From d5823e323db50ab81ba22161f5ccacb0c4324c84 Mon Sep 17 00:00:00 2001
From: awstools <awstools@amazon.com>
Date: Tue, 19 Mar 2024 18:14:00 +0000
Subject: [PATCH] feat(client-cloudwatch-logs): Update LogSamples field in
 Anomaly model to be a list of LogEvent

---
 .../src/commands/CreateDeliveryCommand.ts     |  2 +-
 .../src/commands/DescribeDeliveriesCommand.ts |  2 +-
 .../src/commands/GetDeliveryCommand.ts        |  2 +-
 .../src/commands/ListAnomaliesCommand.ts      |  5 +-
 .../src/commands/PutAccountPolicyCommand.ts   |  6 +-
 .../commands/PutDeliveryDestinationCommand.ts |  2 +-
 .../src/commands/PutDeliverySourceCommand.ts  |  2 +-
 .../commands/PutSubscriptionFilterCommand.ts  |  2 +-
 .../src/models/models_0.ts                    | 58 ++++++++++++++-----
 .../src/protocols/Aws_json1_1.ts              |  2 +
 .../aws-models/cloudwatch-logs.json           | 54 ++++++++++-------
 11 files changed, 93 insertions(+), 44 deletions(-)

diff --git a/clients/client-cloudwatch-logs/src/commands/CreateDeliveryCommand.ts b/clients/client-cloudwatch-logs/src/commands/CreateDeliveryCommand.ts
index 0d6f88c5ce823..0340564d416e9 100644
--- a/clients/client-cloudwatch-logs/src/commands/CreateDeliveryCommand.ts
+++ b/clients/client-cloudwatch-logs/src/commands/CreateDeliveryCommand.ts
@@ -35,7 +35,7 @@ export interface CreateDeliveryCommandOutput extends CreateDeliveryResponse, __M
  *        <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html">Enabling
  *          logging from Amazon Web Services services.</a>
  *          </p>
- *          <p>A delivery destination can represent a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Kinesis Data Firehose.</p>
+ *          <p>A delivery destination can represent a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Firehose.</p>
  *          <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>
  *          <ul>
  *             <li>
diff --git a/clients/client-cloudwatch-logs/src/commands/DescribeDeliveriesCommand.ts b/clients/client-cloudwatch-logs/src/commands/DescribeDeliveriesCommand.ts
index 7bf842e900dd6..49e45ee332cc7 100644
--- a/clients/client-cloudwatch-logs/src/commands/DescribeDeliveriesCommand.ts
+++ b/clients/client-cloudwatch-logs/src/commands/DescribeDeliveriesCommand.ts
@@ -36,7 +36,7 @@ export interface DescribeDeliveriesCommandOutput extends DescribeDeliveriesRespo
  *                <i>delivery destination</i>
  *             </a>.</p>
  *          <p>A delivery source represents an Amazon Web Services resource that sends logs to an logs delivery destination.
- *        The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.
+ *        The destination can be CloudWatch Logs, Amazon S3, or Firehose.
  *        Only some Amazon Web Services services support being configured as a delivery source. These services are listed
  *        in <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html">Enable logging from Amazon Web Services
  *          services.</a>
diff --git a/clients/client-cloudwatch-logs/src/commands/GetDeliveryCommand.ts b/clients/client-cloudwatch-logs/src/commands/GetDeliveryCommand.ts
index 00d9592b66fdb..568802f80b4be 100644
--- a/clients/client-cloudwatch-logs/src/commands/GetDeliveryCommand.ts
+++ b/clients/client-cloudwatch-logs/src/commands/GetDeliveryCommand.ts
@@ -35,7 +35,7 @@ export interface GetDeliveryCommandOutput extends GetDeliveryResponse, __Metadat
  *                <i>delivery destination</i>
  *             </a>.</p>
  *          <p>A delivery source represents an Amazon Web Services resource that sends logs to an logs delivery destination.
- *        The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.
+ *        The destination can be CloudWatch Logs, Amazon S3, or Firehose.
  *        Only some Amazon Web Services services support being configured as a delivery source. These services are listed
  *        in <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html">Enable logging from Amazon Web Services
  *          services.</a>
diff --git a/clients/client-cloudwatch-logs/src/commands/ListAnomaliesCommand.ts b/clients/client-cloudwatch-logs/src/commands/ListAnomaliesCommand.ts
index 7626e8210bb2e..ad11903811494 100644
--- a/clients/client-cloudwatch-logs/src/commands/ListAnomaliesCommand.ts
+++ b/clients/client-cloudwatch-logs/src/commands/ListAnomaliesCommand.ts
@@ -61,7 +61,10 @@ export interface ListAnomaliesCommandOutput extends ListAnomaliesResponse, __Met
  * //         "<keys>": Number("long"),
  * //       },
  * //       logSamples: [ // LogSamples // required
- * //         "STRING_VALUE",
+ * //         { // LogEvent
+ * //           timestamp: Number("long"),
+ * //           message: "STRING_VALUE",
+ * //         },
  * //       ],
  * //       patternTokens: [ // PatternTokens // required
  * //         { // PatternToken
diff --git a/clients/client-cloudwatch-logs/src/commands/PutAccountPolicyCommand.ts b/clients/client-cloudwatch-logs/src/commands/PutAccountPolicyCommand.ts
index e65d4b2238160..14d796112b883 100644
--- a/clients/client-cloudwatch-logs/src/commands/PutAccountPolicyCommand.ts
+++ b/clients/client-cloudwatch-logs/src/commands/PutAccountPolicyCommand.ts
@@ -65,7 +65,7 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  *          </p>
  *          <p>A subscription filter policy sets up a real-time feed of log events from CloudWatch Logs to other Amazon Web Services services.
  *       Account-level subscription filter policies apply to both existing log groups and log groups that are created later in
- *       this account. Supported destinations are Kinesis Data Streams, Kinesis Data Firehose, and
+ *       this account. Supported destinations are Kinesis Data Streams, Firehose, and
  *       Lambda. When log events are sent to the receiving service, they are Base64 encoded and
  *       compressed with the GZIP format.</p>
  *          <p>The following destinations are supported for subscription filters:</p>
@@ -74,14 +74,14 @@ export interface PutAccountPolicyCommandOutput extends PutAccountPolicyResponse,
  *                <p>An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.</p>
  *             </li>
  *             <li>
- *                <p>An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>
+ *                <p>An Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>
  *             </li>
  *             <li>
  *                <p>A Lambda function in the same account as the subscription policy, for same-account delivery.</p>
  *             </li>
  *             <li>
  *                <p>A logical destination in a different account created with <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html">PutDestination</a>, for cross-account
- *         delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.</p>
+ *         delivery. Kinesis Data Streams and Firehose are supported as logical destinations.</p>
  *             </li>
  *          </ul>
  *          <p>Each account can have one account-level subscription filter policy.
