "additionalProperties": false, "properties": { "Connectivity": { + "markdownDescription": "The type of connectivity used to access the Amazon MSK cluster.", + "title": "Connectivity", "type": "string" }, "RoleARN": { + "markdownDescription": "The ARN of the role used to access the Amazon MSK cluster.", + "title": "RoleARN", "type": "string" } }, @@ -124954,7 +125700,7 @@ "additionalProperties": false, "properties": { "DefaultDocumentIdFormat": { - "markdownDescription": "", + "markdownDescription": "When the `FIREHOSE_DEFAULT` option is chosen, Kinesis Data Firehose generates a unique document ID for each record based on a unique internal identifier. The generated document ID is stable across multiple delivery attempts, which helps prevent the same record from being indexed multiple times with different document IDs.\n\nWhen the `NO_DOCUMENT_ID` option is chosen, Kinesis Data Firehose does not include any document IDs in the requests it sends to the Amazon OpenSearch Service. This causes the Amazon OpenSearch Service domain to generate document IDs. In case of multiple delivery attempts, this may cause the same record to be indexed more than once with different document IDs. This option enables write-heavy operations, such as the ingestion of logs and observability data, to consume less resources in the Amazon OpenSearch Service domain, resulting in improved performance.", "title": "DefaultDocumentIdFormat", "type": "string" } @@ -125016,7 +125762,7 @@ }, "DocumentIdOptions": { "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.DocumentIdOptions", - "markdownDescription": "", + "markdownDescription": "Indicates the method for setting up document ID. The supported methods are Kinesis Data Firehose generated document ID and OpenSearch Service generated document ID.", "title": "DocumentIdOptions" }, "DomainARN": { @@ -125360,12 +126106,18 @@ "additionalProperties": false, "properties": { "AuthenticationConfiguration": { - "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AuthenticationConfiguration" + "$ref": "#/definitions/AWS::KinesisFirehose::DeliveryStream.AuthenticationConfiguration", + "markdownDescription": "The authentication configuration of the Amazon MSK cluster.", + "title": "AuthenticationConfiguration" }, "MSKClusterARN": { + "markdownDescription": "The ARN of the Amazon MSK cluster.", + "title": "MSKClusterARN", "type": "string" }, "TopicName": { + "markdownDescription": "The topic name within the Amazon MSK cluster.", + "title": "TopicName", "type": "string" } }, @@ -126214,6 +126966,8 @@ "type": "boolean" }, "AllowFullTableExternalDataAccess": { + "markdownDescription": "Specifies whether query engines and applications can get credentials without IAM session tags if the user has full table access. It provides query engines and applications performance benefits as well as simplifies data access. Amazon EMR on Amazon EC2 is able to leverage this setting.\n\nFor more information, see [](https://docs.aws.amazon.com/lake-formation/latest/dg/using-cred-vending.html)", + "title": "AllowFullTableExternalDataAccess", "type": "boolean" }, "AuthorizedSessionTagValueList": { @@ -126240,6 +126994,8 @@ "title": "ExternalDataFilteringAllowList" }, "MutationType": { + "markdownDescription": "Specifies whether the data lake settings are updated by adding new values to the current settings ( `APPEND` ) or by replacing the current settings with new settings ( `REPLACE` ).\n\n> If you choose `REPLACE` , your current data lake settings will be replaced with the new values in your template.", + "title": "MutationType", "type": "string" }, "Parameters": { @@ -126892,7 +127648,7 @@ "additionalProperties": false, "properties": { "CatalogId": { - "markdownDescription": "", + "markdownDescription": "The identifier for the Data Catalog. By default, it is the account ID of the caller.", "title": "CatalogId", "type": "string" }, @@ -128163,7 +128919,7 @@ "type": "array" }, "MemorySize": { - "markdownDescription": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB.", + "markdownDescription": "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase.", "title": "MemorySize", "type": "number" }, @@ -128173,6 +128929,8 @@ "type": "string" }, "Policy": { + "markdownDescription": "", + "title": "Policy", "type": "object" }, "ReservedConcurrentExecutions": { @@ -128435,6 +129193,8 @@ "additionalProperties": false, "properties": { "Ipv6AllowedForDualStack": { + "markdownDescription": "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.", + "title": "Ipv6AllowedForDualStack", "type": "boolean" }, "SecurityGroupIds": { @@ -128959,7 +129719,9 @@ "title": "ProvisionedConcurrencyConfig" }, "RuntimePolicy": { - "$ref": "#/definitions/AWS::Lambda::Version.RuntimePolicy" + "$ref": "#/definitions/AWS::Lambda::Version.RuntimePolicy", + "markdownDescription": "", + "title": "RuntimePolicy" } }, "required": [ @@ -129006,9 +129768,13 @@ "additionalProperties": false, "properties": { "RuntimeVersionArn": { + "markdownDescription": "", + "title": "RuntimeVersionArn", "type": "string" }, "UpdateRuntimeOn": { + "markdownDescription": "", + "title": "UpdateRuntimeOn", "type": "string" } }, @@ -132429,7 +133195,9 @@ "type": "string" }, "PrivateRegistryAccess": { - "$ref": "#/definitions/AWS::Lightsail::Container.PrivateRegistryAccess" + "$ref": "#/definitions/AWS::Lightsail::Container.PrivateRegistryAccess", + "markdownDescription": "An object that describes the configuration for the container service to access private container image repositories, such as Amazon Elastic Container Registry ( Amazon ECR ) private repositories.\n\nFor more information, see [Configuring access to an Amazon ECR private repository for an Amazon Lightsail container service](https://docs.aws.amazon.com/latest/userguide/amazon-lightsail-container-service-ecr-private-repo-access) in the *Amazon Lightsail Developer Guide* .", + "title": "PrivateRegistryAccess" }, "PublicDomainNames": { "items": { @@ -132549,9 +133317,13 @@ "additionalProperties": false, "properties": { "IsActive": { + "markdownDescription": "A boolean value that indicates whether the `ECRImagePullerRole` is active.", + "title": "IsActive", "type": "boolean" }, "PrincipalArn": { + "markdownDescription": "The principle Amazon Resource Name (ARN) of the role. This property is read-only.", + "title": "PrincipalArn", "type": "string" } }, @@ -132629,7 +133401,9 @@ "additionalProperties": false, "properties": { "EcrImagePullerRole": { - "$ref": "#/definitions/AWS::Lightsail::Container.EcrImagePullerRole" + "$ref": "#/definitions/AWS::Lightsail::Container.EcrImagePullerRole", + "markdownDescription": "An object that describes the activation status of the role that you can use to grant a Lightsail container service access to Amazon ECR private repositories. If the role is activated, the Amazon Resource Name (ARN) of the role is also listed.", + "title": "EcrImagePullerRole" } }, "type": "object" @@ -132922,7 +133696,7 @@ }, "Location": { "$ref": "#/definitions/AWS::Lightsail::Disk.Location", - "markdownDescription": "", + "markdownDescription": "The AWS Region and Availability Zone where the disk is located.", "title": "Location" }, "SizeInGb": { @@ -133005,12 +133779,12 @@ "additionalProperties": false, "properties": { "AvailabilityZone": { - "markdownDescription": "", + "markdownDescription": "The Availability Zone where the disk is located.", "title": "AvailabilityZone", "type": "string" }, "RegionName": { - "markdownDescription": "", + "markdownDescription": "The AWS Region where the disk is located.", "title": "RegionName", "type": "string" } @@ -134483,15 +135257,23 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "Specify the data protection policy, in JSON.\n\nThis policy must include two JSON blocks:\n\n- The first block must include both a `DataIdentifer` array and an `Operation` property with an `Audit` action. The `DataIdentifer` array lists the types of sensitive data that you want to mask. For more information about the available options, see [Types of data that you can mask](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html) .\n\nThe `Operation` property with an `Audit` action is required to find the sensitive data terms. This `Audit` action must contain a `FindingsDestination` object. You can optionally use that `FindingsDestination` object to list one or more destinations to send audit findings to. If you specify destinations such as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist.\n- The second block must include both a `DataIdentifer` array and an `Operation` property with an `Deidentify` action. The `DataIdentifer` array must exactly match the `DataIdentifer` array in the first block of the policy.\n\nThe `Operation` property with the `Deidentify` action is what actually masks the data, and it must contain the `\"MaskConfig\": {}` object. The `\"MaskConfig\": {}` object must be empty.\n\n> The contents of the two `DataIdentifer` arrays must match exactly.", + "title": "PolicyDocument", "type": "string" }, "PolicyName": { + "markdownDescription": "A name for the policy. This must be unique within the account.", + "title": "PolicyName", "type": "string" }, "PolicyType": { + "markdownDescription": "Currently the only valid value for this parameter is `DATA_PROTECTION_POLICY` .", + "title": "PolicyType", "type": "string" }, "Scope": { + "markdownDescription": "Currently the only valid value for this parameter is `ALL` , which specifies that the data protection policy applies to all log groups in the account. If you omit this parameter, the default of `ALL` is used.", + "title": "Scope", "type": "string" } }, @@ -135225,7 +136007,7 @@ "type": "string" }, "ModelName": { - "markdownDescription": "The name of the ML model used for the inference scheduler.", + "markdownDescription": "The name of the machine learning model used for the inference scheduler.", "title": "ModelName", "type": "string" }, @@ -136166,7 +136948,7 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the role associated with the application.", "title": "RoleArn", "type": "string" }, @@ -136557,7 +137339,7 @@ }, "ClientAuthentication": { "$ref": "#/definitions/AWS::MSK::Cluster.ClientAuthentication", - "markdownDescription": "Includes all client authentication related information.", + "markdownDescription": "VPC connection control settings for brokers.", "title": "ClientAuthentication" }, "ClusterName": { @@ -136694,7 +137476,7 @@ "title": "ConnectivityInfo" }, "InstanceType": { - "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, and kafka.m5.24xlarge, and kafka.t3.small.", + "markdownDescription": "The type of Amazon EC2 instances to use for brokers. The following instance types are allowed: kafka.m5.large, kafka.m5.xlarge, kafka.m5.2xlarge, kafka.m5.4xlarge, kafka.m5.8xlarge, kafka.m5.12xlarge, kafka.m5.16xlarge, kafka.m5.24xlarge, and kafka.t3.small.", "title": "InstanceType", "type": "string" }, @@ -136814,7 +137596,7 @@ "additionalProperties": false, "properties": { "DataVolumeKMSKeyId": { - "markdownDescription": "The ARN of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.", + "markdownDescription": "The Amazon Resource Name (ARN) of the Amazon KMS key for encrypting data at rest. If you don't specify a KMS key, MSK creates one for you and uses it.", "title": "DataVolumeKMSKeyId", "type": "string" } @@ -136865,7 +137647,7 @@ "type": "string" }, "Enabled": { - "markdownDescription": "Specifies whether broker logs get send to the specified Kinesis Data Firehose delivery stream.", + "markdownDescription": "Specifies whether broker logs get sent to the specified Kinesis Data Firehose delivery stream.", "title": "Enabled", "type": "boolean" } @@ -137060,7 +137842,7 @@ "items": { "type": "string" }, - "markdownDescription": "List of AWS Private CA ARNs.", + "markdownDescription": "List of AWS Private CA Amazon Resource Name (ARN)s.", "title": "CertificateAuthorityArnList", "type": "array" }, @@ -137293,7 +138075,9 @@ "type": "array" }, "LatestRevision": { - "$ref": "#/definitions/AWS::MSK::Configuration.LatestRevision" + "$ref": "#/definitions/AWS::MSK::Configuration.LatestRevision", + "markdownDescription": "Latest revision of the configuration.", + "title": "LatestRevision" }, "Name": { "markdownDescription": "The name of the configuration. Configuration names are strings that match the regex \"^[0-9A-Za-z][0-9A-Za-z-]{0,}$\".", @@ -137337,12 +138121,18 @@ "additionalProperties": false, "properties": { "CreationTime": { + "markdownDescription": "", + "title": "CreationTime", "type": "string" }, "Description": { + "markdownDescription": "", + "title": "Description", "type": "string" }, "Revision": { + "markdownDescription": "", + "title": "Revision", "type": "number" } }, @@ -137384,33 +138174,47 @@ "additionalProperties": false, "properties": { "CurrentVersion": { + "markdownDescription": "", + "title": "CurrentVersion", "type": "string" }, "Description": { + "markdownDescription": "", + "title": "Description", "type": "string" }, "KafkaClusters": { "items": { "$ref": "#/definitions/AWS::MSK::Replicator.KafkaCluster" }, + "markdownDescription": "", + "title": "KafkaClusters", "type": "array" }, "ReplicationInfoList": { "items": { "$ref": "#/definitions/AWS::MSK::Replicator.ReplicationInfo" }, + "markdownDescription": "", + "title": "ReplicationInfoList", "type": "array" }, "ReplicatorName": { + "markdownDescription": "", + "title": "ReplicatorName", "type": "string" }, "ServiceExecutionRoleArn": { + "markdownDescription": "", + "title": "ServiceExecutionRoleArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "", + "title": "Tags", "type": "array" } }, @@ -137447,6 +138251,8 @@ "additionalProperties": false, "properties": { "MskClusterArn": { + "markdownDescription": "", + "title": "MskClusterArn", "type": "string" } }, @@ -137462,18 +138268,26 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "ConsumerGroupsToExclude", "type": "array" }, "ConsumerGroupsToReplicate": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "ConsumerGroupsToReplicate", "type": "array" }, "DetectAndCopyNewConsumerGroups": { + "markdownDescription": "", + "title": "DetectAndCopyNewConsumerGroups", "type": "boolean" }, "SynchroniseConsumerGroupOffsets": { + "markdownDescription": "", + "title": "SynchroniseConsumerGroupOffsets", "type": "boolean" } }, @@ -137486,10 +138300,14 @@ "additionalProperties": false, "properties": { "AmazonMskCluster": { - "$ref": "#/definitions/AWS::MSK::Replicator.AmazonMskCluster" + "$ref": "#/definitions/AWS::MSK::Replicator.AmazonMskCluster", + "markdownDescription": "", + "title": "AmazonMskCluster" }, "VpcConfig": { - "$ref": "#/definitions/AWS::MSK::Replicator.KafkaClusterClientVpcConfig" + "$ref": "#/definitions/AWS::MSK::Replicator.KafkaClusterClientVpcConfig", + "markdownDescription": "", + "title": "VpcConfig" } }, "required": [ @@ -137505,12 +138323,16 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "SecurityGroupIds", "type": "array" }, "SubnetIds": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "SubnetIds", "type": "array" } }, @@ -137523,19 +138345,29 @@ "additionalProperties": false, "properties": { "ConsumerGroupReplication": { - "$ref": "#/definitions/AWS::MSK::Replicator.ConsumerGroupReplication" + "$ref": "#/definitions/AWS::MSK::Replicator.ConsumerGroupReplication", + "markdownDescription": "", + "title": "ConsumerGroupReplication" }, "SourceKafkaClusterArn": { + "markdownDescription": "", + "title": "SourceKafkaClusterArn", "type": "string" }, "TargetCompressionType": { + "markdownDescription": "", + "title": "TargetCompressionType", "type": "string" }, "TargetKafkaClusterArn": { + "markdownDescription": "", + "title": "TargetKafkaClusterArn", "type": "string" }, "TopicReplication": { - "$ref": "#/definitions/AWS::MSK::Replicator.TopicReplication" + "$ref": "#/definitions/AWS::MSK::Replicator.TopicReplication", + "markdownDescription": "", + "title": "TopicReplication" } }, "required": [ @@ -137551,24 +138383,34 @@ "additionalProperties": false, "properties": { "CopyAccessControlListsForTopics": { + "markdownDescription": "", + "title": "CopyAccessControlListsForTopics", "type": "boolean" }, "CopyTopicConfigurations": { + "markdownDescription": "", + "title": "CopyTopicConfigurations", "type": "boolean" }, "DetectAndCopyNewTopics": { + "markdownDescription": "", + "title": "DetectAndCopyNewTopics", "type": "boolean" }, "TopicsToExclude": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "TopicsToExclude", "type": "array" }, "TopicsToReplicate": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "TopicsToReplicate", "type": "array" } }, @@ -137614,7 +138456,7 @@ "properties": { "ClientAuthentication": { "$ref": "#/definitions/AWS::MSK::ServerlessCluster.ClientAuthentication", - "markdownDescription": "", + "markdownDescription": "Includes all client authentication information.", "title": "ClientAuthentication" }, "ClusterName": { @@ -137886,7 +138728,7 @@ "type": "object" }, "AirflowVersion": { - "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` (latest)", + "markdownDescription": "The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version.\n\nIf you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.\n\n*Allowed Values* : `2.0.2` | `1.10.12` | `2.2.2` | `2.4.3` | `2.5.1` | `2.6.3` (latest)", "title": "AirflowVersion", "type": "string" }, @@ -137976,7 +138818,7 @@ "type": "string" }, "Tags": { - "markdownDescription": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .", + "markdownDescription": "The key-value tag pairs associated to your environment. For example, `\"Environment\": \"Staging\"` . To learn more, see [Tagging](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) .\n\nIf you specify new tags for an existing environment, the update requires service interruption before taking effect.", "title": "Tags", "type": "object" }, @@ -138145,7 +138987,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "markdownDescription": "An array of key-value pairs to apply to the allow list.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", "title": "Tags", "type": "array" } @@ -138288,6 +139130,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An array of key-value pairs to apply to the custom data identifier.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", "type": "array" } }, @@ -138374,7 +139218,7 @@ "type": "string" }, "Position": { - "markdownDescription": "The position of the findings filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", + "markdownDescription": "The position of the findings filter in the list of saved filter rules on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to findings.", "title": "Position", "type": "number" }, @@ -138382,6 +139226,8 @@ "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "An array of key-value pairs to apply to the findings filter.\n\nFor more information, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "title": "Tags", "type": "array" } }, @@ -138891,7 +139737,7 @@ "type": "string" }, "NetworkId": { - "markdownDescription": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`\n- `n-ethereum-rinkeby`", + "markdownDescription": "The unique identifier of the network for the node.\n\nEthereum public networks have the following `NetworkId` s:\n\n- `n-ethereum-mainnet`\n- `n-ethereum-goerli`", "title": "NetworkId", "type": "string" }, @@ -138994,7 +139840,7 @@ "title": "IngressGatewayBridge" }, "Name": { - "markdownDescription": "The network output name. This name is used to reference the output and must be unique among outputs in this bridge.", + "markdownDescription": "The name of the bridge. This name can not be modified after the bridge is created.", "title": "Name", "type": "string" }, @@ -139430,7 +140276,7 @@ "title": "FlowSource" }, "Name": { - "markdownDescription": "The name of the network source. This name is used to reference the source and must be unique among sources in this bridge.", + "markdownDescription": "The name of the flow source. This name is used to reference the source and must be unique among sources in this bridge.", "title": "Name", "type": "string" }, @@ -139696,13 +140542,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::Flow.VpcInterfaceAttachment", - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface attachment to use for this bridge source.", "title": "VpcInterfaceAttachment" } }, @@ -139731,7 +140577,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::Flow.GatewayBridgeSource", - "markdownDescription": "", + "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", "title": "GatewayBridgeSource" }, "IngestIp": { @@ -139835,7 +140681,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface that you want to send your output to.", "title": "VpcInterfaceName", "type": "string" } @@ -140074,7 +140920,7 @@ "type": "number" }, "Name": { - "markdownDescription": "The name of the VPC interface.", + "markdownDescription": "The name of the output. This value must be unique within the current flow.", "title": "Name", "type": "string" }, @@ -140234,7 +141080,7 @@ }, "GatewayBridgeSource": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.GatewayBridgeSource", - "markdownDescription": "", + "markdownDescription": "The source configuration for cloud flows receiving a stream from a bridge.", "title": "GatewayBridgeSource" }, "IngestPort": { @@ -140388,13 +141234,13 @@ "additionalProperties": false, "properties": { "BridgeArn": { - "markdownDescription": "", + "markdownDescription": "The ARN of the bridge feeding this flow.", "title": "BridgeArn", "type": "string" }, "VpcInterfaceAttachment": { "$ref": "#/definitions/AWS::MediaConnect::FlowSource.VpcInterfaceAttachment", - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface attachment to use for this bridge source.", "title": "VpcInterfaceAttachment" } }, @@ -140407,7 +141253,7 @@ "additionalProperties": false, "properties": { "VpcInterfaceName": { - "markdownDescription": "", + "markdownDescription": "The name of the VPC interface that you want to send your output to.", "title": "VpcInterfaceName", "type": "string" } @@ -140552,7 +141398,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the gateway. This name can not be modified after the gateway is created.", + "markdownDescription": "The name of the network. This name is used to reference the network and must be unique among networks in this gateway.", "title": "Name", "type": "string" }, @@ -140672,7 +141518,7 @@ "type": "array" }, "Name": { - "markdownDescription": "The name of the job template you are creating.", + "markdownDescription": "Name of the output group", "title": "Name", "type": "string" }, @@ -141011,7 +141857,7 @@ }, "Maintenance": { "$ref": "#/definitions/AWS::MediaLive::Channel.MaintenanceCreateSettings", - "markdownDescription": "", + "markdownDescription": "Maintenance settings for this channel.", "title": "Maintenance" }, "Name": { @@ -141112,6 +141958,8 @@ "additionalProperties": false, "properties": { "AttenuationControl": { + "markdownDescription": "", + "title": "AttenuationControl", "type": "string" }, "Bitrate": { @@ -142447,7 +143295,9 @@ "type": "array" }, "ThumbnailConfiguration": { - "$ref": "#/definitions/AWS::MediaLive::Channel.ThumbnailConfiguration" + "$ref": "#/definitions/AWS::MediaLive::Channel.ThumbnailConfiguration", + "markdownDescription": "", + "title": "ThumbnailConfiguration" }, "TimecodeConfig": { "$ref": "#/definitions/AWS::MediaLive::Channel.TimecodeConfig", @@ -143427,7 +144277,7 @@ "type": "string" }, "ProgramDateTimeClock": { - "markdownDescription": "", + "markdownDescription": "Specifies the algorithm used to drive the HLS EXT-X-PROGRAM-DATE-TIME clock. Options include: INITIALIZE_FROM_OUTPUT_TIMECODE: The PDT clock is initialized as a function of the first output timecode, then incremented by the EXTINF duration of each encoded segment. SYSTEM_CLOCK: The PDT clock is initialized as a function of the UTC wall clock, then incremented by the EXTINF duration of each encoded segment. If the PDT clock diverges from the wall clock by more than 500ms, it is resynchronized to the wall clock.", "title": "ProgramDateTimeClock", "type": "string" }, @@ -144114,9 +144964,13 @@ "type": "string" }, "KlvBehavior": { + "markdownDescription": "", + "title": "KlvBehavior", "type": "string" }, "KlvDataPids": { + "markdownDescription": "", + "title": "KlvDataPids", "type": "string" }, "NielsenId3Behavior": { @@ -144196,12 +145050,12 @@ "additionalProperties": false, "properties": { "MaintenanceDay": { - "markdownDescription": "", + "markdownDescription": "Choose one day of the week for maintenance. The chosen day is used for all future maintenance windows.", "title": "MaintenanceDay", "type": "string" }, "MaintenanceStartTime": { - "markdownDescription": "", + "markdownDescription": "Choose the hour that maintenance will start. The chosen time is used for all future maintenance windows.", "title": "MaintenanceStartTime", "type": "string" } @@ -144212,18 +145066,12 @@ "additionalProperties": false, "properties": { "MaintenanceDay": { - "markdownDescription": "", - "title": "MaintenanceDay", "type": "string" }, "MaintenanceScheduledDate": { - "markdownDescription": "", - "title": "MaintenanceScheduledDate", "type": "string" }, "MaintenanceStartTime": { - "markdownDescription": "", - "title": "MaintenanceStartTime", "type": "string" } }, @@ -144953,6 +145801,8 @@ "type": "string" }, "IncludeFillerNalUnits": { + "markdownDescription": "", + "title": "IncludeFillerNalUnits", "type": "string" }, "InputLossAction": { @@ -145156,6 +146006,8 @@ "additionalProperties": false, "properties": { "State": { + "markdownDescription": "", + "title": "State", "type": "string" } }, @@ -145625,8 +146477,6 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "This property is not used. Ignore it.", - "title": "Id", "type": "string" } }, @@ -146917,9 +147767,13 @@ "additionalProperties": false, "properties": { "PresetSpeke20Audio": { + "markdownDescription": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "title": "PresetSpeke20Audio", "type": "string" }, "PresetSpeke20Video": { + "markdownDescription": "A collection of video encryption presets.\n\nValue description:\n\n- `PRESET-VIDEO-1` - Use one content key to encrypt all of the video tracks in your stream.\n- `PRESET-VIDEO-2` - Use one content key to encrypt all of the SD video tracks and one content key for all HD and higher resolutions video tracks.\n- `PRESET-VIDEO-3` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-4` - Use one content key to encrypt all of the SD video tracks, one content key for HD video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-5` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `PRESET-VIDEO-6` - Use one content key to encrypt all of the SD video tracks, one content key for HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-7` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks and one content key for all UHD video tracks.\n- `PRESET-VIDEO-8` - Use one content key to encrypt all of the SD+HD1 video tracks, one content key for HD2 video tracks, one content key for all UHD1 video tracks and one content key for all UHD2 video tracks.\n- `SHARED` - Use the same content key for all of the video and audio tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the video tracks in your stream.", + "title": "PresetSpeke20Video", "type": "string" } }, @@ -147290,18 +148144,26 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the channel configuration.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The name of the channel.", + "title": "ChannelName", "type": "string" }, "Description": { + "markdownDescription": "The description of the channel.", + "title": "Description", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the channel.", + "title": "Tags", "type": "array" } }, @@ -147331,9 +148193,13 @@ "additionalProperties": false, "properties": { "Id": { + "markdownDescription": "The identifier associated with the ingest endpoint of the channel.", + "title": "Id", "type": "string" }, "Url": { + "markdownDescription": "The URL associated with the ingest endpoint of the channel.", + "title": "Url", "type": "string" } }, @@ -147375,15 +148241,21 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group.", + "title": "ChannelGroupName", "type": "string" }, "Description": { + "markdownDescription": "The configuration for a MediaPackage V2 channel group.", + "title": "Description", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the channel group.", + "title": "Tags", "type": "array" } }, @@ -147445,12 +148317,18 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the channel policy.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The name of the channel associated with the channel policy.", + "title": "ChannelName", "type": "string" }, "Policy": { + "markdownDescription": "The policy associated with the channel.", + "title": "Policy", "type": "object" } }, @@ -147516,42 +148394,62 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the origin endpoint configuration.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The channel name associated with the origin endpoint.", + "title": "ChannelName", "type": "string" }, "ContainerType": { + "markdownDescription": "The container type associated with the origin endpoint configuration.", + "title": "ContainerType", "type": "string" }, "Description": { + "markdownDescription": "The description associated with the origin endpoint.", + "title": "Description", "type": "string" }, "HlsManifests": { "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.HlsManifestConfiguration" }, + "markdownDescription": "The HLS manfiests associated with the origin endpoint configuration.", + "title": "HlsManifests", "type": "array" }, "LowLatencyHlsManifests": { "items": { "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.LowLatencyHlsManifestConfiguration" }, + "markdownDescription": "The low-latency HLS (LL-HLS) manifests associated with the origin endpoint.", + "title": "LowLatencyHlsManifests", "type": "array" }, "OriginEndpointName": { + "markdownDescription": "The name of the origin endpoint associated with the origin endpoint configuration.", + "title": "OriginEndpointName", "type": "string" }, "Segment": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Segment" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Segment", + "markdownDescription": "The segment associated with the origin endpoint.", + "title": "Segment" }, "StartoverWindowSeconds": { + "markdownDescription": "The size of the window (in seconds) to specify a window of the live stream that's available for on-demand viewing. Viewers can start-over or catch-up on content that falls within the window.", + "title": "StartoverWindowSeconds", "type": "number" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags associated with the origin endpoint.", + "title": "Tags", "type": "array" } }, @@ -147585,16 +148483,24 @@ "additionalProperties": false, "properties": { "ConstantInitializationVector": { + "markdownDescription": "A 128-bit, 16-byte hex value represented by a 32-character string, used in conjunction with the key for encrypting content. If you don't specify a value, then MediaPackage creates the constant initialization vector (IV).", + "title": "ConstantInitializationVector", "type": "string" }, "EncryptionMethod": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionMethod" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionMethod", + "markdownDescription": "The encryption method to use.", + "title": "EncryptionMethod" }, "KeyRotationIntervalSeconds": { + "markdownDescription": "The interval, in seconds, to rotate encryption keys for the origin endpoint.", + "title": "KeyRotationIntervalSeconds", "type": "number" }, "SpekeKeyProvider": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.SpekeKeyProvider" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.SpekeKeyProvider", + "markdownDescription": "The SPEKE key provider to use for encryption.", + "title": "SpekeKeyProvider" } }, "required": [ @@ -147607,9 +148513,13 @@ "additionalProperties": false, "properties": { "PresetSpeke20Audio": { + "markdownDescription": "A collection of audio encryption presets.\n\nValue description:\n\n- `PRESET-AUDIO-1` - Use one content key to encrypt all of the audio tracks in your stream.\n- `PRESET-AUDIO-2` - Use one content key to encrypt all of the stereo audio tracks and one content key to encrypt all of the multichannel audio tracks.\n- `PRESET-AUDIO-3` - Use one content key to encrypt all of the stereo audio tracks, one content key to encrypt all of the multichannel audio tracks with 3 to 6 channels, and one content key to encrypt all of the multichannel audio tracks with more than 6 channels.\n- `SHARED` - Use the same content key for all of the audio and video tracks in your stream.\n- `UNENCRYPTED` - Don't encrypt any of the audio tracks in your stream.", + "title": "PresetSpeke20Audio", "type": "string" }, "PresetSpeke20Video": { + "markdownDescription": "The SPEKE Version 2.0 preset video associated with the encryption contract configuration of the origin endpoint.", + "title": "PresetSpeke20Video", "type": "string" } }, @@ -147623,9 +148533,13 @@ "additionalProperties": false, "properties": { "CmafEncryptionMethod": { + "markdownDescription": "The encryption method to use.", + "title": "CmafEncryptionMethod", "type": "string" }, "TsEncryptionMethod": { + "markdownDescription": "The encryption method to use.", + "title": "TsEncryptionMethod", "type": "string" } }, @@ -147635,21 +148549,33 @@ "additionalProperties": false, "properties": { "ChildManifestName": { + "markdownDescription": "The name of the child manifest associated with the HLS manifest configuration.", + "title": "ChildManifestName", "type": "string" }, "ManifestName": { + "markdownDescription": "The name of the manifest associated with the HLS manifest configuration.", + "title": "ManifestName", "type": "string" }, "ManifestWindowSeconds": { + "markdownDescription": "The duration of the manifest window, in seconds, for the HLS manifest configuration.", + "title": "ManifestWindowSeconds", "type": "number" }, "ProgramDateTimeIntervalSeconds": { + "markdownDescription": "The `EXT-X-PROGRAM-DATE-TIME` interval, in seconds, associated with the HLS manifest configuration.", + "title": "ProgramDateTimeIntervalSeconds", "type": "number" }, "ScteHls": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls", + "markdownDescription": "THE SCTE-35 HLS configuration associated with the HLS manifest configuration.", + "title": "ScteHls" }, "Url": { + "markdownDescription": "The URL of the HLS manifest configuration.", + "title": "Url", "type": "string" } }, @@ -147662,21 +148588,33 @@ "additionalProperties": false, "properties": { "ChildManifestName": { + "markdownDescription": "The name of the child manifest associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "ChildManifestName", "type": "string" }, "ManifestName": { + "markdownDescription": "A short short string that's appended to the endpoint URL. The manifest name creates a unique path to this endpoint. If you don't enter a value, MediaPackage uses the default manifest name, `index` . MediaPackage automatically inserts the format extension, such as `.m3u8` . You can't use the same manifest name if you use HLS manifest and low-latency HLS manifest. The `manifestName` on the `HLSManifest` object overrides the `manifestName` you provided on the `originEndpoint` object.", + "title": "ManifestName", "type": "string" }, "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of the manifest's content.", + "title": "ManifestWindowSeconds", "type": "number" }, "ProgramDateTimeIntervalSeconds": { + "markdownDescription": "Inserts `EXT-X-PROGRAM-DATE-TIME` tags in the output manifest at the interval that you specify. If you don't enter an interval, `EXT-X-PROGRAM-DATE-TIME` tags aren't included in the manifest. The tags sync the stream to the wall clock so that viewers can seek to a specific time in the playback timeline on the player. `ID3Timed` metadata messages generate every 5 seconds whenever MediaPackage ingests the content.\n\nIrrespective of this parameter, if any `ID3Timed` metadata is in the HLS input, MediaPackage passes through that metadata to the HLS output.", + "title": "ProgramDateTimeIntervalSeconds", "type": "number" }, "ScteHls": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.ScteHls", + "markdownDescription": "The SCTE-35 HLS configuration associated with the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "ScteHls" }, "Url": { + "markdownDescription": "The URL of the low-latency HLS (LL-HLS) manifest configuration of the origin endpoint.", + "title": "Url", "type": "string" } }, @@ -147692,6 +148630,8 @@ "items": { "type": "string" }, + "markdownDescription": "The filter associated with the SCTE-35 configuration.", + "title": "ScteFilter", "type": "array" } }, @@ -147701,6 +148641,8 @@ "additionalProperties": false, "properties": { "AdMarkerHls": { + "markdownDescription": "The SCTE-35 HLS ad-marker configuration.", + "title": "AdMarkerHls", "type": "string" } }, @@ -147710,24 +148652,38 @@ "additionalProperties": false, "properties": { "Encryption": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Encryption" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Encryption", + "markdownDescription": "Whether to use encryption for the segment.", + "title": "Encryption" }, "IncludeIframeOnlyStreams": { + "markdownDescription": "Whether the segment includes I-frame-only streams.", + "title": "IncludeIframeOnlyStreams", "type": "boolean" }, "Scte": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Scte" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.Scte", + "markdownDescription": "The SCTE-35 configuration associated with the segment.", + "title": "Scte" }, "SegmentDurationSeconds": { + "markdownDescription": "The duration of the segment, in seconds.", + "title": "SegmentDurationSeconds", "type": "number" }, "SegmentName": { + "markdownDescription": "The name of the segment associated with the origin endpoint.", + "title": "SegmentName", "type": "string" }, "TsIncludeDvbSubtitles": { + "markdownDescription": "Whether the segment includes DVB subtitles.", + "title": "TsIncludeDvbSubtitles", "type": "boolean" }, "TsUseAudioRenditionGroup": { + "markdownDescription": "Whether the segment is an audio rendition group.", + "title": "TsUseAudioRenditionGroup", "type": "boolean" } }, @@ -147740,18 +148696,28 @@ "items": { "type": "string" }, + "markdownDescription": "The DRM solution provider you're using to protect your content during distribution.", + "title": "DrmSystems", "type": "array" }, "EncryptionContractConfiguration": { - "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionContractConfiguration" + "$ref": "#/definitions/AWS::MediaPackageV2::OriginEndpoint.EncryptionContractConfiguration", + "markdownDescription": "The encryption contract configuration associated with the SPEKE key provider.", + "title": "EncryptionContractConfiguration" }, "ResourceId": { + "markdownDescription": "The unique identifier for the content. The service sends this identifier to the key server to identify the current endpoint. How unique you make this identifier depends on how fine-grained you want access controls to be. The service does not permit you to use the same ID for two simultaneous encryption processes. The resource ID is also known as the content ID.\n\nThe following example shows a resource ID: `MovieNight20171126093045`", + "title": "ResourceId", "type": "string" }, "RoleArn": { + "markdownDescription": "The ARN for the IAM role granted by the key provider that provides access to the key provider API. This role must have a trust policy that allows MediaPackage to assume the role, and it must have a sufficient permissions policy to allow access to the specific key retrieval URL. Get this from your DRM solution provider.\n\nValid format: `arn:aws:iam::{accountID}:role/{name}` . The following example shows a role ARN: `arn:aws:iam::444455556666:role/SpekeAccess`", + "title": "RoleArn", "type": "string" }, "Url": { + "markdownDescription": "The URL of the SPEKE key provider.", + "title": "Url", "type": "string" } }, @@ -147800,15 +148766,23 @@ "additionalProperties": false, "properties": { "ChannelGroupName": { + "markdownDescription": "The name of the channel group associated with the origin endpoint policy.", + "title": "ChannelGroupName", "type": "string" }, "ChannelName": { + "markdownDescription": "The channel name associated with the origin endpoint policy.", + "title": "ChannelName", "type": "string" }, "OriginEndpointName": { + "markdownDescription": "The name of the origin endpoint associated with the origin endpoint policy.", + "title": "OriginEndpointName", "type": "string" }, "Policy": { + "markdownDescription": "The policy associated with the origin endpoint.", + "title": "Policy", "type": "object" } }, @@ -147898,7 +148872,7 @@ }, "MetricPolicy": { "$ref": "#/definitions/AWS::MediaStore::Container.MetricPolicy", - "markdownDescription": "", + "markdownDescription": "The metric policy that is associated with the container. A metric policy allows AWS Elemental MediaStore to send metrics to Amazon CloudWatch. In the policy, you must indicate whether you want MediaStore to send container-level metrics. You can also include rules to define groups of objects that you want MediaStore to send object-level metrics for.\n\nTo view examples of how to construct a metric policy for your use case, see [Example Metric Policies](https://docs.aws.amazon.com/mediastore/latest/ug/policies-metric-examples.html) .", "title": "MetricPolicy" }, "Policy": { @@ -148062,30 +149036,44 @@ "additionalProperties": false, "properties": { "ChannelName": { + "markdownDescription": "The name of the channel.", + "title": "ChannelName", "type": "string" }, "FillerSlate": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.SlateSource" + "$ref": "#/definitions/AWS::MediaTailor::Channel.SlateSource", + "markdownDescription": "The slate used to fill gaps between programs in the schedule. You must configure filler slate if your channel uses the `LINEAR` `PlaybackMode` . MediaTailor doesn't support filler slate for channels using the `LOOP` `PlaybackMode` .", + "title": "FillerSlate" }, "LogConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.LogConfigurationForChannel" + "$ref": "#/definitions/AWS::MediaTailor::Channel.LogConfigurationForChannel", + "markdownDescription": "The log configuration.", + "title": "LogConfiguration" }, "Outputs": { "items": { "$ref": "#/definitions/AWS::MediaTailor::Channel.RequestOutputItem" }, + "markdownDescription": "The channel's output properties.", + "title": "Outputs", "type": "array" }, "PlaybackMode": { + "markdownDescription": "The type of playback mode for this channel.