Disassociates an Firewall Manager administrator account. To set a different account as an Firewall Manager administrator, submit a PutAdminAccount request. To set an account as a default administrator account, you must submit an AssociateAdminAccount request.
Disassociation of the default administrator account follows the first in, last out principle. If you are the default administrator, all Firewall Manager administrators within the organization must first disassociate their accounts before you can disassociate your account.
", "DisassociateThirdPartyFirewall": "Disassociates a Firewall Manager policy administrator from a third-party firewall tenant. When you call DisassociateThirdPartyFirewall, the third-party firewall vendor deletes all of the firewalls that are associated with the account.
Returns the Organizations account that is associated with Firewall Manager as the Firewall Manager default administrator.
", - "GetAdminScope": "Returns information about the specified account's administrative scope. The admistrative scope defines the resources that an Firewall Manager administrator can manage.
", + "GetAdminScope": "Returns information about the specified account's administrative scope. The administrative scope defines the resources that an Firewall Manager administrator can manage.
", "GetAppsList": "Returns information about the specified Firewall Manager applications list.
", - "GetComplianceDetail": "Returns detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy.
Resources are considered noncompliant for WAF and Shield Advanced policies if the specified policy has not been applied to them.
Resources are considered noncompliant for security group policies if they are in scope of the policy, they violate one or more of the policy rules, and remediation is disabled or not possible.
Resources are considered noncompliant for Network Firewall policies if a firewall is missing in the VPC, if the firewall endpoint isn't set up in an expected Availability Zone and subnet, if a subnet created by the Firewall Manager doesn't have the expected route table, and for modifications to a firewall policy that violate the Firewall Manager policy's rules.
Resources are considered noncompliant for DNS Firewall policies if a DNS Firewall rule group is missing from the rule group associations for the VPC.
Returns detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy.
The reasons for resources being considered compliant depend on the Firewall Manager policy type.
", "GetNotificationChannel": "Information about the Amazon Simple Notification Service (SNS) topic that is used to record Firewall Manager SNS logs.
", "GetPolicy": "Returns information about the specified Firewall Manager policy.
", "GetProtectionStatus": "If you created a Shield Advanced policy, returns policy-level attack summary information in the event of a potential DDoS attack. Other policy types are currently unsupported.
", @@ -39,7 +39,7 @@ "PutAdminAccount": "Creates or updates an Firewall Manager administrator account. The account must be a member of the organization that was onboarded to Firewall Manager by AssociateAdminAccount. Only the organization's management account can create an Firewall Manager administrator account. When you create an Firewall Manager administrator account, the service checks to see if the account is already a delegated administrator within Organizations. If the account isn't a delegated administrator, Firewall Manager calls Organizations to delegate the account within Organizations. For more information about administrator accounts within Organizations, see Managing the Amazon Web Services Accounts in Your Organization.
", "PutAppsList": "Creates an Firewall Manager applications list.
", "PutNotificationChannel": "Designates the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs.
To perform this action outside of the console, you must first configure the SNS topic's access policy to allow the SnsRoleName to publish SNS logs. If the SnsRoleName provided is a role other than the AWSServiceRoleForFMS service-linked role, this role must have a trust relationship configured to allow the Firewall Manager service principal fms.amazonaws.com to assume this role. For information about configuring an SNS access policy, see Service roles for Firewall Manager in the Firewall Manager Developer Guide.
Creates an Firewall Manager policy.
A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.
If you add a new account to an organization that you created with Organizations, Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.
Firewall Manager provides the following types of policies:
Shield Advanced policy - This policy applies Shield Advanced protection to specified accounts and resources.
Security Groups policy - This type of policy gives you control over security groups that are in use throughout your organization in Organizations and lets you enforce a baseline set of rules across your organization.
Network Firewall policy - This policy applies Network Firewall protection to your organization's VPCs.
DNS Firewall policy - This policy applies Amazon Route 53 Resolver DNS Firewall protections to your organization's VPCs.
Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the Amazon Web Services Marketplace console at Amazon Web Services Marketplace.
Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
Fortigate CNF policy - This policy applies Fortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.
Creates an Firewall Manager policy.
A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.
If you add a new account to an organization that you created with Organizations, Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.
Firewall Manager provides the following types of policies:
WAF policy - This policy applies WAF web ACL protections to specified accounts and resources.
Shield Advanced policy - This policy applies Shield Advanced protection to specified accounts and resources.
Security Groups policy - This type of policy gives you control over security groups that are in use throughout your organization in Organizations and lets you enforce a baseline set of rules across your organization.
Network ACL policy - This type of policy gives you control over the network ACLs that are in use throughout your organization in Organizations and lets you enforce a baseline set of first and last network ACL rules across your organization.
Network Firewall policy - This policy applies Network Firewall protection to your organization's VPCs.
DNS Firewall policy - This policy applies Amazon Route 53 Resolver DNS Firewall protections to your organization's VPCs.
Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the Amazon Web Services Marketplace console at Amazon Web Services Marketplace.
Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
Fortigate CNF policy - This policy applies Fortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.
Creates an Firewall Manager protocols list.
", "PutResourceSet": "Creates the resource set.
An Firewall Manager resource set defines the resources to import into an Firewall Manager policy from another Amazon Web Services service.
", "TagResource": "Adds one or more tags to an Amazon Web Services resource.
", @@ -55,7 +55,7 @@ "AssociateAdminAccountRequest$AdminAccount": "The Amazon Web Services account ID to associate with Firewall Manager as the Firewall Manager default administrator account. This account must be a member account of the organization in Organizations whose resources you want to protect. For more information about Organizations, see Managing the Amazon Web Services Accounts in Your Organization.
", "DiscoveredResource$AccountId": "The Amazon Web Services account ID associated with the discovered resource.
", "GetAdminAccountResponse$AdminAccount": "The account that is set as the Firewall Manager default administrator.
", - "GetAdminScopeRequest$AdminAccount": "The administator account that you want to get the details for.
", + "GetAdminScopeRequest$AdminAccount": "The administrator account that you want to get the details for.
", "GetComplianceDetailRequest$MemberAccount": "The Amazon Web Services account that owns the resources that you want to get the details for.
", "GetProtectionStatusRequest$MemberAccountId": "The Amazon Web Services account that is in scope of the policy that you want to get the details for.
", "GetProtectionStatusResponse$AdminAccountId": "The ID of the Firewall Manager administrator account for this policy.
", @@ -110,6 +110,9 @@ "ActionTarget": { "base": "Describes a remediation action target.
", "refs": { + "CreateNetworkAclAction$Vpc": "The VPC that's associated with the remediation action.
", + "CreateNetworkAclEntriesAction$NetworkAclId": "The network ACL that's associated with the remediation action.
", + "DeleteNetworkAclEntriesAction$NetworkAclId": "The network ACL that's associated with the remediation action.
", "EC2AssociateRouteTableAction$RouteTableId": "The ID of the EC2 route table that is associated with the remediation action.
", "EC2AssociateRouteTableAction$SubnetId": "The ID of the subnet for the EC2 route table that is associated with the remediation action.
", "EC2AssociateRouteTableAction$GatewayId": "The ID of the gateway to be used with the EC2 route table that is associated with the remediation action.
", @@ -123,7 +126,9 @@ "EC2ReplaceRouteAction$GatewayId": "Information about the ID of an internet gateway or virtual private gateway.
", "EC2ReplaceRouteAction$RouteTableId": "Information about the ID of the route table.
", "EC2ReplaceRouteTableAssociationAction$AssociationId": "Information about the association ID.
", - "EC2ReplaceRouteTableAssociationAction$RouteTableId": "Information about the ID of the new route table to associate with the subnet.
" + "EC2ReplaceRouteTableAssociationAction$RouteTableId": "Information about the ID of the new route table to associate with the subnet.
", + "ReplaceNetworkAclAssociationAction$AssociationId": null, + "ReplaceNetworkAclAssociationAction$NetworkAclId": "The network ACL that's associated with the remediation action.
" } }, "AdminAccountSummary": { @@ -262,6 +267,9 @@ "AccountScope$AllAccountsEnabled": "A boolean value that indicates if the administrator can apply policies to all accounts within an organization. If true, the administrator can apply policies to all accounts within the organization. You can either enable management of all accounts through this operation, or you can specify a list of accounts to manage in AccountScope$Accounts. You cannot specify both.
A boolean value that excludes the accounts in AccountScope$Accounts from the administrator's scope. If true, the Firewall Manager administrator can apply policies to all members of the organization except for the accounts listed in AccountScope$Accounts. You can either specify a list of accounts to exclude by AccountScope$Accounts, or you can enable management of all accounts by AccountScope$AllAccountsEnabled. You cannot specify both.
A boolean value that indicates if the administrator is the default administrator. If true, then this is the default administrator account. The default administrator can manage third-party firewalls and has full administrative scope. There is only one default administrator account per organization. For information about Firewall Manager default administrator accounts, see Managing Firewall Manager administrators in the Firewall Manager Developer Guide.
", + "CreateNetworkAclAction$FMSCanRemediate": "Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
", + "CreateNetworkAclEntriesAction$FMSCanRemediate": "Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
", + "DeleteNetworkAclEntriesAction$FMSCanRemediate": "Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
", "DeletePolicyRequest$DeleteAllPolicyResources": "If True, the request performs cleanup according to the policy type.