diff --git a/clients/client-cloudwatch-logs/src/commands/PutDeliveryDestinationCommand.ts b/clients/client-cloudwatch-logs/src/commands/PutDeliveryDestinationCommand.ts
index 3d77d9244d745..242e1ec62ea9b 100644
--- a/clients/client-cloudwatch-logs/src/commands/PutDeliveryDestinationCommand.ts
+++ b/clients/client-cloudwatch-logs/src/commands/PutDeliveryDestinationCommand.ts
@@ -29,7 +29,7 @@ export interface PutDeliveryDestinationCommandOutput extends PutDeliveryDestinat
 /**
  * <p>Creates or updates a logical <i>delivery destination</i>. A delivery destination is an Amazon Web Services resource that represents an
  *        Amazon Web Services service that logs can be sent to. CloudWatch Logs, Amazon S3, and
- *        Kinesis Data Firehose are supported as logs delivery destinations.</p>
+ *        Firehose are supported as logs delivery destinations.</p>
  *          <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>
  *          <ul>
  *             <li>
diff --git a/clients/client-cloudwatch-logs/src/commands/PutDeliverySourceCommand.ts b/clients/client-cloudwatch-logs/src/commands/PutDeliverySourceCommand.ts
index c6cfb1f3e9d58..f9486b7b6f390 100644
--- a/clients/client-cloudwatch-logs/src/commands/PutDeliverySourceCommand.ts
+++ b/clients/client-cloudwatch-logs/src/commands/PutDeliverySourceCommand.ts
@@ -28,7 +28,7 @@ export interface PutDeliverySourceCommandOutput extends PutDeliverySourceRespons
 
 /**
  * <p>Creates or updates a logical <i>delivery source</i>. A delivery source represents an Amazon Web Services resource that sends logs to an
- *        logs delivery destination. The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.</p>
+ *        logs delivery destination. The destination can be CloudWatch Logs, Amazon S3, or Firehose.</p>
  *          <p>To configure logs delivery between a delivery destination and an Amazon Web Services service that is supported as a delivery source, you must do the following:</p>
  *          <ul>
  *             <li>
diff --git a/clients/client-cloudwatch-logs/src/commands/PutSubscriptionFilterCommand.ts b/clients/client-cloudwatch-logs/src/commands/PutSubscriptionFilterCommand.ts
index c7180ebc8af46..d763eb5c007d1 100644
--- a/clients/client-cloudwatch-logs/src/commands/PutSubscriptionFilterCommand.ts
+++ b/clients/client-cloudwatch-logs/src/commands/PutSubscriptionFilterCommand.ts
@@ -40,7 +40,7 @@ export interface PutSubscriptionFilterCommandOutput extends __MetadataBearer {}
  *             </li>
  *             <li>
  *                <p>A logical destination created with <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html">PutDestination</a> that belongs to a different account, for cross-account delivery.
- *           We currently support Kinesis Data Streams and Kinesis Data Firehose as logical destinations.</p>
+ *           We currently support Kinesis Data Streams and Firehose as logical destinations.</p>
  *             </li>
  *             <li>
  *                <p>An Amazon Kinesis Data Firehose delivery stream that belongs to the same account as
diff --git a/clients/client-cloudwatch-logs/src/models/models_0.ts b/clients/client-cloudwatch-logs/src/models/models_0.ts
index bc829d29d557e..1838d72434b48 100644
--- a/clients/client-cloudwatch-logs/src/models/models_0.ts
+++ b/clients/client-cloudwatch-logs/src/models/models_0.ts
@@ -99,6 +99,25 @@ export interface AccountPolicy {
   accountId?: string;
 }
 
+/**
+ * <p>This structure contains the information for one sample log event that is associated
+ *     with an anomaly found by a log anomaly detector.</p>
+ * @public
+ */
+export interface LogEvent {
+  /**
+   * <p>The time stamp of the log event.</p>
+   * @public
+   */
+  timestamp?: number;
+
+  /**
+   * <p>The message content of the log event.</p>
+   * @public
+   */
+  message?: string;
+}
+
 /**
  * <p>A tructures that contains information about one pattern token related to
  *        an anomaly.</p>
@@ -247,7 +266,7 @@ export interface Anomaly {
    * <p>An array of sample log event messages that are considered to be part of this anomaly.</p>
    * @public
    */
-  logSamples: string[] | undefined;
+  logSamples: LogEvent[] | undefined;
 
   /**
    * <p>An array of structures where each structure contains information about one token that makes up the pattern.</p>
@@ -654,7 +673,7 @@ export interface Delivery {
   deliveryDestinationArn?: string;
 
   /**
-   * <p>Displays whether the delivery destination associated with this delivery is CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.</p>
+   * <p>Displays whether the delivery destination associated with this delivery is CloudWatch Logs, Amazon S3, or Firehose.</p>
    * @public
    */
   deliveryDestinationType?: DeliveryDestinationType;
@@ -1262,7 +1281,7 @@ export interface DeleteSubscriptionFilterRequest {
 export interface DeliveryDestinationConfiguration {
   /**
    * <p>The ARN of the Amazon Web Services destination that this delivery destination represents. That Amazon Web Services destination
-   *        can be a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Kinesis Data Firehose.</p>
+   *        can be a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Firehose.</p>
    * @public
    */
   destinationResourceArn: string | undefined;
@@ -1288,7 +1307,7 @@ export type OutputFormat = (typeof OutputFormat)[keyof typeof OutputFormat];
 /**
  * <p>This structure contains information about one <i>delivery destination</i> in your account.
  *      A delivery destination is an Amazon Web Services resource that represents an
- *      Amazon Web Services service that logs can be sent to. CloudWatch Logs, Amazon S3, are supported as Kinesis Data Firehose delivery destinations.</p>
+ *      Amazon Web Services service that logs can be sent to. CloudWatch Logs, Amazon S3, are supported as Firehose delivery destinations.</p>
  *          <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>
  *          <ul>
  *             <li>
@@ -1330,7 +1349,7 @@ export interface DeliveryDestination {
   arn?: string;
 
   /**
-   * <p>Displays whether this delivery destination is CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.</p>
+   * <p>Displays whether this delivery destination is CloudWatch Logs, Amazon S3, or Firehose.</p>
    * @public
    */
   deliveryDestinationType?: DeliveryDestinationType;
@@ -1357,7 +1376,7 @@ export interface DeliveryDestination {
 /**
  * <p>This structure contains information about one <i>delivery source</i> in your account.
