AWS SecurityHub Update: The AWS Security Finding Format is being augmented with the following changes. 21 new resource types without corresponding details objects are added. Another new resource type, AwsS3Object, has an accompanying details object. Severity.Label is a new string field that indicates the severity of a finding. The available values are: INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL. The new string field Workflow.Status indicates the status of the investigation into a finding. The available values are: NEW, NOTIFIED, RESOLVED, SUPPRESSED.

AWS · AWS · commit e52ac810eedd · 2020-03-12T19:40:12.000Z
diff --git a/.changes/next-release/feature-AWSSecurityHub-7af4f70.json b/.changes/next-release/feature-AWSSecurityHub-7af4f70.json
@@ -0,0 +1,5 @@
+{
+    "type": "feature",
+    "category": "AWS SecurityHub",
+    "description": "The AWS Security Finding Format is being augmented with the following changes. 21 new resource types without corresponding details objects are added. Another new resource type, AwsS3Object, has an accompanying details object. Severity.Label is a new string field that indicates the severity of a finding. The available values are: INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL. The new string field Workflow.Status indicates the status of the investigation into a finding. The available values are: NEW, NOTIFIED, RESOLVED, SUPPRESSED."
+}
diff --git a/services/securityhub/src/main/resources/codegen-resources/service-2.json b/services/securityhub/src/main/resources/codegen-resources/service-2.json
@@ -1854,10 +1854,86 @@
         "OwnerName":{
           "shape":"NonEmptyString",
           "documentation":"<p>The display name of the owner of the S3 bucket.</p>"
+        },
+        "CreatedAt":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>The date and time when the S3 bucket was created.</p>"
+        },
+        "ServerSideEncryptionConfiguration":{
+          "shape":"AwsS3BucketServerSideEncryptionConfiguration",
+          "documentation":"<p>The encryption rules that are applied to the S3 bucket.</p>"
         }
       },
       "documentation":"<p>The details of an Amazon S3 bucket.</p>"
     },
+    "AwsS3BucketServerSideEncryptionByDefault":{
+      "type":"structure",
+      "members":{
+        "SSEAlgorithm":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>Server-side encryption algorithm to use for the default encryption.</p>"
+        },
+        "KMSMasterKeyID":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>AWS KMS customer master key (CMK) ID to use for the default encryption.</p>"
+        }
+      },
+      "documentation":"<p>Specifies the default server-side encryption to apply to new objects in the bucket.</p>"
+    },
+    "AwsS3BucketServerSideEncryptionConfiguration":{
+      "type":"structure",
+      "members":{
+        "Rules":{
+          "shape":"AwsS3BucketServerSideEncryptionRules",
+          "documentation":"<p>The encryption rules that are applied to the S3 bucket.</p>"
+        }
+      },
+      "documentation":"<p>The encryption configuration for the S3 bucket.</p>"
+    },
+    "AwsS3BucketServerSideEncryptionRule":{
+      "type":"structure",
+      "members":{
+        "ApplyServerSideEncryptionByDefault":{
+          "shape":"AwsS3BucketServerSideEncryptionByDefault",
+          "documentation":"<p>Specifies the default server-side encryption to apply to new objects in the bucket. If a <code>PUT</code> Object request doesn't specify any server-side encryption, this default encryption is applied.</p>"
+        }
+      },
+      "documentation":"<p>An encryption rule to apply to the S3 bucket.</p>"
+    },
+    "AwsS3BucketServerSideEncryptionRules":{
+      "type":"list",
+      "member":{"shape":"AwsS3BucketServerSideEncryptionRule"}
+    },
+    "AwsS3ObjectDetails":{
+      "type":"structure",
+      "members":{
+        "LastModified":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>The date and time when the object was last modified.</p>"
+        },
+        "ETag":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>The opaque identifier assigned by a web server to a specific version of a resource found at a URL.</p>"
+        },
+        "VersionId":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>The version of the object.</p>"
+        },
