aws · alexforsyth · May 7, 2021 · May 7, 2021 · May 7, 2021 · May 10, 2021
@@ -130,10 +130,10 @@ export class ACMPCA extends ACMPCAClient {
    * 			validity period of the CRL), the Amazon S3 bucket that will contain the CRL, and a CNAME
    * 			alias for the S3 bucket that is included in certificates issued by the CA. If
    * 			successful, this action returns the Amazon Resource Name (ARN) of the CA.</p>
-   * 		       <p>ACM Private CAA assets that are stored in Amazon S3 can be protected with encryption.
+   * 		       <p>ACM Private CA assets that are stored in Amazon S3 can be protected with encryption.
    *   For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption">Encrypting Your
    * 			CRLs</a>.</p>
-   * 		       <note>
+   *          <note>
    *                         <p>Both PCA and the IAM principal must have permission to write to
    *                         the S3 bucket that you specify. If the IAM principal making the call
    *                         does not have permission to write to the bucket, then an exception is
@@ -176,15 +176,15 @@ export class ACMPCA extends ACMPCAClient {
    *
    * 			The <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html">IssueCertificate</a> and <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html">RevokeCertificate</a> actions use
    * 			the private key. </p>
-   * 		       <note>
+   *          <note>
    *                         <p>Both PCA and the IAM principal must have permission to write to
    *                         the S3 bucket that you specify. If the IAM principal making the call
    *                         does not have permission to write to the bucket, then an exception is
    *                         thrown. For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html">Configure
    *                         Access to ACM Private CA</a>.</p>
    *                 </note>
    *
-   * 		       <p>ACM Private CAA assets that are stored in Amazon S3 can be protected with encryption.
+   * 		       <p>ACM Private CA assets that are stored in Amazon S3 can be protected with encryption.
    *   For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption">Encrypting Your Audit
    * 				Reports</a>.</p>
    */
@@ -336,7 +336,7 @@ export class ACMPCA extends ACMPCAClient {
    * 			renew the affected certificates automatically.</p>
    * 		       <p>Permissions can be granted with the <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html">CreatePermission</a> action and
    * 			listed with the <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html">ListPermissions</a> action. </p>
-   * 		       <p class="title">
+   *          <p class="title">
    *             <b>About Permissions</b>
    *          </p>
    *          <ul>
@@ -675,7 +675,7 @@ export class ACMPCA extends ACMPCAClient {
    * 			resource or the policy cannot be found, this action returns a
    * 				<code>ResourceNotFoundException</code>. </p>
    * 		       <p>The policy can be attached or updated with <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html">PutPolicy</a> and removed with <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html">DeletePolicy</a>.</p>
-   * 		       <p class="title">
+   *          <p class="title">
    *             <b>About Policies</b>
    *          </p>
    *          <ul>
@@ -1052,7 +1052,7 @@ export class ACMPCA extends ACMPCAClient {
    * 			Manager (RAM). For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html">Attach a Policy for Cross-Account
    * 			Access</a>.</p>
    * 		       <p>The policy can be displayed with <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html">GetPolicy</a> and removed with <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html">DeletePolicy</a>.</p>
-   * 		       <p class="title">
+   *          <p class="title">
    *             <b>About Policies</b>
    *          </p>
    *          <ul>
@@ -1154,15 +1154,15 @@ export class ACMPCA extends ACMPCAClient {
    * 			further attempts every 15 minutes. With Amazon CloudWatch, you can create alarms for the
    * 			metrics <code>CRLGenerated</code> and <code>MisconfiguredCRLBucket</code>. For more
    * 			information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html">Supported CloudWatch Metrics</a>.</p>
-   * 		       <note>
+   *          <note>
    *                         <p>Both PCA and the IAM principal must have permission to write to
    *                         the S3 bucket that you specify. If the IAM principal making the call
    *                         does not have permission to write to the bucket, then an exception is
    *                         thrown. For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html">Configure
    *                         Access to ACM Private CA</a>.</p>
    *                 </note>
-   * 		       <p>ACM Private CA also writes revocation information to the audit report. For more information,
-   * 			see <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html">CreateCertificateAuthorityAuditReport</a>.</p>
+   *          <p>ACM Private CA also writes
+   * 			revocation information to the audit report. For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html">CreateCertificateAuthorityAuditReport</a>.</p>
    * 		       <note>
    * 			         <p>You cannot revoke a root CA self-signed certificate.</p>
    * 		       </note>
@@ -1276,7 +1276,7 @@ export class ACMPCA extends ACMPCAClient {
    * 			private CA must be in the <code>ACTIVE</code> or <code>DISABLED</code> state before you
    * 			can update it. You can disable a private CA that is in the <code>ACTIVE</code> state or
    * 			make a CA that is in the <code>DISABLED</code> state active again.</p>
-   * 		       <note>
+   *          <note>
    *                         <p>Both PCA and the IAM principal must have permission to write to
    *                         the S3 bucket that you specify. If the IAM principal making the call
    *                         does not have permission to write to the bucket, then an exception is