  *        A delivery source is an Amazon Web Services resource that sends logs to an
- *        Amazon Web Services destination. The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.</p>
+ *        Amazon Web Services destination. The destination can be CloudWatch Logs, Amazon S3, or Firehose.</p>
  *          <p>Only some Amazon Web Services services support being configured as a delivery source. These services are listed
  *        as <b>Supported [V2 Permissions]</b> in the table at
  *        <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html">Enabling
@@ -3928,7 +3947,7 @@ export interface PutAccountPolicyRequest {
    *           sensitive data terms. This <code>Audit</code> action must contain a <code>FindingsDestination</code>
    *           object. You can optionally use that <code>FindingsDestination</code> object to list one or more
    *           destinations to send audit findings to. If you specify destinations such as log groups,
-   *           Kinesis Data Firehose streams, and S3 buckets, they must already exist.</p>
+   *           Firehose streams, and S3 buckets, they must already exist.</p>
    *             </li>
    *             <li>
    *                <p>The second block must include both a <code>DataIdentifer</code> array and an
@@ -3965,14 +3984,14 @@ export interface PutAccountPolicyRequest {
    *                      <p>An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.</p>
    *                   </li>
    *                   <li>
-   *                      <p>An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>
+   *                      <p>An Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>
    *                   </li>
    *                   <li>
    *                      <p>A Lambda function in the same account as the subscription policy, for same-account delivery.</p>
    *                   </li>
    *                   <li>
    *                      <p>A logical destination in a different account created with <a href="https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html">PutDestination</a>, for cross-account
-   *             delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.</p>
+   *             delivery. Kinesis Data Streams and Firehose are supported as logical destinations.</p>
    *                   </li>
    *                </ul>
    *             </li>
@@ -4060,7 +4079,7 @@ export interface PutDataProtectionPolicyRequest {
    *           sensitive data terms. This <code>Audit</code> action must contain a <code>FindingsDestination</code>
    *           object. You can optionally use that <code>FindingsDestination</code> object to list one or more
    *           destinations to send audit findings to. If you specify destinations such as log groups,
-   *           Kinesis Data Firehose streams, and S3 buckets, they must already exist.</p>
+   *           Firehose streams, and S3 buckets, they must already exist.</p>
    *             </li>
    *             <li>
    *                <p>The second block must include both a <code>DataIdentifer</code> array and an
@@ -4200,8 +4219,21 @@ export interface PutDeliverySourceRequest {
   resourceArn: string | undefined;
 
   /**
-   * <p>Defines the type of log that the source is sending. For Amazon CodeWhisperer, the valid value is
+   * <p>Defines the type of log that the source is sending.</p>
+   *          <ul>
+   *             <li>
+   *                <p>For Amazon CodeWhisperer, the valid value is
    *         <code>EVENT_LOGS</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>For IAM Identity Centerr, the valid value is
+   *          <code>ERROR_LOGS</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>For Amazon WorkMail, the valid values are
+   *          <code>ACCESS_CONTROL_LOGS</code>, <code>AUTHENTICATION_LOGS</code>, <code>WORKMAIL_AVAILABILITY_PROVIDER_LOGS</code>, and <code>WORKMAIL_MAILBOX_ACCESS_LOGS</code>.</p>
+   *             </li>
+   *          </ul>
    * @public
    */
   logType: string | undefined;
@@ -4347,13 +4379,13 @@ export interface PutLogEventsRequest {
  */
 export interface RejectedLogEventsInfo {
   /**
-   * <p>The log events that are too new.</p>
+   * <p>The index of the first log event that is too new. This field is inclusive.</p>
    * @public
    */
   tooNewLogEventStartIndex?: number;
 
   /**
-   * <p>The log events that are dated too far in the past.</p>
+   * <p>The index of the last log event that is too old. This field is exclusive.</p>
    * @public
    */
   tooOldLogEventEndIndex?: number;
diff --git a/clients/client-cloudwatch-logs/src/protocols/Aws_json1_1.ts b/clients/client-cloudwatch-logs/src/protocols/Aws_json1_1.ts
index 2dd3a5bf07138..5f4177ad848f0 100644
--- a/clients/client-cloudwatch-logs/src/protocols/Aws_json1_1.ts
+++ b/clients/client-cloudwatch-logs/src/protocols/Aws_json1_1.ts
@@ -3479,6 +3479,8 @@ const de_GetQueryResultsResponse = (output: any, context: __SerdeContext): GetQu
 
 // de_LiveTailSessionUpdate omitted.
 
+// de_LogEvent omitted.
+
 // de_LogGroup omitted.
 
 // de_LogGroupArnList omitted.
diff --git a/codegen/sdk-codegen/aws-models/cloudwatch-logs.json b/codegen/sdk-codegen/aws-models/cloudwatch-logs.json
index 8c0f174486937..ff44e31cb709f 100644
--- a/codegen/sdk-codegen/aws-models/cloudwatch-logs.json
+++ b/codegen/sdk-codegen/aws-models/cloudwatch-logs.json
@@ -586,7 +586,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates a <i>delivery</i>. A delivery is a connection between a logical <i>delivery source</i> and a logical\n       <i>delivery destination</i>\n       that you have already created.</p>\n         <p>Only some Amazon Web Services services support being configured as a delivery source using this operation. These services are listed\n       as <b>Supported [V2 Permissions]</b> in the table at \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enabling \n         logging from Amazon Web Services services.</a>\n         </p>\n         <p>A delivery destination can represent a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Kinesis Data Firehose.</p>\n         <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">PutDeliverySource</a>.</p>\n            </li>\n            <li>\n               <p>Create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination.  For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">PutDeliveryDestination</a>.</p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Use <code>CreateDelivery</code> to create a <i>delivery</i> by pairing exactly one delivery source and one delivery destination.\n         </p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n       can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>\n         <p>You can't update an existing delivery. You can only create and delete deliveries.</p>"
+        "smithy.api#documentation": "<p>Creates a <i>delivery</i>. A delivery is a connection between a logical <i>delivery source</i> and a logical\n       <i>delivery destination</i>\n       that you have already created.</p>\n         <p>Only some Amazon Web Services services support being configured as a delivery source using this operation. These services are listed\n       as <b>Supported [V2 Permissions]</b> in the table at \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enabling \n         logging from Amazon Web Services services.</a>\n         </p>\n         <p>A delivery destination can represent a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Firehose.</p>\n         <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">PutDeliverySource</a>.</p>\n            </li>\n            <li>\n               <p>Create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination.  For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">PutDeliveryDestination</a>.</p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Use <code>CreateDelivery</code> to create a <i>delivery</i> by pairing exactly one delivery source and one delivery destination.\n         </p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n       can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>\n         <p>You can't update an existing delivery. You can only create and delete deliveries.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#CreateDeliveryRequest": {
@@ -1696,7 +1696,7 @@
         "deliveryDestinationType": {
           "target": "com.amazonaws.cloudwatchlogs#DeliveryDestinationType",
           "traits": {
-            "smithy.api#documentation": "<p>Displays whether the delivery destination associated with this delivery is CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.</p>"
+            "smithy.api#documentation": "<p>Displays whether the delivery destination associated with this delivery is CloudWatch Logs, Amazon S3, or Firehose.</p>"
           }
         },
         "tags": {
@@ -1728,7 +1728,7 @@
         "deliveryDestinationType": {
           "target": "com.amazonaws.cloudwatchlogs#DeliveryDestinationType",
           "traits": {
-            "smithy.api#documentation": "<p>Displays whether this delivery destination is CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.</p>"
+            "smithy.api#documentation": "<p>Displays whether this delivery destination is CloudWatch Logs, Amazon S3, or Firehose.</p>"
           }
         },
         "outputFormat": {
