Merge branch 'release-1.35.61' into develop

* release-1.35.61:
  Bumping version to 1.35.61
  Update endpoints model
  Update to latest models
  Merge customizations for QuickSight

.changes/1.35.61.json

@@ -0,0 +1,67 @@
+[
+  {
+    "category": "``accessanalyzer``",
+    "description": "Expand analyzer configuration capabilities for unused access analyzers. Unused access analyzer configurations now support the ability to exclude accounts and resource tags from analysis providing more granular control over the scope of analysis.",
+    "type": "api-change"
+  },
+  {
+    "category": "``cloudcontrol``",
+    "description": "Added support for CloudFormation Hooks with Cloud Control API. The GetResourceRequestStatus API response now includes an optional HooksProgressEvent and HooksRequestToken parameter for Hooks Invocation Progress as part of resource operation with Cloud Control.",
+    "type": "api-change"
+  },
+  {
+    "category": "``deadline``",
+    "description": "Adds support for select GPU accelerated instance types when creating new service-managed fleets.",
+    "type": "api-change"
+  },
+  {
+    "category": "``iam``",
+    "description": "This release includes support for five new APIs and changes to existing APIs that give AWS Organizations customers the ability to use temporary root credentials, targeted to member accounts in the organization.",
+    "type": "api-change"
+  },
+  {
+    "category": "``iotwireless``",
+    "description": "New FuotaTask resource type to enable logging for your FUOTA tasks. A ParticipatingGatewaysforMulticast parameter to choose the list of gateways to receive the multicast downlink message and the transmission interval between them. Descriptor field which will be sent to devices during FUOTA transfer.",
+    "type": "api-change"
+  },
+  {
+    "category": "``ivs``",
+    "description": "IVS now offers customers the ability to stream multitrack video to Channels.",
+    "type": "api-change"
+  },
+  {
+    "category": "``license-manager-user-subscriptions``",
+    "description": "New and updated API operations to support License Included User-based Subscription of Microsoft Remote Desktop Services (RDS).",
+    "type": "api-change"
+  },
+  {
+    "category": "``partnercentral-selling``",
+    "description": "Announcing AWS Partner Central API for Selling: This service launch Introduces new APIs for co-selling opportunity management and related functions. Key features include notifications, a dynamic sandbox for testing, and streamlined validations.",
+    "type": "api-change"
+  },
+  {
+    "category": "``quicksight``",
+    "description": "This release adds APIs for Custom Permissions management in QuickSight, and APIs to support QuickSight Branding.",
+    "type": "api-change"
+  },
+  {
+    "category": "``redshift``",
+    "description": "Adds support for Amazon Redshift S3AccessGrants",
+    "type": "api-change"
+  },
+  {
+    "category": "``s3``",
+    "description": "This release updates the ListBuckets API Reference documentation in support of the new 10,000 general purpose bucket default quota on all AWS accounts. To increase your bucket quota from 10,000 to up to 1 million buckets, simply request a quota increase via Service Quotas.",
+    "type": "api-change"
+  },
+  {
+    "category": "``sagemaker``",
+    "description": "Add support for Neuron instance types [ trn1/trn1n/inf2 ] on SageMaker Notebook Instances Platform.",
+    "type": "api-change"
+  },
+  {
+    "category": "``sts``",
+    "description": "This release introduces the new API 'AssumeRoot', which returns short-term credentials that you can use to perform privileged tasks.",
+    "type": "api-change"
+  }
+]