\n\n`LINEAR` - Programs play back-to-back only once.\n\n`LOOP` - Programs play back-to-back in an endless loop. When the last program in the schedule plays, playback loops back to the first program in the schedule.", + "title": "PlaybackMode", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to assign to the channel. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" }, "Tier": { + "markdownDescription": "The tier for this channel. STANDARD tier channels can contain live programs.", + "title": "Tier", "type": "string" } }, @@ -148121,15 +149109,23 @@ "additionalProperties": false, "properties": { "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "title": "ManifestWindowSeconds", "type": "number" }, "MinBufferTimeSeconds": { + "markdownDescription": "Minimum amount of content (measured in seconds) that a player must keep available in the buffer. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "MinBufferTimeSeconds", "type": "number" }, "MinUpdatePeriodSeconds": { + "markdownDescription": "Minimum amount of time (in seconds) that the player should wait before requesting updates to the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "MinUpdatePeriodSeconds", "type": "number" }, "SuggestedPresentationDelaySeconds": { + "markdownDescription": "Amount of time (in seconds) that the player should be from the live point at the end of the manifest. Minimum value: `2` seconds. Maximum value: `60` seconds.", + "title": "SuggestedPresentationDelaySeconds", "type": "number" } }, @@ -148142,9 +149138,13 @@ "items": { "type": "string" }, + "markdownDescription": "Determines the type of SCTE 35 tags to use in ad markup. Specify `DATERANGE` to use `DATERANGE` tags (for live or VOD content). Specify `SCTE35_ENHANCED` to use `EXT-X-CUE-OUT` and `EXT-X-CUE-IN` tags (for VOD content only).", + "title": "AdMarkupType", "type": "array" }, "ManifestWindowSeconds": { + "markdownDescription": "The total duration (in seconds) of each manifest. Minimum value: `30` seconds. Maximum value: `3600` seconds.", + "title": "ManifestWindowSeconds", "type": "number" } }, @@ -148157,6 +149157,8 @@ "items": { "type": "string" }, + "markdownDescription": "The log types.", + "title": "LogTypes", "type": "array" } }, @@ -148166,15 +149168,23 @@ "additionalProperties": false, "properties": { "DashPlaylistSettings": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.DashPlaylistSettings" + "$ref": "#/definitions/AWS::MediaTailor::Channel.DashPlaylistSettings", + "markdownDescription": "DASH manifest configuration parameters.", + "title": "DashPlaylistSettings" }, "HlsPlaylistSettings": { - "$ref": "#/definitions/AWS::MediaTailor::Channel.HlsPlaylistSettings" + "$ref": "#/definitions/AWS::MediaTailor::Channel.HlsPlaylistSettings", + "markdownDescription": "HLS playlist configuration parameters.", + "title": "HlsPlaylistSettings" }, "ManifestName": { + "markdownDescription": "The name of the manifest for the channel. The name appears in the `PlaybackUrl` .", + "title": "ManifestName", "type": "string" }, "SourceGroup": { + "markdownDescription": "A string used to match which `HttpPackageConfiguration` is used for each `VodSource` .", + "title": "SourceGroup", "type": "string" } }, @@ -148188,9 +149198,13 @@ "additionalProperties": false, "properties": { "SourceLocationName": { + "markdownDescription": "The name of the source location where the slate VOD source is stored.", + "title": "SourceLocationName", "type": "string" }, "VodSourceName": { + "markdownDescription": "The slate VOD source name. The VOD source must already exist in a source location before it can be used for slate.", + "title": "VodSourceName", "type": "string" } }, @@ -148232,9 +149246,13 @@ "additionalProperties": false, "properties": { "ChannelName": { + "markdownDescription": "The name of the channel associated with this Channel Policy.", + "title": "ChannelName", "type": "string" }, "Policy": { + "markdownDescription": "The IAM policy for the channel. IAM policies are used to control access to your channel.", + "title": "Policy", "type": "object" } }, @@ -148304,18 +149322,26 @@ "items": { "$ref": "#/definitions/AWS::MediaTailor::LiveSource.HttpPackageConfiguration" }, + "markdownDescription": "The HTTP package configurations for the live source.", + "title": "HttpPackageConfigurations", "type": "array" }, "LiveSourceName": { + "markdownDescription": "The name that's used to refer to a live source.", + "title": "LiveSourceName", "type": "string" }, "SourceLocationName": { + "markdownDescription": "The name of the source location.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the live source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" } }, @@ -148351,12 +149377,18 @@ "additionalProperties": false, "properties": { "Path": { + "markdownDescription": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "title": "Path", "type": "string" }, "SourceGroup": { + "markdownDescription": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "title": "SourceGroup", "type": "string" }, "Type": { + "markdownDescription": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` .", + "title": "Type", "type": "string" } }, @@ -148403,23 +149435,23 @@ "additionalProperties": false, "properties": { "AdDecisionServerUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the ad decision server (ADS). This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing you can provide a static VAST URL. The maximum length is 25,000 characters.", "title": "AdDecisionServerUrl", "type": "string" }, "AvailSuppression": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.AvailSuppression", - "markdownDescription": "", + "markdownDescription": "The configuration for avail suppression, also known as ad suppression. For more information about ad suppression, see [Ad Suppression](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "title": "AvailSuppression" }, "Bumper": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.Bumper", - "markdownDescription": "", + "markdownDescription": "The configuration for bumpers. Bumpers are short audio or video clips that play at the start or before the end of an ad break. To learn more about bumpers, see [Bumpers](https://docs.aws.amazon.com/mediatailor/latest/ug/bumpers.html) .", "title": "Bumper" }, "CdnConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.CdnConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for using a content delivery network (CDN), like Amazon CloudFront, for content and ad segment management.", "title": "CdnConfiguration" }, "ConfigurationAliases": { @@ -148435,7 +149467,7 @@ }, "DashConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.DashConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for a DASH source.", "title": "DashConfiguration" }, "HlsConfiguration": { @@ -148445,26 +149477,26 @@ }, "LivePreRollConfiguration": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.LivePreRollConfiguration", - "markdownDescription": "", + "markdownDescription": "The configuration for pre-roll ad insertion.", "title": "LivePreRollConfiguration" }, "ManifestProcessingRules": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.ManifestProcessingRules", - "markdownDescription": "", + "markdownDescription": "The configuration for manifest processing rules. Manifest processing rules enable customization of the personalized manifests created by MediaTailor.", "title": "ManifestProcessingRules" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The identifier for the playback configuration.", "title": "Name", "type": "string" }, "PersonalizationThresholdSeconds": { - "markdownDescription": "", + "markdownDescription": "Defines the maximum duration of underfilled ad time (in seconds) allowed in an ad break. If the duration of underfilled ad time exceeds the personalization threshold, then the personalization of the ad break is abandoned and the underlying content is shown. This feature applies to *ad replacement* in live and VOD streams, rather than ad insertion, because it relies on an underlying content stream. For more information about ad break behavior, including ad replacement and insertion, see [Ad Behavior in AWS Elemental MediaTailor](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-behavior.html) .", "title": "PersonalizationThresholdSeconds", "type": "number" }, "SlateAdUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for a video asset to transcode and use to fill in time that's not used by ads. AWS Elemental MediaTailor shows the slate to fill in gaps in media content. Configuring the slate is optional for non-VPAID playback configurations. For VPAID, the slate is required because MediaTailor provides it in the slots designated for dynamic ad content. The slate must be a high-quality asset that contains both audio and video.", "title": "SlateAdUrl", "type": "string" }, @@ -148472,17 +149504,17 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "", + "markdownDescription": "The tags to assign to the playback configuration. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", "title": "Tags", "type": "array" }, "TranscodeProfileName": { - "markdownDescription": "", + "markdownDescription": "The name that is used to associate this playback configuration with a custom transcode profile. This overrides the dynamic transcoding defaults of MediaTailor. Use this only if you have already set up custom profiles with the help of AWS Support.", "title": "TranscodeProfileName", "type": "string" }, "VideoContentSourceUrl": { - "markdownDescription": "", + "markdownDescription": "The URL prefix for the parent manifest for the stream, minus the asset ID. The maximum length is 512 characters.", "title": "VideoContentSourceUrl", "type": "string" } @@ -148519,7 +149551,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "", + "markdownDescription": "Enables ad marker passthrough for your configuration.", "title": "Enabled", "type": "boolean" } @@ -148530,12 +149562,12 @@ "additionalProperties": false, "properties": { "Mode": { - "markdownDescription": "", + "markdownDescription": "Sets the ad suppression mode. By default, ad suppression is off and all ad breaks are filled with ads or slate. When Mode is set to `BEHIND_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks on or behind the ad suppression Value time in the manifest lookback window. When Mode is set to `AFTER_LIVE_EDGE` , ad suppression is active and MediaTailor won't fill ad breaks that are within the live edge plus the avail suppression value.", "title": "Mode", "type": "string" }, "Value": { - "markdownDescription": "", + "markdownDescription": "A live edge offset time in HH:MM:SS. MediaTailor won't fill ad breaks on or behind this time in the manifest lookback window. If Value is set to 00:00:00, it is in sync with the live edge, and MediaTailor won't fill any ad breaks on or behind the live edge. If you set a Value time, MediaTailor won't fill any ad breaks on or behind this time in the manifest lookback window. For example, if you set 00:45:00, then MediaTailor will fill ad breaks that occur within 45 minutes behind the live edge, but won't fill ad breaks on or behind 45 minutes behind the live edge.", "title": "Value", "type": "string" } @@ -148546,12 +149578,12 @@ "additionalProperties": false, "properties": { "EndUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the end bumper asset.", "title": "EndUrl", "type": "string" }, "StartUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the start bumper asset.", "title": "StartUrl", "type": "string" } @@ -148562,12 +149594,12 @@ "additionalProperties": false, "properties": { "AdSegmentUrlPrefix": { - "markdownDescription": "", + "markdownDescription": "A non-default content delivery network (CDN) to serve ad segments. By default, AWS Elemental MediaTailor uses Amazon CloudFront with default cache settings as its CDN for ad segments. To set up an alternate CDN, create a rule in your CDN for the origin ads.mediatailor. ** .amazonaws.com. Then specify the rule's name in this `AdSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for ad segments.", "title": "AdSegmentUrlPrefix", "type": "string" }, "ContentSegmentUrlPrefix": { - "markdownDescription": "", + "markdownDescription": "A content delivery network (CDN) to cache content segments, so that content requests don\u2019t always have to go to the origin server. First, create a rule in your CDN for the content segment origin server. Then specify the rule's name in this `ContentSegmentUrlPrefix` . When AWS Elemental MediaTailor serves a manifest, it reports your CDN as the source for content segments.", "title": "ContentSegmentUrlPrefix", "type": "string" } @@ -148610,12 +149642,12 @@ "additionalProperties": false, "properties": { "AdDecisionServerUrl": { - "markdownDescription": "", + "markdownDescription": "The URL for the ad decision server (ADS) for pre-roll ads. This includes the specification of static parameters and placeholders for dynamic parameters. AWS Elemental MediaTailor substitutes player-specific and session-specific parameters as needed when calling the ADS. Alternately, for testing, you can provide a static VAST URL. The maximum length is 25,000 characters.", "title": "AdDecisionServerUrl", "type": "string" }, "MaxDurationSeconds": { - "markdownDescription": "", + "markdownDescription": "The maximum allowed duration for the pre-roll ad avail. AWS Elemental MediaTailor won't play pre-roll ads to exceed this duration, regardless of the total duration of ads that the ADS returns.", "title": "MaxDurationSeconds", "type": "number" } @@ -148627,7 +149659,7 @@ "properties": { "AdMarkerPassthrough": { "$ref": "#/definitions/AWS::MediaTailor::PlaybackConfiguration.AdMarkerPassthrough", - "markdownDescription": "", + "markdownDescription": "For HLS, when set to `true` , MediaTailor passes through `EXT-X-CUE-IN` , `EXT-X-CUE-OUT` , and `EXT-X-SPLICEPOINT-SCTE35` ad markers from the origin manifest to the MediaTailor personalized manifest.\n\nNo logic is applied to these ad markers. For example, if `EXT-X-CUE-OUT` has a value of `60` , but no ads are filled for that ad break, MediaTailor will not set the value to `0` .", "title": "AdMarkerPassthrough" } }, @@ -148669,27 +149701,39 @@ "additionalProperties": false, "properties": { "AccessConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.AccessConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.AccessConfiguration", + "markdownDescription": "The access configuration for the source location.", + "title": "AccessConfiguration" }, "DefaultSegmentDeliveryConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.DefaultSegmentDeliveryConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.DefaultSegmentDeliveryConfiguration", + "markdownDescription": "The default segment delivery configuration.", + "title": "DefaultSegmentDeliveryConfiguration" }, "HttpConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.HttpConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.HttpConfiguration", + "markdownDescription": "The HTTP configuration for the source location.", + "title": "HttpConfiguration" }, "SegmentDeliveryConfigurations": { "items": { "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SegmentDeliveryConfiguration" }, + "markdownDescription": "The segment delivery configurations for the source location.", + "title": "SegmentDeliveryConfigurations", "type": "array" }, "SourceLocationName": { + "markdownDescription": "The name of the source location.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the source location. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" } }, @@ -148724,10 +149768,14 @@ "additionalProperties": false, "properties": { "AccessType": { + "markdownDescription": "The type of authentication used to access content from `HttpConfiguration::BaseUrl` on your source location. Accepted value: `S3_SIGV4` .\n\n`S3_SIGV4` - AWS Signature Version 4 authentication for Amazon S3 hosted virtual-style access. If your source location base URL is an Amazon S3 bucket, MediaTailor can use AWS Signature Version 4 (SigV4) authentication to access the bucket where your source content is stored. Your MediaTailor source location baseURL must follow the S3 virtual hosted-style request URL format. For example, https://bucket-name.s3.Region.amazonaws.com/key-name.\n\nBefore you can use `S3_SIGV4` , you must meet these requirements:\n\n\u2022 You must allow MediaTailor to access your S3 bucket by granting mediatailor.amazonaws.com principal access in IAM. For information about configuring access in IAM, see Access management in the IAM User Guide.\n\n\u2022 The mediatailor.amazonaws.com service principal must have permissions to read all top level manifests referenced by the VodSource packaging configurations.\n\n\u2022 The caller of the API must have s3:GetObject IAM permissions to read all top level manifests referenced by your MediaTailor VodSource packaging configurations.", + "title": "AccessType", "type": "string" }, "SecretsManagerAccessTokenConfiguration": { - "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SecretsManagerAccessTokenConfiguration" + "$ref": "#/definitions/AWS::MediaTailor::SourceLocation.SecretsManagerAccessTokenConfiguration", + "markdownDescription": "AWS Secrets Manager access token configuration parameters.", + "title": "SecretsManagerAccessTokenConfiguration" } }, "type": "object" @@ -148736,6 +149784,8 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The hostname of the server that will be used to serve segments. This string must include the protocol, such as *https://* .", + "title": "BaseUrl", "type": "string" } }, @@ -148745,6 +149795,8 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The base URL for the source location host server. This string must include the protocol, such as *https://* .", + "title": "BaseUrl", "type": "string" } }, @@ -148757,12 +149809,18 @@ "additionalProperties": false, "properties": { "HeaderName": { + "markdownDescription": "The name of the HTTP header used to supply the access token in requests to the source location.", + "title": "HeaderName", "type": "string" }, "SecretArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the access token.", + "title": "SecretArn", "type": "string" }, "SecretStringKey": { + "markdownDescription": "The AWS Secrets Manager [SecretString](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html#SecretsManager-CreateSecret-request-SecretString.html) key associated with the access token. MediaTailor uses the key to look up SecretString key and value pair containing the access token.", + "title": "SecretStringKey", "type": "string" } }, @@ -148772,9 +149830,13 @@ "additionalProperties": false, "properties": { "BaseUrl": { + "markdownDescription": "The base URL of the host or path of the segment delivery server that you're using to serve segments. This is typically a content delivery network (CDN). The URL can be absolute or relative. To use an absolute URL include the protocol, such as `https://example.com/some/path` . To use a relative URL specify the relative path, such as `/some/path*` .", + "title": "BaseUrl", "type": "string" }, "Name": { + "markdownDescription": "A unique identifier used to distinguish between multiple segment delivery configurations in a source location.", + "title": "Name", "type": "string" } }, @@ -148819,18 +149881,26 @@ "items": { "$ref": "#/definitions/AWS::MediaTailor::VodSource.HttpPackageConfiguration" }, + "markdownDescription": "The HTTP package configurations for the VOD source.", + "title": "HttpPackageConfigurations", "type": "array" }, "SourceLocationName": { + "markdownDescription": "The name of the source location that the VOD source is associated with.", + "title": "SourceLocationName", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags assigned to the VOD source. Tags are key-value pairs that you can associate with Amazon resources to help with organization, access control, and cost tracking. For more information, see [Tagging AWS Elemental MediaTailor Resources](https://docs.aws.amazon.com/mediatailor/latest/ug/tagging.html) .", + "title": "Tags", "type": "array" }, "VodSourceName": { + "markdownDescription": "The name of the VOD source.", + "title": "VodSourceName", "type": "string" } }, @@ -148866,12 +149936,18 @@ "additionalProperties": false, "properties": { "Path": { + "markdownDescription": "The relative path to the URL for this VOD source. This is combined with `SourceLocation::HttpConfiguration::BaseUrl` to form a valid URL.", + "title": "Path", "type": "string" }, "SourceGroup": { + "markdownDescription": "The name of the source group. This has to match one of the `Channel::Outputs::SourceGroup` .", + "title": "SourceGroup", "type": "string" }, "Type": { + "markdownDescription": "The streaming protocol for this package configuration. Supported values are `HLS` and `DASH` .", + "title": "Type", "type": "string" } }, @@ -149451,12 +150527,12 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The password(s) used for authentication", "title": "Passwords", "type": "array" }, "Type": { - "markdownDescription": "", + "markdownDescription": "Indicates whether the user requires a password to authenticate. All newly-created users require a password.", "title": "Type", "type": "string" } @@ -149540,6 +150616,8 @@ "type": "string" }, "DBPort": { + "markdownDescription": "The port number on which the DB instances in the DB cluster accept connections.\n\nIf not specified, the default port used is `8182` .\n\n> The `Port` property will soon be deprecated. Please update existing templates to use the new `DBPort` property that has the same functionality.", + "title": "DBPort", "type": "number" }, "DBSubnetGroupName": { @@ -149682,12 +150760,12 @@ "additionalProperties": false, "properties": { "MaxCapacity": { - "markdownDescription": "", + "markdownDescription": "The maximum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 40, 40.5, 41, and so on.", "title": "MaxCapacity", "type": "number" }, "MinCapacity": { - "markdownDescription": "", + "markdownDescription": "The minimum number of Neptune capacity units (NCUs) for a DB instance in a Neptune Serverless cluster. You can specify NCU values in half-step increments, such as 8, 8.5, 9, and so on.", "title": "MinCapacity", "type": "number" } @@ -150477,7 +151555,7 @@ "additionalProperties": false, "properties": { "RuleOrder": { - "markdownDescription": "Indicates how to manage the order of stateful rule evaluation for the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", + "markdownDescription": "Indicates how to manage the order of stateful rule evaluation for the policy. `STRICT_ORDER` is the default and recommended option. With `STRICT_ORDER` , provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose `STRICT_ORDER` to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is `PASS` , followed by `DROP` , `REJECT` , and `ALERT` actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on your settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide* .", "title": "RuleOrder", "type": "string" }, @@ -151061,7 +152139,7 @@ }, "StatefulRuleOptions": { "$ref": "#/definitions/AWS::NetworkFirewall::RuleGroup.StatefulRuleOptions", - "markdownDescription": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings.", + "markdownDescription": "Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings. Some limitations apply; for more information, see [Strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html) in the *AWS Network Firewall Developer Guide* .", "title": "StatefulRuleOptions" } }, @@ -151129,7 +152207,7 @@ "title": "RulesSourceList" }, "RulesString": { - "markdownDescription": "Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules. Suricata is an open-source network IPS that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.", + "markdownDescription": "Stateful inspection criteria, provided in Suricata compatible rules. Suricata is an open-source threat detection framework that includes a standard rule-based language for network traffic inspection.\n\nThese rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.\n\n> You can't use the `priority` keyword if the `RuleOrder` option in `StatefulRuleOptions` is set to `STRICT_ORDER` .", "title": "RulesString", "type": "string" }, @@ -151343,7 +152421,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::ConnectAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "Tags": { @@ -151461,7 +152539,7 @@ "properties": { "BgpOptions": { "$ref": "#/definitions/AWS::NetworkManager::ConnectPeer.BgpOptions", - "markdownDescription": "", + "markdownDescription": "Describes the BGP options.", "title": "BgpOptions" }, "ConnectAttachmentId": { @@ -151488,6 +152566,8 @@ "type": "string" }, "SubnetArn": { + "markdownDescription": "The subnet ARN of the Connect peer.", + "title": "SubnetArn", "type": "string" }, "Tags": { @@ -151857,7 +152937,7 @@ "properties": { "AWSLocation": { "$ref": "#/definitions/AWS::NetworkManager::Device.AWSLocation", - "markdownDescription": "", + "markdownDescription": "The AWS location of the device.", "title": "AWSLocation" }, "Description": { @@ -151939,12 +153019,12 @@ "additionalProperties": false, "properties": { "SubnetArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) of the subnet that the device is located in.", "title": "SubnetArn", "type": "string" }, "Zone": { - "markdownDescription": "", + "markdownDescription": "The Zone that the device is located in. Specify the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost.", "title": "Zone", "type": "string" } @@ -152008,6 +153088,8 @@ "additionalProperties": false, "properties": { "CreatedAt": { + "markdownDescription": "The date and time that the global network was created.", + "title": "CreatedAt", "type": "string" }, "Description": { @@ -152016,6 +153098,8 @@ "type": "string" }, "State": { + "markdownDescription": "The state of the global network.", + "title": "State", "type": "string" }, "Tags": { @@ -152394,7 +153478,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::SiteToSiteVpnAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "Tags": { @@ -152773,7 +153857,7 @@ }, "ProposedSegmentChange": { "$ref": "#/definitions/AWS::NetworkManager::VpcAttachment.ProposedSegmentChange", - "markdownDescription": "", + "markdownDescription": "Describes a proposed segment change. In some cases, the segment change must first be evaluated and accepted.", "title": "ProposedSegmentChange" }, "SubnetArns": { @@ -152992,7 +154076,7 @@ "additionalProperties": false, "properties": { "AutomaticTerminationMode": { - "markdownDescription": "", + "markdownDescription": "Indicates if a streaming session created from this launch profile should be terminated automatically or retained without termination after being in a `STOPPED` state.\n\n- When `ACTIVATED` , the streaming session is scheduled for termination after being in the `STOPPED` state for the time specified in `maxStoppedSessionLengthInMinutes` .\n- When `DEACTIVATED` , the streaming session can remain in the `STOPPED` state indefinitely.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` . When allowed, the default value for this parameter is `DEACTIVATED` .", "title": "AutomaticTerminationMode", "type": "string" }, @@ -153021,11 +154105,11 @@ }, "SessionBackup": { "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.StreamConfigurationSessionBackup", - "markdownDescription": "", + "markdownDescription": "Information about the streaming session backup.", "title": "SessionBackup" }, "SessionPersistenceMode": { - "markdownDescription": "", + "markdownDescription": "Determine if a streaming session created from this launch profile can configure persistent storage. This means that `volumeConfiguration` and `automaticTerminationMode` are configured.", "title": "SessionPersistenceMode", "type": "string" }, @@ -153044,7 +154128,7 @@ }, "VolumeConfiguration": { "$ref": "#/definitions/AWS::NimbleStudio::LaunchProfile.VolumeConfiguration", - "markdownDescription": "", + "markdownDescription": "Custom volume configuration for the root volumes that are attached to streaming sessions.\n\nThis parameter is only allowed when `sessionPersistenceMode` is `ACTIVATED` .", "title": "VolumeConfiguration" } }, @@ -153059,12 +154143,12 @@ "additionalProperties": false, "properties": { "MaxBackupsToRetain": { - "markdownDescription": "", + "markdownDescription": "The maximum number of backups that each streaming session created from this launch profile can have.", "title": "MaxBackupsToRetain", "type": "number" }, "Mode": { - "markdownDescription": "", + "markdownDescription": "Specifies how artists sessions are backed up.\n\nConfigures backups for streaming sessions launched with this launch profile. The default value is `DEACTIVATED` , which means that backups are deactivated. To allow backups, set this value to `AUTOMATIC` .", "title": "Mode", "type": "string" } @@ -153113,17 +154197,17 @@ "additionalProperties": false, "properties": { "Iops": { - "markdownDescription": "", + "markdownDescription": "The number of I/O operations per second for the root volume that is attached to streaming session.", "title": "Iops", "type": "number" }, "Size": { - "markdownDescription": "", + "markdownDescription": "The size of the root volume that is attached to the streaming session. The root volume size is measured in GiBs.", "title": "Size", "type": "number" }, "Throughput": { - "markdownDescription": "", + "markdownDescription": "The throughput to provision for the root volume that is attached to the streaming session. The throughput is measured in MiB/s.", "title": "Throughput", "type": "number" } @@ -153229,12 +154313,12 @@ "additionalProperties": false, "properties": { "KeyArn": { - "markdownDescription": "", + "markdownDescription": "The ARN for a KMS key that is used to encrypt studio data.", "title": "KeyArn", "type": "string" }, "KeyType": { - "markdownDescription": "", + "markdownDescription": "The type of KMS key that is used to encrypt studio data.", "title": "KeyType", "type": "string" } @@ -153766,7 +154850,7 @@ "additionalProperties": false, "properties": { "LogGroup": { - "markdownDescription": "", + "markdownDescription": "The name of the CloudWatch Logs group to send pipeline logs to. You can specify an existing log group or create a new one. For example, `/aws/OpenSearchService/IngestionService/my-pipeline` .", "title": "LogGroup", "type": "string" } @@ -153876,7 +154960,7 @@ "items": { "type": "string" }, - "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace` .", + "markdownDescription": "An array of strings that define which types of data that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric | AWS::Logs::LogGroup | AWS::XRay::Trace | AWS::ApplicationInsights::Application` .", "title": "ResourceTypes", "type": "array" }, @@ -154338,6 +155422,8 @@ "type": "number" }, "MaxGpus": { + "markdownDescription": "The maximum GPUs that can be used by a run group.", + "title": "MaxGpus", "type": "number" }, "MaxRuns": { @@ -154425,7 +155511,7 @@ "type": "string" }, "FallbackLocation": { - "markdownDescription": "", + "markdownDescription": "An S3 location that is used to store files that have failed a direct upload.", "title": "FallbackLocation", "type": "string" }, @@ -154659,6 +155745,8 @@ "additionalProperties": false, "properties": { "Accelerators": { + "markdownDescription": "", + "title": "Accelerators", "type": "string" }, "DefinitionUri": { @@ -154890,7 +155978,7 @@ "type": "array" }, "Type": { - "markdownDescription": "The type of collection. Possible values are `SEARCH` and `TIMESERIES` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) .", + "markdownDescription": "The type of collection. Possible values are `SEARCH` , `TIMESERIES` , and `VECTORSEARCH` . For more information, see [Choosing a collection type](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-overview.html#serverless-usecase) .", "title": "Type", "type": "string" } @@ -155987,7 +157075,7 @@ "type": "string" }, "Secure": { - "markdownDescription": "(Optional) Whether the variable's value is returned by the [DescribeApps](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeApps) action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", + "markdownDescription": "(Optional) Whether the variable's value is returned by the `DescribeApps` action. To hide an environment variable's value, set `Secure` to `true` . `DescribeApps` returns `*****FILTERED*****` instead of the actual value. The default value for `Secure` is `false` .", "title": "Secure", "type": "boolean" }, @@ -156169,7 +157257,7 @@ "additionalProperties": false, "properties": { "AgentVersion": { - "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.", + "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- `INHERIT` - Use the stack's default agent version setting.\n- *version_number* - Use the specified agent version. This value overrides the stack's default setting. To update the agent version, edit the instance configuration and specify a new version. AWS OpsWorks Stacks installs that version on the instance.\n\nThe default setting is `INHERIT` . To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.", "title": "AgentVersion", "type": "string" }, @@ -156220,7 +157308,7 @@ "type": "string" }, "InstallUpdatesOnBoot": { - "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", + "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> We strongly recommend using the default value of `true` to ensure that your instances have the latest security updates.", "title": "InstallUpdatesOnBoot", "type": "boolean" }, @@ -156238,7 +157326,7 @@ "type": "array" }, "Os": { - "markdownDescription": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the [CreateInstance](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateInstance) action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", + "markdownDescription": "The instance's operating system, which must be set to one of the following.\n\n- A supported Linux operating system: An Amazon Linux version, such as `Amazon Linux 2` , `Amazon Linux 2018.03` , `Amazon Linux 2017.09` , `Amazon Linux 2017.03` , `Amazon Linux 2016.09` , `Amazon Linux 2016.03` , `Amazon Linux 2015.09` , or `Amazon Linux 2015.03` .\n- A supported Ubuntu operating system, such as `Ubuntu 18.04 LTS` , `Ubuntu 16.04 LTS` , `Ubuntu 14.04 LTS` , or `Ubuntu 12.04 LTS` .\n- `CentOS Linux 7`\n- `Red Hat Enterprise Linux 7`\n- A supported Windows operating system, such as `Microsoft Windows Server 2012 R2 Base` , `Microsoft Windows Server 2012 R2 with SQL Server Express` , `Microsoft Windows Server 2012 R2 with SQL Server Standard` , or `Microsoft Windows Server 2012 R2 with SQL Server Web` .\n- A custom AMI: `Custom` .\n\nNot all operating systems are supported with all versions of Chef. For more information about the supported operating systems, see [AWS OpsWorks Stacks Operating Systems](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-os.html) .\n\nThe default option is the current Amazon Linux version. If you set this parameter to `Custom` , you must use the `CreateInstance` action's AmiId parameter to specify the custom AMI that you want to use. Block device mappings are not supported if the value is `Custom` . For more information about how to use custom AMIs with AWS OpsWorks Stacks, see [Using Custom AMIs](https://docs.aws.amazon.com/opsworks/latest/userguide/workinginstances-custom-ami.html) .", "title": "Os", "type": "string" }, @@ -156539,7 +157627,7 @@ "type": "boolean" }, "InstallUpdatesOnBoot": { - "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using [CreateDeployment](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/CreateDeployment) to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", + "markdownDescription": "Whether to install operating system and package updates when the instance boots. The default value is `true` . To control when updates are installed, set this value to `false` . You must then update your instances manually by using `CreateDeployment` to run the `update_dependencies` stack command or by manually running `yum` (Amazon Linux) or `apt-get` (Ubuntu) on the instances.\n\n> To ensure that your instances have the latest security updates, we strongly recommend using the default value of `true` .", "title": "InstallUpdatesOnBoot", "type": "boolean" }, @@ -156842,7 +157930,7 @@ "additionalProperties": false, "properties": { "AgentVersion": { - "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call [DescribeAgentVersions](https://docs.aws.amazon.com/goto/WebAPI/opsworks-2013-02-18/DescribeAgentVersions) . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", + "markdownDescription": "The default AWS OpsWorks Stacks agent version. You have the following options:\n\n- Auto-update - Set this parameter to `LATEST` . AWS OpsWorks Stacks automatically installs new agent versions on the stack's instances as soon as they are available.\n- Fixed version - Set this parameter to your preferred agent version. To update the agent version, you must edit the stack configuration and specify a new version. AWS OpsWorks Stacks installs that version on the stack's instances.\n\nThe default setting is the most recent release of the agent. To specify an agent version, you must use the complete version number, not the abbreviated number shown on the console. For a list of available agent version numbers, call `DescribeAgentVersions` . AgentVersion cannot be set to Chef 12.2.\n\n> You can also specify an agent version when you create or update an instance, which overrides the stack's default setting.", "title": "AgentVersion", "type": "string" }, @@ -157537,7 +158625,7 @@ "type": "array" }, "RoleName": { - "markdownDescription": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Accessing and Administering the Member Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [Tutorial: Delegate Access Across AWS accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", + "markdownDescription": "The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole` .\n\nFor more information about how to use this role to access the member account, see the following links:\n\n- [Creating the OrganizationAccountAccessRole in an invited member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*\n- Steps 2 and 3 in [IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-", "title": "RoleName", "type": "string" }, @@ -157613,7 +158701,7 @@ "additionalProperties": false, "properties": { "FeatureSet": { - "markdownDescription": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide.*\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` .", + "markdownDescription": "Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n\n- `ALL` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the `FeatureSet` property to `ALL` , the new organization is created with all features enabled and service control policies automatically enabled in the [root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root) . For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide* .\n- `CONSOLIDATED_BILLING` All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide* .\n\nThe consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.\n\nFeature set `ALL` provides the following advanced features:\n\n- Apply any [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) to any member account in the organization.\n- Apply [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization.\n- Enable [integration with supported AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) to let those services provide functionality across all of the accounts in your organization.\n\nIf you don't specify this property, the default value is `ALL` .", "title": "FeatureSet", "type": "string" } @@ -157932,22 +159020,30 @@ "additionalProperties": false, "properties": { "CertificateAuthorityArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the certificate authority being used.", + "title": "CertificateAuthorityArn", "type": "string" }, "DirectoryId": { + "markdownDescription": "The identifier of the Active Directory.", + "title": "DirectoryId", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a connector consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" }, "VpcInformation": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Connector.VpcInformation" + "$ref": "#/definitions/AWS::PCAConnectorAD::Connector.VpcInformation", + "markdownDescription": "Information of the VPC and security group(s) used with the connector.", + "title": "VpcInformation" } }, "required": [ @@ -157985,6 +159081,8 @@ "items": { "type": "string" }, + "markdownDescription": "The security groups used with the connector. You can use a maximum of 4 security groups with a connector.", + "title": "SecurityGroupIds", "type": "array" } }, @@ -158029,15 +159127,19 @@ "additionalProperties": false, "properties": { "DirectoryId": { + "markdownDescription": "The identifier of the Active Directory.", + "title": "DirectoryId", "type": "string" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a directory registration consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, @@ -158103,9 +159205,13 @@ "additionalProperties": false, "properties": { "ConnectorArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector.html](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "title": "ConnectorArn", "type": "string" }, "DirectoryRegistrationArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateDirectoryRegistration](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateDirectoryRegistration.html) .", + "title": "DirectoryRegistrationArn", "type": "string" } }, @@ -158167,24 +159273,34 @@ "additionalProperties": false, "properties": { "ConnectorArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateConnector](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateConnector.html) .", + "title": "ConnectorArn", "type": "string" }, "Definition": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateDefinition" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateDefinition", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "Definition" }, "Name": { + "markdownDescription": "Name of the templates. Template names must be unique.", + "title": "Name", "type": "string" }, "ReenrollAllCertificateHolders": { + "markdownDescription": "This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.", + "title": "ReenrollAllCertificateHolders", "type": "boolean" }, "Tags": { "additionalProperties": true, + "markdownDescription": "Metadata assigned to a template consisting of a key-value pair.