@@ -1751,7 +1751,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>This structure contains information about one <i>delivery destination</i> in your account. \n     A delivery destination is an Amazon Web Services resource that represents an \n     Amazon Web Services service that logs can be sent to. CloudWatch Logs, Amazon S3, are supported as Kinesis Data Firehose delivery destinations.</p>\n         <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">PutDeliverySource</a>.</p>\n            </li>\n            <li>\n               <p>Create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination. </p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Create a <i>delivery</i> by pairing exactly one delivery source and one delivery destination.\n         For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html\">CreateDelivery</a>.</p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n     can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>"
+        "smithy.api#documentation": "<p>This structure contains information about one <i>delivery destination</i> in your account. \n     A delivery destination is an Amazon Web Services resource that represents an \n     Amazon Web Services service that logs can be sent to. CloudWatch Logs, Amazon S3, are supported as Firehose delivery destinations.</p>\n         <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">PutDeliverySource</a>.</p>\n            </li>\n            <li>\n               <p>Create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination. </p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Create a <i>delivery</i> by pairing exactly one delivery source and one delivery destination.\n         For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html\">CreateDelivery</a>.</p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n     can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#DeliveryDestinationConfiguration": {
@@ -1760,7 +1760,7 @@
         "destinationResourceArn": {
           "target": "com.amazonaws.cloudwatchlogs#Arn",
           "traits": {
-            "smithy.api#documentation": "<p>The ARN of the Amazon Web Services destination that this delivery destination represents. That Amazon Web Services destination\n       can be a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Kinesis Data Firehose.</p>",
+            "smithy.api#documentation": "<p>The ARN of the Amazon Web Services destination that this delivery destination represents. That Amazon Web Services destination\n       can be a log group in CloudWatch Logs, an Amazon S3 bucket, or a delivery stream in Firehose.</p>",
             "smithy.api#required": {}
           }
         }
@@ -1868,7 +1868,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>This structure contains information about one <i>delivery source</i> in your account. \n       A delivery source is an Amazon Web Services resource that sends logs to an\n       Amazon Web Services destination. The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.</p>\n         <p>Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       as <b>Supported [V2 Permissions]</b> in the table at \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enabling \n         logging from Amazon Web Services services.</a>\n         </p>\n         <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">PutDeliverySource</a>.</p>\n            </li>\n            <li>\n               <p>Create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination.  For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">PutDeliveryDestination</a>.</p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Create a <i>delivery</i> by pairing exactly one delivery source and one delivery destination.\n         For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html\">CreateDelivery</a>.</p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n       can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>"
+        "smithy.api#documentation": "<p>This structure contains information about one <i>delivery source</i> in your account. \n       A delivery source is an Amazon Web Services resource that sends logs to an\n       Amazon Web Services destination. The destination can be CloudWatch Logs, Amazon S3, or Firehose.</p>\n         <p>Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       as <b>Supported [V2 Permissions]</b> in the table at \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enabling \n         logging from Amazon Web Services services.</a>\n         </p>\n         <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">PutDeliverySource</a>.</p>\n            </li>\n            <li>\n               <p>Create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination.  For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">PutDeliveryDestination</a>.</p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Create a <i>delivery</i> by pairing exactly one delivery source and one delivery destination.\n         For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html\">CreateDelivery</a>.</p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n       can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#DeliverySourceName": {
@@ -1980,7 +1980,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Retrieves a list of the deliveries that have been created in the account.</p>\n         <p>A <i>delivery</i> is a \n       connection between a <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">\n               <i>delivery source</i>\n            </a> and a \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">\n               <i>delivery destination</i>\n            </a>.</p>\n         <p>A delivery source represents an Amazon Web Services resource that sends logs to an logs delivery destination. \n       The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose. \n       Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       in <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enable logging from Amazon Web Services \n         services.</a>\n         </p>",
+        "smithy.api#documentation": "<p>Retrieves a list of the deliveries that have been created in the account.</p>\n         <p>A <i>delivery</i> is a \n       connection between a <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">\n               <i>delivery source</i>\n            </a> and a \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">\n               <i>delivery destination</i>\n            </a>.</p>\n         <p>A delivery source represents an Amazon Web Services resource that sends logs to an logs delivery destination. \n       The destination can be CloudWatch Logs, Amazon S3, or Firehose. \n       Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       in <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enable logging from Amazon Web Services \n         services.</a>\n         </p>",
         "smithy.api#paginated": {
           "inputToken": "nextToken",
           "outputToken": "nextToken",
@@ -3618,7 +3618,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Returns complete information about one logical <i>delivery</i>. A delivery is a \n       connection between a <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">\n               <i>delivery source</i>\n            </a> and a \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">\n               <i>delivery destination</i>\n            </a>.</p>\n         <p>A delivery source represents an Amazon Web Services resource that sends logs to an logs delivery destination. \n       The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose. \n       Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       in <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enable logging from Amazon Web Services \n         services.</a>\n         </p>\n         <p>You need to specify the delivery <code>id</code> in this operation. You can find the IDs of the deliveries in your account with the  \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeDeliveries.html\">DescribeDeliveries</a> operation.</p>"
+        "smithy.api#documentation": "<p>Returns complete information about one logical <i>delivery</i>. A delivery is a \n       connection between a <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">\n               <i>delivery source</i>\n            </a> and a \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">\n               <i>delivery destination</i>\n            </a>.</p>\n         <p>A delivery source represents an Amazon Web Services resource that sends logs to an logs delivery destination. \n       The destination can be CloudWatch Logs, Amazon S3, or Firehose. \n       Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       in <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enable logging from Amazon Web Services \n         services.</a>\n         </p>\n         <p>You need to specify the delivery <code>id</code> in this operation. You can find the IDs of the deliveries in your account with the  \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeDeliveries.html\">DescribeDeliveries</a> operation.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#GetDeliveryDestination": {
@@ -4789,11 +4789,23 @@
       }
     },
     "com.amazonaws.cloudwatchlogs#LogEvent": {
-      "type": "string",