CHANGELOG.rst

@@ -2,6 +2,24 @@
 CHANGELOG
 =========
 
+1.35.61
+=======
+
+* api-change:``accessanalyzer``: Expand analyzer configuration capabilities for unused access analyzers. Unused access analyzer configurations now support the ability to exclude accounts and resource tags from analysis providing more granular control over the scope of analysis.
+* api-change:``cloudcontrol``: Added support for CloudFormation Hooks with Cloud Control API. The GetResourceRequestStatus API response now includes an optional HooksProgressEvent and HooksRequestToken parameter for Hooks Invocation Progress as part of resource operation with Cloud Control.
+* api-change:``deadline``: Adds support for select GPU accelerated instance types when creating new service-managed fleets.
+* api-change:``iam``: This release includes support for five new APIs and changes to existing APIs that give AWS Organizations customers the ability to use temporary root credentials, targeted to member accounts in the organization.
+* api-change:``iotwireless``: New FuotaTask resource type to enable logging for your FUOTA tasks. A ParticipatingGatewaysforMulticast parameter to choose the list of gateways to receive the multicast downlink message and the transmission interval between them. Descriptor field which will be sent to devices during FUOTA transfer.
+* api-change:``ivs``: IVS now offers customers the ability to stream multitrack video to Channels.
+* api-change:``license-manager-user-subscriptions``: New and updated API operations to support License Included User-based Subscription of Microsoft Remote Desktop Services (RDS).
+* api-change:``partnercentral-selling``: Announcing AWS Partner Central API for Selling: This service launch Introduces new APIs for co-selling opportunity management and related functions. Key features include notifications, a dynamic sandbox for testing, and streamlined validations.
+* api-change:``quicksight``: This release adds APIs for Custom Permissions management in QuickSight, and APIs to support QuickSight Branding.
+* api-change:``redshift``: Adds support for Amazon Redshift S3AccessGrants
+* api-change:``s3``: This release updates the ListBuckets API Reference documentation in support of the new 10,000 general purpose bucket default quota on all AWS accounts. To increase your bucket quota from 10,000 to up to 1 million buckets, simply request a quota increase via Service Quotas.
+* api-change:``sagemaker``: Add support for Neuron instance types [ trn1/trn1n/inf2 ] on SageMaker Notebook Instances Platform.
+* api-change:``sts``: This release introduces the new API 'AssumeRoot', which returns short-term credentials that you can use to perform privileged tasks.
+
+
 1.35.60
 =======
 

botocore/__init__.py

@@ -16,7 +16,7 @@
 import os
 import re
 
-__version__ = '1.35.60'
+__version__ = '1.35.61'
 
 
 class NullHandler(logging.Handler):