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "Tags", "type": "object" } }, @@ -158220,12 +159336,16 @@ "additionalProperties": false, "properties": { "Critical": { + "markdownDescription": "Marks the application policy extension as critical.", + "title": "Critical", "type": "boolean" }, "Policies": { "items": { "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicy" }, + "markdownDescription": "Application policies describe what the certificate can be used for.", + "title": "Policies", "type": "array" } }, @@ -158238,9 +159358,13 @@ "additionalProperties": false, "properties": { "PolicyObjectIdentifier": { + "markdownDescription": "The object identifier (OID) of an application policy.", + "title": "PolicyObjectIdentifier", "type": "string" }, "PolicyType": { + "markdownDescription": "The type of application policy", + "title": "PolicyType", "type": "string" } }, @@ -158250,10 +159374,14 @@ "additionalProperties": false, "properties": { "RenewalPeriod": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod", + "markdownDescription": "Renewal period is the period of time before certificate expiration when a new certificate will be requested.", + "title": "RenewalPeriod" }, "ValidityPeriod": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ValidityPeriod", + "markdownDescription": "Information describing the end of the validity period of the certificate. This parameter sets the \u201cNot After\u201d date for the certificate. Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280. This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.", + "title": "ValidityPeriod" } }, "required": [ @@ -158266,18 +159394,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, @@ -158287,18 +159425,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, @@ -158308,18 +159456,28 @@ "additionalProperties": false, "properties": { "EnableKeyReuseOnNtTokenKeysetStorageFull": { + "markdownDescription": "Allow renewal using the same key.", + "title": "EnableKeyReuseOnNtTokenKeysetStorageFull", "type": "boolean" }, "IncludeSymmetricAlgorithms": { + "markdownDescription": "Include symmetric algorithms allowed by the subject.", + "title": "IncludeSymmetricAlgorithms", "type": "boolean" }, "NoSecurityExtension": { + "markdownDescription": "This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability.", + "title": "NoSecurityExtension", "type": "boolean" }, "RemoveInvalidCertificateFromPersonalStore": { + "markdownDescription": "Delete expired or revoked certificates instead of archiving them.", + "title": "RemoveInvalidCertificateFromPersonalStore", "type": "boolean" }, "UserInteractionRequired": { + "markdownDescription": "Require user interaction when the subject is enrolled and the private key associated with the certificate is used.", + "title": "UserInteractionRequired", "type": "boolean" } }, @@ -158329,10 +159487,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158344,10 +159506,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158359,10 +159525,14 @@ "additionalProperties": false, "properties": { "ApplicationPolicies": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ApplicationPolicies", + "markdownDescription": "Application policies specify what the certificate is used for and its purpose.", + "title": "ApplicationPolicies" }, "KeyUsage": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsage", + "markdownDescription": "The key usage extension defines the purpose (e.g., encipherment, signature) of the key contained in the certificate.", + "title": "KeyUsage" } }, "required": [ @@ -158374,9 +159544,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users.", + "title": "MachineType", "type": "boolean" } }, @@ -158386,9 +159560,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users", + "title": "MachineType", "type": "boolean" } }, @@ -158398,9 +159576,13 @@ "additionalProperties": false, "properties": { "AutoEnrollment": { + "markdownDescription": "Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment.", + "title": "AutoEnrollment", "type": "boolean" }, "MachineType": { + "markdownDescription": "Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users", + "title": "MachineType", "type": "boolean" } }, @@ -158410,10 +159592,14 @@ "additionalProperties": false, "properties": { "Critical": { + "markdownDescription": "Sets the key usage extension to critical.", + "title": "Critical", "type": "boolean" }, "UsageFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageFlags" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageFlags", + "markdownDescription": "The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate.", + "title": "UsageFlags" } }, "required": [ @@ -158425,18 +159611,28 @@ "additionalProperties": false, "properties": { "DataEncipherment": { + "markdownDescription": "DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.", + "title": "DataEncipherment", "type": "boolean" }, "DigitalSignature": { + "markdownDescription": "The digitalSignature is asserted when the subject public key is used for verifying digital signatures.", + "title": "DigitalSignature", "type": "boolean" }, "KeyAgreement": { + "markdownDescription": "KeyAgreement is asserted when the subject public key is used for key agreement.", + "title": "KeyAgreement", "type": "boolean" }, "KeyEncipherment": { + "markdownDescription": "KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport.", + "title": "KeyEncipherment", "type": "boolean" }, "NonRepudiation": { + "markdownDescription": "NonRepudiation is asserted when the subject public key is used to verify digital signatures.", + "title": "NonRepudiation", "type": "boolean" } }, @@ -158446,9 +159642,13 @@ "additionalProperties": false, "properties": { "PropertyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsagePropertyFlags" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsagePropertyFlags", + "markdownDescription": "You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both.", + "title": "PropertyFlags" }, "PropertyType": { + "markdownDescription": "You can specify all key usages using property type ALL. You can use property type or property flags but not both.", + "title": "PropertyType", "type": "string" } }, @@ -158458,12 +159658,18 @@ "additionalProperties": false, "properties": { "Decrypt": { + "markdownDescription": "Allows key for encryption and decryption.", + "title": "Decrypt", "type": "boolean" }, "KeyAgreement": { + "markdownDescription": "Allows key exchange without encryption.", + "title": "KeyAgreement", "type": "boolean" }, "Sign": { + "markdownDescription": "Allow key use for digital signature.", + "title": "Sign", "type": "boolean" } }, @@ -158476,12 +159682,18 @@ "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, @@ -158495,21 +159707,31 @@ "additionalProperties": false, "properties": { "Algorithm": { + "markdownDescription": "Defines the algorithm used to generate the private key.", + "title": "Algorithm", "type": "string" }, "CryptoProviders": { "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "KeyUsageProperty": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty", + "markdownDescription": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "title": "KeyUsageProperty" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, @@ -158525,21 +159747,31 @@ "additionalProperties": false, "properties": { "Algorithm": { + "markdownDescription": "Defines the algorithm used to generate the private key.", + "title": "Algorithm", "type": "string" }, "CryptoProviders": { "items": { "type": "string" }, + "markdownDescription": "Defines the cryptographic providers used to generate the private key.", + "title": "CryptoProviders", "type": "array" }, "KeySpec": { + "markdownDescription": "Defines the purpose of the private key. Set it to \"KEY_EXCHANGE\" or \"SIGNATURE\" value.", + "title": "KeySpec", "type": "string" }, "KeyUsageProperty": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.KeyUsageProperty", + "markdownDescription": "The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL.", + "title": "KeyUsageProperty" }, "MinimalKeyLength": { + "markdownDescription": "Set the minimum key length of the private key.", + "title": "MinimalKeyLength", "type": "number" } }, @@ -158553,12 +159785,18 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Require user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" } }, @@ -158571,15 +159809,23 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "RequireAlternateSignatureAlgorithm": { + "markdownDescription": "Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "title": "RequireAlternateSignatureAlgorithm", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Requirer user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" } }, @@ -158592,21 +159838,33 @@ "additionalProperties": false, "properties": { "ClientVersion": { + "markdownDescription": "Defines the minimum client compatibility.", + "title": "ClientVersion", "type": "string" }, "ExportableKey": { + "markdownDescription": "Allows the private key to be exported.", + "title": "ExportableKey", "type": "boolean" }, "RequireAlternateSignatureAlgorithm": { + "markdownDescription": "Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.", + "title": "RequireAlternateSignatureAlgorithm", "type": "boolean" }, "RequireSameKeyRenewal": { + "markdownDescription": "Renew certificate using the same private key.", + "title": "RequireSameKeyRenewal", "type": "boolean" }, "StrongKeyProtectionRequired": { + "markdownDescription": "Require user input when using the private key for enrollment.", + "title": "StrongKeyProtectionRequired", "type": "boolean" }, "UseLegacyProvider": { + "markdownDescription": "Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers.", + "title": "UseLegacyProvider", "type": "boolean" } }, @@ -158619,33 +159877,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, @@ -158655,33 +159933,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, @@ -158691,33 +159989,53 @@ "additionalProperties": false, "properties": { "RequireCommonName": { + "markdownDescription": "Include the common name in the subject name.", + "title": "RequireCommonName", "type": "boolean" }, "RequireDirectoryPath": { + "markdownDescription": "Include the directory path in the subject name.", + "title": "RequireDirectoryPath", "type": "boolean" }, "RequireDnsAsCn": { + "markdownDescription": "Include the DNS as common name in the subject name.", + "title": "RequireDnsAsCn", "type": "boolean" }, "RequireEmail": { + "markdownDescription": "Include the subject's email in the subject name.", + "title": "RequireEmail", "type": "boolean" }, "SanRequireDirectoryGuid": { + "markdownDescription": "Include the globally unique identifier (GUID) in the subject alternate name.", + "title": "SanRequireDirectoryGuid", "type": "boolean" }, "SanRequireDns": { + "markdownDescription": "Include the DNS in the subject alternate name.", + "title": "SanRequireDns", "type": "boolean" }, "SanRequireDomainDns": { + "markdownDescription": "Include the domain DNS in the subject alternate name.", + "title": "SanRequireDomainDns", "type": "boolean" }, "SanRequireEmail": { + "markdownDescription": "Include the subject's email in the subject alternate name.", + "title": "SanRequireEmail", "type": "boolean" }, "SanRequireSpn": { + "markdownDescription": "Include the service principal name (SPN) in the subject alternate name.", + "title": "SanRequireSpn", "type": "boolean" }, "SanRequireUpn": { + "markdownDescription": "Include the user principal name (UPN) in the subject alternate name.", + "title": "SanRequireUpn", "type": "boolean" } }, @@ -158727,13 +160045,19 @@ "additionalProperties": false, "properties": { "TemplateV2": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV2", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV2" }, "TemplateV3": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV3", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV3" }, "TemplateV4": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.TemplateV4", + "markdownDescription": "Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings.", + "title": "TemplateV4" } }, "type": "object" @@ -158742,30 +160066,46 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV2", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV2", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV2", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV2", + "markdownDescription": "Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV2", + "markdownDescription": "Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV2" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV2", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, @@ -158784,33 +160124,51 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV3", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV3", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV3", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "HashAlgorithm": { + "markdownDescription": "Specifies the hash algorithm used to hash the private key.", + "title": "HashAlgorithm", "type": "string" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV3", + "markdownDescription": "Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV3", + "markdownDescription": "Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV3" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV3", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, @@ -158830,33 +160188,51 @@ "additionalProperties": false, "properties": { "CertificateValidity": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.CertificateValidity", + "markdownDescription": "Certificate validity describes the validity and renewal periods of a certificate.", + "title": "CertificateValidity" }, "EnrollmentFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.EnrollmentFlagsV4", + "markdownDescription": "Enrollment flags describe the enrollment settings for certificates using the existing private key and deleting expired or revoked certificates.", + "title": "EnrollmentFlags" }, "Extensions": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.ExtensionsV4", + "markdownDescription": "Extensions describe the key usage extensions and application policies for a template.", + "title": "Extensions" }, "GeneralFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.GeneralFlagsV4", + "markdownDescription": "General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment.", + "title": "GeneralFlags" }, "HashAlgorithm": { + "markdownDescription": "Specifies the hash algorithm used to hash the private key. Hash algorithm can only be specified when using Key Storage Providers.", + "title": "HashAlgorithm", "type": "string" }, "PrivateKeyAttributes": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyAttributesV4", + "markdownDescription": "Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags.", + "title": "PrivateKeyAttributes" }, "PrivateKeyFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.PrivateKeyFlagsV4", + "markdownDescription": "Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if certificates are renewed using the same private key.", + "title": "PrivateKeyFlags" }, "SubjectNameFlags": { - "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV4" + "$ref": "#/definitions/AWS::PCAConnectorAD::Template.SubjectNameFlagsV4", + "markdownDescription": "Subject name flags describe the subject name and subject alternate name that is included in a certificate.", + "title": "SubjectNameFlags" }, "SupersededTemplates": { "items": { "type": "string" }, + "markdownDescription": "List of templates in Active Directory that are superseded by this template.", + "title": "SupersededTemplates", "type": "array" } }, @@ -158875,9 +160251,13 @@ "additionalProperties": false, "properties": { "Period": { + "markdownDescription": "The numeric value for the validity period.", + "title": "Period", "type": "number" }, "PeriodType": { + "markdownDescription": "The unit of time. You can select hours, days, weeks, months, and years.", + "title": "PeriodType", "type": "string" } }, @@ -158923,15 +160303,23 @@ "additionalProperties": false, "properties": { "AccessRights": { - "$ref": "#/definitions/AWS::PCAConnectorAD::TemplateGroupAccessControlEntry.AccessRights" + "$ref": "#/definitions/AWS::PCAConnectorAD::TemplateGroupAccessControlEntry.AccessRights", + "markdownDescription": "Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template.", + "title": "AccessRights" }, "GroupDisplayName": { + "markdownDescription": "Name of the Active Directory group. This name does not need to match the group name in Active Directory.", + "title": "GroupDisplayName", "type": "string" }, "GroupSecurityIdentifier": { + "markdownDescription": "Security identifier (SID) of the group object from Active Directory. The SID starts with \"S-\".", + "title": "GroupSecurityIdentifier", "type": "string" }, "TemplateArn": { + "markdownDescription": "The Amazon Resource Name (ARN) that was returned when you called [CreateTemplate](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API_CreateTemplate.html) .", + "title": "TemplateArn", "type": "string" } }, @@ -158966,9 +160354,13 @@ "additionalProperties": false, "properties": { "AutoEnroll": { + "markdownDescription": "Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment", + "title": "AutoEnroll", "type": "string" }, "Enroll": { + "markdownDescription": "Allow or deny an Active Directory group from enrolling certificates issued against a template.", + "title": "Enroll", "type": "string" } }, @@ -159144,7 +160536,7 @@ }, "StorageLocation": { "$ref": "#/definitions/AWS::Panorama::Package.StorageLocation", - "markdownDescription": "", + "markdownDescription": "A storage location.", "title": "StorageLocation" }, "Tags": { @@ -159186,27 +160578,27 @@ "additionalProperties": false, "properties": { "BinaryPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's binary prefix.", "title": "BinaryPrefixLocation", "type": "string" }, "Bucket": { - "markdownDescription": "", + "markdownDescription": "The location's bucket.", "title": "Bucket", "type": "string" }, "GeneratedPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's generated prefix.", "title": "GeneratedPrefixLocation", "type": "string" }, "ManifestPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's manifest prefix.", "title": "ManifestPrefixLocation", "type": "string" }, "RepoPrefixLocation": { - "markdownDescription": "", + "markdownDescription": "The location's repo prefix.", "title": "RepoPrefixLocation", "type": "string" } @@ -159349,7 +160741,7 @@ }, "DatasetImportJob": { "$ref": "#/definitions/AWS::Personalize::Dataset.DatasetImportJob", - "markdownDescription": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset.", + "markdownDescription": "Describes a job that imports training data from a data source (Amazon S3 bucket) to an Amazon Personalize dataset. If you specify a dataset import job as part of a dataset, all dataset import job fields are required.", "title": "DatasetImportJob" }, "DatasetType": { @@ -159401,7 +160793,7 @@ "additionalProperties": false, "properties": { "DataLocation": { - "markdownDescription": "", + "markdownDescription": "The path to the Amazon S3 bucket where the data that you want to upload to your dataset is stored. For example:\n\n`s3://bucket-name/folder-name/`", "title": "DataLocation", "type": "string" } @@ -159490,7 +160882,7 @@ "type": "string" }, "RoleArn": { - "markdownDescription": "The ARN of the IAM role that has permissions to create the dataset group.", + "markdownDescription": "The ARN of the AWS Identity and Access Management (IAM) role that has permissions to access the AWS Key Management Service (KMS) key. Supplying an IAM role is only valid when also specifying a KMS key.", "title": "RoleArn", "type": "string" } @@ -159704,7 +161096,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.CategoricalHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of a categorical hyperparameter.", "title": "CategoricalHyperParameterRanges", "type": "array" }, @@ -159712,7 +161104,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.ContinuousHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of a continuous hyperparameter.", "title": "ContinuousHyperParameterRanges", "type": "array" }, @@ -159720,7 +161112,7 @@ "items": { "$ref": "#/definitions/AWS::Personalize::Solution.IntegerHyperParameterRange" }, - "markdownDescription": "", + "markdownDescription": "Provides the name and range of an integer-valued hyperparameter.", "title": "IntegerHyperParameterRanges", "type": "array" } @@ -159731,7 +161123,7 @@ "additionalProperties": false, "properties": { "MetricName": { - "markdownDescription": "", + "markdownDescription": "The metric to optimize.", "title": "MetricName", "type": "string" }, @@ -159739,7 +161131,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The list of candidate recipes.", "title": "RecipeList", "type": "array" } @@ -159750,7 +161142,7 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" }, @@ -159758,7 +161150,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of the categories for the hyperparameter.", "title": "Values", "type": "array" } @@ -159769,17 +161161,17 @@ "additionalProperties": false, "properties": { "MaxValue": { - "markdownDescription": "", + "markdownDescription": "The maximum allowable value for the hyperparameter.", "title": "MaxValue", "type": "number" }, "MinValue": { - "markdownDescription": "", + "markdownDescription": "The minimum allowable value for the hyperparameter.", "title": "MinValue", "type": "number" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" } @@ -159791,17 +161183,17 @@ "properties": { "AlgorithmHyperParameterRanges": { "$ref": "#/definitions/AWS::Personalize::Solution.AlgorithmHyperParameterRanges", - "markdownDescription": "", + "markdownDescription": "The hyperparameters and their allowable ranges.", "title": "AlgorithmHyperParameterRanges" }, "HpoObjective": { "$ref": "#/definitions/AWS::Personalize::Solution.HpoObjective", - "markdownDescription": "", + "markdownDescription": "The metric to optimize during HPO.\n\n> Amazon Personalize doesn't support configuring the `hpoObjective` at this time.", "title": "HpoObjective" }, "HpoResourceConfig": { "$ref": "#/definitions/AWS::Personalize::Solution.HpoResourceConfig", - "markdownDescription": "", + "markdownDescription": "Describes the resource configuration for HPO.", "title": "HpoResourceConfig" } }, @@ -159811,17 +161203,17 @@ "additionalProperties": false, "properties": { "MetricName": { - "markdownDescription": "", + "markdownDescription": "The name of the metric.", "title": "MetricName", "type": "string" }, "MetricRegex": { - "markdownDescription": "", + "markdownDescription": "A regular expression for finding the metric in the training job logs.", "title": "MetricRegex", "type": "string" }, "Type": { - "markdownDescription": "", + "markdownDescription": "The type of the metric. Valid values are `Maximize` and `Minimize` .", "title": "Type", "type": "string" } @@ -159832,12 +161224,12 @@ "additionalProperties": false, "properties": { "MaxNumberOfTrainingJobs": { - "markdownDescription": "", + "markdownDescription": "The maximum number of training jobs when you create a solution version. The maximum value for `maxNumberOfTrainingJobs` is `40` .", "title": "MaxNumberOfTrainingJobs", "type": "string" }, "MaxParallelTrainingJobs": { - "markdownDescription": "", + "markdownDescription": "The maximum number of parallel training jobs when you create a solution version. The maximum value for `maxParallelTrainingJobs` is `10` .", "title": "MaxParallelTrainingJobs", "type": "string" } @@ -159848,17 +161240,17 @@ "additionalProperties": false, "properties": { "MaxValue": { - "markdownDescription": "", + "markdownDescription": "The maximum allowable value for the hyperparameter.", "title": "MaxValue", "type": "number" }, "MinValue": { - "markdownDescription": "", + "markdownDescription": "The minimum allowable value for the hyperparameter.", "title": "MinValue", "type": "number" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the hyperparameter.", "title": "Name", "type": "string" } @@ -159870,7 +161262,7 @@ "properties": { "AlgorithmHyperParameters": { "additionalProperties": true, - "markdownDescription": "Lists the hyperparameter names and ranges.", + "markdownDescription": "Lists the algorithm hyperparameters and their values.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -160538,7 +161930,7 @@ "title": "CampaignHook" }, "CloudWatchMetricsEnabled": { - "markdownDescription": "Specifies whether to enable application-related alarms in Amazon CloudWatch.", + "markdownDescription": "", "title": "CloudWatchMetricsEnabled", "type": "boolean" }, @@ -160810,7 +162202,7 @@ }, "MessageConfiguration": { "$ref": "#/definitions/AWS::Pinpoint::Campaign.MessageConfiguration", - "markdownDescription": "The message configuration settings for the campaign.", + "markdownDescription": "The message configuration settings for the treatment.", "title": "MessageConfiguration" }, "Name": { @@ -160825,7 +162217,7 @@ }, "Schedule": { "$ref": "#/definitions/AWS::Pinpoint::Campaign.Schedule", - "markdownDescription": "The schedule settings for the campaign.", + "markdownDescription": "The schedule settings for the treatment.", "title": "Schedule" }, "SegmentId": { @@ -160849,12 +162241,12 @@ "title": "TemplateConfiguration" }, "TreatmentDescription": { - "markdownDescription": "A custom description of the default treatment for the campaign.", + "markdownDescription": "A custom description of the treatment.", "title": "TreatmentDescription", "type": "string" }, "TreatmentName": { - "markdownDescription": "A custom name of the default treatment for the campaign, if the campaign has multiple treatments. A *treatment* is a variation of a campaign that's used for A/B testing.", + "markdownDescription": "A custom name for the treatment.", "title": "TreatmentName", "type": "string" } @@ -160892,16 +162284,12 @@ "additionalProperties": false, "properties": { "AttributeType": { - "markdownDescription": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "title": "AttributeType", "type": "string" }, "Values": { "items": { "type": "string" }, - "markdownDescription": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values.", - "title": "Values", "type": "array" } }, @@ -161373,13 +162761,9 @@ "additionalProperties": false, "properties": { "ComparisonOperator": { - "markdownDescription": "The operator to use when comparing metric values. Valid values are: `GREATER_THAN` , `LESS_THAN` , `GREATER_THAN_OR_EQUAL` , `LESS_THAN_OR_EQUAL` , and `EQUAL` .", - "title": "ComparisonOperator", "type": "string" }, "Value": { - "markdownDescription": "The value to compare.", - "title": "Value", "type": "number" } }, @@ -162240,7 +163624,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the message template.", + "markdownDescription": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", "title": "TemplateName", "type": "string" } @@ -162508,7 +163892,7 @@ }, "Dimensions": { "$ref": "#/definitions/AWS::Pinpoint::Segment.SegmentDimensions", - "markdownDescription": "The criteria that define the dimensions for the segment.", + "markdownDescription": "An array that defines the dimensions for the segment.", "title": "Dimensions" }, "Name": { @@ -162558,16 +163942,12 @@ "additionalProperties": false, "properties": { "AttributeType": { - "markdownDescription": "The type of segment dimension to use. Valid values are:\n\n- `INCLUSIVE` \u2013 endpoints that have attributes matching the values are included in the segment.\n- `EXCLUSIVE` \u2013 endpoints that have attributes matching the values are excluded from the segment.\n- `CONTAINS` \u2013 endpoints that have attributes' substrings match the values are included in the segment.\n- `BEFORE` \u2013 endpoints with attributes read as ISO_INSTANT datetimes before the value are included in the segment.\n- `AFTER` \u2013 endpoints with attributes read as ISO_INSTANT datetimes after the value are included in the segment.\n- `BETWEEN` \u2013 endpoints with attributes read as ISO_INSTANT datetimes between the values are included in the segment.\n- `ON` \u2013 endpoints with attributes read as ISO_INSTANT dates on the value are included in the segment. Time is ignored in this comparison.", - "title": "AttributeType", "type": "string" }, "Values": { "items": { "type": "string" }, - "markdownDescription": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values.", - "title": "Values", "type": "array" } }, @@ -162877,7 +164257,7 @@ "type": "string" }, "TemplateName": { - "markdownDescription": "The name of the message template.", + "markdownDescription": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", "title": "TemplateName", "type": "string" } @@ -163842,7 +165222,7 @@ "additionalProperties": false, "properties": { "Arn": { - "markdownDescription": "The ARN of the Amazon SQS queue specified as the target for the dead-letter queue.", + "markdownDescription": "The ARN of the specified target for the dead-letter queue.\n\nFor Amazon Kinesis stream and Amazon DynamoDB stream sources, specify either an Amazon SNS topic or Amazon SQS queue ARN.", "title": "Arn", "type": "string" } @@ -164365,7 +165745,7 @@ }, "SelfManagedKafkaParameters": { "$ref": "#/definitions/AWS::Pipes::Pipe.PipeSourceSelfManagedKafkaParameters", - "markdownDescription": "The parameters for using a self-managed Apache Kafka stream as a source.", + "markdownDescription": "The parameters for using a stream as a source.", "title": "SelfManagedKafkaParameters" }, "SqsQueueParameters": { @@ -165031,12 +166411,12 @@ "additionalProperties": false, "properties": { "CodebuildRoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of an IAM service role in the environment account. AWS Proton uses this role to provision infrastructure resources using CodeBuild-based provisioning in the associated environment account.", + "markdownDescription": "The Amazon Resource Name (ARN) of an service role in the environment account. uses this role to provision infrastructure resources using CodeBuild-based provisioning in the associated environment account.", "title": "CodebuildRoleArn", "type": "string" }, "ComponentRoleArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the IAM service role that AWS Proton uses when provisioning directly defined components in the associated environment account. It determines the scope of infrastructure that a component can provision in the account.\n\nThe environment account connection must have a `componentRoleArn` to allow directly defined components to be associated with any environments running in the account.\n\nFor more information about components, see [AWS Proton components](https://docs.aws.amazon.com/proton/latest/userguide/ag-components.html) in the *AWS Proton User Guide* .", + "markdownDescription": "The Amazon Resource Name (ARN) of the service role that uses when provisioning directly defined components in the associated environment account. It determines the scope of infrastructure that a component can provision in the account.\n\nThe environment account connection must have a `componentRoleArn` to allow directly defined components to be associated with any environments running in the account.", "title": "ComponentRoleArn", "type": "string" }, @@ -165064,7 +166444,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An optional list of metadata items that you can associate with the AWS Proton environment account connection. A tag is a key-value pair.\n\nFor more information, see [AWS Proton resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *AWS Proton User Guide* .", + "markdownDescription": "An optional list of metadata items that you can associate with the environment account connection. A tag is a key-value pair.\n\nFor more information, see [resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *User Guide* .", "title": "Tags", "type": "array" } @@ -165155,7 +166535,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "An optional list of metadata items that you can associate with the AWS Proton environment template. A tag is a key-value pair.\n\nFor more information, see [AWS Proton resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *AWS Proton User Guide* .", + "markdownDescription": "An optional list of metadata items that you can associate with the environment template. A tag is a key-value pair.\n\nFor more information, see [resources and tagging](https://docs.aws.amazon.com/proton/latest/userguide/resources.html) in the *User Guide* .", "title": "Tags", "type": "array" } @@ -165575,7 +166955,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" } }, "required": [ @@ -165610,7 +166992,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Analysis.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", @@ -165868,9 +167252,13 @@ "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -166839,6 +168227,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -166848,7 +168238,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ColumnIdentifier", @@ -167557,12 +168949,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -168007,6 +169405,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -168016,7 +169416,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Analysis.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", @@ -168283,7 +169685,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -168613,7 +170017,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ListControlSelectAllOptions", @@ -169276,6 +170682,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -169408,6 +170816,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { @@ -171187,10 +172597,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -171199,10 +172613,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Analysis.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" @@ -171225,10 +172643,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIPrimaryValueConditionalFormatting", @@ -171328,7 +172750,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TrendArrowOptions", @@ -171336,7 +172760,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" @@ -171386,15 +172812,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -171457,7 +172891,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Analysis.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -171466,6 +172902,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -171917,7 +173355,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.ListControlSearchOptions", @@ -173573,6 +175013,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { @@ -173596,9 +175038,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -173634,9 +175080,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -173772,6 +175222,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -174113,7 +175565,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, @@ -174123,6 +175575,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -174249,7 +175703,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -174387,6 +175843,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -174974,9 +176432,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -175198,7 +176660,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.LabelOptions", @@ -175212,9 +176676,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -175239,10 +176707,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -175415,6 +176887,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { @@ -175746,18 +177220,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -175856,6 +177332,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -175936,6 +177414,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -176004,7 +177484,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TextControlPlaceholderOptions", @@ -176055,7 +177537,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Analysis.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TextControlPlaceholderOptions", @@ -176136,12 +177620,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Analysis.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -176149,7 +177635,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -176468,6 +177954,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, @@ -176477,10 +177965,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -176511,6 +178003,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Analysis.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -176746,6 +178240,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -177472,7 +178968,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" }, "VersionDescription": { "markdownDescription": "A description for the first version of the dashboard being created.", @@ -177523,7 +179021,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", @@ -177661,9 +179161,13 @@ "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -178632,6 +180136,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -178641,7 +180147,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ColumnIdentifier", @@ -179350,12 +180858,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -180057,6 +181571,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -180066,7 +181582,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", @@ -180366,7 +181884,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -180696,7 +182216,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ListControlSelectAllOptions", @@ -181392,6 +182914,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -181524,6 +183048,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { @@ -183303,10 +184829,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -183315,10 +184845,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" @@ -183341,10 +184875,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIPrimaryValueConditionalFormatting", @@ -183444,7 +184982,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TrendArrowOptions", @@ -183452,7 +184992,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" @@ -183502,15 +185044,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -183573,7 +185123,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -183582,6 +185134,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -184033,7 +185587,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.ListControlSearchOptions", @@ -185689,6 +187245,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { @@ -185712,9 +187270,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -185750,9 +187312,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -185888,6 +187454,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -186229,7 +187797,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, @@ -186239,6 +187807,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -186365,7 +187935,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -186503,6 +188075,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -187090,9 +188664,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -187336,7 +188914,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.LabelOptions", @@ -187350,9 +188930,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -187377,10 +188961,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -187553,6 +189141,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { @@ -187884,18 +189474,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -187994,6 +189586,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -188074,6 +189668,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -188142,7 +189738,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TextControlPlaceholderOptions", @@ -188193,7 +189791,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TextControlPlaceholderOptions", @@ -188274,12 +189874,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -188287,7 +189889,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -188606,6 +190208,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, @@ -188615,10 +190219,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -188649,6 +190257,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Dashboard.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -188884,6 +190494,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -189603,7 +191215,7 @@ }, "DataSetRefreshProperties": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DataSetRefreshProperties", - "markdownDescription": "", + "markdownDescription": "The refresh properties of a dataset.", "title": "DataSetRefreshProperties" }, "DataSetUsageConfiguration": { @@ -189615,7 +191227,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DatasetParameter" }, - "markdownDescription": "", + "markdownDescription": "The parameters that are declared in a dataset.", "title": "DatasetParameters", "type": "array" }, @@ -189911,22 +191523,22 @@ "properties": { "DateTimeDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DateTimeDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A date time parameter that is created in the dataset.", "title": "DateTimeDatasetParameter" }, "DecimalDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DecimalDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A decimal parameter that is created in the dataset.", "title": "DecimalDatasetParameter" }, "IntegerDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.IntegerDatasetParameter", - "markdownDescription": "", + "markdownDescription": "An integer parameter that is created in the dataset.", "title": "IntegerDatasetParameter" }, "StringDatasetParameter": { "$ref": "#/definitions/AWS::QuickSight::DataSet.StringDatasetParameter", - "markdownDescription": "", + "markdownDescription": "A string parameter that is created in the dataset.", "title": "StringDatasetParameter" } }, @@ -189937,26 +191549,26 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DateTimeDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given date time parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the parameter that is created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the date time parameter that is created in the dataset.", "title": "Name", "type": "string" }, "TimeGranularity": { - "markdownDescription": "", + "markdownDescription": "The time granularity of the date time parameter.", "title": "TimeGranularity", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -189987,21 +191599,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.DecimalDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given decimal parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the decimal parameter created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the decimal parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190020,7 +191632,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given decimal parameter.", "title": "StaticValues", "type": "array" } @@ -190140,21 +191752,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.IntegerDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given integer parameter. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the integer parameter created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the integer parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190173,7 +191785,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given integer parameter.", "title": "StaticValues", "type": "array" } @@ -190318,7 +191930,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given decimal parameter.", "title": "DecimalStaticValues", "type": "array" }, @@ -190326,7 +191938,7 @@ "items": { "type": "number" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given integer parameter.", "title": "IntegerStaticValues", "type": "array" }, @@ -190334,7 +191946,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given string parameter.", "title": "StringStaticValues", "type": "array" } @@ -190376,7 +191988,7 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "", + "markdownDescription": "The name of the parameter to be overridden with different values.", "title": "ParameterName", "type": "string" } @@ -190439,7 +192051,7 @@ "additionalProperties": false, "properties": { "Catalog": { - "markdownDescription": "", + "markdownDescription": "The catalog associated with a table.", "title": "Catalog", "type": "string" }, @@ -190556,12 +192168,12 @@ "additionalProperties": false, "properties": { "Status": { - "markdownDescription": "", + "markdownDescription": "The status of row-level security tags. If enabled, the status is `ENABLED` . If disabled, the status is `DISABLED` .", "title": "Status", "type": "string" }, "TagRuleConfigurations": { - "markdownDescription": "", + "markdownDescription": "The configuration of tags on a dataset to set row-level security.", "title": "TagRuleConfigurations", "type": "object" }, @@ -190569,7 +192181,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::DataSet.RowLevelPermissionTagRule" }, - "markdownDescription": "", + "markdownDescription": "A set of rules associated with row-level security, such as the tag names and columns that they are assigned to.", "title": "TagRules", "type": "array" } @@ -190583,22 +192195,22 @@ "additionalProperties": false, "properties": { "ColumnName": { - "markdownDescription": "", + "markdownDescription": "The column name that a tag key is assigned to.", "title": "ColumnName", "type": "string" }, "MatchAllValue": { - "markdownDescription": "", + "markdownDescription": "A string that you want to use to filter by all the values in a column in the dataset and don\u2019t want to list the values one by one. For example, you can use an asterisk as your match all value.", "title": "MatchAllValue", "type": "string" }, "TagKey": { - "markdownDescription": "", + "markdownDescription": "The unique key for a tag.", "title": "TagKey", "type": "string" }, "TagMultiValueDelimiter": { - "markdownDescription": "", + "markdownDescription": "A string that you want to use to delimit the values when you pass the values at run time. For example, you can delimit the values with a comma.", "title": "TagMultiValueDelimiter", "type": "string" } @@ -190642,21 +192254,21 @@ "properties": { "DefaultValues": { "$ref": "#/definitions/AWS::QuickSight::DataSet.StringDatasetParameterDefaultValues", - "markdownDescription": "", + "markdownDescription": "A list of default values for a given string dataset parameter type. This structure only accepts static values.", "title": "DefaultValues" }, "Id": { - "markdownDescription": "", + "markdownDescription": "An identifier for the string parameter that is created in the dataset.", "title": "Id", "type": "string" }, "Name": { - "markdownDescription": "", + "markdownDescription": "The name of the string parameter that is created in the dataset.", "title": "Name", "type": "string" }, "ValueType": { - "markdownDescription": "", + "markdownDescription": "The value type of the dataset parameter. Valid values are `single value` or `multi value` .", "title": "ValueType", "type": "string" } @@ -190675,7 +192287,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "A list of static default values for a given string parameter.", "title": "StaticValues", "type": "array" } @@ -191769,7 +193381,9 @@ "type": "string" }, "ValidationStrategy": { - "$ref": "#/definitions/AWS::QuickSight::Template.ValidationStrategy" + "$ref": "#/definitions/AWS::QuickSight::Template.ValidationStrategy", + "markdownDescription": "The option to relax the validation that is required to create and update analyses, dashboards, and templates with definition objects. When you set this value to `LENIENT` , validation is skipped for specific errors.", + "title": "ValidationStrategy" }, "VersionDescription": { "markdownDescription": "A description of the current template version being created. This API operation creates the first version of the template. Every time `UpdateTemplate` is called, a new version is created. Each version of the template maintains a description of the version in the `VersionDescription` field.", @@ -191808,7 +193422,9 @@ "additionalProperties": false, "properties": { "AttributeAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Template.AttributeAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Template.AttributeAggregationFunction", + "markdownDescription": "Aggregation for attributes.", + "title": "AttributeAggregationFunction" }, "CategoricalAggregationFunction": { "markdownDescription": "Aggregation for categorical values.\n\n- `COUNT` : Aggregate by the total number of values, including duplicates.\n- `DISTINCT_COUNT` : Aggregate by the total number of distinct values.", @@ -191946,9 +193562,13 @@ "additionalProperties": false, "properties": { "SimpleAttributeAggregation": { + "markdownDescription": "The built-in aggregation functions for attributes.\n\n- `UNIQUE_VALUE` : Returns the unique value for a field, aggregated by the dimension fields.", + "title": "SimpleAttributeAggregation", "type": "string" }, "ValueForMultipleValues": { + "markdownDescription": "Used by the `UNIQUE_VALUE` aggregation function. If there are multiple values for the field used by the aggregation, the value for this property will be returned instead. Defaults to '*'.", + "title": "ValueForMultipleValues", "type": "string" } }, @@ -192917,6 +194537,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.CustomColor" }, + "markdownDescription": "A list of up to 50 custom colors.", + "title": "CustomColors", "type": "array" } }, @@ -192926,7 +194548,9 @@ "additionalProperties": false, "properties": { "ColorsConfiguration": { - "$ref": "#/definitions/AWS::QuickSight::Template.ColorsConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Template.ColorsConfiguration", + "markdownDescription": "The color configurations of the column.", + "title": "ColorsConfiguration" }, "Column": { "$ref": "#/definitions/AWS::QuickSight::Template.ColumnIdentifier", @@ -193686,12 +195310,18 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color that is applied to the data value.", + "title": "Color", "type": "string" }, "FieldValue": { + "markdownDescription": "The data value that the color is applied to.", + "title": "FieldValue", "type": "string" }, "SpecialValue": { + "markdownDescription": "The value of a special data value.", + "title": "SpecialValue", "type": "string" } }, @@ -194136,6 +195766,8 @@ "additionalProperties": false, "properties": { "PivotTableDataPathType": { + "markdownDescription": "The type of data path value utilized in a pivot table. Choose one of the following options:\n\n- `HIERARCHY_ROWS_LAYOUT_COLUMN` - The type of data path for the rows layout column, when `RowsLayout` is set to `HIERARCHY` .\n- `MULTIPLE_ROW_METRICS_COLUMN` - The type of data path for the metric column when the row is set to Metric Placement.\n- `EMPTY_COLUMN_HEADER` - The type of data path for the column with empty column header, when there is no field in `ColumnsFieldWell` and the row is set to Metric Placement.\n- `COUNT_METRIC_COLUMN` - The type of data path for the column with `COUNT` as the metric, when there is no field in the `ValuesFieldWell` .", + "title": "PivotTableDataPathType", "type": "string" } }, @@ -194145,7 +195777,9 @@ "additionalProperties": false, "properties": { "DataPathType": { - "$ref": "#/definitions/AWS::QuickSight::Template.DataPathType" + "$ref": "#/definitions/AWS::QuickSight::Template.DataPathType", + "markdownDescription": "The type configuration of the field.", + "title": "DataPathType" }, "FieldId": { "markdownDescription": "The field ID of the field that needs to be sorted.", @@ -194407,7 +196041,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -194714,7 +196350,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SelectAllOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.ListControlSelectAllOptions", @@ -195377,6 +197015,8 @@ "type": "string" }, "NullOption": { + "markdownDescription": "This option determines how null values should be treated when filtering data.\n\n- `ALL_VALUES` : Include null values in filtered results.\n- `NULLS_ONLY` : Only include null values in filtered results.\n- `NON_NULLS_ONLY` : Exclude null values from filtered results.", + "title": "NullOption", "type": "string" }, "SelectAllOptions": { @@ -195509,6 +197149,8 @@ "additionalProperties": false, "properties": { "AllSheets": { + "markdownDescription": "The configuration for applying a filter to all sheets.", + "title": "AllSheets", "type": "object" }, "SelectedSheets": { @@ -197265,10 +198907,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the actual value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the actual value's text color.", + "title": "TextColor" } }, "type": "object" @@ -197277,10 +198923,14 @@ "additionalProperties": false, "properties": { "Icon": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingIcon", + "markdownDescription": "The conditional formatting of the comparison value's icon.", + "title": "Icon" }, "TextColor": { - "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor" + "$ref": "#/definitions/AWS::QuickSight::Template.ConditionalFormattingColor", + "markdownDescription": "The conditional formatting of the comparison value's text color.", + "title": "TextColor" } }, "type": "object" @@ -197303,10 +198953,14 @@ "additionalProperties": false, "properties": { "ActualValue": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIActualValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIActualValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the actual value of a KPI visual.", + "title": "ActualValue" }, "ComparisonValue": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIComparisonValueConditionalFormatting" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIComparisonValueConditionalFormatting", + "markdownDescription": "The conditional formatting for the comparison value of a KPI visual.", + "title": "ComparisonValue" }, "PrimaryValue": { "$ref": "#/definitions/AWS::QuickSight::Template.KPIPrimaryValueConditionalFormatting", @@ -197406,7 +199060,9 @@ "title": "SecondaryValueFontConfiguration" }, "Sparkline": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPISparklineOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.KPISparklineOptions", + "markdownDescription": "The options that determine the visibility, color, type, and tooltip visibility of the sparkline of a KPI visual.", + "title": "Sparkline" }, "TrendArrows": { "$ref": "#/definitions/AWS::QuickSight::Template.TrendArrowOptions", @@ -197414,7 +199070,9 @@ "title": "TrendArrows" }, "VisualLayoutOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualLayoutOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualLayoutOptions", + "markdownDescription": "The options that determine the layout a KPI visual.", + "title": "VisualLayoutOptions" } }, "type": "object" @@ -197464,15 +199122,23 @@ "additionalProperties": false, "properties": { "Color": { + "markdownDescription": "The color of the sparkline.", + "title": "Color", "type": "string" }, "TooltipVisibility": { + "markdownDescription": "The tooltip visibility of the sparkline.", + "title": "TooltipVisibility", "type": "string" }, "Type": { + "markdownDescription": "The type of the sparkline.", + "title": "Type", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the sparkline.", + "title": "Visibility", "type": "string" } }, @@ -197535,7 +199201,9 @@ "additionalProperties": false, "properties": { "StandardLayout": { - "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualStandardLayout" + "$ref": "#/definitions/AWS::QuickSight::Template.KPIVisualStandardLayout", + "markdownDescription": "The standard layout of the KPI visual.", + "title": "StandardLayout" } }, "type": "object" @@ -197544,6 +199212,8 @@ "additionalProperties": false, "properties": { "Type": { + "markdownDescription": "The standard layout type.", + "title": "Type", "type": "string" } }, @@ -197995,7 +199665,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "SearchOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.ListControlSearchOptions", @@ -199613,6 +201285,8 @@ "type": "string" }, "DefaultCellWidth": { + "markdownDescription": "The default cell width of the pivot table.", + "title": "DefaultCellWidth", "type": "string" }, "MetricPlacement": { @@ -199636,9 +201310,13 @@ "title": "RowHeaderStyle" }, "RowsLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.PivotTableRowsLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.PivotTableRowsLabelOptions", + "markdownDescription": "The options for the label that is located above the row headers. This option is only applicable when `RowsLayout` is set to `HIERARCHY` .", + "title": "RowsLabelOptions" }, "RowsLayout": { + "markdownDescription": "The layout for the row dimension headers of a pivot table. Choose one of the following options.\n\n- `TABULAR` : (Default) Each row field is displayed in a separate column.\n- `HIERARCHY` : All row fields are displayed in a single column. Indentation is used to differentiate row headers of different fields.", + "title": "RowsLayout", "type": "string" }, "SingleMetricVisibility": { @@ -199674,9 +201352,13 @@ "additionalProperties": false, "properties": { "CustomLabel": { + "markdownDescription": "The custom label string for the rows label.", + "title": "CustomLabel", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility of the rows label.", + "title": "Visibility", "type": "string" } }, @@ -199812,6 +201494,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationOption" }, + "markdownDescription": "The total aggregation options for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -200153,7 +201837,7 @@ "additionalProperties": false, "properties": { "AxisBinding": { - "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- PrimaryY\n- SecondaryY", + "markdownDescription": "The axis binding type of the reference line. Choose one of the following options:\n\n- `PrimaryY`\n- `SecondaryY`", "title": "AxisBinding", "type": "string" }, @@ -200163,6 +201847,8 @@ "title": "DynamicConfiguration" }, "SeriesType": { + "markdownDescription": "The series type of the reference line data configuration. Choose one of the following options:\n\n- `BAR`\n- `LINE`", + "title": "SeriesType", "type": "string" }, "StaticConfiguration": { @@ -200289,7 +201975,9 @@ "type": "string" }, "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -200427,6 +202115,8 @@ "type": "string" }, "UsePrimaryBackgroundColor": { + "markdownDescription": "The primary background color options for alternate rows.", + "title": "UsePrimaryBackgroundColor", "type": "string" } }, @@ -201014,9 +202704,13 @@ "additionalProperties": false, "properties": { "InfoIconText": { + "markdownDescription": "The text content of info icon.", + "title": "InfoIconText", "type": "string" }, "Visibility": { + "markdownDescription": "The visibility configuration of info icon label options.", + "title": "Visibility", "type": "string" } }, @@ -201238,7 +202932,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "TitleOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.LabelOptions", @@ -201252,9 +202948,13 @@ "additionalProperties": false, "properties": { "Placement": { + "markdownDescription": "Defines the placement of the axis. By default, axes are rendered `OUTSIDE` of the panels. Axes with `INDEPENDENT` scale are rendered `INSIDE` the panels.", + "title": "Placement", "type": "string" }, "Scale": { + "markdownDescription": "Determines whether scale of the axes are shared or independent. The default value is `SHARED` .", + "title": "Scale", "type": "string" } }, @@ -201279,10 +202979,14 @@ "title": "PanelConfiguration" }, "XAxis": { - "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples X axis.", + "title": "XAxis" }, "YAxis": { - "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties" + "$ref": "#/definitions/AWS::QuickSight::Template.SmallMultiplesAxisProperties", + "markdownDescription": "The properties of a small multiples Y axis.", + "title": "YAxis" } }, "type": "object" @@ -201432,6 +203136,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TableStyleTarget" }, + "markdownDescription": "The style targets options for subtotals.", + "title": "StyleTargets", "type": "array" }, "TotalCellStyle": { @@ -201763,18 +203469,20 @@ "items": { "type": "string" }, - "markdownDescription": "The order of field IDs of the field options for a table visual.", + "markdownDescription": "The order of the field IDs that are configured as field options for a table visual.", "title": "Order", "type": "array" }, "PinnedFieldOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.TablePinnedFieldOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.TablePinnedFieldOptions", + "markdownDescription": "The settings for the pinned columns of a table visual.", + "title": "PinnedFieldOptions" }, "SelectedFieldOptions": { "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TableFieldOption" }, - "markdownDescription": "The selected field options for the table field options.", + "markdownDescription": "The field options to be configured to a table.", "title": "SelectedFieldOptions", "type": "array" } @@ -201873,6 +203581,8 @@ "items": { "type": "string" }, + "markdownDescription": "A list of columns to be pinned to the left of a table visual.", + "title": "PinnedLeftFields", "type": "array" } }, @@ -201953,6 +203663,8 @@ "additionalProperties": false, "properties": { "CellType": { + "markdownDescription": "The cell type of the table style target.", + "title": "CellType", "type": "string" } }, @@ -202220,7 +203932,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.TextControlPlaceholderOptions", @@ -202271,7 +203985,9 @@ "additionalProperties": false, "properties": { "InfoIconLabelOptions": { - "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions" + "$ref": "#/definitions/AWS::QuickSight::Template.SheetControlInfoIconLabelOptions", + "markdownDescription": "The configuration of info icon label options.", + "title": "InfoIconLabelOptions" }, "PlaceholderOptions": { "$ref": "#/definitions/AWS::QuickSight::Template.TextControlPlaceholderOptions", @@ -202352,12 +204068,14 @@ "type": "string" }, "ParameterName": { - "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` .", + "markdownDescription": "The parameter whose value should be used for the filter value.\n\nThis field is mutually exclusive to `Value` and `RollingDate` .", "title": "ParameterName", "type": "string" }, "RollingDate": { - "$ref": "#/definitions/AWS::QuickSight::Template.RollingDateConfiguration" + "$ref": "#/definitions/AWS::QuickSight::Template.RollingDateConfiguration", + "markdownDescription": "The rolling date input for the `TimeEquality` filter.\n\nThis field is mutually exclusive to `Value` and `ParameterName` .", + "title": "RollingDate" }, "TimeGranularity": { "markdownDescription": "The level of time precision that is used to aggregate `DateTime` values.", @@ -202365,7 +204083,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `ParameterName` .", + "markdownDescription": "The value of a `TimeEquality` filter.\n\nThis field is mutually exclusive to `RollingDate` and `ParameterName` .", "title": "Value", "type": "string" } @@ -202684,6 +204402,8 @@ "additionalProperties": false, "properties": { "SimpleTotalAggregationFunction": { + "markdownDescription": "A built in aggregation function for total values.", + "title": "SimpleTotalAggregationFunction", "type": "string" } }, @@ -202693,10 +204413,14 @@ "additionalProperties": false, "properties": { "FieldId": { + "markdownDescription": "The field id that's associated with the total aggregation option.", + "title": "FieldId", "type": "string" }, "TotalAggregationFunction": { - "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationFunction" + "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationFunction", + "markdownDescription": "The total aggregation function that you want to set for a specified field id.", + "title": "TotalAggregationFunction" } }, "required": [ @@ -202727,6 +204451,8 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Template.TotalAggregationOption" }, + "markdownDescription": "The total aggregation settings for each value field.", + "title": "TotalAggregationOptions", "type": "array" }, "TotalCellStyle": { @@ -202962,6 +204688,8 @@ "additionalProperties": false, "properties": { "Mode": { + "markdownDescription": "The mode of validation for the asset to be creaed or updated. When you set this value to `STRICT` , strict validation for every error is enforced. When you set this value to `LENIENT` , validation is skipped for specific UI errors.", + "title": "Mode", "type": "string" } }, @@ -203750,7 +205478,7 @@ "additionalProperties": false, "properties": { "FontFamily": { - "markdownDescription": "", + "markdownDescription": "Determines the font family settings.", "title": "FontFamily", "type": "string" } @@ -203948,7 +205676,7 @@ "items": { "$ref": "#/definitions/AWS::QuickSight::Theme.Font" }, - "markdownDescription": "", + "markdownDescription": "Determines the list of font families.", "title": "FontFamilies", "type": "array" } @@ -204581,6 +206309,8 @@ "type": "boolean" }, "NonAdditive": { + "markdownDescription": "The non additive for the table style target.", + "title": "NonAdditive", "type": "boolean" }, "NotAllowedAggregations": { @@ -204659,7 +206389,7 @@ "additionalProperties": false, "properties": { "Aggregation": { - "markdownDescription": "The type of aggregation that is performed on the column data when it's queried. Valid values for this structure are `SUM` , `MAX` , `MIN` , `COUNT` , `DISTINCT_COUNT` , and `AVERAGE` .", + "markdownDescription": "The type of aggregation that is performed on the column data when it's queried.", "title": "Aggregation", "type": "string" }, @@ -204728,6 +206458,8 @@ "type": "boolean" }, "NonAdditive": { + "markdownDescription": "The non additive value for the column.", + "title": "NonAdditive", "type": "boolean" }, "NotAllowedAggregations": { @@ -205274,6 +207006,8 @@ "items": { "type": "string" }, + "markdownDescription": "", + "title": "Sources", "type": "array" }, "Tags": { @@ -205593,7 +207327,7 @@ "type": "number" }, "KmsKeyId": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "markdownDescription": "The Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the database instances in the DB cluster, such as `arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef` . If you enable the `StorageEncrypted` property but don't specify this property, the default KMS key is used. If you specify this property, you must set the `StorageEncrypted` property to `true` .\n\nIf you specify the `SnapshotIdentifier` property, the `StorageEncrypted` property value is inherited from the snapshot, and if the DB cluster is encrypted, the specified `KmsKeyId` property is used.\n\nIf you create a read replica of an encrypted DB cluster in another AWS Region, make sure to set `KmsKeyId` to a KMS key identifier that is valid in the destination AWS Region. This KMS key is used to encrypt the read replica in that AWS Region.\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "title": "KmsKeyId", "type": "string" }, @@ -205673,7 +207407,7 @@ "type": "string" }, "RestoreToTime": { - "markdownDescription": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", + "markdownDescription": "The date and time to restore the DB cluster to.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Must be specified if `UseLatestRestorableTime` parameter isn't provided\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n- Can't be specified if the `RestoreType` parameter is `copy-on-write`\n\nThis property must be used with `SourceDBClusterIdentifier` property. The resulting cluster will have the identifier that matches the value of the `DBclusterIdentifier` property.\n\nExample: `2015-03-07T23:45:00Z`\n\nValid for: Aurora DB clusters and Multi-AZ DB clusters", "title": "RestoreToTime", "type": "string" }, @@ -205713,7 +207447,7 @@ "type": "boolean" }, "StorageType": { - "markdownDescription": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`", + "markdownDescription": "The storage type to associate with the DB cluster.\n\nFor information on storage types for Aurora DB clusters, see [Storage configurations for Amazon Aurora DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type) . For information on storage types for Multi-AZ DB clusters, see [Settings for creating Multi-AZ DB clusters](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings) .\n\nThis setting is required to create a Multi-AZ DB cluster.\n\nWhen specified for a Multi-AZ DB cluster, a value for the `Iops` parameter is required.\n\nValid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters\n\nValid Values:\n\n- Aurora DB clusters - `aurora | aurora-iopt1`\n- Multi-AZ DB clusters - `io1`\n\nDefault:\n\n- Aurora DB clusters - `aurora`\n- Multi-AZ DB clusters - `io1`\n\n> When you create an Aurora DB cluster with the storage type set to `aurora-iopt1` , the storage type is returned in the response. The storage type isn't returned when you set it to `aurora` .", "title": "StorageType", "type": "string" }, @@ -205827,7 +207561,7 @@ "additionalProperties": false, "properties": { "AutoPause": { - "markdownDescription": "A value that indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", + "markdownDescription": "Indicates whether to allow or disallow automatic pause for an Aurora DB cluster in `serverless` DB engine mode. A DB cluster can be paused only when it's idle (it has no connections).\n\n> If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it.", "title": "AutoPause", "type": "boolean" }, @@ -206026,6 +207760,8 @@ "type": "boolean" }, "AutomaticBackupReplicationRegion": { + "markdownDescription": "", + "title": "AutomaticBackupReplicationRegion", "type": "string" }, "AvailabilityZone": { @@ -206132,15 +207868,21 @@ "type": "string" }, "DomainAuthSecretArn": { + "markdownDescription": "The ARN for the Secrets Manager secret with the credentials for the user joining the domain.\n\nExample: `arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456`", + "title": "DomainAuthSecretArn", "type": "string" }, "DomainDnsIps": { "items": { "type": "string" }, + "markdownDescription": "The IPv4 DNS IP addresses of your primary and secondary Active Directory domain controllers.\n\nConstraints:\n\n- Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list.\n\nExample: `123.124.125.126,234.235.236.237`", + "title": "DomainDnsIps", "type": "array" }, "DomainFqdn": { + "markdownDescription": "The fully qualified domain name (FQDN) of an Active Directory domain.\n\nConstraints:\n\n- Can't be longer than 64 characters.\n\nExample: `mymanagedADtest.mymanagedAD.mydomain`", + "title": "DomainFqdn", "type": "string" }, "DomainIAMRoleName": { @@ -206149,13 +207891,15 @@ "type": "string" }, "DomainOu": { + "markdownDescription": "The Active Directory organizational unit for your DB instance to join.\n\nConstraints:\n\n- Must be in the distinguished name format.\n- Can't be longer than 64 characters.\n\nExample: `OU=mymanagedADtestOU,DC=mymanagedADtest,DC=mymanagedAD,DC=mydomain`", + "title": "DomainOu", "type": "string" }, "EnableCloudwatchLogsExports": { "items": { "type": "string" }, - "markdownDescription": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", + "markdownDescription": "The list of log types that need to be enabled for exporting to CloudWatch Logs. The values in the list depend on the DB engine being used. For more information, see [Publishing Database Logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) in the *Amazon Relational Database Service User Guide* .\n\n*Amazon Aurora*\n\nNot applicable. CloudWatch Logs exports are managed by the DB cluster.\n\n*MariaDB*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Microsoft SQL Server*\n\nValid values: `agent` , `error`\n\n*MySQL*\n\nValid values: `audit` , `error` , `general` , `slowquery`\n\n*Oracle*\n\nValid values: `alert` , `audit` , `listener` , `trace` , `oemagent`\n\n*PostgreSQL*\n\nValid values: `postgresql` , `upgrade`", "title": "EnableCloudwatchLogsExports", "type": "array" }, @@ -206303,7 +208047,7 @@ "type": "string" }, "RestoreTime": { - "markdownDescription": "The date and time to restore from.\n\nValid Values: Value must be a time in Universal Coordinated Time (UTC) format\n\nConstraints:\n\n- Must be before the latest restorable time for the DB instance\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled\n\nExample: `2009-09-07T23:45:00Z`", + "markdownDescription": "The date and time to restore from.\n\nConstraints:\n\n- Must be a time in Universal Coordinated Time (UTC) format.\n- Must be before the latest restorable time for the DB instance.\n- Can't be specified if the `UseLatestRestorableTime` parameter is enabled.\n\nExample: `2009-09-07T23:45:00Z`", "title": "RestoreTime", "type": "string" }, @@ -206313,7 +208057,7 @@ "type": "string" }, "SourceDBInstanceAutomatedBackupsArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:useast-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", + "markdownDescription": "The Amazon Resource Name (ARN) of the replicated automated backups from which to restore, for example, `arn:aws:rds:us-east-1:123456789012:auto-backup:ab-L2IJCEXJP7XQ7HOJ4SIEXAMPLE` .\n\nThis setting doesn't apply to RDS Custom.", "title": "SourceDBInstanceAutomatedBackupsArn", "type": "string" }, @@ -206333,7 +208077,7 @@ "type": "string" }, "StorageEncrypted": { - "markdownDescription": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `SnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", + "markdownDescription": "A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.\n\nIf you specify the `KmsKeyId` property, then you must enable encryption.\n\nIf you specify the `SourceDBInstanceIdentifier` property, don't specify this property. The value is inherited from the source DB instance, and if the DB instance is encrypted, the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot is encrypted, don't specify this property. The value is inherited from the snapshot, and the specified `KmsKeyId` property is used.\n\nIf you specify the `DBSnapshotIdentifier` and the specified snapshot isn't encrypted, you can use this property to specify that the restored DB instance is encrypted. Specify the `KmsKeyId` property for the KMS key to use for encryption. If you don't want the restored DB instance to be encrypted, then don't set this property or set it to `false` .\n\n*Amazon Aurora*\n\nNot applicable. The encryption for DB instances is managed by the DB cluster.", "title": "StorageEncrypted", "type": "boolean" }, @@ -206366,7 +208110,7 @@ "type": "boolean" }, "UseLatestRestorableTime": { - "markdownDescription": "A value that indicates whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints: Can't be specified if the `RestoreTime` parameter is provided.", + "markdownDescription": "Specifies whether the DB instance is restored from the latest backup time. By default, the DB instance isn't restored from the latest backup time.\n\nConstraints:\n\n- Can't be specified if the `RestoreTime` parameter is provided.", "title": "UseLatestRestorableTime", "type": "boolean" }, @@ -206630,7 +208374,7 @@ "type": "string" }, "DebugLogging": { - "markdownDescription": "Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", + "markdownDescription": "Specifies whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.", "title": "DebugLogging", "type": "boolean" }, @@ -206645,7 +208389,7 @@ "type": "number" }, "RequireTLS": { - "markdownDescription": "A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", + "markdownDescription": "Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.", "title": "RequireTLS", "type": "boolean" }, @@ -206973,7 +208717,7 @@ "additionalProperties": false, "properties": { "ConnectionBorrowTimeout": { - "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.\n\nDefault: 120\n\nConstraints: between 1 and 3600, or 0 representing unlimited", + "markdownDescription": "The number of seconds for a proxy to wait for a connection to become available in the connection pool. This setting only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions. For an unlimited wait time, specify `0` .\n\nDefault: `120`\n\nConstraints:\n\n- Must be between 0 and 3600.", "title": "ConnectionBorrowTimeout", "type": "number" }, @@ -206983,12 +208727,12 @@ "type": "string" }, "MaxConnectionsPercent": { - "markdownDescription": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: 10 for RDS for Microsoft SQL Server, and 100 for all other engines\n\nConstraints: Must be between 1 and 100.", + "markdownDescription": "The maximum size of the connection pool for each target in a target group. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group.\n\nIf you specify `MaxIdleConnectionsPercent` , then you must also include a value for this parameter.\n\nDefault: `10` for RDS for Microsoft SQL Server, and `100` for all other engines\n\nConstraints:\n\n- Must be between 1 and 100.", "title": "MaxConnectionsPercent", "type": "number" }, "MaxIdleConnectionsPercent": { - "markdownDescription": "Controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is 5, and for all other engines, the default is 50.\n\nConstraints: Must be between 0 and the value of `MaxConnectionsPercent` .", + "markdownDescription": "A value that controls how actively the proxy closes idle database connections in the connection pool. The value is expressed as a percentage of the `max_connections` setting for the RDS DB instance or Aurora DB cluster used by the target group. With a high value, the proxy leaves a high percentage of idle database connections open. A low value causes the proxy to close more idle connections and return them to the database.\n\nIf you specify this parameter, then you must also include a value for `MaxConnectionsPercent` .\n\nDefault: The default value is half of the value of `MaxConnectionsPercent` . For example, if `MaxConnectionsPercent` is 80, then the default value of `MaxIdleConnectionsPercent` is 40. If the value of `MaxConnectionsPercent` isn't specified, then for SQL Server, `MaxIdleConnectionsPercent` is `5` , and for all other engines, the default is `50` .\n\nConstraints:\n\n- Must be between 0 and the value of `MaxConnectionsPercent` .", "title": "MaxIdleConnectionsPercent", "type": "number" }, @@ -207330,7 +209074,7 @@ "additionalProperties": false, "properties": { "Enabled": { - "markdownDescription": "A value that indicates whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", + "markdownDescription": "Specifies whether to activate the subscription. If the event notification subscription isn't activated, the subscription is created but not active.", "title": "Enabled", "type": "boolean" }, @@ -208099,7 +209843,7 @@ "type": "number" }, "MasterUserPassword": { - "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", + "markdownDescription": "The password associated with the admin user account for the cluster that is being created.\n\nYou can't use `MasterUserPassword` if `ManageMasterPassword` is `true` .\n\nConstraints:\n\n- Must be between 8 and 64 characters in length.\n- Must contain at least one uppercase letter.\n- Must contain at least one lowercase letter.\n- Must contain one number.\n- Can be any printable ASCII character (ASCII code 33-126) except `'` (single quote), `\"` (double quote), `\\` , `/` , or `@` .", "title": "MasterUserPassword", "type": "string" }, @@ -210608,12 +212352,12 @@ "type": "string" }, "AppTemplateBody": { - "markdownDescription": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template provided in the *Examples* section.\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nThe name of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nThe name of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. \n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nThe name of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nThe name of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nThe name of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nThe name of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", + "markdownDescription": "A JSON string that provides information about your application structure. To learn more about the `appTemplateBody` template, see the sample template in [Sample appTemplateBody template](https://docs.aws.amazon.com//resilience-hub/latest/APIReference/API_PutDraftAppVersionTemplate.html#API_PutDraftAppVersionTemplate_Examples) .\n\nThe `appTemplateBody` JSON string has the following structure:\n\n- *`resources`*\n\nThe list of logical resources that needs to be included in the AWS Resilience Hub application.\n\nType: Array\n\n> Don't add the resources that you want to exclude. \n\nEach `resources` array item includes the following fields:\n\n- *`logicalResourceId`*\n\nThe logical identifier of the resource.\n\nType: Object\n\nEach `logicalResourceId` object includes the following fields:\n\n- `identifier`\n\nIdentifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`type`*\n\nThe type of resource.\n\nType: string\n- *`name`*\n\nName of the resource.\n\nType: String\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`appComponents`*\n\nThe list of Application Components (AppComponent) that this resource belongs to. If an AppComponent is not part of the AWS Resilience Hub application, it will be added.\n\nType: Array\n\nEach `appComponents` array item includes the following fields:\n\n- `name`\n\nName of the AppComponent.\n\nType: String\n- `type`\n\nThe type of AppComponent. For more information about the types of AppComponent, see [Grouping resources in an AppComponent](https://docs.aws.amazon.com/resilience-hub/latest/userguide/AppComponent.grouping.html) .\n\nType: String\n- `resourceNames`\n\nThe list of included resources that are assigned to the AppComponent.\n\nType: Array of strings\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`\n- *`excludedResources`*\n\nThe list of logical resource identifiers to be excluded from the application.\n\nType: Array\n\n> Don't add the resources that you want to include. \n\nEach `excludedResources` array item includes the following fields:\n\n- *`logicalResourceIds`*\n\nThe logical identifier of the resource.\n\nType: Object\n\n> You can configure only one of the following fields:\n> \n> - `logicalStackName`\n> - `resourceGroupName`\n> - `terraformSourceName`\n> - `eksSourceName` \n\nEach `logicalResourceIds` object includes the following fields:\n\n- `identifier`\n\nThe identifier of the resource.\n\nType: String\n- `logicalStackName`\n\nName of the AWS CloudFormation stack this resource belongs to.\n\nType: String\n- `resourceGroupName`\n\nName of the resource group this resource belongs to.\n\nType: String\n- `terraformSourceName`\n\nName of the Terraform S3 state file this resource belongs to.\n\nType: String\n- `eksSourceName`\n\nName of the Amazon Elastic Kubernetes Service cluster and namespace this resource belongs to.\n\n> This parameter accepts values in \"eks-cluster/namespace\" format. \n\nType: String\n- *`version`*\n\nThe AWS Resilience Hub application version.\n- `additionalInfo`\n\nAdditional configuration parameters for an AWS Resilience Hub application. If you want to implement `additionalInfo` through the AWS Resilience Hub console rather than using an API call, see [Configure the application configuration parameters](https://docs.aws.amazon.com//resilience-hub/latest/userguide/app-config-param.html) .\n\n> Currently, this parameter accepts a key-value mapping (in a string format) of only one failover region and one associated account.\n> \n> Key: `\"failover-regions\"`\n> \n> Value: `\"[{\"region\":\"\", \"accounts\":[{\"id\":\"\"}]}]\"`", "title": "AppTemplateBody", "type": "string" }, "Description": { - "markdownDescription": "The optional description for an app.", + "markdownDescription": "Optional description for an application.", "title": "Description", "type": "string" }, @@ -210621,15 +212365,19 @@ "items": { "$ref": "#/definitions/AWS::ResilienceHub::App.EventSubscription" }, + "markdownDescription": "The list of events you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* and *Scheduled assessment failure* events.", + "title": "EventSubscriptions", "type": "array" }, "Name": { - "markdownDescription": "The name for the application.", + "markdownDescription": "Name for the application.", "title": "Name", "type": "string" }, "PermissionModel": { - "$ref": "#/definitions/AWS::ResilienceHub::App.PermissionModel" + "$ref": "#/definitions/AWS::ResilienceHub::App.PermissionModel", + "markdownDescription": "Defines the roles and credentials that AWS Resilience Hub would use while creating the application, importing its resources, and running an assessment.", + "title": "PermissionModel" }, "ResiliencyPolicyArn": { "markdownDescription": "The Amazon Resource Name (ARN) of the resiliency policy.", @@ -210640,13 +212388,13 @@ "items": { "$ref": "#/definitions/AWS::ResilienceHub::App.ResourceMapping" }, - "markdownDescription": "An array of ResourceMapping objects.", + "markdownDescription": "An array of `ResourceMapping` objects.", "title": "ResourceMappings", "type": "array" }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "markdownDescription": "", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -210688,12 +212436,18 @@ "additionalProperties": false, "properties": { "EventType": { + "markdownDescription": "The type of event you would like to subscribe and get notification for. Currently, AWS Resilience Hub supports notifications only for *Drift detected* ( `DriftDetected` ) and *Scheduled assessment failure* ( `ScheduledAssessmentFailure` ) events.", + "title": "EventType", "type": "string" }, "Name": { + "markdownDescription": "Unique name to identify an event subscription.", + "title": "Name", "type": "string" }, "SnsTopicArn": { + "markdownDescription": "Amazon Resource Name (ARN) of the Amazon Simple Notification Service topic. The format for this ARN is: `arn:partition:sns:region:account:topic-name` .", + "title": "SnsTopicArn", "type": "string" } }, @@ -210710,12 +212464,18 @@ "items": { "type": "string" }, + "markdownDescription": "Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.