For WAF and Shield Advanced policies, the cleanup does the following:
Deletes rule groups created by Firewall Manager
Removes web ACLs from in-scope resources
Deletes web ACLs that contain no rules or rule groups
For security group policies, the cleanup does the following for each security group in the policy:
Disassociates the security group from in-scope resources
Deletes the security group if it was created through Firewall Manager and if it's no longer associated with any resources through another policy
For security group common policies, even if set to False, Firewall Manager deletes all security groups created by Firewall Manager that aren't associated with any other resources through another policy.
After the cleanup, in-scope resources are no longer protected by web ACLs in this policy. Protection of out-of-scope resources remains unchanged. Scope is determined by tags that you create and accounts that you associate with the policy. When creating the policy, if you specify that only resources in specific accounts or with specific tags are in scope of the policy, those accounts and resources are handled by the policy. All others are out of scope. If you don't specify tags or accounts, all resources are in scope.
", "EvaluationResult$EvaluationLimitExceeded": "Indicates that over 100 resources are noncompliant with the Firewall Manager policy.
", "GetAppsListRequest$DefaultList": "Specifies whether the list to retrieve is a default list owned by Firewall Manager.
", @@ -281,9 +289,18 @@ "PolicyTypeScope$AllPolicyTypesEnabled": "Allows the specified Firewall Manager administrator to manage all Firewall Manager policy types, except for third-party policy types. Third-party policy types can only be managed by the Firewall Manager default administrator.
", "PossibleRemediationAction$IsDefaultAction": "Information about whether an action is taken by default.
", "RegionScope$AllRegionsEnabled": "Allows the specified Firewall Manager administrator to manage all Amazon Web Services Regions.
", + "ReplaceNetworkAclAssociationAction$FMSCanRemediate": "Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
", "SecurityGroupRemediationAction$IsDefaultAction": "Indicates if the current action is the default action.
" } }, + "BooleanObject": { + "base": null, + "refs": { + "NetworkAclEntry$Egress": "Indicates whether the rule is an egress, or outbound, rule (applied to traffic leaving the subnet). If it's not an egress rule, then it's an ingress, or inbound, rule.
", + "NetworkAclEntrySet$ForceRemediateForFirstEntries": "Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see Network access control list (ACL) policies in the Firewall Manager Developer Guide.
", + "NetworkAclEntrySet$ForceRemediateForLastEntries": "Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see Network access control list (ACL) policies in the Firewall Manager Developer Guide.
" + } + }, "CIDR": { "base": null, "refs": { @@ -318,6 +335,18 @@ "PolicyComplianceDetail$Violators": "An array of resources that aren't protected by the WAF or Shield Advanced policy or that aren't in compliance with the security group policy.
" } }, + "CreateNetworkAclAction": { + "base": "Information about the CreateNetworkAcl action in Amazon EC2. This is a remediation option in RemediationAction.
Information about the CreateNetworkAcl action in Amazon EC2.
Information about the CreateNetworkAclEntries action in Amazon EC2. This is a remediation option in RemediationAction.
Information about the CreateNetworkAclEntries action in Amazon EC2.
Information about the DeleteNetworkAclEntries action in Amazon EC2. This is a remediation option in RemediationAction.
Information about the DeleteNetworkAclEntries action in Amazon EC2.
Information about the ReplaceRouteTableAssociation action in the Amazon EC2 API.
" } }, + "EntriesDescription": { + "base": null, + "refs": { + "CreateNetworkAclEntriesAction$NetworkAclEntriesToBeCreated": "Lists the entries that the remediation action would create.
", + "DeleteNetworkAclEntriesAction$NetworkAclEntriesToBeDeleted": "Lists the entries that the remediation action would delete.
" + } + }, + "EntriesWithConflicts": { + "base": null, + "refs": { + "EntryViolation$EntriesWithConflicts": "The list of entries that are in conflict with ExpectedEntry.
Describes a single rule in a network ACL.
", + "refs": { + "EntriesDescription$member": null, + "EntriesWithConflicts$member": null, + "EntryViolation$ExpectedEntry": "The Firewall Manager-managed network ACL entry that is involved in the entry violation.
", + "EntryViolation$EntryAtExpectedEvaluationOrder": "The entry that's currently in the ExpectedEvaluationOrder location, in place of the expected entry.
Specifies whether the entry is managed by Firewall Manager or by a user, and, for Firewall Manager-managed entries, specifies whether the entry is among those that run first in the network ACL or those that run last.
" + } + }, + "EntryViolation": { + "base": "Detailed information about an entry violation in a network ACL. The violation is against the network ACL specification inside the Firewall Manager network ACL policy. This data object is part of InvalidNetworkAclEntriesViolation.
Descriptions of the violations that Firewall Manager found for these entries.
" + } + }, + "EntryViolations": { + "base": null, + "refs": { + "InvalidNetworkAclEntriesViolation$EntryViolations": "Detailed information about the entry violations in the network ACL.
" + } + }, "ErrorMessage": { "base": null, "refs": { @@ -713,6 +800,13 @@ "SecurityGroupRuleDescription$ToPort": "The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes.
The beginning port number of the range.
", + "NetworkAclPortRange$To": "The ending port number of the range.
" + } + }, "Identifier": { "base": null, "refs": { @@ -733,6 +827,19 @@ "BatchDisassociateResourceRequest$Items": "The uniform resource identifiers (URI) of resources that should be disassociated from the resource set. The URIs must be Amazon Resource Names (ARNs).
" } }, + "IntegerObject": { + "base": null, + "refs": { + "NetworkAclIcmpTypeCode$Code": "ICMP code.
", + "NetworkAclIcmpTypeCode$Type": "ICMP type.
" + } + }, + "IntegerObjectMinimum0": { + "base": null, + "refs": { + "EntryDescription$EntryRuleNumber": "The rule number for the entry. ACL entries are processed in ascending order by rule number. In a Firewall Manager network ACL policy, Firewall Manager assigns rule numbers.
" + } + }, "InternalErrorException": { "base": "The operation failed because of a system problem, even though the request was valid. Retry your request.
", "refs": { @@ -743,6 +850,12 @@ "refs": { } }, + "InvalidNetworkAclEntriesViolation": { + "base": "Violation detail for the entries in a network ACL resource.
", + "refs": { + "ResourceViolation$InvalidNetworkAclEntriesViolation": "Violation detail for the entries in a network ACL resource.
" + } + }, "InvalidOperationException": { "base": "The operation failed because there was nothing to do or the operation wasn't possible. For example, you might have submitted an AssociateAdminAccount request for an account ID that was already set as the Firewall Manager administrator. Or you might have tried to access a Region that's disabled by default, and that you need to enable for the Firewall Manager administrator account and for Organizations before you can access it.
Details about problems with dependent services, such as WAF or Config, and the error message received that indicates the problem with the service.
" } }, + "LengthBoundedNonEmptyString": { + "base": null, + "refs": { + "NetworkAclEntry$CidrBlock": "The IPv4 network range to allow or deny, in CIDR notation.
", + "NetworkAclEntry$Ipv6CidrBlock": "The IPv6 network range to allow or deny, in CIDR notation.
" + } + }, "LengthBoundedString": { "base": null, "refs": { @@ -767,6 +887,9 @@ "AwsVPCSecurityGroupViolation$ViolationTargetDescription": "A description of the security group that violates the policy.
", "ComplianceViolatorMetadata$key": null, "ComplianceViolatorMetadata$value": null, + "CreateNetworkAclAction$Description": "Brief description of this remediation action.
", + "CreateNetworkAclEntriesAction$Description": "Brief description of this remediation action.
", + "DeleteNetworkAclEntriesAction$Description": "Brief description of this remediation action.
", "DnsDuplicateRuleGroupViolation$ViolationTargetDescription": "A description of the violation that specifies the rule group and VPC.
", "DnsRuleGroupLimitExceededViolation$ViolationTargetDescription": "A description of the violation that specifies the rule group and VPC.
", "DnsRuleGroupPriorityConflictViolation$ViolationTargetDescription": "A description of the violation that specifies the VPC and the rule group that's already associated with it.
", @@ -777,12 +900,16 @@ "EC2DeleteRouteAction$Description": "A description of the DeleteRoute action.
", "EC2ReplaceRouteAction$Description": "A description of the ReplaceRoute action in Amazon EC2.
", "EC2ReplaceRouteTableAssociationAction$Description": "A description of the ReplaceRouteTableAssociation action in Amazon EC2.
", + "EntryViolation$ExpectedEvaluationOrder": "The evaluation location within the ordered list of entries where the ExpectedEntry should be, according to the network ACL policy specifications.
The evaluation location within the ordered list of entries where the ExpectedEntry is currently located.
Describes the remedial action.
", "FirewallSubnetIsOutOfScopeViolation$SubnetAvailabilityZone": "The Availability Zone of the firewall subnet that violates the policy scope.
", "FirewallSubnetIsOutOfScopeViolation$SubnetAvailabilityZoneId": "The Availability Zone ID of the firewall subnet that violates the policy scope.
", "FirewallSubnetMissingVPCEndpointViolation$SubnetAvailabilityZone": "The name of the Availability Zone of the deleted VPC subnet.
", "FirewallSubnetMissingVPCEndpointViolation$SubnetAvailabilityZoneId": "The ID of the Availability Zone of the deleted VPC subnet.
", + "InvalidNetworkAclEntriesViolation$SubnetAvailabilityZone": "The Availability Zone where the network ACL is in use.
", "LengthBoundedStringList$member": null, + "NetworkAclEntry$Protocol": "The protocol number. A value of \"-1\" means all protocols.