@@ -32,15 +32,15 @@ export interface CreateCertificateAuthorityAuditReportCommandOutput
  *
  * 			The <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html">IssueCertificate</a> and <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html">RevokeCertificate</a> actions use
  * 			the private key. </p>
- * 		       <note>
+ *          <note>
  *                         <p>Both PCA and the IAM principal must have permission to write to
  *                         the S3 bucket that you specify. If the IAM principal making the call
  *                         does not have permission to write to the bucket, then an exception is
  *                         thrown. For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html">Configure
  *                         Access to ACM Private CA</a>.</p>
  *                 </note>
  *
- * 		       <p>ACM Private CAA assets that are stored in Amazon S3 can be protected with encryption.
+ * 		       <p>ACM Private CA assets that are stored in Amazon S3 can be protected with encryption.
  *   For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption">Encrypting Your Audit
  * 				Reports</a>.</p>
  * @example

@@ -30,10 +30,10 @@ export interface CreateCertificateAuthorityCommandOutput extends CreateCertifica
  * 			validity period of the CRL), the Amazon S3 bucket that will contain the CRL, and a CNAME
  * 			alias for the S3 bucket that is included in certificates issued by the CA. If
  * 			successful, this action returns the Amazon Resource Name (ARN) of the CA.</p>
- * 		       <p>ACM Private CAA assets that are stored in Amazon S3 can be protected with encryption.
+ * 		       <p>ACM Private CA assets that are stored in Amazon S3 can be protected with encryption.
  *   For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption">Encrypting Your
  * 			CRLs</a>.</p>
- * 		       <note>
+ *          <note>
  *                         <p>Both PCA and the IAM principal must have permission to write to
  *                         the S3 bucket that you specify. If the IAM principal making the call
  *                         does not have permission to write to the bucket, then an exception is

@@ -28,7 +28,7 @@ export interface DeletePermissionCommandOutput extends __MetadataBearer {}
  * 			renew the affected certificates automatically.</p>
  * 		       <p>Permissions can be granted with the <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html">CreatePermission</a> action and
  * 			listed with the <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html">ListPermissions</a> action. </p>
- * 		       <p class="title">
+ *          <p class="title">
  *             <b>About Permissions</b>
  *          </p>
  *          <ul>

@@ -22,7 +22,7 @@ export interface GetPolicyCommandOutput extends GetPolicyResponse, __MetadataBea
  * 			resource or the policy cannot be found, this action returns a
  * 				<code>ResourceNotFoundException</code>. </p>
  * 		       <p>The policy can be attached or updated with <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html">PutPolicy</a> and removed with <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html">DeletePolicy</a>.</p>
- * 		       <p class="title">
+ *          <p class="title">
  *             <b>About Policies</b>
  *          </p>
  *          <ul>

@@ -23,7 +23,7 @@ export interface PutPolicyCommandOutput extends __MetadataBearer {}
  * 			Manager (RAM). For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html">Attach a Policy for Cross-Account
  * 			Access</a>.</p>
  * 		       <p>The policy can be displayed with <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html">GetPolicy</a> and removed with <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html">DeletePolicy</a>.</p>
- * 		       <p class="title">
+ *          <p class="title">
  *             <b>About Policies</b>
  *          </p>
  *          <ul>