\n\n> - These ARNs are required only when your resources are in other accounts and you have different role name in these accounts. Else, the invoker role name will be used in the other accounts.\n> - These roles must have a trust policy with `iam:AssumeRole` permission to the invoker role in the primary account.", + "title": "CrossAccountRoleArns", "type": "array" }, "InvokerRoleName": { + "markdownDescription": "Existing AWS IAM role name in the primary AWS account that will be assumed by AWS Resilience Hub Service Principle to obtain a read-only access to your application resources while running an assessment.\n\n> You must have `iam:passRole` permission for this role while creating or updating the application.", + "title": "InvokerRoleName", "type": "string" }, "Type": { + "markdownDescription": "Defines how AWS Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your AWS account, or by using the credentials of the current IAM user.", + "title": "Type", "type": "string" } }, @@ -210728,17 +212488,17 @@ "additionalProperties": false, "properties": { "AwsAccountId": { - "markdownDescription": "The AWS account that owns the physical resource.", + "markdownDescription": "The account that owns the physical resource.", "title": "AwsAccountId", "type": "string" }, "AwsRegion": { - "markdownDescription": "The AWS Region that the physical resource is located in.", + "markdownDescription": "The that the physical resource is located in.", "title": "AwsRegion", "type": "string" }, "Identifier": { - "markdownDescription": "The identifier of the physical resource.", + "markdownDescription": "Identifier of the physical resource.", "title": "Identifier", "type": "string" }, @@ -210763,22 +212523,22 @@ "type": "string" }, "LogicalStackName": { - "markdownDescription": "The name of the CloudFormation stack this resource is mapped to.", + "markdownDescription": "The name of the AWS CloudFormation stack this resource is mapped to.", "title": "LogicalStackName", "type": "string" }, "MappingType": { - "markdownDescription": "Specifies the type of resource mapping.\n\nValid Values: CfnStack | Resource | AppRegistryApp | ResourceGroup | Terraform\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a CloudFormation stack. The name of the CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to a resource group. The name of the resource group is contained in the `resourceGroupName` property.", + "markdownDescription": "Specifies the type of resource mapping.\n\n- **AppRegistryApp** - The resource is mapped to another application. The name of the application is contained in the `appRegistryAppName` property.\n- **CfnStack** - The resource is mapped to a AWS CloudFormation stack. The name of the AWS CloudFormation stack is contained in the `logicalStackName` property.\n- **Resource** - The resource is mapped to another resource. The name of the resource is contained in the `resourceName` property.\n- **ResourceGroup** - The resource is mapped to AWS Resource Groups . The name of the resource group is contained in the `resourceGroupName` property.", "title": "MappingType", "type": "string" }, "PhysicalResourceId": { "$ref": "#/definitions/AWS::ResilienceHub::App.PhysicalResourceId", - "markdownDescription": "The identifier of this resource.", + "markdownDescription": "Identifier of the physical resource.", "title": "PhysicalResourceId" }, "ResourceName": { - "markdownDescription": "The name of the resource this resource is mapped to.", + "markdownDescription": "Name of the resource that the resource is mapped to.", "title": "ResourceName", "type": "string" }, @@ -210857,7 +212617,7 @@ }, "Tags": { "additionalProperties": true, - "markdownDescription": "The tags assigned to the resource. A tag is a label that you assign to an AWS resource. Each tag consists of a key/value pair.", + "markdownDescription": "", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" @@ -210904,12 +212664,12 @@ "additionalProperties": false, "properties": { "RpoInSecs": { - "markdownDescription": "The Recovery Point Objective (RPO), in seconds.", + "markdownDescription": "Recovery Point Objective (RPO) in seconds.", "title": "RpoInSecs", "type": "number" }, "RtoInSecs": { - "markdownDescription": "The Recovery Time Objective (RTO), in seconds.", + "markdownDescription": "Recovery Time Objective (RTO) in seconds.", "title": "RtoInSecs", "type": "number" } @@ -212075,17 +213835,17 @@ "additionalProperties": false, "properties": { "CrlData": { - "markdownDescription": "The x509 v3 specified certificate revocation list (CRL).", + "markdownDescription": "", "title": "CrlData", "type": "string" }, "Enabled": { - "markdownDescription": "Specifies whether the certificate revocation list (CRL) is enabled.", + "markdownDescription": "", "title": "Enabled", "type": "boolean" }, "Name": { - "markdownDescription": "The name of the certificate revocation list (CRL).", + "markdownDescription": "", "title": "Name", "type": "string" }, @@ -212093,7 +213853,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "A list of tags to attach to the certificate revocation list (CRL).", + "markdownDescription": "", "title": "Tags", "type": "array" }, @@ -212166,12 +213926,12 @@ "additionalProperties": false, "properties": { "DurationSeconds": { - "markdownDescription": "Sets the maximum number of seconds that vended temporary credentials through [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html) will be valid for, between 900 and 3600.", + "markdownDescription": "The number of seconds vended session credentials will be valid for", "title": "DurationSeconds", "type": "number" }, "Enabled": { - "markdownDescription": "Indicates whether the profile is enabled.", + "markdownDescription": "The enabled status of the resource.", "title": "Enabled", "type": "boolean" }, @@ -212179,17 +213939,17 @@ "items": { "type": "string" }, - "markdownDescription": "A list of managed policy ARNs that apply to the vended session credentials.", + "markdownDescription": "A list of managed policy ARNs. Managed policies identified by this list will be applied to the vended session credentials.", "title": "ManagedPolicyArns", "type": "array" }, "Name": { - "markdownDescription": "The name of the profile.", + "markdownDescription": "The customer specified name of the resource.", "title": "Name", "type": "string" }, "RequireInstanceProperties": { - "markdownDescription": "Specifies whether instance properties are required in temporary credential requests with this profile.", + "markdownDescription": "Specifies whether instance properties are required in CreateSession requests with this profile.", "title": "RequireInstanceProperties", "type": "boolean" }, @@ -212197,12 +213957,12 @@ "items": { "type": "string" }, - "markdownDescription": "A list of IAM role ARNs. During `CreateSession` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.", + "markdownDescription": "A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.", "title": "RoleArns", "type": "array" }, "SessionPolicy": { - "markdownDescription": "A session policy that applies to the trust boundary of the vended session credentials.", + "markdownDescription": "A session policy that will applied to the trust boundary of the vended session credentials.", "title": "SessionPolicy", "type": "string" }, @@ -212210,7 +213970,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The tags to attach to the profile.", + "markdownDescription": "A list of Tags.", "title": "Tags", "type": "array" } @@ -212291,6 +214051,8 @@ "items": { "$ref": "#/definitions/AWS::RolesAnywhere::TrustAnchor.NotificationSetting" }, + "markdownDescription": "A list of notification settings to be associated to the trust anchor.", + "title": "NotificationSettings", "type": "array" }, "Source": { @@ -212338,15 +214100,23 @@ "additionalProperties": false, "properties": { "Channel": { + "markdownDescription": "The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge , and AWS Health Dashboard to notify for an event.\n\n> In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.", + "title": "Channel", "type": "string" }, "Enabled": { + "markdownDescription": "Indicates whether the notification setting is enabled.", + "title": "Enabled", "type": "boolean" }, "Event": { + "markdownDescription": "The event to which this notification setting is applied.", + "title": "Event", "type": "string" }, "Threshold": { + "markdownDescription": "The number of days before a notification event. This value is required for a notification setting that is enabled.", + "title": "Threshold", "type": "number" } }, @@ -212361,11 +214131,11 @@ "properties": { "SourceData": { "$ref": "#/definitions/AWS::RolesAnywhere::TrustAnchor.SourceData", - "markdownDescription": "The data field of the trust anchor depending on its type.", + "markdownDescription": "A union object representing the data field of the TrustAnchor depending on its type", "title": "SourceData" }, "SourceType": { - "markdownDescription": "The type of the TrustAnchor.\n\n> `AWS_ACM_PCA` is not an allowed value in your region.", + "markdownDescription": "The type of the TrustAnchor.", "title": "SourceType", "type": "string" } @@ -212728,7 +214498,7 @@ "type": "string" }, "RoutingControlArn": { - "markdownDescription": "", + "markdownDescription": "The Amazon Resource Name (ARN) for the Route 53 Application Recovery Controller routing control.\n\nFor more information about Route 53 Application Recovery Controller, see [Route 53 Application Recovery Controller Developer Guide.](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route-53-recovery.html) .", "title": "RoutingControlArn", "type": "string" }, @@ -213088,7 +214858,7 @@ "type": "boolean" }, "Name": { - "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "title": "Name", "type": "string" }, @@ -213395,7 +215165,7 @@ "type": "string" }, "HostedZoneId": { - "markdownDescription": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .", + "markdownDescription": "The ID of the hosted zone that you want to create records in.\n\nSpecify either `HostedZoneName` or `HostedZoneId` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using `HostedZoneId` .\n\nDo not provide the `HostedZoneId` if it is already defined in `AWS::Route53::RecordSetGroup` . The creation fails if `HostedZoneId` is defined in both.", "title": "HostedZoneId", "type": "string" }, @@ -213410,7 +215180,7 @@ "type": "boolean" }, "Name": { - "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.\n\nYou can use the * wildcard as the leftmost label in a domain name, for example, `*.example.com` . You can't use an * for one of the middle labels, for example, `marketing.*.example.com` . In addition, the * must replace the entire label; for example, you can't specify `prod*.example.com` .", + "markdownDescription": "For `ChangeResourceRecordSets` requests, the name of the record that you want to create, update, or delete. For `ListResourceRecordSets` responses, the name of a record in the specified hosted zone.\n\n*ChangeResourceRecordSets Only*\n\nEnter a fully qualified domain name, for example, `www.example.com` . You can optionally include a trailing dot. If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified. This means that Route 53 treats `www.example.com` (without a trailing dot) and `www.example.com.` (with a trailing dot) as identical.\n\nFor information about how to specify characters other than `a-z` , `0-9` , and `-` (hyphen) and how to specify internationalized domain names, see [DNS Domain Name Format](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html) in the *Amazon Route 53 Developer Guide* .\n\nYou can use the asterisk (*) wildcard to replace the leftmost label in a domain name, for example, `*.example.com` . Note the following:\n\n- The * must replace the entire label. For example, you can't specify `*prod.example.com` or `prod*.example.com` .\n- The * can't replace any of the middle labels, for example, marketing.*.example.com.\n- If you include * in any position other than the leftmost label in a domain name, DNS treats it as an * character (ASCII 42), not as a wildcard.\n\n> You can't use the * wildcard for resource records sets that have a type of NS.", "title": "Name", "type": "string" }, @@ -213498,7 +215268,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the cluster.", "title": "Tags", "type": "array" } @@ -213594,7 +215364,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the control panel.", "title": "Tags", "type": "array" } @@ -213743,7 +215513,7 @@ "title": "AssertionRule" }, "ControlPanelArn": { - "markdownDescription": "The Amazon Resource Name (ARN) for the control panel.", + "markdownDescription": "The Amazon Resource Name (ARN) of the control panel.", "title": "ControlPanelArn", "type": "string" }, @@ -213766,7 +215536,7 @@ "items": { "$ref": "#/definitions/Tag" }, - "markdownDescription": "The value for a tag.", + "markdownDescription": "The tags associated with the safety rule.", "title": "Tags", "type": "array" } @@ -214648,21 +216418,31 @@ "additionalProperties": false, "properties": { "InstanceCount": { + "markdownDescription": "Amazon EC2 instance count for the Resolver on the Outpost.", + "title": "InstanceCount", "type": "number" }, "Name": { + "markdownDescription": "Name of the Resolver.", + "title": "Name", "type": "string" }, "OutpostArn": { + "markdownDescription": "The ARN (Amazon Resource Name) for the Outpost.", + "title": "OutpostArn", "type": "string" }, "PreferredInstanceType": { + "markdownDescription": "The Amazon EC2 instance type. If you specify this, you must also specify a value for the `OutpostArn` .", + "title": "PreferredInstanceType", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "A key value pair that helps you identify a Route\u00a053 Resolver .", + "title": "Tags", "type": "array" } }, @@ -214884,12 +216664,12 @@ "type": "string" }, "OutpostArn": { - "markdownDescription": "", + "markdownDescription": "The ARN (Amazon Resource Name) for the Outpost.", "title": "OutpostArn", "type": "string" }, "PreferredInstanceType": { - "markdownDescription": "", + "markdownDescription": "The Amazon EC2 instance type.", "title": "PreferredInstanceType", "type": "string" }, @@ -215471,7 +217251,7 @@ "title": "AccelerateConfiguration" }, "AccessControl": { - "markdownDescription": "A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nBe aware that the syntax for this property differs from the information provided in the *Amazon S3 User Guide* . The AccessControl property is case-sensitive and must be one of the following values: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.", + "markdownDescription": "> This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see [Controlling object ownership](https://docs.aws.amazon.com//AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon S3 User Guide* . \n\nA canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) in the *Amazon S3 User Guide* .\n\nS3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the [AWS::S3::OwnershipControls](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html) property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon.\n\nThe majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see [AWS::S3::BucketPolicy](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html) . For examples of common policy configurations, including S3 Server Access Logs buckets and more, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon S3 User Guide* .", "title": "AccessControl", "type": "string" }, @@ -215830,7 +217610,7 @@ "type": "string" }, "Format": { - "markdownDescription": "Specifies the file format used when exporting data to Amazon S3.", + "markdownDescription": "Specifies the file format used when exporting data to Amazon S3.\n\n*Allowed values* : `CSV` | `ORC` | `Parquet`", "title": "Format", "type": "string" }, @@ -218014,7 +219794,7 @@ "additionalProperties": false, "properties": { "VpcId": { - "markdownDescription": "The ID of the VPC configuration.", + "markdownDescription": "", "title": "VpcId", "type": "string" } @@ -218067,7 +219847,7 @@ "title": "LifecycleConfiguration" }, "OutpostId": { - "markdownDescription": "The ID of the Outpost of the specified bucket.", + "markdownDescription": "", "title": "OutpostId", "type": "string" }, @@ -218225,7 +220005,7 @@ "title": "Filter" }, "Id": { - "markdownDescription": "The unique identifier for the lifecycle rule. The value can't be longer than 255 characters.", + "markdownDescription": "", "title": "Id", "type": "string" }, @@ -218360,21 +220140,21 @@ }, "FailedReason": { "$ref": "#/definitions/AWS::S3Outposts::Endpoint.FailedReason", - "markdownDescription": "", + "markdownDescription": "The failure reason, if any, for a create or delete endpoint operation.", "title": "FailedReason" }, "OutpostId": { - "markdownDescription": "The ID of the Outpost.", + "markdownDescription": "", "title": "OutpostId", "type": "string" }, "SecurityGroupId": { - "markdownDescription": "The ID of the security group to use with the endpoint.", + "markdownDescription": "The ID of the security group used for the endpoint.", "title": "SecurityGroupId", "type": "string" }, "SubnetId": { - "markdownDescription": "The ID of the subnet.", + "markdownDescription": "The ID of the subnet used for the endpoint.", "title": "SubnetId", "type": "string" } @@ -218411,12 +220191,12 @@ "additionalProperties": false, "properties": { "ErrorCode": { - "markdownDescription": "", + "markdownDescription": "The failure code, if any, for a create or delete endpoint operation.", "title": "ErrorCode", "type": "string" }, "Message": { - "markdownDescription": "", + "markdownDescription": "Additional error details describing the endpoint failure and recommended action.", "title": "Message", "type": "string" } @@ -220058,6 +221838,8 @@ "additionalProperties": false, "properties": { "ArchivePolicy": { + "markdownDescription": "The archive policy determines the number of days Amazon SNS retains messages. You can set a retention period from 1 to 365 days.", + "title": "ArchivePolicy", "type": "object" }, "ContentBasedDeduplication": { @@ -220112,7 +221894,7 @@ "type": "string" }, "TracingConfig": { - "markdownDescription": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to `Active` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.", + "markdownDescription": "Tracing mode of an Amazon SNS topic. By default `TracingConfig` is set to `PassThrough` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to `Active` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.", "title": "TracingConfig", "type": "string" } @@ -220195,9 +221977,13 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "A policy document that contains permissions to add to the specified Amazon SNS topic.", + "title": "PolicyDocument", "type": "object" }, "TopicArn": { + "markdownDescription": "The Amazon Resource Name (ARN) of the topic to which you want to add the policy.", + "title": "TopicArn", "type": "string" } }, @@ -220405,7 +222191,7 @@ "type": "object" }, "SqsManagedSseEnabled": { - "markdownDescription": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ).", + "markdownDescription": "Enables server-side queue encryption using SQS owned encryption keys. Only one server-side encryption option is supported per queue (for example, [SSE-KMS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) or [SSE-SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sqs-sse-queue.html) ). When `SqsManagedSseEnabled` is not defined, `SSE-SQS` encryption is enabled by default.", "title": "SqsManagedSseEnabled", "type": "boolean" }, @@ -220481,9 +222267,13 @@ "additionalProperties": false, "properties": { "PolicyDocument": { + "markdownDescription": "A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see [Using custom policies with the Amazon SQS access policy language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon SQS Developer Guide* .", + "title": "PolicyDocument", "type": "object" }, "Queue": { + "markdownDescription": "The URLs of the queues to which you want to add the policy. You can use the `[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)` function to specify an `[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)` resource.", + "title": "Queue", "type": "string" } }, @@ -220684,8 +222474,6 @@ "title": "OutputLocation" }, "Parameters": { - "markdownDescription": "The parameters for the runtime configuration of the document.", - "title": "Parameters", "type": "object" }, "ScheduleExpression": { @@ -220712,7 +222500,7 @@ "type": "array" }, "WaitForSuccessTimeoutSeconds": { - "markdownDescription": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.", + "markdownDescription": "The number of seconds the service should wait for the association status to show \"Success\" before proceeding with the stack execution. If the association status doesn't show \"Success\" after the specified number of seconds, then stack creation fails.\n\n> When you specify a value for the `WaitForSuccessTimeoutSeconds` , [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) for your AWS CloudFormation stack\u2019s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don\u2019t include `WaitForSuccessTimeoutSeconds` in your template.", "title": "WaitForSuccessTimeoutSeconds", "type": "number" } @@ -220852,7 +222640,7 @@ "type": "string" }, "DocumentType": { - "markdownDescription": "The type of document to create.\n\n*Allowed Values* : `ApplicationConfigurationSchema` | `Automation` | `Automation.ChangeTemplate` | `Command` | `DeploymentStrategy` | `Package` | `Policy` | `Session`", + "markdownDescription": "The type of document to create.", "title": "DocumentType", "type": "string" }, @@ -222001,8 +223789,6 @@ "type": "string" }, "SyncName": { - "markdownDescription": "A name for the resource data sync.", - "title": "SyncName", "type": "string" }, "SyncSource": { @@ -223735,7 +225521,7 @@ "type": "string" }, "AppType": { - "markdownDescription": "The type of app.\n\n*Allowed Values* : `JupyterServer | KernelGateway | RSessionGateway | RStudioServerPro | TensorBoard | Canvas`", + "markdownDescription": "The type of app.", "title": "AppType", "type": "string" }, @@ -224187,30 +225973,32 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::DataQualityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } @@ -224316,7 +226104,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -224352,7 +226140,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::DataQualityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -224393,6 +226181,8 @@ "type": "string" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { @@ -224401,7 +226191,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -224446,7 +226236,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -224842,7 +226632,7 @@ }, "DefaultSpaceSettings": { "$ref": "#/definitions/AWS::SageMaker::Domain.DefaultSpaceSettings", - "markdownDescription": "", + "markdownDescription": "A collection of settings that apply to spaces created in the Domain.", "title": "DefaultSpaceSettings" }, "DefaultUserSettings": { @@ -225373,7 +227163,9 @@ "title": "BlueGreenUpdatePolicy" }, "RollingUpdatePolicy": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.RollingUpdatePolicy" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.RollingUpdatePolicy", + "markdownDescription": "Specifies a rolling deployment strategy for updating a SageMaker endpoint.", + "title": "RollingUpdatePolicy" } }, "type": "object" @@ -225382,15 +227174,23 @@ "additionalProperties": false, "properties": { "MaximumBatchSize": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize", + "markdownDescription": "Batch size for each rolling step to provision capacity and turn on traffic on the new endpoint fleet, and terminate capacity on the old endpoint fleet. Value must be between 5% to 50% of the variant's total instance count.", + "title": "MaximumBatchSize" }, "MaximumExecutionTimeoutInSeconds": { + "markdownDescription": "The time limit for the total deployment. Exceeding this limit causes a timeout.", + "title": "MaximumExecutionTimeoutInSeconds", "type": "number" }, "RollbackMaximumBatchSize": { - "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize" + "$ref": "#/definitions/AWS::SageMaker::Endpoint.CapacitySize", + "markdownDescription": "Batch size for rollback to the old endpoint fleet. Each rolling step to provision capacity and turn on traffic on the old endpoint fleet, and terminate capacity on the new endpoint fleet. If this field is absent, the default value will be set to 100% of total capacity which means to bring up the whole capacity of the old fleet at once during rollback.", + "title": "RollbackMaximumBatchSize" }, "WaitIntervalInSeconds": { + "markdownDescription": "The length of the baking period, during which SageMaker monitors alarms for each batch on the new fleet.", + "title": "WaitIntervalInSeconds", "type": "number" } }, @@ -225492,7 +227292,7 @@ }, "ExplainerConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ExplainerConfig", - "markdownDescription": "", + "markdownDescription": "A parameter to activate explainers.", "title": "ExplainerConfig" }, "KmsKeyId": { @@ -225593,7 +227393,7 @@ "items": { "type": "string" }, - "markdownDescription": "", + "markdownDescription": "The Amazon SNS topics where you want the inference response to be included.\n\n> The inference response is included only if the response size is less than or equal to 128 KB.", "title": "IncludeInferenceResponseIn", "type": "array" }, @@ -225619,7 +227419,7 @@ "title": "NotificationConfig" }, "S3FailurePath": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location to upload failure inference responses to.", "title": "S3FailurePath", "type": "string" }, @@ -225671,18 +227471,18 @@ "additionalProperties": false, "properties": { "EnableExplanations": { - "markdownDescription": "", + "markdownDescription": "A JMESPath boolean expression used to filter which records to explain. Explanations are activated by default. See [`EnableExplanations`](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-enable) for additional information.", "title": "EnableExplanations", "type": "string" }, "InferenceConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyInferenceConfig", - "markdownDescription": "", + "markdownDescription": "The inference configuration parameter for the model container.", "title": "InferenceConfig" }, "ShapConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyShapConfig", - "markdownDescription": "", + "markdownDescription": "The configuration for SHAP analysis.", "title": "ShapConfig" } }, @@ -225705,7 +227505,7 @@ "additionalProperties": false, "properties": { "ContentTemplate": { - "markdownDescription": "", + "markdownDescription": "A template string used to format a JSON record into an acceptable model container input. For example, a `ContentTemplate` string `'{\"myfeatures\":$features}'` will format a list of features `[1,2,3]` into the record string `'{\"myfeatures\":[1,2,3]}'` . Required only when the model container input is in JSON Lines format.", "title": "ContentTemplate", "type": "string" }, @@ -225713,7 +227513,7 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyHeader" }, - "markdownDescription": "", + "markdownDescription": "The names of the features. If provided, these are included in the endpoint response payload to help readability of the `InvokeEndpoint` output. See the [Response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", "title": "FeatureHeaders", "type": "array" }, @@ -225721,17 +227521,17 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyFeatureType" }, - "markdownDescription": "", + "markdownDescription": "A list of data types of the features (optional). Applicable only to NLP explainability. If provided, `FeatureTypes` must have at least one `'text'` string (for example, `['text']` ). If `FeatureTypes` is not provided, the explainer infers the feature types based on the baseline data. The feature types are included in the endpoint response payload. For additional information see the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information.", "title": "FeatureTypes", "type": "array" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "Provides the JMESPath expression to extract the features from a model container input in JSON Lines format. For example, if `FeaturesAttribute` is the JMESPath expression `'myfeatures'` , it extracts a list of features `[1,2,3]` from request data `'{\"myfeatures\":[1,2,3]}'` .", "title": "FeaturesAttribute", "type": "string" }, "LabelAttribute": { - "markdownDescription": "", + "markdownDescription": "A JMESPath expression used to locate the list of label headers in the model container output.\n\n*Example* : If the model container output of a batch request is `'{\"labels\":[\"cat\",\"dog\",\"fish\"],\"probability\":[0.6,0.3,0.1]}'` , then set `LabelAttribute` to `'labels'` to extract the list of label headers `[\"cat\",\"dog\",\"fish\"]`", "title": "LabelAttribute", "type": "string" }, @@ -225739,32 +227539,32 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyHeader" }, - "markdownDescription": "", + "markdownDescription": "For multiclass classification problems, the label headers are the names of the classes. Otherwise, the label header is the name of the predicted label. These are used to help readability for the output of the `InvokeEndpoint` API. See the [response](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-invoke-endpoint.html#clarify-online-explainability-response) section under *Invoke the endpoint* in the Developer Guide for more information. If there are no label headers in the model container output, provide them manually using this parameter.", "title": "LabelHeaders", "type": "array" }, "LabelIndex": { - "markdownDescription": "", + "markdownDescription": "A zero-based index used to extract a label header or list of label headers from model container output in CSV format.\n\n*Example for a multiclass model:* If the model container output consists of label headers followed by probabilities: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `LabelIndex` to `0` to select the label headers `['cat','dog','fish']` .", "title": "LabelIndex", "type": "number" }, "MaxPayloadInMB": { - "markdownDescription": "", + "markdownDescription": "The maximum payload size (MB) allowed of a request from the explainer to the model container. Defaults to `6` MB.", "title": "MaxPayloadInMB", "type": "number" }, "MaxRecordCount": { - "markdownDescription": "", + "markdownDescription": "The maximum number of records in a request that the model container can process when querying the model container for the predictions of a [synthetic dataset](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html#clarify-online-explainability-create-endpoint-synthetic) . A record is a unit of input data that inference can be made on, for example, a single line in CSV data. If `MaxRecordCount` is `1` , the model container expects one record per request. A value of 2 or greater means that the model expects batch requests, which can reduce overhead and speed up the inferencing process. If this parameter is not provided, the explainer will tune the record count per request according to the model container's capacity at runtime.", "title": "MaxRecordCount", "type": "number" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "A JMESPath expression used to extract the probability (or score) from the model container output if the model container is in JSON Lines format.\n\n*Example* : If the model container output of a single request is `'{\"predicted_label\":1,\"probability\":0.6}'` , then set `ProbabilityAttribute` to `'probability'` .", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityIndex": { - "markdownDescription": "", + "markdownDescription": "A zero-based index used to extract a probability value (score) or list from model container output in CSV format. If this value is not provided, the entire model container output will be treated as a probability value (score) or list.\n\n*Example for a single class model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'1,0.6'` , set `ProbabilityIndex` to `1` to select the probability value `0.6` .\n\n*Example for a multiclass model:* If the model container output consists of a string-formatted prediction label followed by its probability: `'\"[\\'cat\\',\\'dog\\',\\'fish\\']\",\"[0.1,0.6,0.3]\"'` , set `ProbabilityIndex` to `1` to select the probability values `[0.1,0.6,0.3]` .", "title": "ProbabilityIndex", "type": "number" } @@ -225775,17 +227575,17 @@ "additionalProperties": false, "properties": { "MimeType": { - "markdownDescription": "", + "markdownDescription": "The MIME type of the baseline data. Choose from `'text/csv'` or `'application/jsonlines'` . Defaults to `'text/csv'` .", "title": "MimeType", "type": "string" }, "ShapBaseline": { - "markdownDescription": "", + "markdownDescription": "The inline SHAP baseline data in string format. `ShapBaseline` can have one or multiple records to be used as the baseline dataset. The format of the SHAP baseline file should be the same format as the training dataset. For example, if the training dataset is in CSV format and each record contains four features, and all features are numerical, then the format of the baseline data should also share these characteristics. For natural language processing (NLP) of text columns, the baseline value should be the value used to replace the unit of text specified by the `Granularity` of the `TextConfig` parameter. The size limit for `ShapBasline` is 4 KB. Use the `ShapBaselineUri` parameter if you want to provide more than 4 KB of baseline data.", "title": "ShapBaseline", "type": "string" }, "ShapBaselineUri": { - "markdownDescription": "", + "markdownDescription": "The uniform resource identifier (URI) of the S3 bucket where the SHAP baseline file is stored. The format of the SHAP baseline file should be the same format as the format of the training dataset. For example, if the training dataset is in CSV format, and each record in the training dataset has four features, and all features are numerical, then the baseline file should also have this same format. Each record should contain only the features. If you are using a virtual private cloud (VPC), the `ShapBaselineUri` should be accessible to the VPC. For more information about setting up endpoints with Amazon Virtual Private Cloud, see [Give SageMaker access to Resources in your Amazon Virtual Private Cloud](https://docs.aws.amazon.com/sagemaker/latest/dg/infrastructure-give-access.html) .", "title": "ShapBaselineUri", "type": "string" } @@ -225796,27 +227596,27 @@ "additionalProperties": false, "properties": { "NumberOfSamples": { - "markdownDescription": "", + "markdownDescription": "The number of samples to be used for analysis by the Kernal SHAP algorithm.\n\n> The number of samples determines the size of the synthetic dataset, which has an impact on latency of explainability requests. For more information, see the *Synthetic data* of [Configure and create an endpoint](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-online-explainability-create-endpoint.html) .", "title": "NumberOfSamples", "type": "number" }, "Seed": { - "markdownDescription": "", + "markdownDescription": "The starting value used to initialize the random number generator in the explainer. Provide a value for this parameter to obtain a deterministic SHAP result.", "title": "Seed", "type": "number" }, "ShapBaselineConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyShapBaselineConfig", - "markdownDescription": "", + "markdownDescription": "The configuration for the SHAP baseline of the Kernal SHAP algorithm.", "title": "ShapBaselineConfig" }, "TextConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyTextConfig", - "markdownDescription": "", + "markdownDescription": "A parameter that indicates if text features are treated as text and explanations are provided for individual units of text. Required for natural language processing (NLP) explainability only.", "title": "TextConfig" }, "UseLogit": { - "markdownDescription": "", + "markdownDescription": "A Boolean toggle to indicate if you want to use the logit function (true) or log-odds units (false) for model predictions. Defaults to false.", "title": "UseLogit", "type": "boolean" } @@ -225830,12 +227630,12 @@ "additionalProperties": false, "properties": { "Granularity": { - "markdownDescription": "", + "markdownDescription": "The unit of granularity for the analysis of text features. For example, if the unit is `'token'` , then each token (like a word in English) of the text is treated as a feature. SHAP values are computed for each unit/feature.", "title": "Granularity", "type": "string" }, "Language": { - "markdownDescription": "", + "markdownDescription": "Specifies the language of the text features in [ISO 639-1](https://docs.aws.amazon.com/ https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) or [ISO 639-3](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_639-3) code of a supported language.\n\n> For a mix of multiple languages, use code `'xx'` .", "title": "Language", "type": "string" } @@ -225895,7 +227695,7 @@ "properties": { "ClarifyExplainerConfig": { "$ref": "#/definitions/AWS::SageMaker::EndpointConfig.ClarifyExplainerConfig", - "markdownDescription": "", + "markdownDescription": "A member of `ExplainerConfig` that contains configuration parameters for the SageMaker Clarify explainer.", "title": "ClarifyExplainerConfig" } }, @@ -225910,12 +227710,12 @@ "type": "string" }, "ContainerStartupHealthCheckTimeoutInSeconds": { - "markdownDescription": "", + "markdownDescription": "The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests) .", "title": "ContainerStartupHealthCheckTimeoutInSeconds", "type": "number" }, "EnableSSMAccess": { - "markdownDescription": "", + "markdownDescription": "You can use this parameter to turn on native AWS Systems Manager (SSM) access for a production variant behind an endpoint. By default, SSM access is disabled for all production variants behind an endpoint. You can turn on or turn off SSM access for a production variant behind an existing endpoint by creating a new endpoint configuration and calling `UpdateEndpoint` .", "title": "EnableSSMAccess", "type": "boolean" }, @@ -225935,7 +227735,7 @@ "type": "string" }, "ModelDataDownloadTimeoutInSeconds": { - "markdownDescription": "", + "markdownDescription": "The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant.", "title": "ModelDataDownloadTimeoutInSeconds", "type": "number" }, @@ -225955,7 +227755,7 @@ "type": "string" }, "VolumeSizeInGB": { - "markdownDescription": "", + "markdownDescription": "The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Currently only Amazon EBS gp2 storage volumes are supported.", "title": "VolumeSizeInGB", "type": "number" } @@ -226173,7 +227973,7 @@ "title": "S3StorageConfig" }, "TableFormat": { - "markdownDescription": "", + "markdownDescription": "Format for the offline store table. Supported formats are Glue (Default) and [Apache Iceberg](https://docs.aws.amazon.com/https://iceberg.apache.org/) .", "title": "TableFormat", "type": "string" } @@ -226265,7 +228065,7 @@ "additionalProperties": false, "properties": { "ImageDescription": { - "markdownDescription": "The description of the image.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 512.\n\n*Pattern* : `.*`", + "markdownDescription": "The description of the image.", "title": "ImageDescription", "type": "string" }, @@ -226356,20 +228156,26 @@ "additionalProperties": false, "properties": { "Alias": { + "markdownDescription": "", + "title": "Alias", "type": "string" }, "Aliases": { "items": { "type": "string" }, + "markdownDescription": "", + "title": "Aliases", "type": "array" }, "BaseImage": { - "markdownDescription": "The container image that the SageMaker image version is based on.\n\n*Length Constraints* : Minimum length of 1. Maximum length of 255.\n\n*Pattern* : `.