+        "ContentType":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>A standard MIME type describing the format of the object data.</p>"
+        },
+        "ServerSideEncryption":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>If the object is stored using server-side encryption, the value of the server-side encryption algorithm used when storing this object in Amazon S3.</p>"
+        },
+        "SSEKMSKeyId":{
+          "shape":"NonEmptyString",
+          "documentation":"<p>The identifier of the AWS Key Management Service (AWS KMS) symmetric customer managed customer master key (CMK) that was used for the object.</p>"
+        }
+      },
+      "documentation":"<p>Details about an AWS S3 object.</p>"
+    },
     "AwsSecurityFinding":{
       "type":"structure",
       "required":[
@@ -1885,7 +1961,7 @@
         },
         "ProductArn":{
           "shape":"NonEmptyString",
-          "documentation":"<p>The ARN generated by Security Hub that uniquely identifies a third-party company (security-findings provider) after this provider's product (solution that generates findings) is registered with Security Hub. </p>"
+          "documentation":"<p>The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.</p>"
         },
         "GeneratorId":{
           "shape":"NonEmptyString",
@@ -1983,6 +2059,10 @@
           "shape":"WorkflowState",
           "documentation":"<p>The workflow state of a finding. </p>"
         },
+        "Workflow":{
+          "shape":"Workflow",
+          "documentation":"<p>Provides information about the status of the investigation into a finding.</p>"
+        },
         "RecordState":{
           "shape":"RecordState",
           "documentation":"<p>The record state of a finding.</p>"
@@ -2305,6 +2385,10 @@
           "shape":"StringFilterList",
           "documentation":"<p>The workflow state of a finding.</p>"
         },
+        "WorkflowStatus":{
+          "shape":"StringFilterList",
+          "documentation":"<p>The status of the investigation into a finding. Allowed values are the following.</p> <ul> <li> <p> <code>NEW</code> - The initial state of a finding, before it is reviewed.</p> </li> <li> <p> <code>NOTIFIED</code> - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.</p> </li> <li> <p> <code>SUPPRESSED</code> - The finding will not be reviewed again and will not be acted upon.</p> </li> <li> <p> <code>RESOLVED</code> - The finding was reviewed and remediated and is now considered resolved. </p> </li> </ul>"
+        },
         "RecordState":{
           "shape":"StringFilterList",
           "documentation":"<p>The updated record state for the finding.</p>"
@@ -3141,7 +3225,7 @@
       "members":{
         "InsightArns":{
           "shape":"ArnList",
-          "documentation":"<p>The ARNs of the insights to describe.</p>"
+          "documentation":"<p>The ARNs of the insights to describe. If you do not provide any insight ARNs, then <code>GetInsights</code> returns all of your custom insights. It does not return any managed insights.</p>"
         },
         "NextToken":{
           "shape":"NextToken",
@@ -4055,6 +4139,10 @@
           "shape":"AwsS3BucketDetails",
           "documentation":"<p>Details about an Amazon S3 Bucket related to a finding.</p>"
         },
+        "AwsS3Object":{
+          "shape":"AwsS3ObjectDetails",
+          "documentation":"<p>Details about an Amazon S3 object related to a finding.</p>"
+        },
         "AwsIamAccessKey":{
           "shape":"AwsIamAccessKeyDetails",
           "documentation":"<p>Details about an IAM access key related to a finding.</p>"
@@ -4140,19 +4228,32 @@
     },
     "Severity":{
       "type":"structure",
-      "required":["Normalized"],
       "members":{
         "Product":{
           "shape":"Double",
           "documentation":"<p>The native severity as defined by the AWS service or integrated partner product that generated the finding.</p>"
         },
+        "Label":{
+          "shape":"SeverityLabel",
+          "documentation":"<p>The severity value of the finding. The allowed values are the following.</p> <ul> <li> <p> <code>INFORMATIONAL</code> - No issue was found.</p> </li> <li> <p> <code>LOW</code> - The issue does not require action on its own.</p> </li> <li> <p> <code>MEDIUM</code> - The issue must be addressed but not urgently.</p> </li> <li> <p> <code>HIGH</code> - The issue must be addressed as a priority.</p> </li> <li> <p> <code>CRITICAL</code> - The issue must be remediated immediately to avoid it escalating.</p> </li> </ul>"
