feat(client-securityhub): Security Hub now lets you opt-out of auto-enabling the defaults standards (CIS and FSBP) in accounts that are auto-enabled with Security Hub via Security Hub's integration with AWS Organizations.

Author: awstools

clients/client-securityhub/README.md

@@ -11,9 +11,10 @@ AWS SDK for JavaScript SecurityHub Client for Node.js, Browser and React Native.
 of your environment based on controls from supported security standards. Security Hub collects
 security data from Amazon Web Services accounts, services, and integrated third-party products and helps
 you analyze security trends in your environment to identify the highest priority security
-issues. For more information about Security Hub, see the <i>Security Hub<a href="https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html">User
-Guide</a>
-</i>.</p>
+issues. For more information about Security Hub, see the <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html">
+<i>Security HubUser
+Guide</i>
+</a>.</p>
 <p>When you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services
 Region that is currently active or in the specific Amazon Web Services Region that you specify in your
 request. Any configuration or settings change that results from the operation is applied

clients/client-securityhub/src/SecurityHub.ts

@@ -263,9 +263,10 @@ import { SecurityHubClient } from "./SecurityHubClient";
  *          of your environment based on controls from supported security standards. Security Hub collects
  *          security data from Amazon Web Services accounts, services, and integrated third-party products and helps
  *          you analyze security trends in your environment to identify the highest priority security
- *          issues. For more information about Security Hub, see the <i>Security Hub<a href="https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html">User
- *                Guide</a>
- *             </i>.</p>
+ *          issues. For more information about Security Hub, see the <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html">
+ *                <i>Security HubUser
+ *             Guide</i>
+ *             </a>.</p>
  *          <p>When you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services
  *          Region that is currently active or in the specific Amazon Web Services Region that you specify in your
  *          request. Any configuration or settings change that results from the operation is applied
@@ -680,7 +681,7 @@ export class SecurityHub extends SecurityHubClient {
 
   /**
    * <p>Used to enable finding aggregation. Must be called from the aggregation Region.</p>
-   *          <p>For more details about cross-Region replication, see <a href="securityhub/latest/userguide/finding-aggregation.html">Configuring finding aggregation</a> in the <i>Security Hub User Guide</i>.
+   *          <p>For more details about cross-Region replication, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html">Configuring finding aggregation</a> in the <i>Security Hub User Guide</i>.
    *       </p>
    */
   public createFindingAggregator(

clients/client-securityhub/src/SecurityHubClient.ts

@@ -470,9 +470,10 @@ export interface SecurityHubClientResolvedConfig extends SecurityHubClientResolv
  *          of your environment based on controls from supported security standards. Security Hub collects
  *          security data from Amazon Web Services accounts, services, and integrated third-party products and helps
  *          you analyze security trends in your environment to identify the highest priority security
- *          issues. For more information about Security Hub, see the <i>Security Hub<a href="https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html">User
- *                Guide</a>
- *             </i>.</p>
+ *          issues. For more information about Security Hub, see the <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html">
+ *                <i>Security HubUser
+ *             Guide</i>
+ *             </a>.</p>
  *          <p>When you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services
  *          Region that is currently active or in the specific Amazon Web Services Region that you specify in your
  *          request. Any configuration or settings change that results from the operation is applied

clients/client-securityhub/src/commands/CreateFindingAggregatorCommand.ts

@@ -23,7 +23,7 @@ export interface CreateFindingAggregatorCommandOutput extends CreateFindingAggre
 
 /**
  * <p>Used to enable finding aggregation. Must be called from the aggregation Region.</p>
- *          <p>For more details about cross-Region replication, see <a href="securityhub/latest/userguide/finding-aggregation.html">Configuring finding aggregation</a> in the <i>Security Hub User Guide</i>.
+ *          <p>For more details about cross-Region replication, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html">Configuring finding aggregation</a> in the <i>Security Hub User Guide</i>.
  *       </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.