-      "traits": {
-        "smithy.api#length": {
-          "min": 1
+      "type": "structure",
+      "members": {
+        "timestamp": {
+          "target": "com.amazonaws.cloudwatchlogs#Timestamp",
+          "traits": {
+            "smithy.api#documentation": "<p>The time stamp of the log event.</p>"
+          }
+        },
+        "message": {
+          "target": "com.amazonaws.cloudwatchlogs#EventMessage",
+          "traits": {
+            "smithy.api#documentation": "<p>The message content of the log event.</p>"
+          }
         }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This structure contains the information for one sample log event that is associated \n    with an anomaly found by a log anomaly detector.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#LogEventIndex": {
@@ -6796,7 +6808,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates an account-level data protection policy or subscription filter policy that applies to all log groups \n      or a subset of log groups in the account.</p>\n         <p>\n            <b>Data protection policy</b>\n         </p>\n         <p>A data protection policy can help safeguard sensitive \n      data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only\n    one account-level data protection policy.</p>\n         <important>\n            <p>Sensitive data is detected and masked when it is ingested into a log group. When you set a \n      data protection policy, log events ingested into the log groups before that time are not masked.</p>\n         </important>\n         <p>If you use <code>PutAccountPolicy</code> to create a data protection policy for your whole account, it applies to both existing log groups\n    and all log groups that are created later in this account. The account-level policy is applied to existing log groups\n    with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.</p>\n         <p>By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks.\n      A user who has the <code>logs:Unmask</code> permission can use a \n      <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html\">GetLogEvents</a> or \n      <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html\">FilterLogEvents</a>\n      operation with the <code>unmask</code> parameter set to <code>true</code> to view the unmasked \n      log events. Users with the <code>logs:Unmask</code> can also view unmasked data in the CloudWatch Logs\n      console by running a CloudWatch Logs Insights query with the <code>unmask</code> query command.</p>\n         <p>For more information, including a list of types of data that can be audited and masked, see\n      <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html\">Protect sensitive log data with masking</a>.</p>\n         <p>To use the <code>PutAccountPolicy</code> operation for a data protection policy, you must be signed on with \n      the <code>logs:PutDataProtectionPolicy</code>\n    and <code>logs:PutAccountPolicy</code> permissions.</p>\n         <p>The <code>PutAccountPolicy</code> operation applies to all log groups in the account. You can use \n      <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDataProtectionPolicy.html\">PutDataProtectionPolicy</a>\n      to create a data protection policy that applies to just one log group. \n      If a log group has its own data protection policy and \n      the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term\n      specified in either policy is masked.</p>\n         <p>\n            <b>Subscription filter policy</b>\n         </p>\n         <p>A subscription filter policy sets up a real-time feed of log events from CloudWatch Logs to other Amazon Web Services services.\n      Account-level subscription filter policies apply to both existing log groups and log groups that are created later in \n      this account. Supported destinations are Kinesis Data Streams, Kinesis Data Firehose, and \n      Lambda. When log events are sent to the receiving service, they are Base64 encoded and \n      compressed with the GZIP format.</p>\n         <p>The following destinations are supported for subscription filters:</p>\n         <ul>\n            <li>\n               <p>An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>A Lambda function in the same account as the subscription policy, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>A logical destination in a different account created with <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html\">PutDestination</a>, for cross-account\n        delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.</p>\n            </li>\n         </ul>\n         <p>Each account can have one account-level subscription filter policy. \n      If you are updating an existing filter, you must specify the correct name in <code>PolicyName</code>.\n      To perform a <code>PutAccountPolicy</code> subscription filter operation for any destination except a Lambda \n      function, you must also have the <code>iam:PassRole</code> permission.</p>"
+        "smithy.api#documentation": "<p>Creates an account-level data protection policy or subscription filter policy that applies to all log groups \n      or a subset of log groups in the account.</p>\n         <p>\n            <b>Data protection policy</b>\n         </p>\n         <p>A data protection policy can help safeguard sensitive \n      data that's ingested by your log groups by auditing and masking the sensitive log data. Each account can have only\n    one account-level data protection policy.</p>\n         <important>\n            <p>Sensitive data is detected and masked when it is ingested into a log group. When you set a \n      data protection policy, log events ingested into the log groups before that time are not masked.</p>\n         </important>\n         <p>If you use <code>PutAccountPolicy</code> to create a data protection policy for your whole account, it applies to both existing log groups\n    and all log groups that are created later in this account. The account-level policy is applied to existing log groups\n    with eventual consistency. It might take up to 5 minutes before sensitive data in existing log groups begins to be masked.</p>\n         <p>By default, when a user views a log event that includes masked data, the sensitive data is replaced by asterisks.\n      A user who has the <code>logs:Unmask</code> permission can use a \n      <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html\">GetLogEvents</a> or \n      <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_FilterLogEvents.html\">FilterLogEvents</a>\n      operation with the <code>unmask</code> parameter set to <code>true</code> to view the unmasked \n      log events. Users with the <code>logs:Unmask</code> can also view unmasked data in the CloudWatch Logs\n      console by running a CloudWatch Logs Insights query with the <code>unmask</code> query command.</p>\n         <p>For more information, including a list of types of data that can be audited and masked, see\n      <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html\">Protect sensitive log data with masking</a>.</p>\n         <p>To use the <code>PutAccountPolicy</code> operation for a data protection policy, you must be signed on with \n      the <code>logs:PutDataProtectionPolicy</code>\n    and <code>logs:PutAccountPolicy</code> permissions.</p>\n         <p>The <code>PutAccountPolicy</code> operation applies to all log groups in the account. You can use \n      <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDataProtectionPolicy.html\">PutDataProtectionPolicy</a>\n      to create a data protection policy that applies to just one log group. \n      If a log group has its own data protection policy and \n      the account also has an account-level data protection policy, then the two policies are cumulative. Any sensitive term\n      specified in either policy is masked.</p>\n         <p>\n            <b>Subscription filter policy</b>\n         </p>\n         <p>A subscription filter policy sets up a real-time feed of log events from CloudWatch Logs to other Amazon Web Services services.\n      Account-level subscription filter policies apply to both existing log groups and log groups that are created later in \n      this account. Supported destinations are Kinesis Data Streams, Firehose, and \n      Lambda. When log events are sent to the receiving service, they are Base64 encoded and \n      compressed with the GZIP format.</p>\n         <p>The following destinations are supported for subscription filters:</p>\n         <ul>\n            <li>\n               <p>An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>An Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>A Lambda function in the same account as the subscription policy, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>A logical destination in a different account created with <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html\">PutDestination</a>, for cross-account\n        delivery. Kinesis Data Streams and Firehose are supported as logical destinations.</p>\n            </li>\n         </ul>\n         <p>Each account can have one account-level subscription filter policy. \n      If you are updating an existing filter, you must specify the correct name in <code>PolicyName</code>.\n      To perform a <code>PutAccountPolicy</code> subscription filter operation for any destination except a Lambda \n      function, you must also have the <code>iam:PassRole</code> permission.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#PutAccountPolicyRequest": {