+        },
         "Normalized":{
           "shape":"Integer",
-          "documentation":"<p>The normalized severity of a finding.</p>"
+          "documentation":"<p>Deprecated. This attribute is being deprecated. Instead of providing <code>Normalized</code>, provide <code>Label</code>.</p> <p>If you provide <code>Normalized</code> and do not provide <code>Label</code>, <code>Label</code> is set automatically as follows. </p> <ul> <li> <p>0 - <code>INFORMATIONAL</code> </p> </li> <li> <p>1–39 - <code>LOW</code> </p> </li> <li> <p>40–69 - <code>MEDIUM</code> </p> </li> <li> <p>70–89 - <code>HIGH</code> </p> </li> <li> <p>90–100 - <code>CRITICAL</code> </p> </li> </ul>"
         }
       },
       "documentation":"<p>The severity of the finding.</p>"
     },
+    "SeverityLabel":{
+      "type":"string",
+      "enum":[
+        "INFORMATIONAL",
+        "LOW",
+        "MEDIUM",
+        "HIGH",
+        "CRITICAL"
+      ]
+    },
     "SeverityRating":{
       "type":"string",
       "enum":[
@@ -4649,15 +4750,36 @@
       },
       "documentation":"<p>Details about an override action for a rule.</p>"
     },
+    "Workflow":{
+      "type":"structure",
+      "members":{
+        "Status":{
+          "shape":"WorkflowStatus",
+          "documentation":"<p>The status of the investigation into the finding. The allowed values are the following.</p> <ul> <li> <p> <code>NEW</code> - The initial state of a finding, before it is reviewed.</p> </li> <li> <p> <code>NOTIFIED</code> - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.</p> </li> <li> <p> <code>SUPPRESSED</code> - The finding will not be reviewed again and will not be acted upon.</p> </li> <li> <p> <code>RESOLVED</code> - The finding was reviewed and remediated and is now considered resolved. </p> </li> </ul>"
+        }
+      },
+      "documentation":"<p>Provides information about the status of the investigation into a finding.</p>"
+    },
     "WorkflowState":{
       "type":"string",
+      "deprecated":true,
+      "deprecatedMessage":"This field is deprecated, use Workflow.Status instead.",
       "enum":[
         "NEW",
         "ASSIGNED",
         "IN_PROGRESS",
         "DEFERRED",
         "RESOLVED"
       ]
+    },
+    "WorkflowStatus":{
+      "type":"string",
+      "enum":[
+        "NEW",
+        "NOTIFIED",
+        "RESOLVED",
+        "SUPPRESSED"
+      ]
     }
   },
   "documentation":"<p>Security Hub provides you with a comprehensive view of the security state of your AWS environment and resources. It also provides you with the readiness status of your environment based on controls from supported security standards. Security Hub collects security data from AWS accounts, services, and integrated third-party products and helps you analyze security trends in your environment to identify the highest priority security issues. For more information about Security Hub, see the <i> <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html\">AWS Security Hub User Guide</a> </i>.</p> <p>When you use operations in the Security Hub API, the requests are executed only in the AWS Region that is currently active or in the specific AWS Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, execute the same command for each Region to apply the change to.</p> <p>For example, if your Region is set to <code>us-west-2</code>, when you use <code> <a>CreateMembers</a> </code> to add a member account to Security Hub, the association of the member account with the master account is created only in the <code>us-west-2</code> Region. Security Hub must be enabled for the member account in the same Region that the invitation was sent from.</p> <p>The following throttling limits apply to using Security Hub API operations.</p> <ul> <li> <p> <code> <a>GetFindings</a> </code> - <code>RateLimit</code> of 3 requests per second. <code>BurstLimit</code> of 6 requests per second.</p> </li> <li> <p> <code> <a>UpdateFindings</a> </code> - <code>RateLimit</code> of 1 request per second. <code>BurstLimit</code> of 5 requests per second.</p> </li> <li> <p>All other operations - <code>RateLimit</code> of 10 requests per second. <code>BurstLimit</code> of 30 requests per second.</p> </li> </ul>"