clients/client-securityhub/src/models/models_0.ts

@@ -821,6 +821,11 @@ export namespace AdminAccount {
   });
 }
 
+export enum AutoEnableStandards {
+  DEFAULT = "DEFAULT",
+  NONE = "NONE",
+}
+
 /**
  * <p>Information about an Availability Zone.</p>
  */
@@ -11454,32 +11459,3 @@ export namespace AwsRdsDbSubnetGroup {
     ...obj,
   });
 }
-
-/**
- * <p>Specifies the connection endpoint.</p>
- */
-export interface AwsRdsDbInstanceEndpoint {
-  /**
-   * <p>Specifies the DNS address of the DB instance.</p>
-   */
-  Address?: string;
-
-  /**
-   * <p>Specifies the port that the database engine is listening on.</p>
-   */
-  Port?: number;
-
-  /**
-   * <p>Specifies the ID that Amazon Route 53 assigns when you create a hosted zone.</p>
-   */
-  HostedZoneId?: string;
-}
-
-export namespace AwsRdsDbInstanceEndpoint {
-  /**
-   * @internal
-   */
-  export const filterSensitiveLog = (obj: AwsRdsDbInstanceEndpoint): any => ({
-    ...obj,
-  });
-}

clients/client-securityhub/src/models/models_1.ts

@@ -7,6 +7,7 @@ import {
   ActionTarget,
   Adjustment,
   AdminAccount,
+  AutoEnableStandards,
   AwsApiGatewayRestApiDetails,
   AwsApiGatewayStageDetails,
   AwsApiGatewayV2ApiDetails,
@@ -54,13 +55,41 @@ import {
   AwsRdsDbClusterSnapshotDetails,
   AwsRdsDbDomainMembership,
   AwsRdsDbInstanceAssociatedRole,
-  AwsRdsDbInstanceEndpoint,
   AwsRdsDbInstanceVpcSecurityGroup,
   AwsRdsDbParameterGroup,
   AwsRdsDbSubnetGroup,
 } from "./models_0";
 import { SecurityHubServiceException as __BaseException } from "./SecurityHubServiceException";
 
+/**
+ * <p>Specifies the connection endpoint.</p>
+ */
+export interface AwsRdsDbInstanceEndpoint {
+  /**
+   * <p>Specifies the DNS address of the DB instance.</p>
+   */
+  Address?: string;
+
+  /**
+   * <p>Specifies the port that the database engine is listening on.</p>
+   */
+  Port?: number;
+
+  /**
+   * <p>Specifies the ID that Amazon Route 53 assigns when you create a hosted zone.</p>
+   */
+  HostedZoneId?: string;
+}
+
+export namespace AwsRdsDbInstanceEndpoint {
+  /**
+   * @internal
+   */
+  export const filterSensitiveLog = (obj: AwsRdsDbInstanceEndpoint): any => ({
+    ...obj,
+  });
+}
+
 /**
  * <p>An option group membership.</p>
  */
@@ -5298,19 +5327,15 @@ export interface AwsSecurityFinding {
 
   /**
    * <p>The name of the product that generated the finding.</p>
-   *          <p>Security Hub populates this attribute automatically for each finding. You cannot update it using <code>BatchImportFindings</code> or <code>BatchUpdateFindings</code>. The exception to this is when you use a custom integration.</p>
-   *          <p>When you use the Security Hub console to filter findings by product name, you use this attribute.</p>
-   *          <p>When you use the Security Hub API to filter findings by product name, you use the <code>aws/securityhub/ProductName</code> attribute under <code>ProductFields</code>.</p>
-   *          <p>Security Hub does not synchronize those two attributes.</p>
+   *          <p>Security Hub populates this attribute automatically for each finding. You cannot update this attribute with <code>BatchImportFindings</code> or <code>BatchUpdateFindings</code>. The exception to this is a custom integration.</p>
+   *          <p>When you use the Security Hub console or API to filter findings by product name, you use this attribute.</p>
    */
   ProductName?: string;
 
   /**
    * <p>The name of the company for the product that generated the finding.</p>
-   *          <p>Security Hub populates this attribute automatically for each finding. You cannot be updated using <code>BatchImportFindings</code> or <code>BatchUpdateFindings</code>. The exception to this is when you use a custom integration.</p>
-   *          <p>When you use the Security Hub console to filter findings by company name, you use this attribute.</p>
-   *          <p>When you use the Security Hub API to filter findings by company name, you use the <code>aws/securityhub/CompanyName</code> attribute under <code>ProductFields</code>.</p>
-   *          <p>Security Hub does not synchronize those two attributes.</p>
+   *          <p>Security Hub populates this attribute automatically for each finding. You cannot update this attribute with <code>BatchImportFindings</code> or <code>BatchUpdateFindings</code>. The exception to this is a custom integration.</p>
+   *          <p>When you use the Security Hub console or API to filter findings by company name, you use this attribute.</p>
    */
   CompanyName?: string;
 
@@ -5985,14 +6010,12 @@ export interface AwsSecurityFindingFilters {
 
   /**
    * <p>The name of the solution (product) that generates findings.</p>
-   *          <p>Note that this is a filter against the <code>aws/securityhub/ProductName</code> field in <code>ProductFields</code>. It is not a filter for the top-level <code>ProductName</code> field.</p>
    */
   ProductName?: StringFilter[];
 