@@ -6812,7 +6824,7 @@
         "policyDocument": {
           "target": "com.amazonaws.cloudwatchlogs#AccountPolicyDocument",
           "traits": {
-            "smithy.api#documentation": "<p>Specify the policy, in JSON.</p>\n         <p>\n            <b>Data protection policy</b>\n         </p>\n         <p>A data protection policy must include two JSON blocks:</p>\n         <ul>\n            <li>\n               <p>The first block must include both a <code>DataIdentifer</code> array and an \n        <code>Operation</code> property with an <code>Audit</code> action. The <code>DataIdentifer</code> array lists the types of sensitive data that\n        you want to mask. For more information about the available options, see \n        <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html\">Types of data that you can mask</a>.</p>\n               <p>The <code>Operation</code> property with an <code>Audit</code> action is required to find the \n          sensitive data terms. This <code>Audit</code> action must contain a <code>FindingsDestination</code>\n          object. You can optionally use that <code>FindingsDestination</code> object to list one or more \n          destinations to send audit findings to. If you specify destinations such as log groups, \n          Kinesis Data Firehose streams, and S3 buckets, they must already exist.</p>\n            </li>\n            <li>\n               <p>The second block must include both a <code>DataIdentifer</code> array and an\n        <code>Operation</code> property with an <code>Deidentify</code> action. The\n        <code>DataIdentifer</code> array must exactly match the <code>DataIdentifer</code> array\n        in the first block of the policy.</p>\n               <p>The <code>Operation</code> property with the <code>Deidentify</code> action is what actually masks the \n          data, and it must \n          contain the <code>\n            \"MaskConfig\": {}</code> object. The <code>\n              \"MaskConfig\": {}</code> object must be empty.</p>\n            </li>\n         </ul>\n         <p>For an example data protection policy, see the <b>Examples</b> section on this page.</p>\n         <important>\n            <p>The contents of the two <code>DataIdentifer</code> arrays must match exactly.</p>\n         </important>\n         <p>In addition to the two JSON blocks, the <code>policyDocument</code> can also include <code>Name</code>,\n    <code>Description</code>, and <code>Version</code> fields. The <code>Name</code> is different than the \n      operation's <code>policyName</code> parameter, and is used as a dimension when\n    CloudWatch Logs reports audit findings metrics to CloudWatch.</p>\n         <p>The JSON specified in <code>policyDocument</code> can be up to 30,720 characters long.</p>\n         <p>\n            <b>Subscription filter policy</b>\n         </p>\n         <p>A subscription filter policy can include the following attributes in a JSON block:</p>\n         <ul>\n            <li>\n               <p>\n                  <b>DestinationArn</b> The ARN of the destination\n      to deliver log events to. Supported destinations are:</p>\n               <ul>\n                  <li>\n                     <p>An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.</p>\n                  </li>\n                  <li>\n                     <p>An Kinesis Data Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>\n                  </li>\n                  <li>\n                     <p>A Lambda function in the same account as the subscription policy, for same-account delivery.</p>\n                  </li>\n                  <li>\n                     <p>A logical destination in a different account created with <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html\">PutDestination</a>, for cross-account\n            delivery. Kinesis Data Streams and Kinesis Data Firehose are supported as logical destinations.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <b>RoleArn</b> The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log\n        events to the destination stream. You don't need to provide the ARN when you are working with\n        a logical destination for cross-account delivery.</p>\n            </li>\n            <li>\n               <p>\n                  <b>FilterPattern</b> A filter pattern for subscribing to a \n        filtered stream of log events.</p>\n            </li>\n            <li>\n               <p>\n                  <b>Distribution</b>The method used to distribute log data to the destination. \n        By default, log data is\n        grouped by log stream, but the grouping can be set to <code>Random</code> for a more even distribution.\n        This property is only applicable when the destination is an Kinesis Data Streams data stream.</p>\n            </li>\n         </ul>",
+            "smithy.api#documentation": "<p>Specify the policy, in JSON.</p>\n         <p>\n            <b>Data protection policy</b>\n         </p>\n         <p>A data protection policy must include two JSON blocks:</p>\n         <ul>\n            <li>\n               <p>The first block must include both a <code>DataIdentifer</code> array and an \n        <code>Operation</code> property with an <code>Audit</code> action. The <code>DataIdentifer</code> array lists the types of sensitive data that\n        you want to mask. For more information about the available options, see \n        <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html\">Types of data that you can mask</a>.</p>\n               <p>The <code>Operation</code> property with an <code>Audit</code> action is required to find the \n          sensitive data terms. This <code>Audit</code> action must contain a <code>FindingsDestination</code>\n          object. You can optionally use that <code>FindingsDestination</code> object to list one or more \n          destinations to send audit findings to. If you specify destinations such as log groups, \n          Firehose streams, and S3 buckets, they must already exist.</p>\n            </li>\n            <li>\n               <p>The second block must include both a <code>DataIdentifer</code> array and an\n        <code>Operation</code> property with an <code>Deidentify</code> action. The\n        <code>DataIdentifer</code> array must exactly match the <code>DataIdentifer</code> array\n        in the first block of the policy.</p>\n               <p>The <code>Operation</code> property with the <code>Deidentify</code> action is what actually masks the \n          data, and it must \n          contain the <code>\n            \"MaskConfig\": {}</code> object. The <code>\n              \"MaskConfig\": {}</code> object must be empty.</p>\n            </li>\n         </ul>\n         <p>For an example data protection policy, see the <b>Examples</b> section on this page.</p>\n         <important>\n            <p>The contents of the two <code>DataIdentifer</code> arrays must match exactly.</p>\n         </important>\n         <p>In addition to the two JSON blocks, the <code>policyDocument</code> can also include <code>Name</code>,\n    <code>Description</code>, and <code>Version</code> fields. The <code>Name</code> is different than the \n      operation's <code>policyName</code> parameter, and is used as a dimension when\n    CloudWatch Logs reports audit findings metrics to CloudWatch.</p>\n         <p>The JSON specified in <code>policyDocument</code> can be up to 30,720 characters long.</p>\n         <p>\n            <b>Subscription filter policy</b>\n         </p>\n         <p>A subscription filter policy can include the following attributes in a JSON block:</p>\n         <ul>\n            <li>\n               <p>\n                  <b>DestinationArn</b> The ARN of the destination\n      to deliver log events to. Supported destinations are:</p>\n               <ul>\n                  <li>\n                     <p>An Kinesis Data Streams data stream in the same account as the subscription policy, for same-account delivery.</p>\n                  </li>\n                  <li>\n                     <p>An Firehose data stream in the same account as the subscription policy, for same-account delivery.</p>\n                  </li>\n                  <li>\n                     <p>A Lambda function in the same account as the subscription policy, for same-account delivery.</p>\n                  </li>\n                  <li>\n                     <p>A logical destination in a different account created with <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html\">PutDestination</a>, for cross-account\n            delivery. Kinesis Data Streams and Firehose are supported as logical destinations.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <b>RoleArn</b> The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log\n        events to the destination stream. You don't need to provide the ARN when you are working with\n        a logical destination for cross-account delivery.</p>\n            </li>\n            <li>\n               <p>\n                  <b>FilterPattern</b> A filter pattern for subscribing to a \n        filtered stream of log events.</p>\n            </li>\n            <li>\n               <p>\n                  <b>Distribution</b>The method used to distribute log data to the destination. \n        By default, log data is\n        grouped by log stream, but the grouping can be set to <code>Random</code> for a more even distribution.\n        This property is only applicable when the destination is an Kinesis Data Streams data stream.</p>\n            </li>\n         </ul>",