", "NetworkFirewallInternetTrafficNotInspectedViolation$SubnetAvailabilityZone": "The subnet Availability Zone.
", "NetworkFirewallMissingExpectedRTViolation$AvailabilityZone": "The Availability Zone of a violating subnet.
", "NetworkFirewallMissingFirewallViolation$AvailabilityZone": "The Availability Zone of a violating subnet.
", @@ -790,6 +917,7 @@ "PossibleRemediationAction$Description": "A description of the list of remediation actions.
", "PossibleRemediationActions$Description": "A description of the possible remediation actions list.
", "RemediationAction$Description": "A description of a remediation action.
", + "ReplaceNetworkAclAssociationAction$Description": "Brief description of this remediation action.
", "Route$Destination": "The destination of the route.
", "Route$Target": "The route's target.
", "RouteHasOutOfScopeEndpointViolation$SubnetAvailabilityZone": "The subnet's Availability Zone.
", @@ -949,7 +1077,7 @@ "base": null, "refs": { "FMSPolicyUpdateFirewallCreationConfigAction$FirewallCreationConfig": "A FirewallCreationConfig that you can copy into your current policy's SecurityServiceData in order to remedy scope violations.
Details about the service that are specific to the service type, in JSON format.
Example: DNS_FIREWALL
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.
Example: IMPORT_NETWORK_FIREWALL
\"{\\\"type\\\":\\\"IMPORT_NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\\/rg1\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:drop\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\\/ThreatSignaturesEmergingEventsStrictOrder\\\",\\\"priority\\\":8}],\\\"networkFirewallStatefulEngineOptions\\\":{\\\"ruleOrder\\\":\\\"STRICT_ORDER\\\"},\\\"networkFirewallStatefulDefaultActions\\\":[\\\"aws:drop_strict\\\"]}}\"
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.
Example: NETWORK_FIREWALL - Centralized deployment model
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"
To use the centralized deployment model, you must set PolicyOption to CENTRALIZED.
Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring firewallCreationConfig. To configure the Availability Zones in firewallCreationConfig, specify either the availabilityZoneName or availabilityZoneId parameter, not both parameters.
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: SECURITY_GROUPS_COMMON
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_COMMON - Security group tag distribution
\"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"
Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges to true, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.
Firewall Manager won't distrubute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws: prefix.
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_CONTENT_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"
The security group action for content audit can be ALLOW or DENY. For ALLOW, all in-scope security group rules must be within the allowed range of the policy's security group rules. For DENY, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"
Example: SHIELD_ADVANCED with web ACL management
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"optimizeUnassociatedWebACL\\\":true}\"
If you set optimizeUnassociatedWebACL to true, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.
If you set optimizeUnassociatedWebACL to false, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Specification for SHIELD_ADVANCED for Amazon CloudFront distributions
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"
For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"
The default value for automaticResponseStatus is IGNORED. The value for automaticResponseAction is only required when automaticResponseStatus is set to ENABLED. The default value for overrideCustomerWebaclClassic is false.
For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData configuration is an empty string.
Example: THIRD_PARTY_FIREWALL
Replace THIRD_PARTY_FIREWALL_NAME with the name of the third-party firewall.
\"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] }, \"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { \"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }\"
Example: WAFV2 - Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesATPRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesATPRuleSet\\\":{\\\"loginPath\\\":\\\"/loginpath\\\",\\\"requestInspection\\\":{\\\"payloadType\\\":\\\"FORM_ENCODED|JSON\\\",\\\"usernameField\\\":{\\\"identifier\\\":\\\"/form/username\\\"},\\\"passwordField\\\":{\\\"identifier\\\":\\\"/form/password\\\"}}}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true},{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesBotControlRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesBotControlRuleSet\\\":{\\\"inspectionLevel\\\":\\\"TARGETED|COMMON\\\"}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true,\\\"ruleActionOverrides\\\":[{\\\"name\\\":\\\"Rule1\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}},{\\\"name\\\":\\\"Rule2\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true}\"
Bot Control - For information about AWSManagedRulesBotControlRuleSet managed rule groups, see AWSManagedRulesBotControlRuleSet in the WAF API Reference.
Fraud Control account takeover prevention (ATP) - For information about the properties available for AWSManagedRulesATPRuleSet managed rule groups, see AWSManagedRulesATPRuleSet in the WAF API Reference.
Optimize unassociated web ACL - If you set optimizeUnassociatedWebACL to true, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.
If you set optimizeUnassociatedWebACL to false Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure a RuleActionOverrides add the Name of the rule to override, and ActionToUse, which is the new action to use for the rule. For information about using rule action override, see RuleActionOverride in the WAF API Reference.
Example: WAFV2 - CAPTCHA and Challenge configs
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"captchaConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":500}},\\\"challengeConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":800}},\\\"tokenDomains\\\":[\\\"google.com\\\",\\\"amazon.com\\\"],\\\"associationConfig\\\":{\\\"requestBody\\\":{\\\"CLOUDFRONT\\\":{\\\"defaultSizeInspectionLimit\\\":\\\"KB_16\\\"}}}}\"
CAPTCHA and Challenge configs - If you update the policy's values for associationConfig, captchaConfig, challengeConfig, or tokenDomains, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's associationConfig, captchaConfig, challengeConfig, or tokenDomains values, the values in your local web ACLs will remain unchanged. For information about association configs, see AssociationConfig. For information about CAPTCHA and Challenge configs, see CaptchaConfig and ChallengeConfig in the WAF API Reference.
defaultSizeInspectionLimit - Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to WAF for inspection. For more information, see DefaultSizeInspectionLimit in the WAF API Reference.
Example: WAFV2 - Firewall Manager support for WAF managed rule group versioning
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled to true, and set version to the version you'd like to use. If you don't set versionEnabled to true, or if you omit versionEnabled, then Firewall Manager uses the default version of the WAF managed rule group.
Example: WAFV2 - Logging configurations
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null, \\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\": {\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\", \\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"} ,\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[], \\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[], \\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\" :null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\" :false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\": [\\\"arn:aws:s3:::aws-waf-logs-example-bucket\\\"] ,\\\"redactedFields\\\":[],\\\"loggingFilterConfigs\\\":{\\\"defaultBehavior\\\":\\\"KEEP\\\", \\\"filters\\\":[{\\\"behavior\\\":\\\"KEEP\\\",\\\"requirement\\\":\\\"MEETS_ALL\\\", \\\"conditions\\\":[{\\\"actionCondition\\\":\\\"CAPTCHA\\\"},{\\\"actionCondition\\\": \\\"CHALLENGE\\\"}, {\\\"actionCondition\\\":\\\"EXCLUDED_AS_COUNT\\\"}]}]}},\\\"sampledRequestsEnabledForDefaultActions\\\":true}\"
Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the logDestinationConfigs in your loggingConfiguration. For information about WAF logging configurations, see LoggingConfiguration in the WAF API Reference
In the loggingConfiguration, you can specify one logDestinationConfigs. Optionally provide as many as 20 redactedFields. The RedactedFieldType must be one of URI, QUERY_STRING, HEADER, or METHOD.
Example: WAF Classic
\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"
Details about the service that are specific to the service type, in JSON format.
Example: DNS_FIREWALL
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.
Example: IMPORT_NETWORK_FIREWALL
\"{\\\"type\\\":\\\"IMPORT_NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\\/rg1\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:drop\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\\/ThreatSignaturesEmergingEventsStrictOrder\\\",\\\"priority\\\":8}],\\\"networkFirewallStatefulEngineOptions\\\":{\\\"ruleOrder\\\":\\\"STRICT_ORDER\\\"},\\\"networkFirewallStatefulDefaultActions\\\":[\\\"aws:drop_strict\\\"]}}\"
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.
Example: NETWORK_FIREWALL - Centralized deployment model
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"
To use the centralized deployment model, you must set PolicyOption to CENTRALIZED.
Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring firewallCreationConfig. To configure the Availability Zones in firewallCreationConfig, specify either the availabilityZoneName or availabilityZoneId parameter, not both parameters.
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
To use the distributed deployment model, you must set PolicyOption to NULL.
Example: SECURITY_GROUPS_COMMON
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_COMMON - Security group tag distribution
\"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"
Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges to true, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.
Firewall Manager won't distribute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws: prefix.
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_CONTENT_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"
The security group action for content audit can be ALLOW or DENY. For ALLOW, all in-scope security group rules must be within the allowed range of the policy's security group rules. For DENY, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"
Example: SHIELD_ADVANCED with web ACL management
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"optimizeUnassociatedWebACL\\\":true}\"
If you set optimizeUnassociatedWebACL to true, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.
If you set optimizeUnassociatedWebACL to false, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Specification for SHIELD_ADVANCED for Amazon CloudFront distributions
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"
For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"
The default value for automaticResponseStatus is IGNORED. The value for automaticResponseAction is only required when automaticResponseStatus is set to ENABLED. The default value for overrideCustomerWebaclClassic is false.
For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData configuration is an empty string.
Example: THIRD_PARTY_FIREWALL
Replace THIRD_PARTY_FIREWALL_NAME with the name of the third-party firewall.