   /**
    * <p>The name of the findings provider (company) that owns the solution (product) that
    *          generates findings.</p>
-   *          <p>Note that this is a filter against the <code>aws/securityhub/CompanyName</code> field in <code>ProductFields</code>. It is not a filter for the top-level <code>CompanyName</code> field.</p>
    */
   CompanyName?: StringFilter[];
 
@@ -7624,6 +7647,16 @@ export interface DescribeOrganizationConfigurationResponse {
    *          Security Hub administrator account.</p>
    */
   MemberAccountLimitReached?: boolean;
+
+  /**
+   * <p>Whether to automatically enable Security Hub <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html">default standards</a>
+   *          for new member accounts in the organization.</p>
+   *          <p>The default value of this parameter is equal to <code>DEFAULT</code>.</p>
+   *          <p>If equal to <code>DEFAULT</code>, then Security Hub default standards are automatically enabled for new member
+   *          accounts. If equal to <code>NONE</code>, then default standards are not automatically enabled for new member
+   *          accounts.</p>
+   */
+  AutoEnableStandards?: AutoEnableStandards | string;
 }
 
 export namespace DescribeOrganizationConfigurationResponse {
@@ -9428,6 +9461,14 @@ export interface UpdateOrganizationConfigurationRequest {
    *          <p>To automatically enable Security Hub for new accounts, set this to <code>true</code>.</p>
    */
   AutoEnable: boolean | undefined;
+
+  /**
+   * <p>Whether to automatically enable Security Hub <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html">default standards</a>
+   *          for new member accounts in the organization.</p>
+   *          <p>By default, this parameter is equal to <code>DEFAULT</code>, and new member accounts are automatically enabled with default Security Hub standards.</p>
+   *          <p>To opt out of enabling default standards for new member accounts, set this parameter equal to <code>NONE</code>.</p>
+   */
+  AutoEnableStandards?: AutoEnableStandards | string;
 }
 
 export namespace UpdateOrganizationConfigurationRequest {

clients/client-securityhub/src/protocols/Aws_restJson1.ts

@@ -406,7 +406,6 @@ import {
   AwsRdsDbClusterSnapshotDetails,
   AwsRdsDbDomainMembership,
   AwsRdsDbInstanceAssociatedRole,
-  AwsRdsDbInstanceEndpoint,
   AwsRdsDbInstanceVpcSecurityGroup,
   AwsRdsDbParameterGroup,
   AwsRdsDbSubnetGroup,
@@ -460,6 +459,7 @@ import {
 import {
   _Record,
   AwsRdsDbInstanceDetails,
+  AwsRdsDbInstanceEndpoint,
   AwsRdsDbOptionGroupMembership,
   AwsRdsDbPendingModifiedValues,
   AwsRdsDbProcessorFeature,
@@ -2118,6 +2118,8 @@ export const serializeAws_restJson1UpdateOrganizationConfigurationCommand = asyn
   let body: any;
   body = JSON.stringify({
     ...(input.AutoEnable !== undefined && input.AutoEnable !== null && { AutoEnable: input.AutoEnable }),
+    ...(input.AutoEnableStandards !== undefined &&
+      input.AutoEnableStandards !== null && { AutoEnableStandards: input.AutoEnableStandards }),
   });
   return new __HttpRequest({
     protocol,
@@ -3233,12 +3235,16 @@ export const deserializeAws_restJson1DescribeOrganizationConfigurationCommand =
   const contents: DescribeOrganizationConfigurationCommandOutput = {
     $metadata: deserializeMetadata(output),
     AutoEnable: undefined,
+    AutoEnableStandards: undefined,
     MemberAccountLimitReached: undefined,
   };
   const data: { [key: string]: any } = __expectNonNull(__expectObject(await parseBody(output.body, context)), "body");
   if (data.AutoEnable !== undefined && data.AutoEnable !== null) {
     contents.AutoEnable = __expectBoolean(data.AutoEnable);
   }
+  if (data.AutoEnableStandards !== undefined && data.AutoEnableStandards !== null) {
+    contents.AutoEnableStandards = __expectString(data.AutoEnableStandards);
+  }
   if (data.MemberAccountLimitReached !== undefined && data.MemberAccountLimitReached !== null) {
     contents.MemberAccountLimitReached = __expectBoolean(data.MemberAccountLimitReached);
   }