@@ -29,15 +29,15 @@ export interface RevokeCertificateCommandOutput extends __MetadataBearer {}
  * 			further attempts every 15 minutes. With Amazon CloudWatch, you can create alarms for the
  * 			metrics <code>CRLGenerated</code> and <code>MisconfiguredCRLBucket</code>. For more
  * 			information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html">Supported CloudWatch Metrics</a>.</p>
- * 		       <note>
+ *          <note>
  *                         <p>Both PCA and the IAM principal must have permission to write to
  *                         the S3 bucket that you specify. If the IAM principal making the call
  *                         does not have permission to write to the bucket, then an exception is
  *                         thrown. For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html">Configure
  *                         Access to ACM Private CA</a>.</p>
  *                 </note>
- * 		       <p>ACM Private CA also writes revocation information to the audit report. For more information,
- * 			see <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html">CreateCertificateAuthorityAuditReport</a>.</p>
+ *          <p>ACM Private CA also writes
+ * 			revocation information to the audit report. For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html">CreateCertificateAuthorityAuditReport</a>.</p>
  * 		       <note>
  * 			         <p>You cannot revoke a root CA self-signed certificate.</p>
  * 		       </note>

@@ -25,7 +25,7 @@ export interface UpdateCertificateAuthorityCommandOutput extends __MetadataBeare
  * 			private CA must be in the <code>ACTIVE</code> or <code>DISABLED</code> state before you
  * 			can update it. You can disable a private CA that is in the <code>ACTIVE</code> state or
  * 			make a CA that is in the <code>DISABLED</code> state active again.</p>
- * 		       <note>
+ *          <note>
  *                         <p>Both PCA and the IAM principal must have permission to write to
  *                         the S3 bucket that you specify. If the IAM principal making the call
  *                         does not have permission to write to the bucket, then an exception is

@@ -428,6 +428,11 @@ export enum CertificateAuthorityType {
   SUBORDINATE = "SUBORDINATE",
 }
 
+export enum KeyStorageSecurityStandard {
+  FIPS_140_2_LEVEL_2_OR_HIGHER = "FIPS_140_2_LEVEL_2_OR_HIGHER",
+  FIPS_140_2_LEVEL_3_OR_HIGHER = "FIPS_140_2_LEVEL_3_OR_HIGHER",
+}
+
 /**
  * <p>Contains configuration information for a certificate revocation list (CRL). Your
  * 			private certificate authority (CA) creates base CRLs. Delta CRLs are not supported. You
@@ -437,7 +442,7 @@ export enum CertificateAuthorityType {
  * 			private CA copies the CNAME or the S3 bucket name to the <b>CRL
  * 				Distribution Points</b> extension of each certificate it issues. Your S3
  * 			bucket policy must give write permission to ACM Private CA. </p>
- * 		       <p>ACM Private CAA assets that are stored in Amazon S3 can be protected with encryption.
+ * 		       <p>ACM Private CA assets that are stored in Amazon S3 can be protected with encryption.
  *   For more information, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption">Encrypting Your
  * 			CRLs</a>.</p>
  * 		       <p>Your private CA uses the value in the <b>ExpirationInDays</b> parameter to calculate the <b>nextUpdate</b> field in the CRL. The CRL is refreshed at 1/2 the age of next
@@ -657,6 +662,18 @@ export interface CreateCertificateAuthorityRequest {
    */
   IdempotencyToken?: string;
 
+  /**
+   * <p>Specifies a cryptographic key management compliance standard used for handling CA
+   * 			keys.</p>
+   * 		       <p>Default: FIPS_140_2_LEVEL_3_OR_HIGHER</p>
+   * 		       <p>Note: AWS Region ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. You must
+   * 			explicitly specify this parameter and value when creating a CA in that Region.
+   * 			Specifying a different value (or no value) results in an
+   * 				<code>InvalidArgsException</code> with the message "A certificate authority cannot
+   * 			be created in this region with the specified security standard."</p>
+   */
+  KeyStorageSecurityStandard?: KeyStorageSecurityStandard | string;
+
   /**
    * <p>Key-value pairs that will be attached to the new private CA. You can associate up to
    * 			50 tags with a private CA. For information using tags with IAM to manage permissions,
@@ -1214,6 +1231,17 @@ export interface CertificateAuthority {
    * 				<code>PermanentDeletionTimeInDays</code> parameter of the <a href="https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html">DeleteCertificateAuthorityRequest</a> action. </p>
    */
   RestorableUntil?: Date;
+
+  /**
+   * <p>Defines a cryptographic key management compliance standard used for handling CA keys. </p>
+   * 		       <p>Default: FIPS_140_2_LEVEL_3_OR_HIGHER</p>
+   * 		       <p>Note: AWS Region ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. You must
+   * 			explicitly specify this parameter and value when creating a CA in that Region.
+   * 			Specifying a different value (or no value) results in an
+   * 				<code>InvalidArgsException</code> with the message "A certificate authority cannot
+   * 			be created in this region with the specified security standard."</p>
+   */
+  KeyStorageSecurityStandard?: KeyStorageSecurityStandard | string;
 }
 