\"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] }, \"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { \"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }\"
Example: WAFV2 - Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesATPRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesATPRuleSet\\\":{\\\"loginPath\\\":\\\"/loginpath\\\",\\\"requestInspection\\\":{\\\"payloadType\\\":\\\"FORM_ENCODED|JSON\\\",\\\"usernameField\\\":{\\\"identifier\\\":\\\"/form/username\\\"},\\\"passwordField\\\":{\\\"identifier\\\":\\\"/form/password\\\"}}}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true},{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesBotControlRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesBotControlRuleSet\\\":{\\\"inspectionLevel\\\":\\\"TARGETED|COMMON\\\"}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true,\\\"ruleActionOverrides\\\":[{\\\"name\\\":\\\"Rule1\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}},{\\\"name\\\":\\\"Rule2\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true}\"
Bot Control - For information about AWSManagedRulesBotControlRuleSet managed rule groups, see AWSManagedRulesBotControlRuleSet in the WAF API Reference.
Fraud Control account takeover prevention (ATP) - For information about the properties available for AWSManagedRulesATPRuleSet managed rule groups, see AWSManagedRulesATPRuleSet in the WAF API Reference.
Optimize unassociated web ACL - If you set optimizeUnassociatedWebACL to true, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.
If you set optimizeUnassociatedWebACL to false Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure a RuleActionOverrides add the Name of the rule to override, and ActionToUse, which is the new action to use for the rule. For information about using rule action override, see RuleActionOverride in the WAF API Reference.
Example: WAFV2 - CAPTCHA and Challenge configs
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"captchaConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":500}},\\\"challengeConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":800}},\\\"tokenDomains\\\":[\\\"google.com\\\",\\\"amazon.com\\\"],\\\"associationConfig\\\":{\\\"requestBody\\\":{\\\"CLOUDFRONT\\\":{\\\"defaultSizeInspectionLimit\\\":\\\"KB_16\\\"}}}}\"
CAPTCHA and Challenge configs - If you update the policy's values for associationConfig, captchaConfig, challengeConfig, or tokenDomains, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's associationConfig, captchaConfig, challengeConfig, or tokenDomains values, the values in your local web ACLs will remain unchanged. For information about association configs, see AssociationConfig. For information about CAPTCHA and Challenge configs, see CaptchaConfig and ChallengeConfig in the WAF API Reference.
defaultSizeInspectionLimit - Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to WAF for inspection. For more information, see DefaultSizeInspectionLimit in the WAF API Reference.
Example: WAFV2 - Firewall Manager support for WAF managed rule group versioning
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled to true, and set version to the version you'd like to use. If you don't set versionEnabled to true, or if you omit versionEnabled, then Firewall Manager uses the default version of the WAF managed rule group.
Example: WAFV2 - Logging configurations
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null, \\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\": {\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\", \\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"} ,\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[], \\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[], \\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\" :null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\" :false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\": [\\\"arn:aws:s3:::aws-waf-logs-example-bucket\\\"] ,\\\"redactedFields\\\":[],\\\"loggingFilterConfigs\\\":{\\\"defaultBehavior\\\":\\\"KEEP\\\", \\\"filters\\\":[{\\\"behavior\\\":\\\"KEEP\\\",\\\"requirement\\\":\\\"MEETS_ALL\\\", \\\"conditions\\\":[{\\\"actionCondition\\\":\\\"CAPTCHA\\\"},{\\\"actionCondition\\\": \\\"CHALLENGE\\\"}, {\\\"actionCondition\\\":\\\"EXCLUDED_AS_COUNT\\\"}]}]}},\\\"sampledRequestsEnabledForDefaultActions\\\":true}\"
Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the logDestinationConfigs in your loggingConfiguration. For information about WAF logging configurations, see LoggingConfiguration in the WAF API Reference
In the loggingConfiguration, you can specify one logDestinationConfigs. Optionally provide as many as 20 redactedFields. The RedactedFieldType must be one of URI, QUERY_STRING, HEADER, or METHOD.
Example: WAF Classic
\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"
The descriptive name of the resource set. You can't change the name of a resource set after you create it.
" } }, + "NetworkAclCommonPolicy": { + "base": "Defines a Firewall Manager network ACL policy. This is used in the PolicyOption of a SecurityServicePolicyData for a Policy, when the SecurityServicePolicyData type is set to NETWORK_ACL_COMMON.
For information about network ACLs, see Control traffic to subnets using network ACLs in the Amazon Virtual Private Cloud User Guide.
", + "refs": { + "PolicyOption$NetworkAclCommonPolicy": "Defines a Firewall Manager network ACL policy.
" + } + }, + "NetworkAclEntries": { + "base": null, + "refs": { + "NetworkAclEntrySet$FirstEntries": "The rules that you want to run first in the Firewall Manager managed network ACLs.
Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
The rules that you want to run last in the Firewall Manager managed network ACLs.
Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
Describes a rule in a network ACL.
Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the entries in the network ACL according to the rule numbers, in ascending order.
When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.
", + "refs": { + "EntryDescription$EntryDetail": "Describes a rule in a network ACL.
Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the entries in the network ACL according to the rule numbers, in ascending order.
When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.
", + "NetworkAclEntries$member": null + } + }, + "NetworkAclEntrySet": { + "base": "The configuration of the first and last rules for the network ACL policy, and the remediation settings for each.
", + "refs": { + "NetworkAclCommonPolicy$NetworkAclEntrySet": "The definition of the first and last rules for the network ACL policy.
" + } + }, + "NetworkAclIcmpTypeCode": { + "base": "ICMP protocol: The ICMP type and code.
", + "refs": { + "NetworkAclEntry$IcmpTypeCode": "ICMP protocol: The ICMP type and code.
" + } + }, + "NetworkAclPortRange": { + "base": "TCP or UDP protocols: The range of ports the rule applies to.
", + "refs": { + "NetworkAclEntry$PortRange": "TCP or UDP protocols: The range of ports the rule applies to.
" + } + }, + "NetworkAclRuleAction": { + "base": null, + "refs": { + "NetworkAclEntry$RuleAction": "Indicates whether to allow or deny the traffic that matches the rule.
" + } + }, "NetworkFirewallAction": { "base": null, "refs": { @@ -1087,8 +1259,8 @@ "OrganizationStatus": { "base": null, "refs": { - "AdminAccountSummary$Status": "The current status of the request to onboard a member account as an Firewall Manager administator.
ONBOARDING - The account is onboarding to Firewall Manager as an administrator.
ONBOARDING_COMPLETE - Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
OFFBOARDING - The account is being removed as an Firewall Manager administrator.
OFFBOARDING_COMPLETE - The account has been removed as an Firewall Manager administrator.
The current status of the request to onboard a member account as an Firewall Manager administator.
ONBOARDING - The account is onboarding to Firewall Manager as an administrator.
ONBOARDING_COMPLETE - Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
OFFBOARDING - The account is being removed as an Firewall Manager administrator.
OFFBOARDING_COMPLETE - The account has been removed as an Firewall Manager administrator.
The current status of the request to onboard a member account as an Firewall Manager administrator.
ONBOARDING - The account is onboarding to Firewall Manager as an administrator.
ONBOARDING_COMPLETE - Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
OFFBOARDING - The account is being removed as an Firewall Manager administrator.
OFFBOARDING_COMPLETE - The account has been removed as an Firewall Manager administrator.
The current status of the request to onboard a member account as an Firewall Manager administrator.
ONBOARDING - The account is onboarding to Firewall Manager as an administrator.
ONBOARDING_COMPLETE - Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
OFFBOARDING - The account is being removed as an Firewall Manager administrator.
OFFBOARDING_COMPLETE - The account has been removed as an Firewall Manager administrator.
The ID of the policy that you want to get the details for. PolicyId is returned by PutPolicy and by ListPolicies.
The ID of the Firewall Manager policy that you want the details for.
", "GetProtectionStatusRequest$PolicyId": "The ID of the policy for which you want to get the attack information.
", - "GetViolationDetailsRequest$PolicyId": "The ID of the Firewall Manager policy that you want the details for. You can get violation details for the following policy types:
DNS Firewall
Imported Network Firewall
Network Firewall
Security group content audit
Third-party firewall
The ID of the Firewall Manager policy that you want the details for. You can get violation details for the following policy types:
DNS Firewall
Imported Network Firewall
Network Firewall
Security group content audit
Network ACL
Third-party firewall
The ID of the Firewall Manager policy that you want the details for.
", "Policy$PolicyId": "The ID of the Firewall Manager policy.
", "PolicyComplianceDetail$PolicyId": "The ID of the Firewall Manager policy.
", @@ -1217,9 +1389,9 @@ } }, "PolicyOption": { - "base": "Contains the Network Firewall firewall policy options to configure the policy's deployment model and third-party firewall policy settings.
", + "base": "Contains the settings to configure a network ACL policy, a Network Firewall firewall policy deployment model, or a third-party firewall policy.
", "refs": { - "SecurityServicePolicyData$PolicyOption": "Contains the Network Firewall firewall policy options to configure a centralized deployment model.
" + "SecurityServicePolicyData$PolicyOption": "Contains the settings to configure a network ACL policy, a Network Firewall firewall policy deployment model, or a third-party firewall policy.
" } }, "PolicySummary": { @@ -1416,6 +1588,12 @@ "OrderedRemediationActions$member": null } }, + "ReplaceNetworkAclAssociationAction": { + "base": "Information about the ReplaceNetworkAclAssociation action in Amazon EC2. This is a remediation option in RemediationAction.
Information about the ReplaceNetworkAclAssociation action in Amazon EC2.
Details of a resource that is associated to an Firewall Manager resource set.