*`", + "markdownDescription": "The container image that the SageMaker image version is based on.", "title": "BaseImage", "type": "string" }, "Horovod": { + "markdownDescription": "", + "title": "Horovod", "type": "boolean" }, "ImageName": { @@ -226378,21 +228184,33 @@ "type": "string" }, "JobType": { + "markdownDescription": "", + "title": "JobType", "type": "string" }, "MLFramework": { + "markdownDescription": "", + "title": "MLFramework", "type": "string" }, "Processor": { + "markdownDescription": "", + "title": "Processor", "type": "string" }, "ProgrammingLang": { + "markdownDescription": "", + "title": "ProgrammingLang", "type": "string" }, "ReleaseNotes": { + "markdownDescription": "", + "title": "ReleaseNotes", "type": "string" }, "VendorGuidance": { + "markdownDescription": "", + "title": "VendorGuidance", "type": "string" } }, @@ -226567,7 +228385,7 @@ "items": { "type": "string" }, - "markdownDescription": "The list of all content type headers that SageMaker will treat as CSV and capture accordingly.", + "markdownDescription": "The list of all content type headers that Amazon SageMaker will treat as CSV and capture accordingly.", "title": "CsvContentTypes", "type": "array" }, @@ -227126,57 +228944,57 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelBiasJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "EndTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "EndTimeOffset", "type": "string" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "The attributes of the input data that are the input features.", "title": "FeaturesAttribute", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityThresholdAttribute": { - "markdownDescription": "", + "markdownDescription": "The threshold for the class probability to be evaluated as a positive result.", "title": "ProbabilityThresholdAttribute", "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" }, "StartTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "StartTimeOffset", "type": "string" } @@ -227301,7 +229119,7 @@ "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -227385,7 +229203,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelBiasJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -227436,7 +229254,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -227865,7 +229683,7 @@ "items": { "$ref": "#/definitions/AWS::SageMaker::ModelCard.Container" }, - "markdownDescription": "", + "markdownDescription": "The Amazon ECR registry path of the Docker image that contains the inference code.", "title": "Containers", "type": "array" } @@ -227910,39 +229728,27 @@ "additionalProperties": false, "properties": { "Name": { - "markdownDescription": "The names of the metrics.", - "title": "Name", "type": "string" }, "Notes": { - "markdownDescription": "Any notes to add to the metric.", - "title": "Notes", "type": "string" }, "Type": { - "markdownDescription": "You must specify one of the following data types:\n\n- Bar Chart `bar_char`\n- Boolean `boolean`\n- Linear Graph `linear_graph`\n- Matrix `matrix`\n- Number `number`\n- String `string`", - "title": "Type", "type": "string" }, "Value": { - "markdownDescription": "The datatype of the metric. The metric's *value* must be compatible with the metric's *type* .", - "title": "Value", "type": "object" }, "XAxisName": { "items": { "type": "string" }, - "markdownDescription": "The name of the x axis.", - "title": "XAxisName", "type": "array" }, "YAxisName": { "items": { "type": "string" }, - "markdownDescription": "The name of the y axis.", - "title": "YAxisName", "type": "array" } }, @@ -228151,12 +229957,12 @@ "additionalProperties": false, "properties": { "AlgorithmName": { - "markdownDescription": "", + "markdownDescription": "The name of an algorithm that was used to create the model package. The algorithm must be either an algorithm resource in your SageMaker account or an algorithm in AWS Marketplace that you are subscribed to.", "title": "AlgorithmName", "type": "string" }, "ModelDataUrl": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 path where the model artifacts, which result from model training, are stored. This path must point to a single `gzip` compressed tar archive ( `.tar.gz` suffix).\n\n> The model artifacts must be in an S3 bucket that is in the same AWS region as the algorithm.", "title": "ModelDataUrl", "type": "string" } @@ -228451,42 +230257,42 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelExplainabilityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "FeaturesAttribute": { - "markdownDescription": "", + "markdownDescription": "The attributes of the input data that are the input features.", "title": "FeaturesAttribute", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } @@ -228601,7 +230407,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -228632,7 +230438,7 @@ "additionalProperties": false, "properties": { "ConfigUri": { - "markdownDescription": "JSON formatted S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", + "markdownDescription": "JSON formatted Amazon S3 file that defines explainability parameters. For more information on this JSON configuration file, see [Configure model explainability parameters](https://docs.aws.amazon.com/sagemaker/latest/dg/clarify-config-json-monitor-model-explainability-parameters.html) .", "title": "ConfigUri", "type": "string" }, @@ -228680,7 +230486,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelExplainabilityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -228709,7 +230515,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -228970,6 +230776,8 @@ "type": "string" }, "SkipModelValidation": { + "markdownDescription": "Indicates if you want to skip model validation.", + "title": "SkipModelValidation", "type": "string" }, "SourceAlgorithmSpecification": { @@ -229963,52 +231771,52 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::ModelQualityJobDefinition.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "EndTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs subtract this time from the end time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "EndTimeOffset", "type": "string" }, "InferenceAttribute": { - "markdownDescription": "", + "markdownDescription": "The attribute of the input data that represents the ground truth label.", "title": "InferenceAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "ProbabilityAttribute": { - "markdownDescription": "", + "markdownDescription": "In a classification problem, the attribute that represents the class probability.", "title": "ProbabilityAttribute", "type": "string" }, "ProbabilityThresholdAttribute": { - "markdownDescription": "", + "markdownDescription": "The threshold for the class probability to be evaluated as a positive result.", "title": "ProbabilityThresholdAttribute", "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" }, "StartTimeOffset": { - "markdownDescription": "", + "markdownDescription": "If specified, monitoring jobs substract this time from the start time. For information about using offsets for scheduling monitoring jobs, see [Schedule Model Quality Monitoring Jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-model-quality-schedule.html) .", "title": "StartTimeOffset", "type": "string" } @@ -230128,7 +231936,7 @@ "type": "number" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -230206,7 +232014,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -230238,7 +232046,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::ModelQualityJobDefinition.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -230289,7 +232097,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -230528,30 +232336,32 @@ "additionalProperties": false, "properties": { "DataCapturedDestinationS3Uri": { - "markdownDescription": "", + "markdownDescription": "The Amazon S3 location being used to capture the data.", "title": "DataCapturedDestinationS3Uri", "type": "string" }, "DatasetFormat": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.DatasetFormat", - "markdownDescription": "", + "markdownDescription": "The dataset format for your batch transform job.", "title": "DatasetFormat" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { - "markdownDescription": "", + "markdownDescription": "Path to the filesystem where the batch transform data is available to the container.", "title": "LocalPath", "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, "S3InputMode": { - "markdownDescription": "", + "markdownDescription": "Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File` .", "title": "S3InputMode", "type": "string" } @@ -230646,6 +232456,8 @@ "type": "string" }, "ExcludeFeaturesAttribute": { + "markdownDescription": "The attributes of the input data to exclude from the analysis.", + "title": "ExcludeFeaturesAttribute", "type": "string" }, "LocalPath": { @@ -230654,7 +232466,7 @@ "type": "string" }, "S3DataDistributionType": { - "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`", + "markdownDescription": "Whether input data distributed in Amazon S3 is fully replicated or sharded by an Amazon S3 key. Defaults to `FullyReplicated`", "title": "S3DataDistributionType", "type": "string" }, @@ -230711,7 +232523,7 @@ "type": "string" }, "RecordPreprocessorSourceUri": { - "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", + "markdownDescription": "An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flattened JSON so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers.", "title": "RecordPreprocessorSourceUri", "type": "string" } @@ -230779,7 +232591,7 @@ "properties": { "BatchTransformInput": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.BatchTransformInput", - "markdownDescription": "", + "markdownDescription": "Input object for the batch transform job.", "title": "BatchTransformInput" }, "EndpointInput": { @@ -230824,7 +232636,7 @@ }, "MonitoringOutputConfig": { "$ref": "#/definitions/AWS::SageMaker::MonitoringSchedule.MonitoringOutputConfig", - "markdownDescription": "The array of outputs from the monitoring job to be uploaded to Amazon Simple Storage Service (Amazon S3).", + "markdownDescription": "The array of outputs from the monitoring job to be uploaded to Amazon S3.", "title": "MonitoringOutputConfig" }, "MonitoringResources": { @@ -230875,7 +232687,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The AWS Key Management Service ( AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", + "markdownDescription": "The AWS Key Management Service ( AWS KMS ) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.", "title": "KmsKeyId", "type": "string" }, @@ -230983,13 +232795,17 @@ "additionalProperties": false, "properties": { "DataAnalysisEndTime": { + "markdownDescription": "Sets the end time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to end the window one hour before the start of each monitoring job, you would specify: `\"-PT1H\"` .\n\nThe end time that you specify must not follow the start time that you specify by more than 24 hours. You specify the start time with the `DataAnalysisStartTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "title": "DataAnalysisEndTime", "type": "string" }, "DataAnalysisStartTime": { + "markdownDescription": "Sets the start time for a monitoring job window. Express this time as an offset to the times that you schedule your monitoring jobs to run. You schedule monitoring jobs with the `ScheduleExpression` parameter. Specify this offset in ISO 8601 duration format. For example, if you want to monitor the five hours of data in your dataset that precede the start of each monitoring job, you would specify: `\"-PT5H\"` .\n\nThe start time that you specify must not precede the end time that you specify by more than 24 hours. You specify the end time with the `DataAnalysisEndTime` parameter.\n\nIf you set `ScheduleExpression` to `NOW` , this parameter is required.", + "title": "DataAnalysisStartTime", "type": "string" }, "ScheduleExpression": { - "markdownDescription": "A cron expression that describes details about the monitoring schedule.\n\nCurrently the only supported cron expressions are:\n\n- If you want to set the job to start every hour, please use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day.", + "markdownDescription": "A cron expression that describes details about the monitoring schedule.\n\nThe supported cron expressions are:\n\n- If you want to set the job to start every hour, use the following:\n\n`Hourly: cron(0 * ? * * *)`\n- If you want to start the job daily:\n\n`cron(0 [00-23] ? * * *)`\n- If you want to run the job one time, immediately, use the following keyword:\n\n`NOW`\n\nFor example, the following are valid cron expressions:\n\n- Daily at noon UTC: `cron(0 12 ? * * *)`\n- Daily at midnight UTC: `cron(0 0 ? * * *)`\n\nTo support running every 6, 12 hours, the following are also supported:\n\n`cron(0 [00-23]/[01-24] ? * * *)`\n\nFor example, the following are valid cron expressions:\n\n- Every 12 hours, starting at 5pm UTC: `cron(0 17/12 ? * * *)`\n- Every two hours starting at midnight: `cron(0 0/2 ? * * *)`\n\n> - Even though the cron expression is set to start at 5PM UTC, note that there could be a delay of 0-20 minutes from the actual requested time to run the execution.\n> - We recommend that if you would like a daily schedule, you do not provide this parameter. Amazon SageMaker will pick a time for running every day. \n\nYou can also specify the keyword `NOW` to run the monitoring job immediately, one time, without recurring.", "title": "ScheduleExpression", "type": "string" } @@ -231346,7 +233162,7 @@ "properties": { "ParallelismConfiguration": { "$ref": "#/definitions/AWS::SageMaker::Pipeline.ParallelismConfiguration", - "markdownDescription": "", + "markdownDescription": "The parallelism configuration applied to the pipeline.", "title": "ParallelismConfiguration" }, "PipelineDefinition": { @@ -231429,13 +233245,13 @@ "additionalProperties": false, "properties": { "PipelineDefinitionBody": { - "markdownDescription": "", + "markdownDescription": "The [JSON pipeline definition](https://docs.aws.amazon.com/https://aws-sagemaker-mlops.github.io/sagemaker-model-building-pipeline-definition-JSON-schema/) of the pipeline.", "title": "PipelineDefinitionBody", "type": "string" }, "PipelineDefinitionS3Location": { "$ref": "#/definitions/AWS::SageMaker::Pipeline.S3Location", - "markdownDescription": "", + "markdownDescription": "The location of the pipeline definition stored in Amazon S3. If specified, SageMaker retrieves the pipeline definition from this location.", "title": "PipelineDefinitionS3Location" } }, @@ -231445,22 +233261,22 @@ "additionalProperties": false, "properties": { "Bucket": { - "markdownDescription": "", + "markdownDescription": "The name of the S3 bucket.", "title": "Bucket", "type": "string" }, "ETag": { - "markdownDescription": "", + "markdownDescription": "A file checksum of the pipeline definition file.", "title": "ETag", "type": "string" }, "Key": { - "markdownDescription": "", + "markdownDescription": "The object key (or key name) which uniquely identifies the object in an S3 bucket.", "title": "Key", "type": "string" }, "Version": { - "markdownDescription": "", + "markdownDescription": "The version ID of the pipeline definition file. If not specified, Amazon SageMaker will retrieve the latest version.", "title": "Version", "type": "string" } @@ -231518,7 +233334,7 @@ }, "ServiceCatalogProvisionedProductDetails": { "$ref": "#/definitions/AWS::SageMaker::Project.ServiceCatalogProvisionedProductDetails", - "markdownDescription": "", + "markdownDescription": "Details of a provisioned service catalog product. For information about service catalog, see [What is AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html) .", "title": "ServiceCatalogProvisionedProductDetails" }, "ServiceCatalogProvisioningDetails": { @@ -232524,7 +234340,7 @@ "type": "number" }, "Mode": { - "markdownDescription": "Determines whether the schedule is invoked within a flexible time window.\n\n*Allowed Values* : `OFF` | `FLEXIBLE`", + "markdownDescription": "Determines whether the schedule is invoked within a flexible time window. You must use quotation marks when you specify this value in your JSON or YAML template.\n\n*Allowed Values* : `\"OFF\"` | `\"FLEXIBLE\"`", "title": "Mode", "type": "string" } @@ -233325,13 +235141,13 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.AutomationRulesAction" }, - "markdownDescription": "One or more actions to update finding fields if a finding matches the defined criteria of the rule.", + "markdownDescription": "One or more actions to update finding fields if a finding matches the conditions specified in `Criteria` .", "title": "Actions", "type": "array" }, "Criteria": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.AutomationRulesFindingFilters", - "markdownDescription": "A set of [AWS Security Finding Format](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.", + "markdownDescription": "A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding.", "title": "Criteria" }, "Description": { @@ -233340,7 +235156,7 @@ "type": "string" }, "IsTerminal": { - "markdownDescription": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to `true` for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. The default value of this field is `false` .", + "markdownDescription": "Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.", "title": "IsTerminal", "type": "boolean" }, @@ -233483,7 +235299,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The AWS account ID in which a finding was generated.", + "markdownDescription": "The AWS account ID in which a finding was generated.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "AwsAccountId", "type": "array" }, @@ -233491,7 +235307,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .", + "markdownDescription": "The name of the company for the product that generated the finding. For control-based findings, the company is AWS .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "CompanyName", "type": "array" }, @@ -233499,7 +235315,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.", + "markdownDescription": "The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceAssociatedStandardsId", "type": "array" }, @@ -233507,7 +235323,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The security control ID for which a finding was generated. Security control IDs are the same across standards.", + "markdownDescription": "The security control ID for which a finding was generated. Security control IDs are the same across standards.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceSecurityControlId", "type": "array" }, @@ -233515,7 +235331,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The result of a security check. This field is only used for findings generated from controls.", + "markdownDescription": "The result of a security check. This field is only used for findings generated from controls.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ComplianceStatus", "type": "array" }, @@ -233523,7 +235339,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.NumberFilter" }, - "markdownDescription": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .", + "markdownDescription": "The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0\u2013100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Confidence", "type": "array" }, @@ -233531,7 +235347,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when this finding record was created.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "CreatedAt", "type": "array" }, @@ -233539,7 +235355,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.NumberFilter" }, - "markdownDescription": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .", + "markdownDescription": "The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Criticality", "type": "array" }, @@ -233547,7 +235363,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's description.", + "markdownDescription": "A finding's description.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Description", "type": "array" }, @@ -233555,7 +235371,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "FirstObservedAt", "type": "array" }, @@ -233563,7 +235379,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The identifier for the solution-specific component that generated a finding.", + "markdownDescription": "The identifier for the solution-specific component that generated a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "GeneratorId", "type": "array" }, @@ -233571,7 +235387,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The product-specific identifier for a finding.", + "markdownDescription": "The product-specific identifier for a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Id", "type": "array" }, @@ -233579,7 +235395,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "LastObservedAt", "type": "array" }, @@ -233587,7 +235403,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The text of a user-defined note that's added to a finding.", + "markdownDescription": "The text of a user-defined note that's added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteText", "type": "array" }, @@ -233595,7 +235411,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "The timestamp of when the note was updated. Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteUpdatedAt", "type": "array" }, @@ -233603,7 +235419,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The principal that created a note.", + "markdownDescription": "The principal that created a note.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "NoteUpdatedBy", "type": "array" }, @@ -233611,7 +235427,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.", + "markdownDescription": "The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ProductArn", "type": "array" }, @@ -233619,7 +235435,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.", + "markdownDescription": "Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ProductName", "type": "array" }, @@ -233627,7 +235443,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the current state of a finding.", + "markdownDescription": "Provides the current state of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RecordState", "type": "array" }, @@ -233635,7 +235451,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The product-generated identifier for a related finding.", + "markdownDescription": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RelatedFindingsId", "type": "array" }, @@ -233643,7 +235459,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The ARN for the product that generated a related finding.", + "markdownDescription": "The ARN for the product that generated a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "RelatedFindingsProductArn", "type": "array" }, @@ -233651,7 +235467,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "Custom fields and values about the resource that a finding pertains to.", + "markdownDescription": "Custom fields and values about the resource that a finding pertains to.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceDetailsOther", "type": "array" }, @@ -233659,7 +235475,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.", + "markdownDescription": "The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "ResourceId", "type": "array" }, @@ -233667,7 +235483,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.", + "markdownDescription": "The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions . Each AWS account is scoped to one partition.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourcePartition", "type": "array" }, @@ -233675,7 +235491,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The AWS Region where the resource that a finding pertains to is located.", + "markdownDescription": "The AWS Region where the resource that a finding pertains to is located.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceRegion", "type": "array" }, @@ -233683,7 +235499,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "A list of AWS tags associated with a resource at the time the finding was processed.", + "markdownDescription": "A list of AWS tags associated with a resource at the time the finding was processed.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "ResourceTags", "type": "array" }, @@ -233691,7 +235507,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's title.", + "markdownDescription": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "ResourceType", "type": "array" }, @@ -233699,7 +235515,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "The severity value of the finding.", + "markdownDescription": "The severity value of the finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "SeverityLabel", "type": "array" }, @@ -233707,7 +235523,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides a URL that links to a page about the current finding in the finding product.", + "markdownDescription": "Provides a URL that links to a page about the current finding in the finding product.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "SourceUrl", "type": "array" }, @@ -233715,7 +235531,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "A finding's title.", + "markdownDescription": "A finding's title.\n\nArray Members: Minimum number of 1 item. Maximum number of 100 items.", "title": "Title", "type": "array" }, @@ -233723,7 +235539,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .", + "markdownDescription": "One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Type", "type": "array" }, @@ -233731,7 +235547,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.DateFilter" }, - "markdownDescription": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .", + "markdownDescription": "A timestamp that indicates when the finding record was most recently updated.\n\nUses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` .\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "UpdatedAt", "type": "array" }, @@ -233739,7 +235555,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.MapFilter" }, - "markdownDescription": "A list of user-defined name and value string pairs added to a finding.", + "markdownDescription": "A list of user-defined name and value string pairs added to a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "UserDefinedFields", "type": "array" }, @@ -233747,7 +235563,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides the veracity of a finding.", + "markdownDescription": "Provides the veracity of a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "VerificationState", "type": "array" }, @@ -233755,7 +235571,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::AutomationRule.StringFilter" }, - "markdownDescription": "Provides information about the status of the investigation into a finding.", + "markdownDescription": "Provides information about the status of the investigation into a finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "WorkflowStatus", "type": "array" } @@ -233807,7 +235623,7 @@ "additionalProperties": false, "properties": { "Comparison": { - "markdownDescription": "The condition to apply to the key value when querying for findings with a map filter.\n\nTo search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the tag `Department` .\n\nTo search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that do not have the value `Finance` for the tag `Department` .\n\n`EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\n`NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nYou cannot have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field.", + "markdownDescription": "The condition to apply to the key value when filtering Security Hub findings with a map filter.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag.\n\n`CONTAINS` and `EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security` , `Finance` , or both values.\n\nTo search for values that don't have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don\u2019t have the value `Finance` for the `Department` tag.\n\n`NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values.\n\n`CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can\u2019t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error.\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "title": "Comparison", "type": "string" }, @@ -233817,7 +235633,7 @@ "type": "string" }, "Value": { - "markdownDescription": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there is no match.", + "markdownDescription": "The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there's no match.", "title": "Value", "type": "string" } @@ -233874,7 +235690,7 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "The product-generated identifier for a related finding.", + "markdownDescription": "The product-generated identifier for a related finding.\n\nArray Members: Minimum number of 1 item. Maximum number of 20 items.", "title": "Id", "type": "object" }, @@ -233915,12 +235731,12 @@ "additionalProperties": false, "properties": { "Comparison": { - "markdownDescription": "The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that exactly match the filter value, use `EQUALS` .\n\nFor example, the filter `ResourceType EQUALS AwsEc2SecurityGroup` only matches findings that have a resource type of `AwsEc2SecurityGroup` .\n- To search for values that start with the filter value, use `PREFIX` .\n\nFor example, the filter `ResourceType PREFIX AwsIam` matches findings that have a resource type that starts with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all match.\n\n`EQUALS` and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters.\n\nTo search for values that do not contain the filter criteria value, use one of the following comparison operators:\n\n- To search for values that do not exactly match the filter value, use `NOT_EQUALS` .\n\nFor example, the filter `ResourceType NOT_EQUALS AwsIamPolicy` matches findings that have a resource type other than `AwsIamPolicy` .\n- To search for values that do not start with the filter value, use `PREFIX_NOT_EQUALS` .\n\nFor example, the filter `ResourceType PREFIX_NOT_EQUALS AwsIam` matches findings that have a resource type that does not start with `AwsIam` . Findings with a resource type of `AwsIamPolicy` , `AwsIamRole` , or `AwsIamUser` would all be excluded from the results.\n\n`NOT_EQUALS` and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters.\n\nFor filters on the same field, you cannot provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filter, Security Hub first identifies findings that have resource types that start with either `AwsIAM` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`", + "markdownDescription": "The condition to apply to a string value when filtering Security Hub findings.\n\nTo search for values that have the filter value, use one of the following comparison operators:\n\n- To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront.\n- To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` .\n- To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn't match.\n\n`CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title.\n\nTo search for values that don\u2019t have the filter value, use one of the following comparison operators:\n\n- To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront.\n- To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` .\n- To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` .\n\n`NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title.\n\nYou can\u2019t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.\n\nYou can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.\n\nFor example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` .\n\n- `ResourceType PREFIX AwsIam`\n- `ResourceType PREFIX AwsEc2`\n- `ResourceType NOT_EQUALS AwsIamPolicy`\n- `ResourceType NOT_EQUALS AwsEc2NetworkInterface`\n\n`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .", "title": "Comparison", "type": "string" }, "Value": { - "markdownDescription": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter text, then there is no match.", + "markdownDescription": "The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there's no match.", "title": "Value", "type": "string" } @@ -234062,7 +235878,7 @@ "items": { "$ref": "#/definitions/AWS::SecurityHub::Standard.StandardsControl" }, - "markdownDescription": "Specifies which controls are to be disabled in a standard.", + "markdownDescription": "Specifies which controls are to be disabled in a standard.\n\n*Maximum* : `100`", "title": "DisabledStandardsControls", "type": "array" }, @@ -234390,7 +236206,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `MARKETPLACE_AMI` - AWS Marketplace AMI\n- `MARKETPLACE_CAR` - AWS Marketplace Clusters and AWS Resources\n- `TERRAFORM_OPEN_SOURCE` - Terraform open source configuration file", + "markdownDescription": "The type of provisioning artifact.\n\n- `CLOUD_FORMATION_TEMPLATE` - AWS CloudFormation template\n- `TERRAFORM_OPEN_SOURCE` - Terraform Open Source configuration file\n- `TERRAFORM_CLOUD` - Terraform Cloud configuration file\n- `EXTERNAL` - External configuration file", "title": "Type", "type": "string" } @@ -235030,7 +236846,7 @@ "type": "string" }, "PrincipalType": { - "markdownDescription": "The principal type. The supported value is `IAM` .\n\n*Allowed Values* : `IAM`", + "markdownDescription": "The principal type. The supported values are `IAM` and `IAM_PATTERN` .", "title": "PrincipalType", "type": "string" } @@ -236225,8 +238041,6 @@ "type": "object" }, "InstanceId": { - "markdownDescription": "An identifier that you want to associate with the instance. Note the following:\n\n- If the service that's specified by `ServiceId` includes settings for an `SRV` record, the value of `InstanceId` is automatically included as part of the value for the `SRV` record. For more information, see [DnsRecord > Type](https://docs.aws.amazon.com/cloud-map/latest/api/API_DnsRecord.html#cloudmap-Type-DnsRecord-Type) .\n- You can use this value to update an existing instance.\n- To register a new instance, you must specify a value that's unique among instances that you register by using the same service.\n- If you specify an existing `InstanceId` and `ServiceId` , AWS Cloud Map updates the existing DNS records, if any. If there's also an existing health check, AWS Cloud Map deletes the old health check and creates a new one.\n\n> The health check isn't deleted immediately, so it will still appear for a while if you submit a `ListHealthChecks` request, for example.\n\n> Do not include sensitive information in `InstanceId` if the namespace is discoverable by public DNS queries and any `Type` member of `DnsRecord` for the service contains `SRV` because the `InstanceId` is discoverable by public DNS queries.", - "title": "InstanceId", "type": "string" }, "ServiceId": { @@ -236899,7 +238713,7 @@ "properties": { "ApplicationLayerAutomaticResponseConfiguration": { "$ref": "#/definitions/AWS::Shield::Protection.ApplicationLayerAutomaticResponseConfiguration", - "markdownDescription": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.", + "markdownDescription": "The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.\n\nIf you use AWS CloudFormation to manage the web ACLs that you use with Shield Advanced automatic mitigation, see the guidance for the `AWS::WAFv2::WebACL` resource.\n\nhello!", "title": "ApplicationLayerAutomaticResponseConfiguration" }, "HealthCheckArns": { @@ -237741,7 +239555,7 @@ "properties": { "DeploymentPreference": { "$ref": "#/definitions/AWS::StepFunctions::StateMachineAlias.DeploymentPreference", - "markdownDescription": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "markdownDescription": "The settings that enable gradual state machine deployments. These settings include [Alarms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-alarms) , [Interval](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-interval) , [Percentage](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-percentage) , [StateMachineVersionArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-statemachineversionarn) , and [Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stepfunctions-statemachinealias-deploymentpreference.html#cfn-stepfunctions-statemachinealias-deploymentpreference-type) .\n\nCloudFormation automatically shifts traffic from the version an alias currently points to, to a new state machine version that you specify.\n\n> `RoutingConfiguration` and `DeploymentPreference` are mutually exclusive properties. You must define only one of these properties. \n\nBased on the type of deployment you want to perform, you can specify one of the following settings:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any Amazon CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "title": "DeploymentPreference" }, "Description": { @@ -237812,7 +239626,7 @@ "type": "string" }, "Type": { - "markdownDescription": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of seconds between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` seconds, this deployment increases traffic by 20 percent every 600 seconds until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", + "markdownDescription": "The type of deployment you want to perform. You can specify one of the following types:\n\n- `LINEAR` - Shifts traffic to the new version in equal increments with an equal number of minutes between each increment.\n\nFor example, if you specify the increment percent as `20` with an interval of `600` minutes, this deployment increases traffic by 20 percent every 600 minutes until the new version receives 100 percent of the traffic. This deployment immediately rolls back the new version if any CloudWatch alarms are triggered.\n- `ALL_AT_ONCE` - Shifts 100 percent of traffic to the new version immediately. CloudFormation monitors the new version and rolls it back automatically to the previous version if any CloudWatch alarms are triggered.\n- `CANARY` - Shifts traffic in two increments.\n\nIn the first increment, a small percentage of traffic, for example, 10 percent is shifted to the new version. In the second increment, before a specified time interval in seconds gets over, the remaining traffic is shifted to the new version. The shift to the new version for the remaining traffic takes place only if no CloudWatch alarms are triggered during the specified time interval.", "title": "Type", "type": "string" } @@ -239204,7 +241018,9 @@ "title": "RetentionProperties" }, "Schema": { - "$ref": "#/definitions/AWS::Timestream::Table.Schema" + "$ref": "#/definitions/AWS::Timestream::Table.Schema", + "markdownDescription": "The schema of the table.", + "title": "Schema" }, "TableName": { "markdownDescription": "The name of the Timestream table.\n\n*Length Constraints* : Minimum length of 3 bytes. Maximum length of 256 bytes.", @@ -239280,12 +241096,18 @@ "additionalProperties": false, "properties": { "EnforcementInRecord": { + "markdownDescription": "The level of enforcement for the specification of a dimension key in ingested records. Options are REQUIRED (dimension key must be specified) and OPTIONAL (dimension key does not have to be specified).", + "title": "EnforcementInRecord", "type": "string" }, "Name": { + "markdownDescription": "The name of the attribute used for a dimension key.", + "title": "Name", "type": "string" }, "Type": { + "markdownDescription": "The type of the partition key. Options are DIMENSION (dimension key) and MEASURE (measure key).", + "title": "Type", "type": "string" } }, @@ -239347,6 +241169,8 @@ "items": { "$ref": "#/definitions/AWS::Timestream::Table.PartitionKey" }, + "markdownDescription": "A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed.", + "title": "CompositePartitionKey", "type": "array" } }, @@ -239388,7 +241212,7 @@ "additionalProperties": false, "properties": { "AccessRole": { - "markdownDescription": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "markdownDescription": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "title": "AccessRole", "type": "string" }, @@ -239603,13 +241427,13 @@ "additionalProperties": false, "properties": { "AccessRole": { - "markdownDescription": "With AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.", + "markdownDescription": "Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.\n\n*For AS2 connectors*\n\nWith AS2, you can send files by calling `StartFileTransfer` and specifying the file paths in the request parameter, `SendFilePaths` . We use the file\u2019s parent directory (for example, for `--send-file-paths /bucket/dir/file.txt` , parent directory is `/bucket/dir/` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the `AccessRole` needs to provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with `StartFileTransfer` .\n\nIf you are using Basic authentication for your AS2 connector, the access role requires the `secretsmanager:GetSecretValue` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the `kms:Decrypt` permission for that key.\n\n*For SFTP connectors*\n\nMake sure that the access role provides read and write access to the parent directory of the file location that's used in the `StartFileTransfer` request. Additionally, make sure that the role provides `secretsmanager:GetSecretValue` permission to AWS Secrets Manager .", "title": "AccessRole", "type": "string" }, "As2Config": { "$ref": "#/definitions/AWS::Transfer::Connector.As2Config", - "markdownDescription": "A structure that contains the parameters for a connector object.", + "markdownDescription": "A structure that contains the parameters for an AS2 connector object.", "title": "As2Config" }, "LoggingRole": { @@ -239618,7 +241442,9 @@ "type": "string" }, "SftpConfig": { - "$ref": "#/definitions/AWS::Transfer::Connector.SftpConfig" + "$ref": "#/definitions/AWS::Transfer::Connector.SftpConfig", + "markdownDescription": "A structure that contains the parameters for an SFTP connector object.", + "title": "SftpConfig" }, "Tags": { "items": { @@ -239629,7 +241455,7 @@ "type": "array" }, "Url": { - "markdownDescription": "The URL of the partner's AS2 endpoint.", + "markdownDescription": "The URL of the partner's AS2 or SFTP endpoint.", "title": "Url", "type": "string" } @@ -239665,6 +241491,8 @@ "additionalProperties": false, "properties": { "BasicAuthSecretId": { + "markdownDescription": "Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager .\n\nThe default value for this parameter is `null` , which indicates that Basic authentication is not enabled for the connector.\n\nIf the connector should use Basic authentication, the secret needs to be in the following format:\n\n`{ \"Username\": \"user-name\", \"Password\": \"user-password\" }`\n\nReplace `user-name` and `user-password` with the credentials for the actual user that is being authenticated.\n\nNote the following:\n\n- You are storing these credentials in Secrets Manager, *not passing them directly* into this API.\n- If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you.\n\nIf you have previously enabled Basic authentication for a connector, you can disable it by using the `UpdateConnector` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:\n\n`update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=\"\"'`", + "title": "BasicAuthSecretId", "type": "string" }, "Compression": { @@ -239717,9 +241545,13 @@ "items": { "type": "string" }, + "markdownDescription": "The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the `ssh-keyscan` command against the SFTP server to retrieve the necessary key.\n\nThe three standard SSH public key format elements are `` , `` , and an optional `` , with spaces between each element. Specify only the `` and `` : do not enter the `` portion of the key.\n\nFor the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.\n\n- For RSA keys, the `` string is `ssh-rsa` .\n- For ECDSA keys, the `` string is either `ecdsa-sha2-nistp256` , `ecdsa-sha2-nistp384` , or `ecdsa-sha2-nistp521` , depending on the size of the key you generated.", + "title": "TrustedHostKeys", "type": "array" }, "UserSecretId": { + "markdownDescription": "The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.", + "title": "UserSecretId", "type": "string" } }, @@ -239865,7 +241697,7 @@ "title": "EndpointDetails" }, "EndpointType": { - "markdownDescription": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.", + "markdownDescription": "The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.