botocore/data/accessanalyzer/2019-11-01/service-2.json

@@ -415,7 +415,7 @@
         {"shape":"ThrottlingException"},
         {"shape":"AccessDeniedException"}
       ],
-      "documentation":"<p>Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer. This action is not supported for unused access analyzers.</p>"
+      "documentation":"<p>Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer.</p>"
     },
     "ListAnalyzers":{
       "name":"ListAnalyzers",
@@ -597,6 +597,26 @@
       "documentation":"<p>Removes a tag from the specified resource.</p>",
       "idempotent":true
     },
+    "UpdateAnalyzer":{
+      "name":"UpdateAnalyzer",
+      "http":{
+        "method":"PUT",
+        "requestUri":"/analyzer/{analyzerName}",
+        "responseCode":200
+      },
+      "input":{"shape":"UpdateAnalyzerRequest"},
+      "output":{"shape":"UpdateAnalyzerResponse"},
+      "errors":[
+        {"shape":"ResourceNotFoundException"},
+        {"shape":"ConflictException"},
+        {"shape":"ValidationException"},
+        {"shape":"InternalServerException"},
+        {"shape":"ThrottlingException"},
+        {"shape":"AccessDeniedException"}
+      ],
+      "documentation":"<p>Modifies the configuration of an existing analyzer.</p>",
+      "idempotent":true
+    },
     "UpdateArchiveRule":{
       "name":"UpdateArchiveRule",
       "http":{
@@ -913,6 +933,10 @@
       "max":100,
       "min":0
     },
+    "AccountIdsList":{
+      "type":"list",
+      "member":{"shape":"String"}
+    },
     "AclCanonicalId":{"type":"string"},
     "AclGrantee":{
       "type":"structure",
@@ -945,6 +969,34 @@
       "type":"list",
       "member":{"shape":"String"}
     },
+    "AnalysisRule":{
+      "type":"structure",
+      "members":{
+        "exclusions":{
+          "shape":"AnalysisRuleCriteriaList",
+          "documentation":"<p>A list of rules for the analyzer containing criteria to exclude from analysis. Entities that meet the rule criteria will not generate findings.</p>"
+        }
+      },
+      "documentation":"<p>Contains information about analysis rules for the analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule.</p>"
+    },
+    "AnalysisRuleCriteria":{
+      "type":"structure",
+      "members":{
+        "accountIds":{
+          "shape":"AccountIdsList",
+          "documentation":"<p>A list of Amazon Web Services account IDs to apply to the analysis rule criteria. The accounts cannot include the organization analyzer owner account. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers. The list cannot include more than 2,000 account IDs.</p>"
+        },
+        "resourceTags":{
+          "shape":"TagsList",
+          "documentation":"<p>An array of key-value pairs to match for your resources. You can use the set of Unicode letters, digits, whitespace, <code>_</code>, <code>.</code>, <code>/</code>, <code>=</code>, <code>+</code>, and <code>-</code>.</p> <p>For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with <code>aws:</code>.</p> <p>For the tag value, you can specify a value that is 0 to 256 characters in length. If the specified tag value is 0 characters, the rule is applied to all principals with the specified tag key.</p>"
+        }
+      },
+      "documentation":"<p>The criteria for an analysis rule for an analyzer. The criteria determine which entities will generate findings.</p>"
+    },
+    "AnalysisRuleCriteriaList":{
+      "type":"list",
+      "member":{"shape":"AnalysisRuleCriteria"}
+    },
     "AnalyzedResource":{
       "type":"structure",
       "required":[
@@ -1040,10 +1092,10 @@
       "members":{
         "unusedAccess":{
           "shape":"UnusedAccessConfiguration",
-          "documentation":"<p>Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or account. External access analyzers do not support any configuration.</p>"
+          "documentation":"<p>Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or account.</p>"
         }
       },
-      "documentation":"<p>Contains information about the configuration of an unused access analyzer for an Amazon Web Services organization or account.</p>",
+      "documentation":"<p>Contains information about the configuration of an analyzer for an Amazon Web Services organization or account.</p>",
       "union":true
     },
     "AnalyzerStatus":{
@@ -1161,7 +1213,7 @@
           "documentation":"<p>The time at which the archive rule was last updated.</p>"
         }
       },
-      "documentation":"<p>Contains information about an archive rule.</p>"
+      "documentation":"<p>Contains information about an archive rule. Archive rules automatically archive new findings that meet the criteria you define when you create the rule.</p>"
     },
     "ArchiveRulesList":{
       "type":"list",
@@ -1533,7 +1585,7 @@
         },
         "tags":{
           "shape":"TagsMap",
-          "documentation":"<p>An array of key-value pairs to apply to the analyzer.</p>"
+          "documentation":"<p>An array of key-value pairs to apply to the analyzer. You can use the set of Unicode letters, digits, whitespace, <code>_</code>, <code>.</code>, <code>/</code>, <code>=</code>, <code>+</code>, and <code>-</code>.</p> <p>For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with <code>aws:</code>.</p> <p>For the tag value, you can specify a value that is 0 to 256 characters in length.</p>"
         },
         "clientToken":{
           "shape":"String",
@@ -1542,7 +1594,7 @@
         },
         "configuration":{
           "shape":"AnalyzerConfiguration",
-          "documentation":"<p>Specifies the configuration of the analyzer. If the analyzer is an unused access analyzer, the specified scope of unused access is used for the configuration. If the analyzer is an external access analyzer, this field is not used.</p>"
+          "documentation":"<p>Specifies the configuration of the analyzer. If the analyzer is an unused access analyzer, the specified scope of unused access is used for the configuration.</p>"
         }
       },
       "documentation":"<p>Creates an analyzer.</p>"
@@ -3522,7 +3574,8 @@
         "AWS::SNS::Topic",
         "AWS::S3Express::DirectoryBucket",
         "AWS::DynamoDB::Table",
-        "AWS::DynamoDB::Stream"
+        "AWS::DynamoDB::Stream",
+        "AWS::IAM::User"
       ]
     },
     "RetiringPrincipal":{"type":"string"},
@@ -3849,6 +3902,10 @@
       },
       "documentation":"<p>The response to the request.</p>"
     },
+    "TagsList":{
+      "type":"list",
+      "member":{"shape":"TagsMap"}
+    },
     "TagsMap":{
       "type":"map",
       "key":{"shape":"String"},
@@ -3981,8 +4038,9 @@
       "members":{
         "unusedAccessAge":{
           "shape":"Integer",
-          "documentation":"<p>The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days.</p>"
-        }
+          "documentation":"<p>The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 365 days.</p>"
+        },
+        "analysisRule":{"shape":"AnalysisRule"}
       },
       "documentation":"<p>Contains information about an unused access analyzer.</p>"
     },
@@ -4082,6 +4140,25 @@
       },
       "documentation":"<p>Contains information about the action to take for a policy in an unused permissions finding.</p>"
     },
+    "UpdateAnalyzerRequest":{
+      "type":"structure",
+      "required":["analyzerName"],
+      "members":{
+        "analyzerName":{
+          "shape":"Name",
+          "documentation":"<p>The name of the analyzer to modify.</p>",
+          "location":"uri",
+          "locationName":"analyzerName"
+        },
+        "configuration":{"shape":"AnalyzerConfiguration"}
+      }
+    },
+    "UpdateAnalyzerResponse":{
+      "type":"structure",
+      "members":{
+        "configuration":{"shape":"AnalyzerConfiguration"}
+      }
+    },
     "UpdateArchiveRuleRequest":{
       "type":"structure",
       "required":[