             "smithy.api#required": {}
           }
         },
@@ -6896,7 +6908,7 @@
         "policyDocument": {
           "target": "com.amazonaws.cloudwatchlogs#DataProtectionPolicyDocument",
           "traits": {
-            "smithy.api#documentation": "<p>Specify the data protection policy, in JSON.</p>\n         <p>This policy must include two JSON blocks:</p>\n         <ul>\n            <li>\n               <p>The first block must include both a <code>DataIdentifer</code> array and an \n        <code>Operation</code> property with an <code>Audit</code> action. The <code>DataIdentifer</code> array lists the types of sensitive data that\n        you want to mask. For more information about the available options, see \n        <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html\">Types of data that you can mask</a>.</p>\n               <p>The <code>Operation</code> property with an <code>Audit</code> action is required to find the \n          sensitive data terms. This <code>Audit</code> action must contain a <code>FindingsDestination</code>\n          object. You can optionally use that <code>FindingsDestination</code> object to list one or more \n          destinations to send audit findings to. If you specify destinations such as log groups, \n          Kinesis Data Firehose streams, and S3 buckets, they must already exist.</p>\n            </li>\n            <li>\n               <p>The second block must include both a <code>DataIdentifer</code> array and an\n            <code>Operation</code> property with an <code>Deidentify</code> action. The\n            <code>DataIdentifer</code> array must exactly match the <code>DataIdentifer</code> array\n          in the first block of the policy.</p>\n               <p>The <code>Operation</code> property with the <code>Deidentify</code> action is what actually masks the \n        data, and it must \n        contain the <code>\n          \"MaskConfig\": {}</code> object. The <code>\n            \"MaskConfig\": {}</code> object must be empty.</p>\n            </li>\n         </ul>\n         <p>For an example data protection policy, see the <b>Examples</b> section on this page.</p>\n         <important>\n            <p>The contents of the two <code>DataIdentifer</code> arrays must match exactly.</p>\n         </important>\n         <p>In addition to the two JSON blocks, the <code>policyDocument</code> can also include <code>Name</code>,\n      <code>Description</code>, and <code>Version</code> fields. The <code>Name</code> is used as a dimension when\n      CloudWatch Logs reports audit findings metrics to CloudWatch.</p>\n         <p>The JSON specified in <code>policyDocument</code> can be up to 30,720 characters.</p>",
+            "smithy.api#documentation": "<p>Specify the data protection policy, in JSON.</p>\n         <p>This policy must include two JSON blocks:</p>\n         <ul>\n            <li>\n               <p>The first block must include both a <code>DataIdentifer</code> array and an \n        <code>Operation</code> property with an <code>Audit</code> action. The <code>DataIdentifer</code> array lists the types of sensitive data that\n        you want to mask. For more information about the available options, see \n        <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html\">Types of data that you can mask</a>.</p>\n               <p>The <code>Operation</code> property with an <code>Audit</code> action is required to find the \n          sensitive data terms. This <code>Audit</code> action must contain a <code>FindingsDestination</code>\n          object. You can optionally use that <code>FindingsDestination</code> object to list one or more \n          destinations to send audit findings to. If you specify destinations such as log groups, \n          Firehose streams, and S3 buckets, they must already exist.</p>\n            </li>\n            <li>\n               <p>The second block must include both a <code>DataIdentifer</code> array and an\n            <code>Operation</code> property with an <code>Deidentify</code> action. The\n            <code>DataIdentifer</code> array must exactly match the <code>DataIdentifer</code> array\n          in the first block of the policy.</p>\n               <p>The <code>Operation</code> property with the <code>Deidentify</code> action is what actually masks the \n        data, and it must \n        contain the <code>\n          \"MaskConfig\": {}</code> object. The <code>\n            \"MaskConfig\": {}</code> object must be empty.</p>\n            </li>\n         </ul>\n         <p>For an example data protection policy, see the <b>Examples</b> section on this page.</p>\n         <important>\n            <p>The contents of the two <code>DataIdentifer</code> arrays must match exactly.</p>\n         </important>\n         <p>In addition to the two JSON blocks, the <code>policyDocument</code> can also include <code>Name</code>,\n      <code>Description</code>, and <code>Version</code> fields. The <code>Name</code> is used as a dimension when\n      CloudWatch Logs reports audit findings metrics to CloudWatch.</p>\n         <p>The JSON specified in <code>policyDocument</code> can be up to 30,720 characters.</p>",
             "smithy.api#required": {}
           }
         }
@@ -6960,7 +6972,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates or updates a logical <i>delivery destination</i>. A delivery destination is an Amazon Web Services resource that represents an \n       Amazon Web Services service that logs can be sent to. CloudWatch Logs, Amazon S3, and\n       Kinesis Data Firehose are supported as logs delivery destinations.</p>\n         <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">PutDeliverySource</a>.</p>\n            </li>\n            <li>\n               <p>Use <code>PutDeliveryDestination</code> to create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination.  </p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Use <code>CreateDelivery</code> to create a <i>delivery</i> by pairing exactly \n         one delivery source and one delivery destination. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html\">CreateDelivery</a>.\n       </p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n       can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>\n         <p>Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       as <b>Supported [V2 Permissions]</b> in the table at \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enabling \n         logging from Amazon Web Services services.</a>\n         </p>\n         <p>If you use this operation to update an existing delivery destination, all the current delivery destination parameters are overwritten\n       with the new parameter values that you specify.</p>"
+        "smithy.api#documentation": "<p>Creates or updates a logical <i>delivery destination</i>. A delivery destination is an Amazon Web Services resource that represents an \n       Amazon Web Services service that logs can be sent to. CloudWatch Logs, Amazon S3, and\n       Firehose are supported as logs delivery destinations.</p>\n         <p>To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html\">PutDeliverySource</a>.</p>\n            </li>\n            <li>\n               <p>Use <code>PutDeliveryDestination</code> to create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination.  </p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Use <code>CreateDelivery</code> to create a <i>delivery</i> by pairing exactly \n         one delivery source and one delivery destination. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html\">CreateDelivery</a>.\n       </p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n       can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>\n         <p>Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       as <b>Supported [V2 Permissions]</b> in the table at \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enabling \n         logging from Amazon Web Services services.</a>\n         </p>\n         <p>If you use this operation to update an existing delivery destination, all the current delivery destination parameters are overwritten\n       with the new parameter values that you specify.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#PutDeliveryDestinationPolicy": {