", "refs": { @@ -1472,6 +1650,9 @@ "FirewallSubnetMissingVPCEndpointViolation$FirewallSubnetId": "The ID of the firewall that this VPC endpoint is associated with.
", "FirewallSubnetMissingVPCEndpointViolation$VpcId": "The resource ID of the VPC associated with the deleted VPC subnet.
", "GetViolationDetailsRequest$ResourceId": "The ID of the resource that has violations.
", + "InvalidNetworkAclEntriesViolation$Vpc": "The VPC where the violation was found.
", + "InvalidNetworkAclEntriesViolation$Subnet": "The subnet that's associated with the network ACL.
", + "InvalidNetworkAclEntriesViolation$CurrentAssociatedNetworkAcl": "The network ACL containing the entry violations.
", "ListResourceSetResourcesRequest$Identifier": "A unique identifier for the resource set, used in a request to refer to the resource set.
", "NetworkFirewallBlackHoleRouteDetectedViolation$RouteTableId": "Information about the route table ID.
", "NetworkFirewallBlackHoleRouteDetectedViolation$VpcId": "Information about the VPC ID.
", @@ -1621,8 +1802,8 @@ "DiscoveredResource$Type": "The type of the discovered resource.
", "GetViolationDetailsRequest$ResourceType": "The resource type. This is in the format shown in the Amazon Web Services Resource Types Reference. Supported resource types are: AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::NetworkFirewall::FirewallPolicy, and AWS::EC2::Subnet.
The type of resources to discover.
", - "Policy$ResourceType": "The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList and then specify the resource types in a ResourceTypeList.
The following are valid resource types for each Firewall Manager policy type:
Amazon Web Services WAF Classic - AWS::ApiGateway::Stage, AWS::CloudFront::Distribution, and AWS::ElasticLoadBalancingV2::LoadBalancer.
WAF - AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, and AWS::CloudFront::Distribution.
DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC.
Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::ElasticLoadBalancing::LoadBalancer, AWS::EC2::EIP, and AWS::CloudFront::Distribution.
Security group content audit - AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and AWS::EC2::Instance.
Security group usage audit - AWS::EC2::SecurityGroup.
The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference. For WAF and Shield Advanced, examples include AWS::ElasticLoadBalancingV2::LoadBalancer and AWS::CloudFront::Distribution. For a security group common policy, valid values are AWS::EC2::NetworkInterface and AWS::EC2::Instance. For a security group content audit policy, valid values are AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and AWS::EC2::Instance. For a security group usage audit policy, the value is AWS::EC2::SecurityGroup. For an Network Firewall policy or DNS Firewall policy, the value is AWS::EC2::VPC.
The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList and then specify the resource types in a ResourceTypeList.
The following are valid resource types for each Firewall Manager policy type:
Amazon Web Services WAF Classic - AWS::ApiGateway::Stage, AWS::CloudFront::Distribution, and AWS::ElasticLoadBalancingV2::LoadBalancer.
WAF - AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, and AWS::CloudFront::Distribution.
Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::ElasticLoadBalancing::LoadBalancer, AWS::EC2::EIP, and AWS::CloudFront::Distribution.
Network ACL - AWS::EC2::Subnet.
Security group usage audit - AWS::EC2::SecurityGroup.
Security group content audit - AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and AWS::EC2::Instance.
DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC.
The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference.
", "ResourceTypeList$member": null, "ViolationDetail$ResourceType": "The resource type that the violation details were requested for.
" } diff --git a/models/apis/ivs-realtime/2020-07-14/api-2.json b/models/apis/ivs-realtime/2020-07-14/api-2.json index 92c38d5092..bad17f22a0 100644 --- a/models/apis/ivs-realtime/2020-07-14/api-2.json +++ b/models/apis/ivs-realtime/2020-07-14/api-2.json @@ -457,6 +457,7 @@ {"shape":"ValidationException"}, {"shape":"AccessDeniedException"}, {"shape":"ServiceQuotaExceededException"}, + {"shape":"ConflictException"}, {"shape":"PendingVerification"} ] } @@ -489,7 +490,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" }, "ChannelDestinationConfiguration":{ "type":"structure", @@ -1366,7 +1367,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" }, "ResourceNotFoundException":{ "type":"structure", diff --git a/models/apis/ivs/2020-07-14/api-2.json b/models/apis/ivs/2020-07-14/api-2.json index 43a950d2dc..f5fddfd3c2 100644 --- a/models/apis/ivs/2020-07-14/api-2.json +++ b/models/apis/ivs/2020-07-14/api-2.json @@ -690,7 +690,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" }, "ChannelArnList":{ "type":"list", @@ -1216,7 +1216,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:playback-key/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:playback-key/[a-zA-Z0-9-]+$" }, "PlaybackKeyPairFingerprint":{"type":"string"}, "PlaybackKeyPairList":{ @@ -1421,7 +1421,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" }, "ResourceNotFoundException":{ "type":"structure", @@ -1558,7 +1558,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:stream-key/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:stream-key/[a-zA-Z0-9-]+$" }, "StreamKeyArnList":{ "type":"list", diff --git a/models/apis/ivs/2020-07-14/docs-2.json b/models/apis/ivs/2020-07-14/docs-2.json index 328aeed023..8a8f406ce9 100644 --- a/models/apis/ivs/2020-07-14/docs-2.json +++ b/models/apis/ivs/2020-07-14/docs-2.json @@ -809,7 +809,7 @@ "ResourceArn": { "base": null, "refs": { - "BatchError$arn": "Channel ARN.
", + "BatchError$arn": "ARN of an IVS resource; e.g., channel.
", "ListTagsForResourceRequest$resourceArn": "The ARN of the resource to be retrieved. The ARN must be URL-encoded.
", "TagResourceRequest$resourceArn": "ARN of the resource for which tags are to be added or updated. The ARN must be URL-encoded.
", "UntagResourceRequest$resourceArn": "ARN of the resource for which tags are to be removed. The ARN must be URL-encoded.
" diff --git a/models/apis/rds/2014-10-31/api-2.json b/models/apis/rds/2014-10-31/api-2.json index 12e55fd0d7..c7158f15bc 100644 --- a/models/apis/rds/2014-10-31/api-2.json +++ b/models/apis/rds/2014-10-31/api-2.json @@ -4,6 +4,7 @@ "apiVersion":"2014-10-31", "endpointPrefix":"rds", "protocol":"query", + "protocols":["query"], "serviceAbbreviation":"Amazon RDS", "serviceFullName":"Amazon Relational Database Service", "serviceId":"RDS", diff --git a/models/apis/rds/2014-10-31/docs-2.json b/models/apis/rds/2014-10-31/docs-2.json index 16f1707b2f..c960a74424 100644 --- a/models/apis/rds/2014-10-31/docs-2.json +++ b/models/apis/rds/2014-10-31/docs-2.json @@ -657,7 +657,7 @@ "ModifyDBInstanceMessage$EnableIAMDatabaseAuthentication": "Specifies whether to enable mapping of Amazon Web Services Identity and Access Management (IAM) accounts to database accounts. By default, mapping isn't enabled.
This setting doesn't apply to Amazon Aurora. Mapping Amazon Web Services IAM accounts to database accounts is managed by the DB cluster.
For more information about IAM database authentication, see IAM Database Authentication for MySQL and PostgreSQL in the Amazon RDS User Guide.
This setting doesn't apply to RDS Custom DB instances.
", "ModifyDBInstanceMessage$EnablePerformanceInsights": "Specifies whether to enable Performance Insights for the DB instance.
For more information, see Using Amazon Performance Insights in the Amazon RDS User Guide.
This setting doesn't apply to RDS Custom DB instances.
", "ModifyDBInstanceMessage$UseDefaultProcessorFeatures": "Specifies whether the DB instance class of the DB instance uses its default processor features.
This setting doesn't apply to RDS Custom DB instances.
", - "ModifyDBInstanceMessage$DeletionProtection": "Specifies whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection isn't enabled. For more information, see Deleting a DB Instance.
", + "ModifyDBInstanceMessage$DeletionProtection": "Specifies whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection isn't enabled. For more information, see Deleting a DB Instance.
This setting doesn't apply to Amazon Aurora DB instances. You can enable or disable deletion protection for the DB cluster. For more information, see ModifyDBCluster. DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster.
Specifies whether the DB instance is restarted when you rotate your SSL/TLS certificate.
By default, the DB instance is restarted when you rotate your SSL/TLS certificate. The certificate is not updated until the DB instance is restarted.
Set this parameter only if you are not using SSL/TLS to connect to the DB instance.
If you are using SSL/TLS to connect to the DB instance, follow the appropriate instructions for your DB engine to rotate your SSL/TLS certificate:
For more information about rotating your SSL/TLS certificate for RDS DB engines, see Rotating Your SSL/TLS Certificate. in the Amazon RDS User Guide.
For more information about rotating your SSL/TLS certificate for Aurora DB engines, see Rotating Your SSL/TLS Certificate in the Amazon Aurora User Guide.
This setting doesn't apply to RDS Custom DB instances.
", "ModifyDBInstanceMessage$EnableCustomerOwnedIp": "Specifies whether to enable a customer-owned IP address (CoIP) for an RDS on Outposts DB instance.
A CoIP provides local or external connectivity to resources in your Outpost subnets through your on-premises network. For some use cases, a CoIP can provide lower latency for connections to the DB instance from outside of its virtual private cloud (VPC) on your local network.