 export namespace CertificateAuthority {
@@ -1731,8 +1759,8 @@ export namespace Extensions {
  * 				<code>APIPassthrough</code> or <code>APICSRPassthrough</code> template variant must
  * 			be selected, or else this parameter is ignored. </p>
  * 		       <p>If conflicting or duplicate certificate information is supplied from other sources,
- * 			ACM Private CA applies <a href="xxxxx">order of operation rules</a> to determine what
- * 			information is used.</p>
+ * 			ACM Private CA applies <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations">order of
+ * 				operation rules</a> to determine what information is used.</p>
  */
 export interface ApiPassthrough {
   /**
@@ -1850,8 +1878,8 @@ export interface IssueCertificateRequest {
    * 			be selected, or else this parameter is ignored. For more information about using these
    * 			templates, see <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html">Understanding Certificate Templates</a>.</p>
    * 		       <p>If conflicting or duplicate certificate information is supplied during certificate
-   * 			issuance, ACM Private CA applies <a href="xxxxx">order of operation rules</a> to determine
-   * 			what information is used.</p>
+   * 			issuance, ACM Private CA applies <a href="https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations">order of
+   * 				operation rules</a> to determine what information is used.</p>
    */
   ApiPassthrough?: ApiPassthrough;
 

@@ -2767,6 +2767,8 @@ const serializeAws_json1_1CreateCertificateAuthorityRequest = (
       input.CertificateAuthorityType !== null && { CertificateAuthorityType: input.CertificateAuthorityType }),
     ...(input.IdempotencyToken !== undefined &&
       input.IdempotencyToken !== null && { IdempotencyToken: input.IdempotencyToken }),
+    ...(input.KeyStorageSecurityStandard !== undefined &&
+      input.KeyStorageSecurityStandard !== null && { KeyStorageSecurityStandard: input.KeyStorageSecurityStandard }),
     ...(input.RevocationConfiguration !== undefined &&
       input.RevocationConfiguration !== null && {
         RevocationConfiguration: serializeAws_json1_1RevocationConfiguration(input.RevocationConfiguration, context),
@@ -3293,6 +3295,10 @@ const deserializeAws_json1_1CertificateAuthority = (output: any, context: __Serd
         : undefined,
     FailureReason:
       output.FailureReason !== undefined && output.FailureReason !== null ? output.FailureReason : undefined,
+    KeyStorageSecurityStandard:
+      output.KeyStorageSecurityStandard !== undefined && output.KeyStorageSecurityStandard !== null
+        ? output.KeyStorageSecurityStandard
+        : undefined,
     LastStateChangeAt:
       output.LastStateChangeAt !== undefined && output.LastStateChangeAt !== null
         ? new Date(Math.round(output.LastStateChangeAt * 1000))

@@ -1972,7 +1972,7 @@ export interface CreateAssessmentFrameworkControlSet {
    * The name of the specified control set.
    * </p>
    */
-  name?: string;
+  name: string | undefined;
 
   /**
    * <p>
@@ -3508,7 +3508,7 @@ export interface Evidence {
 
   /**
    * <p>
-   *          Specifies whether the evidence is inclded in the assessment report.
+   *          Specifies whether the evidence is included in the assessment report.
    *       </p>
    */
   assessmentReportSelection?: string;
@@ -4850,7 +4850,7 @@ export interface UpdateAssessmentFrameworkControlSet {
    * The name of the control set.
    * </p>
    */
-  name?: string;
+  name: string | undefined;
 
   /**
    * <p>