@@ -7102,7 +7114,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates or updates a logical <i>delivery source</i>. A delivery source represents an Amazon Web Services resource that sends logs to an\n       logs delivery destination. The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.</p>\n         <p>To configure logs delivery between a delivery destination and an Amazon Web Services service that is supported as a delivery source, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Use <code>PutDeliverySource</code> to create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. </p>\n            </li>\n            <li>\n               <p>Use <code>PutDeliveryDestination</code> to create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">PutDeliveryDestination</a>.</p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Use <code>CreateDelivery</code> to create a <i>delivery</i> by pairing exactly \n         one delivery source and one delivery destination. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html\">CreateDelivery</a>.\n       </p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n       can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>\n         <p>Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       as <b>Supported [V2 Permissions]</b> in the table at \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enabling \n       logging from Amazon Web Services services.</a>\n         </p>\n         <p>If you use this operation to update an existing delivery source, all the current delivery source parameters are overwritten\n     with the new parameter values that you specify.</p>"
+        "smithy.api#documentation": "<p>Creates or updates a logical <i>delivery source</i>. A delivery source represents an Amazon Web Services resource that sends logs to an\n       logs delivery destination. The destination can be CloudWatch Logs, Amazon S3, or Firehose.</p>\n         <p>To configure logs delivery between a delivery destination and an Amazon Web Services service that is supported as a delivery source, you must do the following:</p>\n         <ul>\n            <li>\n               <p>Use <code>PutDeliverySource</code> to create a delivery source, which is a logical object that represents the resource that is actually\n         sending the logs. </p>\n            </li>\n            <li>\n               <p>Use <code>PutDeliveryDestination</code> to create a <i>delivery destination</i>, which is a logical object that represents the actual\n         delivery destination. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html\">PutDeliveryDestination</a>.</p>\n            </li>\n            <li>\n               <p>If you are delivering logs cross-account, you must use \n         <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html\">PutDeliveryDestinationPolicy</a>\n         in the destination account to assign an IAM policy to the \n         destination. This policy allows delivery to that destination.\n       </p>\n            </li>\n            <li>\n               <p>Use <code>CreateDelivery</code> to create a <i>delivery</i> by pairing exactly \n         one delivery source and one delivery destination. For more \n         information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html\">CreateDelivery</a>.\n       </p>\n            </li>\n         </ul>\n         <p>You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You \n       can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.</p>\n         <p>Only some Amazon Web Services services support being configured as a delivery source. These services are listed\n       as <b>Supported [V2 Permissions]</b> in the table at \n       <a href=\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html\">Enabling \n       logging from Amazon Web Services services.</a>\n         </p>\n         <p>If you use this operation to update an existing delivery source, all the current delivery source parameters are overwritten\n     with the new parameter values that you specify.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#PutDeliverySourceRequest": {
@@ -7125,7 +7137,7 @@
         "logType": {
           "target": "com.amazonaws.cloudwatchlogs#LogType",
           "traits": {
-            "smithy.api#documentation": "<p>Defines the type of log that the source is sending. For Amazon CodeWhisperer, the valid value is \n        <code>EVENT_LOGS</code>.</p>",
+            "smithy.api#documentation": "<p>Defines the type of log that the source is sending.</p>\n         <ul>\n            <li>\n               <p>For Amazon CodeWhisperer, the valid value is \n        <code>EVENT_LOGS</code>.</p>\n            </li>\n            <li>\n               <p>For IAM Identity Centerr, the valid value is \n         <code>ERROR_LOGS</code>.</p>\n            </li>\n            <li>\n               <p>For Amazon WorkMail, the valid values are \n         <code>ACCESS_CONTROL_LOGS</code>, <code>AUTHENTICATION_LOGS</code>, <code>WORKMAIL_AVAILABILITY_PROVIDER_LOGS</code>, and <code>WORKMAIL_MAILBOX_ACCESS_LOGS</code>.</p>\n            </li>\n         </ul>",
             "smithy.api#required": {}
           }
         },
@@ -7640,7 +7652,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates or updates a subscription filter and associates it with the specified log\n      group. With subscription filters, you can subscribe to a real-time stream of log events\n      ingested through <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutLogEvents.html\">PutLogEvents</a>\n      and have them delivered to a specific destination. When log events are sent to the receiving\n      service, they are Base64 encoded and compressed with the GZIP format.</p>\n         <p>The following destinations are supported for subscription filters:</p>\n         <ul>\n            <li>\n               <p>An Amazon Kinesis data stream belonging to the same account as the subscription\n          filter, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>A logical destination created with <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html\">PutDestination</a> that belongs to a different account, for cross-account delivery.\n          We currently support Kinesis Data Streams and Kinesis Data Firehose as logical destinations.</p>\n            </li>\n            <li>\n               <p>An Amazon Kinesis Data Firehose delivery stream that belongs to the same account as\n          the subscription filter, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>An Lambda function that belongs to the same account as the\n          subscription filter, for same-account delivery.</p>\n            </li>\n         </ul>\n         <p>Each log group can have up to two subscription filters associated with it. If you are\n      updating an existing filter, you must specify the correct name in <code>filterName</code>.\n      </p>\n         <p>To perform a <code>PutSubscriptionFilter</code> operation for any destination except a Lambda function, \n    you must also have the \n      <code>iam:PassRole</code> permission.</p>"
+        "smithy.api#documentation": "<p>Creates or updates a subscription filter and associates it with the specified log\n      group. With subscription filters, you can subscribe to a real-time stream of log events\n      ingested through <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutLogEvents.html\">PutLogEvents</a>\n      and have them delivered to a specific destination. When log events are sent to the receiving\n      service, they are Base64 encoded and compressed with the GZIP format.</p>\n         <p>The following destinations are supported for subscription filters:</p>\n         <ul>\n            <li>\n               <p>An Amazon Kinesis data stream belonging to the same account as the subscription\n          filter, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>A logical destination created with <a href=\"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html\">PutDestination</a> that belongs to a different account, for cross-account delivery.\n          We currently support Kinesis Data Streams and Firehose as logical destinations.</p>\n            </li>\n            <li>\n               <p>An Amazon Kinesis Data Firehose delivery stream that belongs to the same account as\n          the subscription filter, for same-account delivery.</p>\n            </li>\n            <li>\n               <p>An Lambda function that belongs to the same account as the\n          subscription filter, for same-account delivery.</p>\n            </li>\n         </ul>\n         <p>Each log group can have up to two subscription filters associated with it. If you are\n      updating an existing filter, you must specify the correct name in <code>filterName</code>.\n      </p>\n         <p>To perform a <code>PutSubscriptionFilter</code> operation for any destination except a Lambda function, \n    you must also have the \n      <code>iam:PassRole</code> permission.</p>"
       }
     },
     "com.amazonaws.cloudwatchlogs#PutSubscriptionFilterRequest": {
@@ -7955,13 +7967,13 @@
         "tooNewLogEventStartIndex": {
           "target": "com.amazonaws.cloudwatchlogs#LogEventIndex",
           "traits": {
-            "smithy.api#documentation": "<p>The log events that are too new.</p>"
+            "smithy.api#documentation": "<p>The index of the first log event that is too new. This field is inclusive.</p>"
           }
         },
         "tooOldLogEventEndIndex": {
           "target": "com.amazonaws.cloudwatchlogs#LogEventIndex",
           "traits": {
-            "smithy.api#documentation": "<p>The log events that are dated too far in the past.</p>"
+            "smithy.api#documentation": "<p>The index of the last log event that is too old. This field is exclusive.</p>"
           }
         },
         "expiredLogEventEndIndex": {