For more information about RDS on Outposts, see Working with Amazon RDS on Amazon Web Services Outposts in the Amazon RDS User Guide.
For more information about CoIPs, see Customer-owned IP addresses in the Amazon Web Services Outposts User Guide.
", "ModifyDBInstanceMessage$ManageMasterUserPassword": "Specifies whether to manage the master user password with Amazon Web Services Secrets Manager.
If the DB instance doesn't manage the master user password with Amazon Web Services Secrets Manager, you can turn on this management. In this case, you can't specify MasterUserPassword.
If the DB instance already manages the master user password with Amazon Web Services Secrets Manager, and you specify that the master user password is not managed with Amazon Web Services Secrets Manager, then you must specify MasterUserPassword. In this case, Amazon RDS deletes the secret and uses the new password for the master user specified by MasterUserPassword.
For more information, see Password management with Amazon Web Services Secrets Manager in the Amazon RDS User Guide.
Constraints:
Can't manage the master user password with Amazon Web Services Secrets Manager if MasterUserPassword is specified.
The ARN for the Secrets Manager secret with the credentials for the user joining the domain.
Example: arn:aws:secretsmanager:region:account-number:secret:myselfmanagedADtestsecret-123456
The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. For example, arn:aws:iam:123456789012:role/emaccess. For information on creating a monitoring role, see Setting Up and Enabling Enhanced Monitoring in the Amazon RDS User Guide.
If MonitoringInterval is set to a value other than 0, then you must supply a MonitoringRoleArn value.
This setting doesn't apply to RDS Custom DB instances.
", "CreateDBInstanceMessage$DomainIAMRoleName": "The name of the IAM role to use when making API calls to the Directory Service.
This setting doesn't apply to the following DB instances:
Amazon Aurora (The domain is managed by the DB cluster.)
RDS Custom
The time zone of the DB instance. The time zone parameter is currently supported only by Microsoft SQL Server.
", + "CreateDBInstanceMessage$Timezone": "The time zone of the DB instance. The time zone parameter is currently supported only by RDS for Db2 and RDS for SQL Server.
", "CreateDBInstanceMessage$PerformanceInsightsKMSKeyId": "The Amazon Web Services KMS key identifier for encryption of Performance Insights data.
The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
If you don't specify a value for PerformanceInsightsKMSKeyId, then Amazon RDS uses your default KMS key. There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.
This setting doesn't apply to RDS Custom DB instances.
", "CreateDBInstanceMessage$CustomIamInstanceProfile": "The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance.
This setting is required for RDS Custom.
Constraints:
The profile must exist in your account.
The profile must have an IAM role that Amazon EC2 has permissions to assume.
The instance profile name and the associated IAM role name must start with the prefix AWSRDSCustom.
For the list of permissions required for the IAM role, see Configure IAM and your VPC in the Amazon RDS User Guide.
", "CreateDBInstanceMessage$BackupTarget": "The location for storing automated backups and manual snapshots.
Valid Values:
outposts (Amazon Web Services Outposts)
region (Amazon Web Services Region)
Default: region
For more information, see Working with Amazon RDS on Amazon Web Services Outposts in the Amazon RDS User Guide.
", @@ -4931,7 +4931,7 @@ "DBInstance$EnhancedMonitoringResourceArn": "The Amazon Resource Name (ARN) of the Amazon CloudWatch Logs log stream that receives the Enhanced Monitoring metrics data for the DB instance.
", "DBInstance$MonitoringRoleArn": "The ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs.
", "DBInstance$DBInstanceArn": "The Amazon Resource Name (ARN) for the DB instance.
", - "DBInstance$Timezone": "The time zone of the DB instance. In most cases, the Timezone element is empty. Timezone content appears only for Microsoft SQL Server DB instances that were created with a time zone specified.
The time zone of the DB instance. In most cases, the Timezone element is empty. Timezone content appears only for RDS for Db2 and RDS for SQL Server DB instances that were created with a time zone specified.
The Amazon Web Services KMS key identifier for encryption of Performance Insights data.
The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
", "DBInstance$AwsBackupRecoveryPointArn": "The Amazon Resource Name (ARN) of the recovery point in Amazon Web Services Backup.
", "DBInstance$ActivityStreamKmsKeyId": "The Amazon Web Services KMS key identifier used for encrypting messages in the database activity stream. The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
", @@ -5335,7 +5335,7 @@ "ModifyDBClusterSnapshotAttributeMessage$AttributeName": "The name of the DB cluster snapshot attribute to modify.
To manage authorization for other Amazon Web Services accounts to copy or restore a manual DB cluster snapshot, set this value to restore.
To view the list of attributes available to modify, use the DescribeDBClusterSnapshotAttributes API operation.
The identifier of DB instance to modify. This value is stored as a lowercase string.
Constraints:
Must match the identifier of an existing DB instance.
The new compute and memory capacity of the DB instance, for example db.m4.large. Not all DB instance classes are available in all Amazon Web Services Regions, or for all database engines. For the full list of DB instance classes, and availability for your engine, see DB Instance Class in the Amazon RDS User Guide or Aurora DB instance classes in the Amazon Aurora User Guide. For RDS Custom, see DB instance class support for RDS Custom for Oracle and DB instance class support for RDS Custom for SQL Server.
If you modify the DB instance class, an outage occurs during the change. The change is applied during the next maintenance window, unless you specify ApplyImmediately in your request.
Default: Uses existing setting
Constraints:
If you are modifying the DB instance class and upgrading the engine version at the same time, the currently running engine version must be supported on the specified DB instance class. Otherwise, the operation returns an error. In this case, first run the operation to upgrade the engine version, and then run it again to modify the DB instance class.
The new DB subnet group for the DB instance. You can use this parameter to move your DB instance to a different VPC. If your DB instance isn't in a VPC, you can also use this parameter to move your DB instance into a VPC. For more information, see Working with a DB instance in a VPC in the Amazon RDS User Guide.
Changing the subnet group causes an outage during the change. The change is applied during the next maintenance window, unless you enable ApplyImmediately.
This parameter doesn't apply to RDS Custom DB instances.
Constraints:
If supplied, must match existing DB subnet group.
Example: mydbsubnetgroup
The new DB subnet group for the DB instance. You can use this parameter to move your DB instance to a different VPC. If your DB instance isn't in a VPC, you can also use this parameter to move your DB instance into a VPC. For more information, see Working with a DB instance in a VPC in the Amazon RDS User Guide.
Changing the subnet group causes an outage during the change. The change is applied during the next maintenance window, unless you enable ApplyImmediately.
This setting doesn't apply to RDS Custom DB instances.
Constraints:
If supplied, must match existing DB subnet group.
Example: mydbsubnetgroup
The new password for the master user.
Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. Between the time of the request and the completion of the request, the MasterUserPassword element exists in the PendingModifiedValues element of the operation response.
Amazon RDS API operations never return the password, so this operation provides a way to regain access to a primary instance user if the password is lost. This includes restoring privileges that might have been accidentally revoked.
This setting doesn't apply to the following DB instances:
Amazon Aurora (The password for the master user is managed by the DB cluster. For more information, see ModifyDBCluster.)
RDS Custom
Default: Uses existing setting
Constraints:
Can't be specified if ManageMasterUserPassword is turned on.
Can include any printable ASCII character except \"/\", \"\"\", or \"@\". For RDS for Oracle, can't include the \"&\" (ampersand) or the \"'\" (single quotes) character.
Length Constraints:
RDS for Db2 - Must contain from 8 to 255 characters.
RDS for MariaDB - Must contain from 8 to 41 characters.
RDS for Microsoft SQL Server - Must contain from 8 to 128 characters.
RDS for MySQL - Must contain from 8 to 41 characters.
RDS for Oracle - Must contain from 8 to 30 characters.
RDS for PostgreSQL - Must contain from 8 to 128 characters.
The name of the DB parameter group to apply to the DB instance.
Changing this setting doesn't result in an outage. The parameter group name itself is changed immediately, but the actual parameter changes are not applied until you reboot the instance without failover. In this case, the DB instance isn't rebooted automatically, and the parameter changes aren't applied during the next maintenance window. However, if you modify dynamic parameters in the newly associated DB parameter group, these changes are applied immediately without a reboot.
This setting doesn't apply to RDS Custom DB instances.
Default: Uses existing setting
Constraints:
Must be in the same DB parameter group family as the DB instance.
The daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod parameter. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. The default is a 30-minute window selected at random from an 8-hour block of time for each Amazon Web Services Region. For more information, see Backup window in the Amazon RDS User Guide.
This setting doesn't apply to Amazon Aurora DB instances. The daily time range for creating automated backups is managed by the DB cluster. For more information, see ModifyDBCluster.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
Remove a tag from a Step Functions resource
", "UpdateMapRun": "Updates an in-progress Map Run's configuration to include changes to the settings that control maximum concurrency and Map Run failure.
", "UpdateStateMachine": "Updates an existing state machine by modifying its definition, roleArn, or loggingConfiguration. Running executions will continue to use the previous definition and roleArn. You must include at least one of definition or roleArn or you will receive a MissingRequiredParameter error.
A qualified state machine ARN refers to a Distributed Map state defined within a state machine. For example, the qualified state machine ARN arn:partition:states:region:account-id:stateMachine:stateMachineName/mapStateLabel refers to a Distributed Map state with a label mapStateLabel in the state machine named stateMachineName.