\n\n> After May 19, 2021, you won't be able to create a server using `EndpointType=VPC_ENDPOINT` in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with `EndpointType=VPC_ENDPOINT` in your AWS account on or before May 19, 2021, you will not be affected. After this date, use `EndpointType` = `VPC` .\n> \n> For more information, see [Discontinuing the use of VPC_ENDPOINT](https://docs.aws.amazon.com//transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint) .\n> \n> It is recommended that you use `VPC` as the `EndpointType` . With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with `EndpointType` set to `VPC_ENDPOINT` .", "title": "EndpointType", "type": "string" }, @@ -240149,7 +241981,7 @@ "additionalProperties": false, "properties": { "HomeDirectory": { - "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .", + "markdownDescription": "The landing directory (folder) for a user when they log in to the server using the client.\n\nA `HomeDirectory` example is `/bucket_name/home/mydirectory` .\n\n> The `HomeDirectory` parameter is only used if `HomeDirectoryType` is set to `PATH` .", "title": "HomeDirectory", "type": "string" }, @@ -240157,12 +241989,12 @@ "items": { "$ref": "#/definitions/AWS::Transfer::User.HomeDirectoryMapEntry" }, - "markdownDescription": "Logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the \" `Entry` \" and \" `Target` \" pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your IAM role provides access to paths in `Target` . The following is an example.\n\n`'[ { \"Entry\": \"/\", \"Target\": \"/bucket3/customized-reports/\" } ]'`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\"chroot\"). To do this, you can set `Entry` to '/' and set `Target` to the HomeDirectory parameter value.\n\n> If the target of a logical directory entry does not exist in Amazon S3, the entry will be ignored. As a workaround, you can use the Amazon S3 API to create 0 byte objects as place holders for your directory. If using the CLI, use the `s3api` call instead of `s3` so you can use the put-object operation. For example, you use the following: `AWS s3api put-object --bucket bucketname --key path/to/folder/` . Make sure that the end of the key name ends in a '/' for it to be considered a folder.", + "markdownDescription": "Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the `Entry` and `Target` pair, where `Entry` shows how the path is made visible and `Target` is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it is displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in `Target` . This value can be set only when `HomeDirectoryType` is set to *LOGICAL* .\n\nThe following is an `Entry` and `Target` pair example.\n\n`[ { \"Entry\": \"/directory1\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`\n\nIn most cases, you can use this value instead of the session policy to lock your user down to the designated home directory (\" `chroot` \"). To do this, you can set `Entry` to `/` and set `Target` to the value the user should see for their home directory when they log in.\n\nThe following is an `Entry` and `Target` pair example for `chroot` .\n\n`[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]`", "title": "HomeDirectoryMappings", "type": "array" }, "HomeDirectoryType": { - "markdownDescription": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.", + "markdownDescription": "The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to `PATH` , the user will see the absolute Amazon S3 bucket or Amazon EFS path as is in their file transfer protocol clients. If you set it to `LOGICAL` , you need to provide mappings in the `HomeDirectoryMappings` for how you want to make Amazon S3 or Amazon EFS paths visible to your users.\n\n> If `HomeDirectoryType` is `LOGICAL` , you must provide mappings, using the `HomeDirectoryMappings` parameter. If, on the other hand, `HomeDirectoryType` is `PATH` , you provide an absolute path using the `HomeDirectory` parameter. You cannot have both `HomeDirectory` and `HomeDirectoryMappings` in your template.", "title": "HomeDirectoryType", "type": "string" }, @@ -240655,16 +242487,16 @@ "properties": { "Configuration": { "$ref": "#/definitions/AWS::VerifiedPermissions::IdentitySource.IdentitySourceConfiguration", - "markdownDescription": "Contains configuration information used when creating or updating an identity source.\n\n> At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` .", + "markdownDescription": "Contains configuration information used when creating a new .\n\n> At this time, the only valid member of this structure is a user pool configuration.\n> \n> You must specify a `userPoolArn` , and optionally, a `ClientId` . \n\nThis data type is used as a request parameter for the [CreateIdentitySource](https://docs.aws.amazon.com/API_CreateIdentitySource.html) operation.", "title": "Configuration" }, "PolicyStoreId": { - "markdownDescription": "Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.", + "markdownDescription": "Specifies the ID of the in which you want to store this . Only policies and requests made using this can reference identities from the identity provider configured in the new .", "title": "PolicyStoreId", "type": "string" }, "PrincipalEntityType": { - "markdownDescription": "Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.", + "markdownDescription": "Specifies the namespace and data type of the principals generated for identities authenticated by the new .", "title": "PrincipalEntityType", "type": "string" } @@ -240702,7 +242534,7 @@ "items": { "type": "string" }, - "markdownDescription": "The unique application client IDs that are associated with the specified Amazon Cognito user pool.\n\nExample: `\"ClientIds\": [\"&ExampleCogClientId;\"]`", + "markdownDescription": "The unique application client IDs that are associated with the specified user pool.\n\nExample: `\"ClientIds\": [\"&ExampleCogClientId;\"]`", "title": "ClientIds", "type": "array" }, @@ -240748,7 +242580,7 @@ "type": "string" }, "OpenIdIssuer": { - "markdownDescription": "A string that identifies the type of OIDC service represented by this identity source.\n\nAt this time, the only valid value is `cognito` .", + "markdownDescription": "A string that identifies the type of OIDC service represented by this .\n\nAt this time, the only valid value is `cognito` .", "title": "OpenIdIssuer", "type": "string" }, @@ -240801,7 +242633,7 @@ "title": "Definition" }, "PolicyStoreId": { - "markdownDescription": "Specifies the `PolicyStoreId` of the policy store you want to store the policy in.", + "markdownDescription": "Specifies the `PolicyStoreId` of the you want to store the policy in.", "title": "PolicyStoreId", "type": "string" } @@ -240857,12 +242689,12 @@ "properties": { "Static": { "$ref": "#/definitions/AWS::VerifiedPermissions::Policy.StaticPolicyDefinition", - "markdownDescription": "A structure that describes a static policy. An static policy doesn't use a template or allow placeholders for entities.", + "markdownDescription": "A structure that describes . An doesn't use a template or allow placeholders for entities.", "title": "Static" }, "TemplateLinked": { "$ref": "#/definitions/AWS::VerifiedPermissions::Policy.TemplateLinkedPolicyDefinition", - "markdownDescription": "A structure that describes a policy that was instantiated from a template. The template can specify placeholders for `principal` and `resource` . When you use [CreatePolicy](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreatePolicy.html) to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy.", + "markdownDescription": "A structure that describes a policy that was instantiated from a template. The template can specify placeholders for `principal` and `resource` . When you use [CreatePolicy](https://docs.aws.amazon.com/API_CreatePolicy.html) to create a policy from a template, you specify the exact principal and resource to use for the instantiated policy.", "title": "TemplateLinked" } }, @@ -240872,12 +242704,12 @@ "additionalProperties": false, "properties": { "Description": { - "markdownDescription": "The description of the static policy.", + "markdownDescription": "The description of the .", "title": "Description", "type": "string" }, "Statement": { - "markdownDescription": "The policy content of the static policy, written in the Cedar policy language.", + "markdownDescription": "The policy content of the , written in the .", "title": "Statement", "type": "string" } @@ -240897,12 +242729,12 @@ }, "Principal": { "$ref": "#/definitions/AWS::VerifiedPermissions::Policy.EntityIdentifier", - "markdownDescription": "The principal associated with this template-linked policy. Verified Permissions substitutes this principal for the `?principal` placeholder in the policy template when it evaluates an authorization request.", + "markdownDescription": "The principal associated with this . substitutes this principal for the `?principal` placeholder in the when it evaluates an authorization request.", "title": "Principal" }, "Resource": { "$ref": "#/definitions/AWS::VerifiedPermissions::Policy.EntityIdentifier", - "markdownDescription": "The resource associated with this template-linked policy. Verified Permissions substitutes this resource for the `?resource` placeholder in the policy template when it evaluates an authorization request.", + "markdownDescription": "The resource associated with this . substitutes this resource for the `?resource` placeholder in the when it evaluates an authorization request.", "title": "Resource" } }, @@ -240953,7 +242785,7 @@ }, "ValidationSettings": { "$ref": "#/definitions/AWS::VerifiedPermissions::PolicyStore.ValidationSettings", - "markdownDescription": "Specifies the validation setting for this policy store.\n\nCurrently, the only valid and required value is `Mode` .\n\n> We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using the [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) . Then, when you have a schema defined, use [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) again to turn validation back on.", + "markdownDescription": "Specifies the validation setting for this .\n\nCurrently, the only valid and required value is `Mode` .\n\n> We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and rejects the policy. You can turn off validation by using the [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) . Then, when you have a schema defined, use [UpdatePolicyStore](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdatePolicyStore) again to turn validation back on.", "title": "ValidationSettings" } }, @@ -240987,7 +242819,7 @@ "additionalProperties": false, "properties": { "CedarJson": { - "markdownDescription": "A JSON string representation of the schema supported by applications that use this policy store. For more information, see [Policy store schema](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/schema.html) in the *Amazon Verified Permissions User Guide* .", + "markdownDescription": "A JSON string representation of the schema supported by applications that use this . For more information, see [Policy store schema](https://docs.aws.amazon.com/schema.html) in the ** .", "title": "CedarJson", "type": "string" } @@ -241054,7 +242886,7 @@ "type": "string" }, "Statement": { - "markdownDescription": "Specifies the content that you want to use for the new policy template, written in the Cedar policy language.", + "markdownDescription": "Specifies the content that you want to use for the new , written in the policy language.", "title": "Statement", "type": "string" } @@ -241375,7 +243207,7 @@ "properties": { "DefaultAction": { "$ref": "#/definitions/AWS::VpcLattice::Listener.DefaultAction", - "markdownDescription": "The action for the default rule. Each listener has a default rule. Each rule consists of a priority, one or more actions, and one or more conditions. The default rule is the rule that's used if no other rules match. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "markdownDescription": "The action for the default rule. Each listener has a default rule. The default rule is used if no other rules match.", "title": "DefaultAction" }, "Name": { @@ -241384,12 +243216,12 @@ "type": "string" }, "Port": { - "markdownDescription": "The listener port. You can specify a value from `1` to `65535` . For HTTP, the default is `80` . For HTTPS, the default is `443` .", + "markdownDescription": "The listener port. You can specify a value from 1 to 65535. For HTTP, the default is 80. For HTTPS, the default is 443.", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The listener protocol HTTP or HTTPS.", + "markdownDescription": "The listener protocol.", "title": "Protocol", "type": "string" }, @@ -241439,7 +243271,7 @@ "properties": { "FixedResponse": { "$ref": "#/definitions/AWS::VpcLattice::Listener.FixedResponse", - "markdownDescription": "Information about an action that returns a custom HTTP response.", + "markdownDescription": "Describes an action that returns a custom HTTP response.", "title": "FixedResponse" }, "Forward": { @@ -241471,7 +243303,7 @@ "items": { "$ref": "#/definitions/AWS::VpcLattice::Listener.WeightedTargetGroup" }, - "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.", + "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group.", "title": "TargetGroups", "type": "array" } @@ -241490,7 +243322,7 @@ "type": "string" }, "Weight": { - "markdownDescription": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", + "markdownDescription": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", "title": "Weight", "type": "number" } @@ -241610,7 +243442,7 @@ "properties": { "Action": { "$ref": "#/definitions/AWS::VpcLattice::Rule.Action", - "markdownDescription": "Describes the action for a rule. Each rule must include exactly one of the following types of actions: `forward` or `fixed-response` , and it must be the last action to be performed.", + "markdownDescription": "Describes the action for a rule.", "title": "Action" }, "ListenerIdentifier": { @@ -241680,7 +243512,7 @@ "properties": { "FixedResponse": { "$ref": "#/definitions/AWS::VpcLattice::Rule.FixedResponse", - "markdownDescription": "Describes the rule action that returns a custom HTTP response.", + "markdownDescription": "The fixed response action. The rule returns a custom HTTP response.", "title": "FixedResponse" }, "Forward": { @@ -241712,7 +243544,7 @@ "items": { "$ref": "#/definitions/AWS::VpcLattice::Rule.WeightedTargetGroup" }, - "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.", + "markdownDescription": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1. This means that if only one target group is provided, there is no need to set the weight; 100% of the traffic goes to that target group.", "title": "TargetGroups", "type": "array" } @@ -241726,7 +243558,7 @@ "additionalProperties": false, "properties": { "CaseSensitive": { - "markdownDescription": "Indicates whether the match is case sensitive. Defaults to false.", + "markdownDescription": "Indicates whether the match is case sensitive.", "title": "CaseSensitive", "type": "boolean" }, @@ -241751,17 +243583,17 @@ "additionalProperties": false, "properties": { "Contains": { - "markdownDescription": "Specifies a contains type match.", + "markdownDescription": "A contains type match.", "title": "Contains", "type": "string" }, "Exact": { - "markdownDescription": "Specifies an exact type match.", + "markdownDescription": "An exact type match.", "title": "Exact", "type": "string" }, "Prefix": { - "markdownDescription": "Specifies a prefix type match. Matches the value with the prefix.", + "markdownDescription": "A prefix type match. Matches the value with the prefix.", "title": "Prefix", "type": "string" } @@ -241810,7 +243642,7 @@ "additionalProperties": false, "properties": { "CaseSensitive": { - "markdownDescription": "Indicates whether the match is case sensitive. Defaults to false.", + "markdownDescription": "Indicates whether the match is case sensitive.", "title": "CaseSensitive", "type": "boolean" }, @@ -241850,7 +243682,7 @@ "type": "string" }, "Weight": { - "markdownDescription": "Only required if you specify multiple target groups for a forward action. The \"weight\" determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", + "markdownDescription": "Only required if you specify multiple target groups for a forward action. The weight determines how requests are distributed to the target group. For example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. If there's only one target group specified, then the default value is 100.", "title": "Weight", "type": "number" } @@ -241912,7 +243744,7 @@ }, "DnsEntry": { "$ref": "#/definitions/AWS::VpcLattice::Service.DnsEntry", - "markdownDescription": "", + "markdownDescription": "The DNS information of the service.", "title": "DnsEntry" }, "Name": { @@ -242080,7 +243912,7 @@ "properties": { "DnsEntry": { "$ref": "#/definitions/AWS::VpcLattice::ServiceNetworkServiceAssociation.DnsEntry", - "markdownDescription": "", + "markdownDescription": "The DNS information of the service.", "title": "DnsEntry" }, "ServiceIdentifier": { @@ -242261,7 +244093,7 @@ "properties": { "Config": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.TargetGroupConfig", - "markdownDescription": "The target group configuration. If `type` is set to `LAMBDA` , this parameter doesn't apply.", + "markdownDescription": "The target group configuration.", "title": "Config" }, "Name": { @@ -242342,7 +244174,7 @@ }, "Matcher": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.Matcher", - "markdownDescription": "The codes to use when checking for a successful response from a target. These are called *Success codes* in the console.", + "markdownDescription": "The codes to use when checking for a successful response from a target.", "title": "Matcher" }, "Path": { @@ -242391,12 +244223,12 @@ "additionalProperties": false, "properties": { "Id": { - "markdownDescription": "The ID of the target. If the target type of the target group is `INSTANCE` , this is an instance ID. If the target type is `IP` , this is an IP address. If the target type is `LAMBDA` , this is the ARN of the Lambda function. If the target type is `ALB` , this is the ARN of the Application Load Balancer.", + "markdownDescription": "The ID of the target. If the target group type is `INSTANCE` , this is an instance ID. If the target group type is `IP` , this is an IP address. If the target group type is `LAMBDA` , this is the ARN of a Lambda function. If the target group type is `ALB` , this is the ARN of an Application Load Balancer.", "title": "Id", "type": "string" }, "Port": { - "markdownDescription": "The port on which the target is listening. For HTTP, the default is `80` . For HTTPS, the default is `443` .", + "markdownDescription": "The port on which the target is listening. For HTTP, the default is 80. For HTTPS, the default is 443.", "title": "Port", "type": "number" } @@ -242411,34 +244243,36 @@ "properties": { "HealthCheck": { "$ref": "#/definitions/AWS::VpcLattice::TargetGroup.HealthCheckConfig", - "markdownDescription": "The health check configuration.", + "markdownDescription": "The health check configuration. Not supported if the target group type is `LAMBDA` or `ALB` .", "title": "HealthCheck" }, "IpAddressType": { - "markdownDescription": "The type of IP address used for the target group. The possible values are `ipv4` and `ipv6` . This is an optional parameter. If not specified, the IP address type defaults to `ipv4` .", + "markdownDescription": "The type of IP address used for the target group. Supported only if the target group type is `IP` . The default is `IPV4` .", "title": "IpAddressType", "type": "string" }, "LambdaEventStructureVersion": { + "markdownDescription": "The version of the event structure that your Lambda function receives. Supported only if the target group type is `LAMBDA` . The default is `V1` .", + "title": "LambdaEventStructureVersion", "type": "string" }, "Port": { - "markdownDescription": "The port on which the targets are listening. For HTTP, the default is `80` . For HTTPS, the default is `443`", + "markdownDescription": "The port on which the targets are listening. For HTTP, the default is 80. For HTTPS, the default is 443. Not supported if the target group type is `LAMBDA` .", "title": "Port", "type": "number" }, "Protocol": { - "markdownDescription": "The protocol to use for routing traffic to the targets. Default is the protocol of a target group.", + "markdownDescription": "The protocol to use for routing traffic to the targets. The default is the protocol of the target group. Not supported if the target group type is `LAMBDA` .", "title": "Protocol", "type": "string" }, "ProtocolVersion": { - "markdownDescription": "The protocol version. Default value is `HTTP1` .", + "markdownDescription": "The protocol version. The default is `HTTP1` . Not supported if the target group type is `LAMBDA` .", "title": "ProtocolVersion", "type": "string" }, "VpcIdentifier": { - "markdownDescription": "The ID of the VPC.", + "markdownDescription": "The ID of the VPC. Not supported if the target group type is `LAMBDA` .", "title": "VpcIdentifier", "type": "string" } @@ -244474,7 +246308,7 @@ "items": { "type": "string" }, - "markdownDescription": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- To configure AWS WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- To configure AWS WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", + "markdownDescription": "Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want AWS WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0` .\n\nExample address strings:\n\n- For requests that originated from the IP address 192.0.2.44, specify `192.0.2.44/32` .\n- For requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24` .\n- For requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128` .\n- For requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64` .\n\nFor more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) .\n\nExample JSON `Addresses` specifications:\n\n- Empty array: `\"Addresses\": []`\n- Array with one address: `\"Addresses\": [\"192.0.2.44/32\"]`\n- Array with three addresses: `\"Addresses\": [\"192.0.2.44/32\", \"192.0.2.0/24\", \"192.0.0.0/16\"]`\n- INVALID specification: `\"Addresses\": [\"\"]` INVALID", "title": "Addresses", "type": "array" }, @@ -244728,7 +246562,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" } @@ -245078,7 +246912,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -245204,7 +247038,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -245286,7 +247120,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.CustomHTTPHeader" }, - "markdownDescription": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", + "markdownDescription": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "title": "ResponseHeaders", "type": "array" } @@ -245326,7 +247160,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { @@ -245341,7 +247175,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { @@ -245447,7 +247281,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -245537,12 +247371,12 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -245652,7 +247486,7 @@ "additionalProperties": false, "properties": { "AggregateKeyType": { - "markdownDescription": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "markdownDescription": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", "title": "AggregateKeyType", "type": "string" }, @@ -245660,6 +247494,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateBasedStatementCustomKey" }, + "markdownDescription": "Specifies the aggregate keys to use in a rate-base rule.", + "title": "CustomKeys", "type": "array" }, "ForwardedIPConfig": { @@ -245668,13 +247504,13 @@ "title": "ForwardedIPConfig" }, "Limit": { - "markdownDescription": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", + "markdownDescription": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", "title": "Limit", "type": "number" }, "ScopeDownStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.Statement", - "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", + "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "title": "ScopeDownStatement" } }, @@ -245688,31 +247524,49 @@ "additionalProperties": false, "properties": { "Cookie": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitCookie" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitCookie", + "markdownDescription": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "title": "Cookie" }, "ForwardedIP": { + "markdownDescription": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "title": "ForwardedIP", "type": "object" }, "HTTPMethod": { + "markdownDescription": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "title": "HTTPMethod", "type": "object" }, "Header": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitHeader" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitHeader", + "markdownDescription": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "title": "Header" }, "IP": { + "markdownDescription": "Use the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "title": "IP", "type": "object" }, "LabelNamespace": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitLabelNamespace" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitLabelNamespace", + "markdownDescription": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "title": "LabelNamespace" }, "QueryArgument": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryArgument" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryArgument", + "markdownDescription": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "title": "QueryArgument" }, "QueryString": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryString" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitQueryString", + "markdownDescription": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "title": "QueryString" }, "UriPath": { - "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitUriPath" + "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateLimitUriPath", + "markdownDescription": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.", + "title": "UriPath" } }, "type": "object" @@ -245721,12 +247575,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the cookie to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245740,12 +247598,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the header to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245759,6 +247621,8 @@ "additionalProperties": false, "properties": { "Namespace": { + "markdownDescription": "The namespace to use for aggregation.", + "title": "Namespace", "type": "string" } }, @@ -245771,12 +247635,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the query argument to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245793,6 +247661,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245808,6 +247678,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -245893,7 +247765,7 @@ "title": "ChallengeConfig" }, "Name": { - "markdownDescription": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "markdownDescription": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "title": "Name", "type": "string" }, @@ -245917,7 +247789,7 @@ }, "VisibilityConfig": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.VisibilityConfig", - "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.", + "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name.", "title": "VisibilityConfig" } }, @@ -246091,7 +247963,7 @@ }, "RateBasedStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.RateBasedStatement", - "markdownDescription": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "markdownDescription": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "title": "RateBasedStatement" }, "RegexMatchStatement": { @@ -246106,7 +247978,7 @@ }, "SizeConstraintStatement": { "$ref": "#/definitions/AWS::WAFv2::RuleGroup.SizeConstraintStatement", - "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "title": "SizeConstraintStatement" }, "SqliMatchStatement": { @@ -246131,7 +248003,7 @@ "type": "number" }, "Type": { - "markdownDescription": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.", + "markdownDescription": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* .", "title": "Type", "type": "string" } @@ -246228,7 +248100,7 @@ "properties": { "AssociationConfig": { "$ref": "#/definitions/AWS::WAFv2::WebACL.AssociationConfig", - "markdownDescription": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "markdownDescription": "Specifies custom configurations for the associations between the web ACL and protected resources.\n\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "title": "AssociationConfig" }, "CaptchaConfig": { @@ -246271,7 +248143,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Rule" }, - "markdownDescription": "The rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", + "markdownDescription": "The rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.", "title": "Rules", "type": "array" }, @@ -246334,19 +248206,29 @@ "additionalProperties": false, "properties": { "CreationPath": { + "markdownDescription": "The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept `POST` requests.\n\nFor example, for the URL `https://example.com/web/newaccount` , you would provide the path `/web/newaccount` . Account creation page paths that start with the path that you provide are considered a match. For example `/web/newaccount` matches the account creation paths `/web/newaccount` , `/web/newaccount/` , `/web/newaccountPage` , and `/web/newaccount/thisPage` , but doesn't match the path `/home/web/newaccount` or `/website/newaccount` .", + "title": "CreationPath", "type": "string" }, "EnableRegexInPath": { + "markdownDescription": "Allow the use of regular expressions in the registration page path and the account creation path.", + "title": "EnableRegexInPath", "type": "boolean" }, "RegistrationPagePath": { + "markdownDescription": "The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users.\n\n> This page must accept `GET` text/html requests. \n\nFor example, for the URL `https://example.com/web/registration` , you would provide the path `/web/registration` . Registration page paths that start with the path that you provide are considered a match. For example `/web/registration` matches the registration paths `/web/registration` , `/web/registration/` , `/web/registrationPage` , and `/web/registration/thisPage` , but doesn't match the path `/home/web/registration` or `/website/registration` .", + "title": "RegistrationPagePath", "type": "string" }, "RequestInspection": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestInspectionACFP" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestInspectionACFP", + "markdownDescription": "The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.", + "title": "RequestInspection" }, "ResponseInspection": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection" + "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection", + "markdownDescription": "The criteria for inspecting responses to account creation requests, used by the ACFP rule group to track account creation success rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ACFP rule group evaluates the responses that your protected resources send back to client account creation attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many successful account creation attempts in a short amount of time.", + "title": "ResponseInspection" } }, "required": [ @@ -246360,10 +248242,12 @@ "additionalProperties": false, "properties": { "EnableRegexInPath": { + "markdownDescription": "Allow the use of regular expressions in the login page path.", + "title": "EnableRegexInPath", "type": "boolean" }, "LoginPath": { - "markdownDescription": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", + "markdownDescription": "The path of the login endpoint for your application. For example, for the URL `https://example.com/web/login` , you would provide the path `/web/login` . Login paths that start with the path that you provide are considered a match. For example `/web/login` matches the login paths `/web/login` , `/web/login/` , `/web/loginPage` , and `/web/login/thisPage` , but doesn't match the login path `/home/web/login` or `/website/login` .\n\nThe rule group inspects only HTTP `POST` requests to your specified login endpoint.", "title": "LoginPath", "type": "string" }, @@ -246374,7 +248258,7 @@ }, "ResponseInspection": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspection", - "markdownDescription": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.", + "markdownDescription": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.\n\n> Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. \n\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time.", "title": "ResponseInspection" } }, @@ -246387,10 +248271,12 @@ "additionalProperties": false, "properties": { "EnableMachineLearning": { + "markdownDescription": "Applies only to the targeted inspection level.\n\nDetermines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules `TGT_ML_CoordinatedActivityLow` and `TGT_ML_CoordinatedActivityMedium` , which\ninspect for anomalous behavior that might indicate distributed, coordinated bot activity.\n\nFor more information about this choice, see the listing for these rules in the table at [Bot Control rules listing](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules) in the *AWS WAF Developer Guide* .\n\nDefault: `TRUE`", + "title": "EnableMachineLearning", "type": "boolean" }, "InspectionLevel": { - "markdownDescription": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) .", + "markdownDescription": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see [AWS WAF Bot Control rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) in the *AWS WAF Developer Guide* .", "title": "InspectionLevel", "type": "string" } @@ -246433,7 +248319,7 @@ "properties": { "RequestBody": { "additionalProperties": false, - "markdownDescription": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 kilobytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", + "markdownDescription": "Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes).\n\n> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "patternProperties": { "^[a-zA-Z0-9]+$": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RequestBodyAssociatedResourceTypeConfig" @@ -246460,7 +248346,7 @@ "additionalProperties": false, "properties": { "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -246533,7 +248419,7 @@ "properties": { "CustomRequestHandling": { "$ref": "#/definitions/AWS::WAFv2::WebACL.CustomRequestHandling", - "markdownDescription": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", + "markdownDescription": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.\n\nFor information about customizing web requests and responses, see [Customizing web requests and responses in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .", "title": "CustomRequestHandling" } }, @@ -246586,7 +248472,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the cookies to inspect with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -246668,7 +248554,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.CustomHTTPHeader" }, - "markdownDescription": "The HTTP headers to use in the response. Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", + "markdownDescription": "The HTTP headers to use in the response. You can specify any header name except for `content-type` . Duplicate header names are not allowed.\n\nFor information about the limits on count and size for custom request and response settings, see [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the *AWS WAF Developer Guide* .", "title": "ResponseHeaders", "type": "array" } @@ -246732,7 +248618,7 @@ "additionalProperties": false, "properties": { "Identifier": { - "markdownDescription": "The name of the username or password field, used in the `ManagedRuleGroupConfig` settings.\n\nWhen the `PayloadType` is `JSON` , the identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .", + "markdownDescription": "The name of the field.\n\nWhen the `PayloadType` in the request inspection is `JSON` , this identifier must be in JSON pointer syntax. For example `/form/username` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nWhen the `PayloadType` is `FORM_ENCODED` , use the HTML form names. For example, `username` .\n\nFor more information, see the descriptions for each field type in the request inspection properties.", "title": "Identifier", "type": "string" } @@ -246752,7 +248638,7 @@ }, "Body": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Body", - "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", + "markdownDescription": "Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `Body` object configuration.", "title": "Body" }, "Cookies": { @@ -246767,7 +248653,7 @@ }, "JsonBody": { "$ref": "#/definitions/AWS::WAFv2::WebACL.JsonBody", - "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", + "markdownDescription": "Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.\n\nA limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's `AssociationConfig` , for additional processing fees.\n\nFor information about how to handle oversized request bodies, see the `JsonBody` object configuration.", "title": "JsonBody" }, "Method": { @@ -246873,7 +248759,7 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `All` , AWS WAF inspects both keys and values.", + "markdownDescription": "The parts of the headers to match with the rule inspection criteria. If you specify `ALL` , AWS WAF inspects both keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, @@ -246963,12 +248849,12 @@ "title": "MatchPattern" }, "MatchScope": { - "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `All` , AWS WAF matches against keys and values.", + "markdownDescription": "The parts of the JSON to match against using the `MatchPattern` . If you specify `ALL` , AWS WAF matches against keys and values.\n\n`All` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical `AND` statement to combine two match rules, one that inspects the keys and another that inspects the values.", "title": "MatchScope", "type": "string" }, "OversizeHandling": { - "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", + "markdownDescription": "What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.\n\nThe default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL `AssociationConfig` , for additional processing fees.\n\nThe options for oversize handling are the following:\n\n- `CONTINUE` - Inspect the available body contents normally, according to the rule inspection criteria.\n- `MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.\n- `NO_MATCH` - Treat the web request as not matching the rule statement.\n\nYou can combine the `MATCH` or `NO_MATCH` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.\n\nDefault: `CONTINUE`", "title": "OversizeHandling", "type": "string" } @@ -247036,7 +248922,9 @@ "additionalProperties": false, "properties": { "AWSManagedRulesACFPRuleSet": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesACFPRuleSet" + "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesACFPRuleSet", + "markdownDescription": "Additional configuration for using the account creation fraud prevention (ACFP) managed rule group, `AWSManagedRulesACFPRuleSet` . Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests.\n\nFor information about using the ACFP managed rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-acfp.html) and [AWS WAF Fraud Control account creation fraud prevention (ACFP)](https://docs.aws.amazon.com/waf/latest/developerguide/waf-acfp.html) in the *AWS WAF Developer Guide* .", + "title": "AWSManagedRulesACFPRuleSet" }, "AWSManagedRulesATPRuleSet": { "$ref": "#/definitions/AWS::WAFv2::WebACL.AWSManagedRulesATPRuleSet", @@ -247055,17 +248943,17 @@ }, "PasswordField": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "PasswordField" }, "PayloadType": { - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "PayloadType", "type": "string" }, "UsernameField": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", - "markdownDescription": "> Instead of this setting, provide your configuration under `AWSManagedRulesATPRuleSet` `RequestInspection` .", + "markdownDescription": "> Instead of this setting, provide your configuration under the request inspection configuration for `AWSManagedRulesATPRuleSet` or `AWSManagedRulesACFPRuleSet` .", "title": "UsernameField" } }, @@ -247086,7 +248974,7 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupConfig" }, - "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nUse the `AWSManagedRulesATPRuleSet` configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.\n\nUse the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", + "markdownDescription": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.\n\nThe rule groups used for intelligent threat mitigation require additional configuration:\n\n- Use the `AWSManagedRulesACFPRuleSet` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.\n- Use the `AWSManagedRulesATPRuleSet` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.\n- Use the `AWSManagedRulesBotControlRuleSet` configuration object to configure the protection level that you want the Bot Control rule group to use.", "title": "ManagedRuleGroupConfigs", "type": "array" }, @@ -247176,7 +249064,7 @@ "additionalProperties": false, "properties": { "AggregateKeyType": { - "markdownDescription": "Setting that indicates how to aggregate the request counts. The options are the following:\n\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure the `ForwardedIPConfig` , to specify the header to use.\n\n> You can only use the `IP` and `FORWARDED_IP` key types.", + "markdownDescription": "Setting that indicates how to aggregate the request counts.\n\n> Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. \n\n- `CONSTANT` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement.\n\nWith this option, you must configure the `ScopeDownStatement` property.\n- `CUSTOM_KEYS` - Aggregate the request counts using one or more web request components as the aggregate keys.\n\nWith this option, you must specify the aggregate keys in the `CustomKeys` property.\n\nTo aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to `IP` or `FORWARDED_IP` .\n- `FORWARDED_IP` - Aggregate the request counts on the first IP address in an HTTP header.\n\nWith this option, you must specify the header to use in the `ForwardedIPConfig` property.\n\nTo aggregate on a combination of the forwarded IP address with other aggregate keys, use `CUSTOM_KEYS` .\n- `IP` - Aggregate the request counts on the IP address from the web request origin.\n\nTo aggregate on a combination of the IP address with other aggregate keys, use `CUSTOM_KEYS` .", "title": "AggregateKeyType", "type": "string" }, @@ -247184,6 +249072,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RateBasedStatementCustomKey" }, + "markdownDescription": "Specifies the aggregate keys to use in a rate-base rule.", + "title": "CustomKeys", "type": "array" }, "ForwardedIPConfig": { @@ -247192,13 +249082,13 @@ "title": "ForwardedIPConfig" }, "Limit": { - "markdownDescription": "The limit on requests per 5-minute period for a single originating IP address. If the statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.", + "markdownDescription": "The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a `ScopeDownStatement` , this limit is applied only to the requests that match the statement.\n\nExamples:\n\n- If you aggregate on just the IP address, this is the limit on requests from any single IP address.\n- If you aggregate on the HTTP method and the query argument name \"city\", then this is the limit on requests for any single method, city pair.", "title": "Limit", "type": "number" }, "ScopeDownStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.Statement", - "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement. Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", + "markdownDescription": "An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable `Statement` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.", "title": "ScopeDownStatement" } }, @@ -247212,31 +249102,49 @@ "additionalProperties": false, "properties": { "Cookie": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitCookie" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitCookie", + "markdownDescription": "Use the value of a cookie in the request as an aggregate key. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.", + "title": "Cookie" }, "ForwardedIP": { + "markdownDescription": "Use the first IP address in an HTTP header as an aggregate key. Each distinct forwarded IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying `FORWARDED_IP` in your rate-based statement's `AggregateKeyType` .\n\nWith this option, you must specify the header to use in the rate-based rule's `ForwardedIPConfig` property.", + "title": "ForwardedIP", "type": "object" }, "HTTPMethod": { + "markdownDescription": "Use the request's HTTP method as an aggregate key. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.", + "title": "HTTPMethod", "type": "object" }, "Header": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitHeader" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitHeader", + "markdownDescription": "Use the value of a header in the request as an aggregate key. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.", + "title": "Header" }, "IP": { + "markdownDescription": "Use the request's originating IP address as an aggregate key. Each distinct IP address contributes to the aggregation instance.\n\nWhen you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the IP address by specifying `IP` in your rate-based statement's `AggregateKeyType` .", + "title": "IP", "type": "object" }, "LabelNamespace": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitLabelNamespace" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitLabelNamespace", + "markdownDescription": "Use the specified label namespace as an aggregate key. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.\n\nThis uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.\n\nFor information about label namespaces and names, see [Label syntax and naming requirements](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) in the *AWS WAF Developer Guide* .", + "title": "LabelNamespace" }, "QueryArgument": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryArgument" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryArgument", + "markdownDescription": "Use the specified query argument as an aggregate key. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.", + "title": "QueryArgument" }, "QueryString": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryString" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitQueryString", + "markdownDescription": "Use the request's query string as an aggregate key. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.", + "title": "QueryString" }, "UriPath": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitUriPath" + "$ref": "#/definitions/AWS::WAFv2::WebACL.RateLimitUriPath", + "markdownDescription": "Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.", + "title": "UriPath" } }, "type": "object" @@ -247245,12 +249153,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the cookie to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247264,12 +249176,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the header to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247283,6 +249199,8 @@ "additionalProperties": false, "properties": { "Namespace": { + "markdownDescription": "The namespace to use for aggregation.", + "title": "Namespace", "type": "string" } }, @@ -247295,12 +249213,16 @@ "additionalProperties": false, "properties": { "Name": { + "markdownDescription": "The name of the query argument to use.", + "title": "Name", "type": "string" }, "TextTransformations": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247317,6 +249239,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247332,6 +249256,8 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.TextTransformation" }, + "markdownDescription": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the `FieldToMatch` request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, AWS WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.", + "title": "TextTransformations", "type": "array" } }, @@ -247402,7 +249328,7 @@ "additionalProperties": false, "properties": { "DefaultSizeInspectionLimit": { - "markdownDescription": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 kilobytes)`", + "markdownDescription": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.\n\nDefault: `16 KB (16,384 bytes)`", "title": "DefaultSizeInspectionLimit", "type": "string" } @@ -247445,25 +249371,37 @@ "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" }, + "markdownDescription": "The names of the fields in the request payload that contain your customer's primary physical address.\n\nOrder the address fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the address fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryaddressline1\": \"THE_ADDRESS1\", \"primaryaddressline2\": \"THE_ADDRESS2\", \"primaryaddressline3\": \"THE_ADDRESS3\" } }` , the address field idenfiers are `/form/primaryaddressline1` , `/form/primaryaddressline2` , and `/form/primaryaddressline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` , the address fields identifiers are `primaryaddressline1` , `primaryaddressline2` , and `primaryaddressline3` .", + "title": "AddressFields", "type": "array" }, "EmailField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's email.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"email\": \"THE_EMAIL\" } }` , the email field specification is `/form/email` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `email1` , the email field specification is `email1` .", + "title": "EmailField" }, "PasswordField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's password.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"password\": \"THE_PASSWORD\" } }` , the password field specification is `/form/password` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `password1` , the password field specification is `password1` .", + "title": "PasswordField" }, "PayloadType": { + "markdownDescription": "The payload type for your account creation endpoint, either JSON or form encoded.", + "title": "PayloadType", "type": "string" }, "PhoneNumberFields": { "items": { "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" }, + "markdownDescription": "The names of the fields in the request payload that contain your customer's primary phone number.\n\nOrder the phone number fields in the array exactly as they are ordered in the request payload.\n\nHow you specify the phone number fields depends on the request inspection payload type.\n\n- For JSON payloads, specify the field identifiers in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"primaryphoneline1\": \"THE_PHONE1\", \"primaryphoneline2\": \"THE_PHONE2\", \"primaryphoneline3\": \"THE_PHONE3\" } }` , the phone number field identifiers are `/form/primaryphoneline1` , `/form/primaryphoneline2` , and `/form/primaryphoneline3` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with input elements named `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` , the phone number field identifiers are `primaryphoneline1` , `primaryphoneline2` , and `primaryphoneline3` .", + "title": "PhoneNumberFields", "type": "array" }, "UsernameField": { - "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier" + "$ref": "#/definitions/AWS::WAFv2::WebACL.FieldIdentifier", + "markdownDescription": "The name of the field in the request payload that contains your customer's username.\n\nHow you specify this depends on the request inspection payload type.\n\n- For JSON payloads, specify the field name in JSON pointer syntax. For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation [JavaScript Object Notation (JSON) Pointer](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901) .\n\nFor example, for the JSON payload `{ \"form\": { \"username\": \"THE_USERNAME\" } }` , the username field specification is `/form/username` .\n- For form encoded payload types, use the HTML form names.\n\nFor example, for an HTML form with the input element named `username1` , the username field specification is `username1`", + "title": "UsernameField" } }, "required": [ @@ -247476,22 +249414,22 @@ "properties": { "BodyContains": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionBodyContains", - "markdownDescription": "Configures inspection of the response body. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", + "markdownDescription": "Configures inspection of the response body for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.", "title": "BodyContains" }, "Header": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionHeader", - "markdownDescription": "Configures inspection of the response header.", + "markdownDescription": "Configures inspection of the response header for success and failure indicators.", "title": "Header" }, "Json": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionJson", - "markdownDescription": "Configures inspection of the response JSON. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", + "markdownDescription": "Configures inspection of the response JSON for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.", "title": "Json" }, "StatusCode": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ResponseInspectionStatusCode", - "markdownDescription": "Configures inspection of the response status code.", + "markdownDescription": "Configures inspection of the response status code for success and failure indicators.", "title": "StatusCode" } }, @@ -247504,7 +249442,7 @@ "items": { "type": "string" }, - "markdownDescription": "Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Login failed\" ]`", + "markdownDescription": "Strings in the body of the response that indicate a failed login or account creation attempt. To be counted as a failure, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"FailureStrings\": [ \"Request failed\" ]`", "title": "FailureStrings", "type": "array" }, @@ -247512,7 +249450,7 @@ "items": { "type": "string" }, - "markdownDescription": "Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON example: `\"SuccessStrings\": [ \"Login successful\", \"Welcome to our site!\" ]`", + "markdownDescription": "Strings in the body of the response that indicate a successful login or account creation attempt. To be counted as a success, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.\n\nJSON examples: `\"SuccessStrings\": [ \"Login successful\" ]` and `\"SuccessStrings\": [ \"Account creation successful\", \"Welcome to our site!\" ]`", "title": "SuccessStrings", "type": "array" } @@ -247530,12 +249468,12 @@ "items": { "type": "string" }, - "markdownDescription": "Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]`", + "markdownDescription": "Values in the response header with the specified name that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]` and `\"FailureValues\": [ \"AccountCreationFailed\" ]`", "title": "FailureValues", "type": "array" }, "Name": { - "markdownDescription": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"LoginResult\" ]`", + "markdownDescription": "The name of the header to match against. The name must be an exact match, including case.\n\nJSON example: `\"Name\": [ \"RequestResult\" ]`", "title": "Name", "type": "string" }, @@ -247543,7 +249481,7 @@ "items": { "type": "string" }, - "markdownDescription": "Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]`", + "markdownDescription": "Values in the response header with the specified name that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON examples: `\"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]` and `\"SuccessValues\": [ \"AccountCreated\", \"Successful account creation\" ]`", "title": "SuccessValues", "type": "array" } @@ -247562,12 +249500,12 @@ "items": { "type": "string" }, - "markdownDescription": "Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", + "markdownDescription": "Values for the specified identifier in the response JSON that indicate a failed login or account creation attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"FailureValues\": [ \"False\", \"Failed\" ]`", "title": "FailureValues", "type": "array" }, "Identifier": { - "markdownDescription": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON example: `\"Identifier\": [ \"/login/success\" ]`", + "markdownDescription": "The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.\n\nJSON examples: `\"Identifier\": [ \"/login/success\" ]` and `\"Identifier\": [ \"/sign-up/success\" ]`", "title": "Identifier", "type": "string" }, @@ -247575,7 +249513,7 @@ "items": { "type": "string" }, - "markdownDescription": "Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`", + "markdownDescription": "Values for the specified identifier in the response JSON that indicate a successful login or account creation attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.\n\nJSON example: `\"SuccessValues\": [ \"True\", \"Succeeded\" ]`", "title": "SuccessValues", "type": "array" } @@ -247594,7 +249532,7 @@ "items": { "type": "number" }, - "markdownDescription": "Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", + "markdownDescription": "Status codes in the response that indicate a failed login or account creation attempt. To be counted as a failure, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"FailureCodes\": [ 400, 404 ]`", "title": "FailureCodes", "type": "array" }, @@ -247602,7 +249540,7 @@ "items": { "type": "number" }, - "markdownDescription": "Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`", + "markdownDescription": "Status codes in the response that indicate a successful login or account creation attempt. To be counted as a success, the response status code must match one of these. Each code must be unique among the success and failure status codes.\n\nJSON example: `\"SuccessCodes\": [ 200, 201 ]`", "title": "SuccessCodes", "type": "array" } @@ -247632,7 +249570,7 @@ "title": "ChallengeConfig" }, "Name": { - "markdownDescription": "The name of the rule. You can't change the name of a `Rule` after you create it.", + "markdownDescription": "The name of the rule.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name in the rule's `VisibilityConfig` settings. AWS WAF doesn't automatically update the metric name when you update the rule name.", "title": "Name", "type": "string" }, @@ -247661,7 +249599,7 @@ }, "VisibilityConfig": { "$ref": "#/definitions/AWS::WAFv2::WebACL.VisibilityConfig", - "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.", + "markdownDescription": "Defines and enables Amazon CloudWatch metrics and web request sample collection.\n\nIf you change the name of a `Rule` after you create it and you want the rule's metric name to reflect the change, update the metric name as well. AWS WAF doesn't automatically update the metric name.", "title": "VisibilityConfig" } }, @@ -247875,7 +249813,7 @@ }, "ManagedRuleGroupStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.ManagedRuleGroupStatement", - "markdownDescription": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement.\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.", + "markdownDescription": "A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call `ListAvailableManagedRuleGroups` .\n\nYou cannot nest a `ManagedRuleGroupStatement` , for example for use inside a `NotStatement` or `OrStatement` . It can only be referenced as a top-level statement within a rule.\n\n> You are charged additional fees when you use the AWS WAF Bot Control managed rule group `AWSManagedRulesBotControlRuleSet` , the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group `AWSManagedRulesATPRuleSet` , or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group `AWSManagedRulesACFPRuleSet` . For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .", "title": "ManagedRuleGroupStatement" }, "NotStatement": { @@ -247890,7 +249828,7 @@ }, "RateBasedStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RateBasedStatement", - "markdownDescription": "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .\n\nWhen the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:\n\n- An IP match statement with an IP set that specifies the address 192.0.2.44.\n- A string match statement that searches in the User-Agent header for the string BadBot.\n\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.", + "markdownDescription": "A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.\n\nYou can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.\n\nEach unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.\n\nFor example, assume the rule evaluates web requests with the following IP address and HTTP method values:\n\n- IP address 10.1.1.1, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n- IP address 127.0.0.0, HTTP method POST\n- IP address 10.1.1.1, HTTP method GET\n\nThe rule would create different aggregation instances according to your aggregation criteria, for example:\n\n- If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1: count 3\n- IP address 127.0.0.0: count 1\n- If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- HTTP method POST: count 2\n- HTTP method GET: count 2\n- If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:\n\n- IP address 10.1.1.1, HTTP method POST: count 1\n- IP address 10.1.1.1, HTTP method GET: count 2\n- IP address 127.0.0.0, HTTP method POST: count 1\n\nFor any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually.\n\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.\n\nYou cannot nest a `RateBasedStatement` inside another statement, for example inside a `NotStatement` or `OrStatement` . You can define a `RateBasedStatement` inside a web ACL and inside a rule group.\n\nFor additional information about the options, see [Rate limiting web requests using rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) in the *AWS WAF Developer Guide* .\n\nIf you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call `GetRateBasedStatementManagedKeys` . This option is not available for other aggregation configurations.\n\nAWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .", "title": "RateBasedStatement" }, "RegexMatchStatement": { @@ -247905,12 +249843,12 @@ }, "RuleGroupReferenceStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.RuleGroupReferenceStatement", - "markdownDescription": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You can only use a rule group reference statement at the top level inside a web ACL.", + "markdownDescription": "A rule statement used to run the rules that are defined in a `RuleGroup` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.\n\nYou cannot nest a `RuleGroupReferenceStatement` , for example for use inside a `NotStatement` or `OrStatement` . You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.", "title": "RuleGroupReferenceStatement" }, "SizeConstraintStatement": { "$ref": "#/definitions/AWS::WAFv2::WebACL.SizeConstraintStatement", - "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", + "markdownDescription": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.\n\nIf you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.\n\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long.", "title": "SizeConstraintStatement" }, "SqliMatchStatement": { @@ -247935,7 +249873,7 @@ "type": "number" }, "Type": { - "markdownDescription": "You can specify the following transformation types:\n\n*BASE64_DECODE* - Decode a `Base64` -encoded string.\n\n*BASE64_DECODE_EXT* - Decode a `Base64` -encoded string, but use a forgiving implementation that ignores characters that aren't valid.\n\n*CMD_LINE* - Command-line transformations. These are helpful in reducing effectiveness of attackers who inject an operating system command-line command and use unusual formatting to disguise some or all of the command.\n\n- Delete the following characters: `\\ \" ' ^`\n- Delete spaces before the following characters: `/ (`\n- Replace the following characters with a space: `, ;`\n- Replace multiple spaces with one space\n- Convert uppercase letters (A-Z) to lowercase (a-z)\n\n*COMPRESS_WHITE_SPACE* - Replace these characters with a space character (decimal 32):\n\n- `\\f` , formfeed, decimal 12\n- `\\t` , tab, decimal 9\n- `\\n` , newline, decimal 10\n- `\\r` , carriage return, decimal 13\n- `\\v` , vertical tab, decimal 11\n- Non-breaking space, decimal 160\n\n`COMPRESS_WHITE_SPACE` also replaces multiple spaces with one space.\n\n*CSS_DECODE* - Decode characters that were encoded using CSS 2.x escape rules `syndata.html#characters` . This function uses up to two bytes in the decoding process, so it can help to uncover ASCII characters that were encoded using CSS encoding that wouldn\u2019t typically be encoded. It's also useful in countering evasion, which is a combination of a backslash and non-hexadecimal characters. For example, `ja\\vascript` for javascript.\n\n*ESCAPE_SEQ_DECODE* - Decode the following ANSI C escape sequences: `\\a` , `\\b` , `\\f` , `\\n` , `\\r` , `\\t` , `\\v` , `\\\\` , `\\?` , `\\'` , `\\\"` , `\\xHH` (hexadecimal), `\\0OOO` (octal). Encodings that aren't valid remain in the output.\n\n*HEX_DECODE* - Decode a string of hexadecimal characters into a binary.\n\n*HTML_ENTITY_DECODE* - Replace HTML-encoded characters with unencoded characters. `HTML_ENTITY_DECODE` performs these operations:\n\n- Replaces `(ampersand)quot;` with `\"`\n- Replaces `(ampersand)nbsp;` with a non-breaking space, decimal 160\n- Replaces `(ampersand)lt;` with a \"less than\" symbol\n- Replaces `(ampersand)gt;` with `>`\n- Replaces characters that are represented in hexadecimal format, `(ampersand)#xhhhh;` , with the corresponding characters\n- Replaces characters that are represented in decimal format, `(ampersand)#nnnn;` , with the corresponding characters\n\n*JS_DECODE* - Decode JavaScript escape sequences. If a `\\` `u` `HHHH` code is in the full-width ASCII code range of `FF01-FF5E` , then the higher byte is used to detect and adjust the lower byte. If not, only the lower byte is used and the higher byte is zeroed, causing a possible loss of information.\n\n*LOWERCASE* - Convert uppercase letters (A-Z) to lowercase (a-z).\n\n*MD5* - Calculate an MD5 hash from the data in the input. The computed hash is in a raw binary form.\n\n*NONE* - Specify `NONE` if you don't want any text transformations.\n\n*NORMALIZE_PATH* - Remove multiple slashes, directory self-references, and directory back-references that are not at the beginning of the input from an input string.\n\n*NORMALIZE_PATH_WIN* - This is the same as `NORMALIZE_PATH` , but first converts backslash characters to forward slashes.\n\n*REMOVE_NULLS* - Remove all `NULL` bytes from the input.\n\n*REPLACE_COMMENTS* - Replace each occurrence of a C-style comment ( `/* ... */` ) with a single space. Multiple consecutive occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII 0x20). However, a standalone termination of a comment ( `*/` ) is not acted upon.\n\n*REPLACE_NULLS* - Replace NULL bytes in the input with space characters (ASCII `0x20` ).\n\n*SQL_HEX_DECODE* - Decode SQL hex data. Example ( `0x414243` ) will be decoded to ( `ABC` ).\n\n*URL_DECODE* - Decode a URL-encoded value.\n\n*URL_DECODE_UNI* - Like `URL_DECODE` , but with support for Microsoft-specific `%u` encoding. If the code is in the full-width ASCII code range of `FF01-FF5E` , the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is zeroed.\n\n*UTF8_TO_UNICODE* - Convert all UTF-8 character sequences to Unicode. This helps input normalization, and minimizing false-positives and false-negatives for non-English languages.", + "markdownDescription": "For detailed descriptions of each of the transformation types, see [Text transformations](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-transformation.html) in the *AWS WAF Developer Guide* .", "title": "Type", "type": "string" } @@ -248115,7 +250053,7 @@ }, "ServerSideEncryptionConfiguration": { "$ref": "#/definitions/AWS::Wisdom::Assistant.ServerSideEncryptionConfiguration", - "markdownDescription": "The KMS key used for encryption.", + "markdownDescription": "The configuration information for the customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) .", "title": "ServerSideEncryptionConfiguration" }, "Tags": { @@ -248163,7 +250101,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "The customer managed key used for encryption. The customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. To use Wisdom with chat, the key policy must also allow `kms:Decrypt` , `kms:GenerateDataKey*` , and `kms:DescribeKey` permissions to the `connect.amazonaws.com` service principal. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "title": "KmsKeyId", "type": "string" } @@ -248328,7 +250266,7 @@ }, "ServerSideEncryptionConfiguration": { "$ref": "#/definitions/AWS::Wisdom::KnowledgeBase.ServerSideEncryptionConfiguration", - "markdownDescription": "The KMS key used for encryption.", + "markdownDescription": "This customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom. For more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "title": "ServerSideEncryptionConfiguration" }, "SourceConfiguration": { @@ -248376,7 +250314,7 @@ "additionalProperties": false, "properties": { "AppIntegrationArn": { - "markdownDescription": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .", + "markdownDescription": "The Amazon Resource Name (ARN) of the AppIntegrations DataIntegration to use for ingesting content.\n\n- For [Salesforce](https://docs.aws.amazon.com/https://developer.salesforce.com/docs/atlas.en-us.knowledge_dev.meta/knowledge_dev/sforce_api_objects_knowledge__kav.htm) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `Id` , `ArticleNumber` , `VersionNumber` , `Title` , `PublishStatus` , and `IsDeleted` as source fields.\n- For [ServiceNow](https://docs.aws.amazon.com/https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/knowledge-management-api) , your AppIntegrations DataIntegration must have an ObjectConfiguration if objectFields is not provided, including at least `number` , `short_description` , `sys_mod_count` , `workflow_state` , and `active` as source fields.\n- For [Zendesk](https://docs.aws.amazon.com/https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) , your AppIntegrations DataIntegration must have an ObjectConfiguration if `objectFields` is not provided, including at least `id` , `title` , `updated_at` , and `draft` as source fields.\n- For [SharePoint](https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-api-index) , your AppIntegrations DataIntegration must have a FileConfiguration, including only file extensions that are among `docx` , `pdf` , `html` , `htm` , and `txt` .\n- For [Amazon S3](https://docs.aws.amazon.com/https://aws.amazon.com/s3/) , the ObjectConfiguration and FileConfiguration of your AppIntegrations DataIntegration must be null. The `SourceURI` of your DataIntegration must use the following format: `s3://your_s3_bucket_name` .\n\n> The bucket policy of the corresponding S3 bucket must allow the AWS principal `app-integrations.amazonaws.com` to perform `s3:ListBucket` , `s3:GetObject` , and `s3:GetBucketLocation` against the bucket.", "title": "AppIntegrationArn", "type": "string" }, @@ -248409,7 +250347,7 @@ "additionalProperties": false, "properties": { "KmsKeyId": { - "markdownDescription": "The KMS key . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "markdownDescription": "The customer managed key used for encryption.\n\nThis customer managed key must have a policy that allows `kms:CreateGrant` and `kms:DescribeKey` permissions to the IAM identity using the key to invoke Wisdom.\n\nFor more information about setting up a customer managed key for Wisdom, see [Enable Amazon Connect Wisdom for your instance](https://docs.aws.amazon.com/connect/latest/adminguide/enable-wisdom.html) . For information about valid ID values, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) .", "title": "KmsKeyId", "type": "string" } @@ -248509,22 +250447,22 @@ "additionalProperties": false, "properties": { "AssociatedAccountId": { - "markdownDescription": "", + "markdownDescription": "The identifier of the AWS account that associated the connection alias with a directory.", "title": "AssociatedAccountId", "type": "string" }, "AssociationStatus": { - "markdownDescription": "", + "markdownDescription": "The association status of the connection alias.", "title": "AssociationStatus", "type": "string" }, "ConnectionIdentifier": { - "markdownDescription": "", + "markdownDescription": "The identifier of the connection alias association. You use the connection identifier in the DNS TXT record when you're configuring your DNS routing policies.", "title": "ConnectionIdentifier", "type": "string" }, "ResourceId": { - "markdownDescription": "", + "markdownDescription": "The identifier of the directory associated with a connection alias.", "title": "ResourceId", "type": "string" } @@ -248706,23 +250644,31 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "Additional encryption context of the browser settings.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "BrowserPolicy": { + "markdownDescription": "A JSON string containing Chrome Enterprise policies that will be applied to all streaming sessions.", + "title": "BrowserPolicy", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "The custom managed key of the browser settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the browser settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -248785,20 +250731,28 @@ "properties": { "IdentityProviderDetails": { "additionalProperties": true, + "markdownDescription": "The identity provider details. The following list describes the provider detail keys for each identity provider type.\n\n- For Google and Login with Amazon:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- For Facebook:\n\n- `client_id`\n- `client_secret`\n- `authorize_scopes`\n- `api_version`\n- For Sign in with Apple:\n\n- `client_id`\n- `team_id`\n- `key_id`\n- `private_key`\n- `authorize_scopes`\n- For OIDC providers:\n\n- `client_id`\n- `client_secret`\n- `attributes_request_method`\n- `oidc_issuer`\n- `authorize_scopes`\n- `authorize_url` *if not available from discovery URL specified by oidc_issuer key*\n- `token_url` *if not available from discovery URL specified by oidc_issuer key*\n- `attributes_url` *if not available from discovery URL specified by oidc_issuer key*\n- `jwks_uri` *if not available from discovery URL specified by oidc_issuer key*\n- For SAML providers:\n\n- `MetadataFile` OR `MetadataURL`\n- `IDPSignout` *optional*", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "IdentityProviderDetails", "type": "object" }, "IdentityProviderName": { + "markdownDescription": "The identity provider name.", + "title": "IdentityProviderName", "type": "string" }, "IdentityProviderType": { + "markdownDescription": "The identity provider type.", + "title": "IdentityProviderType", "type": "string" }, "PortalArn": { + "markdownDescription": "The ARN of the identity provider.", + "title": "PortalArn", "type": "string" } }, @@ -248867,32 +250821,44 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "Additional encryption context of the IP access settings.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "CustomerManagedKey": { + "markdownDescription": "The custom managed key of the IP access settings.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "Description": { + "markdownDescription": "The description of the IP access settings.", + "title": "Description", "type": "string" }, "DisplayName": { + "markdownDescription": "The display name of the IP access settings.", + "title": "DisplayName", "type": "string" }, "IpRules": { "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::IpAccessSettings.IpRule" }, + "markdownDescription": "The IP rules of the IP access settings.", + "title": "IpRules", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the browser settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -248926,9 +250892,13 @@ "additionalProperties": false, "properties": { "Description": { + "markdownDescription": "The description of the IP rule.", + "title": "Description", "type": "string" }, "IpRange": { + "markdownDescription": "The IP range of the IP rule. This can either be a single IP address or a range using CIDR notation.", + "title": "IpRange", "type": "string" } }, @@ -248976,21 +250946,29 @@ "items": { "type": "string" }, + "markdownDescription": "One or more security groups used to control access from streaming instances to your VPC.\n\n*Pattern* : `^[\\w+\\-]+$`", + "title": "SecurityGroupIds", "type": "array" }, "SubnetIds": { "items": { "type": "string" }, + "markdownDescription": "The subnets in which network interfaces are created to connect streaming instances to your VPC. At least two of these subnets must be in different availability zones.\n\n*Pattern* : `^subnet-([0-9a-f]{8}|[0-9a-f]{17})$`", + "title": "SubnetIds", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the network settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "VpcId": { + "markdownDescription": "The VPC that streaming instances will connect to.\n\n*Pattern* : `^vpc-[0-9a-z]*$`", + "title": "VpcId", "type": "string" } }, @@ -249059,44 +251037,66 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "The additional encryption context of the portal.", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "AuthenticationType": { + "markdownDescription": "The type of authentication integration points used when signing into the web portal. Defaults to `Standard` .\n\n`Standard` web portals are authenticated directly through your identity provider (IdP). User and group access to your web portal is controlled through your IdP. You need to include an IdP resource in your template to integrate your IdP with your web portal. Completing the configuration for your IdP requires exchanging WorkSpaces Web\u2019s SP metadata with your IdP\u2019s IdP metadata. If your IdP requires the SP metadata first before returning the IdP metadata, you should follow these steps:\n\n1. Create and deploy a CloudFormation template with a `Standard` portal with no `IdentityProvider` resource.\n\n2. Retrieve the SP metadata using `Fn:GetAtt` , the WorkSpaces Web console, or by the calling the `GetPortalServiceProviderMetadata` API.\n\n3. Submit the data to your IdP.\n\n4. Add an `IdentityProvider` resource to your CloudFormation template.\n\n`IAM Identity Center` web portals are authenticated through AWS IAM Identity Center . They provide additional features, such as IdP-initiated authentication. Identity sources (including external identity provider integration) and other identity provider information must be configured in IAM Identity Center . User and group assignment must be done through the WorkSpaces Web console. These cannot be configured in CloudFormation.", + "title": "AuthenticationType", "type": "string" }, "BrowserSettingsArn": { + "markdownDescription": "The ARN of the browser settings that is associated with this web portal.", + "title": "BrowserSettingsArn", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "The customer managed key of the web portal.\n\n*Pattern* : `^arn:[\\w+=\\/,.@-]+:kms:[a-zA-Z0-9\\-]*:[a-zA-Z0-9]{1,12}:key\\/[a-zA-Z0-9-]+$`", + "title": "CustomerManagedKey", "type": "string" }, "DisplayName": { + "markdownDescription": "The name of the web portal.", + "title": "DisplayName", "type": "string" }, "IpAccessSettingsArn": { + "markdownDescription": "The ARN of the IP access settings that is associated with the web portal.", + "title": "IpAccessSettingsArn", "type": "string" }, "NetworkSettingsArn": { + "markdownDescription": "The ARN of the network settings that is associated with the web portal.", + "title": "NetworkSettingsArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the web portal. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "TrustStoreArn": { + "markdownDescription": "The ARN of the trust store that is associated with the web portal.", + "title": "TrustStoreArn", "type": "string" }, "UserAccessLoggingSettingsArn": { + "markdownDescription": "The ARN of the user access logging settings that is associated with the web portal.", + "title": "UserAccessLoggingSettingsArn", "type": "string" }, "UserSettingsArn": { + "markdownDescription": "The ARN of the user settings that is associated with the web portal.", + "title": "UserSettingsArn", "type": "string" } }, @@ -249161,12 +251161,16 @@ "items": { "type": "string" }, + "markdownDescription": "A list of CA certificates to be added to the trust store.", + "title": "CertificateList", "type": "array" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the trust store. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -249232,12 +251236,16 @@ "additionalProperties": false, "properties": { "KinesisStreamArn": { + "markdownDescription": "The ARN of the Kinesis stream.", + "title": "KinesisStreamArn", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the user access logging settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" } }, @@ -249304,44 +251312,66 @@ "properties": { "AdditionalEncryptionContext": { "additionalProperties": true, + "markdownDescription": "", "patternProperties": { "^[a-zA-Z0-9]+$": { "type": "string" } }, + "title": "AdditionalEncryptionContext", "type": "object" }, "CookieSynchronizationConfiguration": { - "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSynchronizationConfiguration" + "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSynchronizationConfiguration", + "markdownDescription": "The configuration that specifies which cookies should be synchronized from the end user's local browser to the remote browser.", + "title": "CookieSynchronizationConfiguration" }, "CopyAllowed": { + "markdownDescription": "Specifies whether the user can copy text from the streaming session to the local device.", + "title": "CopyAllowed", "type": "string" }, "CustomerManagedKey": { + "markdownDescription": "", + "title": "CustomerManagedKey", "type": "string" }, "DisconnectTimeoutInMinutes": { + "markdownDescription": "The amount of time that a streaming session remains active after users disconnect.", + "title": "DisconnectTimeoutInMinutes", "type": "number" }, "DownloadAllowed": { + "markdownDescription": "Specifies whether the user can download files from the streaming session to the local device.", + "title": "DownloadAllowed", "type": "string" }, "IdleDisconnectTimeoutInMinutes": { + "markdownDescription": "The amount of time that users can be idle (inactive) before they are disconnected from their streaming session and the disconnect timeout interval begins.", + "title": "IdleDisconnectTimeoutInMinutes", "type": "number" }, "PasteAllowed": { + "markdownDescription": "Specifies whether the user can paste text from the local device to the streaming session.", + "title": "PasteAllowed", "type": "string" }, "PrintAllowed": { + "markdownDescription": "Specifies whether the user can print to the local device.", + "title": "PrintAllowed", "type": "string" }, "Tags": { "items": { "$ref": "#/definitions/Tag" }, + "markdownDescription": "The tags to add to the user settings resource. A tag is a key-value pair.", + "title": "Tags", "type": "array" }, "UploadAllowed": { + "markdownDescription": "Specifies whether the user can upload files from the local device to the streaming session.", + "title": "UploadAllowed", "type": "string" } }, @@ -249379,12 +251409,18 @@ "additionalProperties": false, "properties": { "Domain": { + "markdownDescription": "The domain of the cookie.", + "title": "Domain", "type": "string" }, "Name": { + "markdownDescription": "The name of the cookie.", + "title": "Name", "type": "string" }, "Path": { + "markdownDescription": "The path of the cookie.", + "title": "Path", "type": "string" } }, @@ -249400,12 +251436,16 @@ "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSpecification" }, + "markdownDescription": "The list of cookie specifications that are allowed to be synchronized to the remote browser.", + "title": "Allowlist", "type": "array" }, "Blocklist": { "items": { "$ref": "#/definitions/AWS::WorkSpacesWeb::UserSettings.CookieSpecification" }, + "markdownDescription": "The list of cookie specifications that are blocked from being synchronized to the remote browser.", + "title": "Blocklist", "type": "array" } },