A qualified state machine ARN can either refer to a Distributed Map state defined within a state machine, a version ARN, or an alias ARN.
The following are some examples of qualified and unqualified state machine ARNs:
The following qualified state machine ARN refers to a Distributed Map state with a label mapStateLabel in a state machine named myStateMachine.
arn:partition:states:region:account-id:stateMachine:myStateMachine/mapStateLabel
If you provide a qualified state machine ARN that refers to a Distributed Map state, the request fails with ValidationException.
The following qualified state machine ARN refers to an alias named PROD.
arn:<partition>:states:<region>:<account-id>:stateMachine:<myStateMachine:PROD>
If you provide a qualified state machine ARN that refers to a version ARN or an alias ARN, the request starts execution for that version or alias.
The following unqualified state machine ARN refers to a state machine named myStateMachine.
arn:<partition>:states:<region>:<account-id>:stateMachine:<myStateMachine>
After you update your state machine, you can set the publish parameter to true in the same action to publish a new version. This way, you can opt-in to strict versioning of your state machine.
Step Functions assigns monotonically increasing integers for state machine versions, starting at version number 1.
All StartExecution calls within a few seconds use the updated definition and roleArn. Executions started immediately after you call UpdateStateMachine may use the previous state machine definition and roleArn.
Updates the configuration of an existing state machine alias by modifying its description or routingConfiguration.
You must specify at least one of the description or routingConfiguration parameters to update a state machine alias.
UpdateStateMachineAlias is an idempotent API. Step Functions bases the idempotency check on the stateMachineAliasArn, description, and routingConfiguration parameters. Requests with the same parameters return an idempotent response.
This operation is eventually consistent. All StartExecution requests made within a few seconds use the latest alias configuration. Executions started immediately after calling UpdateStateMachineAlias may use the previous routing configuration.
Related operations:
" + "UpdateStateMachineAlias": "Updates the configuration of an existing state machine alias by modifying its description or routingConfiguration.
You must specify at least one of the description or routingConfiguration parameters to update a state machine alias.
UpdateStateMachineAlias is an idempotent API. Step Functions bases the idempotency check on the stateMachineAliasArn, description, and routingConfiguration parameters. Requests with the same parameters return an idempotent response.
This operation is eventually consistent. All StartExecution requests made within a few seconds use the latest alias configuration. Executions started immediately after calling UpdateStateMachineAlias may use the previous routing configuration.
Related operations:
", + "ValidateStateMachineDefinition": "Validates the syntax of a state machine definition.
You can validate that a state machine definition is correct without creating a state machine resource. Step Functions will implicitly perform the same syntax check when you invoke CreateStateMachine and UpdateStateMachine. State machine definitions are specified using a JSON-based, structured language. For more information on Amazon States Language see Amazon States Language (ASL).
Suggested uses for ValidateStateMachineDefinition:
Integrate automated checks into your code review or Continuous Integration (CI) process to validate state machine definitions before starting deployments.
Run the validation from a Git pre-commit hook to check your state machine definitions before committing them to your source repository.
Errors found in the state machine definition will be returned in the response as a list of diagnostic elements, rather than raise an exception.
The Amazon States Language definition of the state machine. See Amazon States Language.
", "DescribeStateMachineOutput$definition": "The Amazon States Language definition of the state machine. See Amazon States Language.
", "TestStateInput$definition": "The Amazon States Language (ASL) definition of the state.
", - "UpdateStateMachineInput$definition": "The Amazon States Language definition of the state machine. See Amazon States Language.
" + "UpdateStateMachineInput$definition": "The Amazon States Language definition of the state machine. See Amazon States Language.
", + "ValidateStateMachineDefinitionInput$definition": "The Amazon States Language definition of the state machine. For more information, see Amazon States Language (ASL).
" } }, "DeleteActivityInput": { @@ -1288,7 +1290,8 @@ "refs": { "CreateStateMachineInput$type": "Determines whether a Standard or Express state machine is created. The default is STANDARD. You cannot update the type of a state machine once it has been created.
The type of the state machine (STANDARD or EXPRESS).
The target type of state machine for this definition. The default is STANDARD.
Identifying code for the diagnostic.
" + } + }, + "ValidateStateMachineDefinitionDiagnostic": { + "base": "Describes an error found during validation. Validation errors found in the definition return in the response as diagnostic elements, rather than raise an exception.
", + "refs": { + "ValidateStateMachineDefinitionDiagnosticList$member": null + } + }, + "ValidateStateMachineDefinitionDiagnosticList": { + "base": null, + "refs": { + "ValidateStateMachineDefinitionOutput$diagnostics": "If the result is OK, this field will be empty. When there are errors, this field will contain an array of Diagnostic objects to help you troubleshoot.
Location of the issue in the state machine, if available.
For errors specific to a field, the location could be in the format: /States/<StateName>/<FieldName>, for example: /States/FailState/ErrorPath.
Message describing the diagnostic condition.
" + } + }, + "ValidateStateMachineDefinitionOutput": { + "base": null, + "refs": { + } + }, + "ValidateStateMachineDefinitionResultCode": { + "base": null, + "refs": { + "ValidateStateMachineDefinitionOutput$result": "The result value will be OK when no syntax errors are found, or FAIL if the workflow definition does not pass verification.
A value of ERROR means that you cannot create or update a state machine with this definition.
The input does not satisfy the constraints specified by an Amazon Web Services service.
", "refs": { diff --git a/models/endpoints/endpoints.json b/models/endpoints/endpoints.json index eebad58953..aaebfda15c 100644 --- a/models/endpoints/endpoints.json +++ b/models/endpoints/endpoints.json @@ -23994,6 +23994,13 @@ }, "email" : { "endpoints" : { + "fips-us-gov-east-1" : { + "credentialScope" : { + "region" : "us-gov-east-1" + }, + "deprecated" : true, + "hostname" : "email-fips.us-gov-east-1.amazonaws.com" + }, "fips-us-gov-west-1" : { "credentialScope" : { "region" : "us-gov-west-1" @@ -24001,6 +24008,12 @@ "deprecated" : true, "hostname" : "email-fips.us-gov-west-1.amazonaws.com" }, + "us-gov-east-1" : { + "variants" : [ { + "hostname" : "email-fips.us-gov-east-1.amazonaws.com", + "tags" : [ "fips" ] + } ] + }, "us-gov-west-1" : { "variants" : [ { "hostname" : "email-fips.us-gov-west-1.amazonaws.com", @@ -25021,6 +25034,12 @@ "us-gov-west-1" : { } } }, + "license-manager-user-subscriptions" : { + "endpoints" : { + "us-gov-east-1" : { }, + "us-gov-west-1" : { } + } + }, "logs" : { "endpoints" : { "fips-us-gov-east-1" : { diff --git a/service/appsync/api.go b/service/appsync/api.go index 5a8064e379..843cba2e3f 100644 --- a/service/appsync/api.go +++ b/service/appsync/api.go @@ -17387,7 +17387,9 @@ type UpdateGraphqlApiInput struct { ApiId *string `location:"uri" locationName:"apiId" type:"string" required:"true"` // The new authentication type for the GraphqlApi object. - AuthenticationType *string `locationName:"authenticationType" type:"string" enum:"AuthenticationType"` + // + // AuthenticationType is a required field + AuthenticationType *string `locationName:"authenticationType" type:"string" required:"true" enum:"AuthenticationType"` // The enhancedMetricsConfig object. EnhancedMetricsConfig *EnhancedMetricsConfig `locationName:"enhancedMetricsConfig" type:"structure"` @@ -17476,6 +17478,9 @@ func (s *UpdateGraphqlApiInput) Validate() error { if s.ApiId != nil && len(*s.ApiId) < 1 { invalidParams.Add(request.NewErrParamMinLen("ApiId", 1)) } + if s.AuthenticationType == nil { + invalidParams.Add(request.NewErrParamRequired("AuthenticationType")) + } if s.Name == nil { invalidParams.Add(request.NewErrParamRequired("Name")) } diff --git a/service/fms/api.go b/service/fms/api.go index e4ab0de48f..d974c5c22c 100644 --- a/service/fms/api.go +++ b/service/fms/api.go @@ -1220,7 +1220,7 @@ func (c *FMS) GetAdminScopeRequest(input *GetAdminScopeInput) (req *request.Requ // GetAdminScope API operation for Firewall Management Service. // // Returns information about the specified account's administrative scope. The -// admistrative scope defines the resources that an Firewall Manager administrator +// administrative scope defines the resources that an Firewall Manager administrator // can manage. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -1416,22 +1416,8 @@ func (c *FMS) GetComplianceDetailRequest(input *GetComplianceDetailInput) (req * // Details include resources that are in and out of compliance with the specified // policy. // -// - Resources are considered noncompliant for WAF and Shield Advanced policies -// if the specified policy has not been applied to them. -// -// - Resources are considered noncompliant for security group policies if -// they are in scope of the policy, they violate one or more of the policy -// rules, and remediation is disabled or not possible. -// -// - Resources are considered noncompliant for Network Firewall policies -// if a firewall is missing in the VPC, if the firewall endpoint isn't set -// up in an expected Availability Zone and subnet, if a subnet created by -// the Firewall Manager doesn't have the expected route table, and for modifications -// to a firewall policy that violate the Firewall Manager policy's rules. -// -// - Resources are considered noncompliant for DNS Firewall policies if a -// DNS Firewall rule group is missing from the rule group associations for -// the VPC. +// The reasons for resources being considered compliant depend on the Firewall +// Manager policy type. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -4056,6 +4042,9 @@ func (c *FMS) PutPolicyRequest(input *PutPolicyInput) (req *request.Request, out // // Firewall Manager provides the following types of policies: // +// - WAF policy - This policy applies WAF web ACL protections to specified +// accounts and resources. +// // - Shield Advanced policy - This policy applies Shield Advanced protection // to specified accounts and resources. // @@ -4063,6 +4052,11 @@ func (c *FMS) PutPolicyRequest(input *PutPolicyInput) (req *request.Request, out // security groups that are in use throughout your organization in Organizations // and lets you enforce a baseline set of rules across your organization. // +// - Network ACL policy - This type of policy gives you control over the +// network ACLs that are in use throughout your organization in Organizations +// and lets you enforce a baseline set of first and last network ACL rules +// across your organization. +// // - Network Firewall policy - This policy applies Network Firewall protection // to your organization's VPCs. // @@ -4662,7 +4656,7 @@ type AdminAccountSummary struct { DefaultAdmin *bool `type:"boolean"` // The current status of the request to onboard a member account as an Firewall - // Manager administator. + // Manager administrator. // // * ONBOARDING - The account is onboarding to Firewall Manager as an administrator. // @@ -5643,6 +5637,121 @@ func (s *ComplianceViolator) SetViolationReason(v string) *ComplianceViolator { return s } +// Information about the CreateNetworkAcl action in Amazon EC2. This is a remediation +// option in RemediationAction. +type CreateNetworkAclAction struct { + _ struct{} `type:"structure"` + + // Brief description of this remediation action. + Description *string `type:"string"` + + // Indicates whether it is possible for Firewall Manager to perform this remediation + // action. A false value indicates that auto remediation is disabled or Firewall + // Manager is unable to perform the action due to a conflict of some kind. + FMSCanRemediate *bool `type:"boolean"` + + // The VPC that's associated with the remediation action. + Vpc *ActionTarget `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateNetworkAclAction) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateNetworkAclAction) GoString() string { + return s.String() +} + +// SetDescription sets the Description field's value. +func (s *CreateNetworkAclAction) SetDescription(v string) *CreateNetworkAclAction { + s.Description = &v + return s +} + +// SetFMSCanRemediate sets the FMSCanRemediate field's value. +func (s *CreateNetworkAclAction) SetFMSCanRemediate(v bool) *CreateNetworkAclAction { + s.FMSCanRemediate = &v + return s +} + +// SetVpc sets the Vpc field's value. +func (s *CreateNetworkAclAction) SetVpc(v *ActionTarget) *CreateNetworkAclAction { + s.Vpc = v + return s +} + +// Information about the CreateNetworkAclEntries action in Amazon EC2. This +// is a remediation option in RemediationAction. +type CreateNetworkAclEntriesAction struct { + _ struct{} `type:"structure"` + + // Brief description of this remediation action. + Description *string `type:"string"` + + // Indicates whether it is possible for Firewall Manager to perform this remediation + // action. A false value indicates that auto remediation is disabled or Firewall + // Manager is unable to perform the action due to a conflict of some kind. + FMSCanRemediate *bool `type:"boolean"` + + // Lists the entries that the remediation action would create. + NetworkAclEntriesToBeCreated []*EntryDescription `type:"list"` + + // The network ACL that's associated with the remediation action. + NetworkAclId *ActionTarget `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateNetworkAclEntriesAction) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateNetworkAclEntriesAction) GoString() string { + return s.String() +} + +// SetDescription sets the Description field's value. +func (s *CreateNetworkAclEntriesAction) SetDescription(v string) *CreateNetworkAclEntriesAction { + s.Description = &v + return s +} + +// SetFMSCanRemediate sets the FMSCanRemediate field's value. +func (s *CreateNetworkAclEntriesAction) SetFMSCanRemediate(v bool) *CreateNetworkAclEntriesAction { + s.FMSCanRemediate = &v + return s +} + +// SetNetworkAclEntriesToBeCreated sets the NetworkAclEntriesToBeCreated field's value. +func (s *CreateNetworkAclEntriesAction) SetNetworkAclEntriesToBeCreated(v []*EntryDescription) *CreateNetworkAclEntriesAction { + s.NetworkAclEntriesToBeCreated = v + return s +} + +// SetNetworkAclId sets the NetworkAclId field's value. +func (s *CreateNetworkAclEntriesAction) SetNetworkAclId(v *ActionTarget) *CreateNetworkAclEntriesAction { + s.NetworkAclId = v + return s +} + type DeleteAppsListInput struct { _ struct{} `type:"structure"` @@ -5715,6 +5824,68 @@ func (s DeleteAppsListOutput) GoString() string { return s.String() } +// Information about the DeleteNetworkAclEntries action in Amazon EC2. This +// is a remediation option in RemediationAction. +type DeleteNetworkAclEntriesAction struct { + _ struct{} `type:"structure"` + + // Brief description of this remediation action. + Description *string `type:"string"` + + // Indicates whether it is possible for Firewall Manager to perform this remediation + // action. A false value indicates that auto remediation is disabled or Firewall + // Manager is unable to perform the action due to a conflict of some kind. + FMSCanRemediate *bool `type:"boolean"` + + // Lists the entries that the remediation action would delete. + NetworkAclEntriesToBeDeleted []*EntryDescription `type:"list"` + + // The network ACL that's associated with the remediation action. + NetworkAclId *ActionTarget `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s DeleteNetworkAclEntriesAction) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s DeleteNetworkAclEntriesAction) GoString() string { + return s.String() +} + +// SetDescription sets the Description field's value. +func (s *DeleteNetworkAclEntriesAction) SetDescription(v string) *DeleteNetworkAclEntriesAction { + s.Description = &v + return s +} + +// SetFMSCanRemediate sets the FMSCanRemediate field's value. +func (s *DeleteNetworkAclEntriesAction) SetFMSCanRemediate(v bool) *DeleteNetworkAclEntriesAction { + s.FMSCanRemediate = &v + return s +} + +// SetNetworkAclEntriesToBeDeleted sets the NetworkAclEntriesToBeDeleted field's value. +func (s *DeleteNetworkAclEntriesAction) SetNetworkAclEntriesToBeDeleted(v []*EntryDescription) *DeleteNetworkAclEntriesAction { + s.NetworkAclEntriesToBeDeleted = v + return s +} + +// SetNetworkAclId sets the NetworkAclId field's value. +func (s *DeleteNetworkAclEntriesAction) SetNetworkAclId(v *ActionTarget) *DeleteNetworkAclEntriesAction { + s.NetworkAclId = v + return s +} + type DeleteNotificationChannelInput struct { _ struct{} `type:"structure"` } @@ -6826,6 +6997,156 @@ func (s *EC2ReplaceRouteTableAssociationAction) SetRouteTableId(v *ActionTarget) return s } +// Describes a single rule in a network ACL. +type EntryDescription struct { + _ struct{} `type:"structure"` + + // Describes a rule in a network ACL. + // + // Each network ACL has a set of numbered ingress rules and a separate set of + // numbered egress rules. When determining whether a packet should be allowed + // in or out of a subnet associated with the network ACL, Amazon Web Services + // processes the entries in the network ACL according to the rule numbers, in + // ascending order. + // + // When you manage an individual network ACL, you explicitly specify the rule + // numbers. When you specify the network ACL rules in a Firewall Manager policy, + // you provide the rules to run first, in the order that you want them to run, + // and the rules to run last, in the order that you want them to run. Firewall + // Manager assigns the rule numbers for you when you save the network ACL policy + // specification. + EntryDetail *NetworkAclEntry `type:"structure"` + + // The rule number for the entry. ACL entries are processed in ascending order + // by rule number. In a Firewall Manager network ACL policy, Firewall Manager + // assigns rule numbers. + EntryRuleNumber *int64 `type:"integer"` + + // Specifies whether the entry is managed by Firewall Manager or by a user, + // and, for Firewall Manager-managed entries, specifies whether the entry is + // among those that run first in the network ACL or those that run last. + EntryType *string `type:"string" enum:"EntryType"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s EntryDescription) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s EntryDescription) GoString() string { + return s.String() +} + +// SetEntryDetail sets the EntryDetail field's value. +func (s *EntryDescription) SetEntryDetail(v *NetworkAclEntry) *EntryDescription { + s.EntryDetail = v + return s +} + +// SetEntryRuleNumber sets the EntryRuleNumber field's value. +func (s *EntryDescription) SetEntryRuleNumber(v int64) *EntryDescription { + s.EntryRuleNumber = &v + return s +} + +// SetEntryType sets the EntryType field's value. +func (s *EntryDescription) SetEntryType(v string) *EntryDescription { + s.EntryType = &v + return s +} + +// Detailed information about an entry violation in a network ACL. The violation +// is against the network ACL specification inside the Firewall Manager network +// ACL policy. This data object is part of InvalidNetworkAclEntriesViolation. +type EntryViolation struct { + _ struct{} `type:"structure"` + + // The evaluation location within the ordered list of entries where the ExpectedEntry + // is currently located. + ActualEvaluationOrder *string `type:"string"` + + // The list of entries that are in conflict with ExpectedEntry. + EntriesWithConflicts []*EntryDescription `type:"list"` + + // The entry that's currently in the ExpectedEvaluationOrder location, in place + // of the expected entry. + EntryAtExpectedEvaluationOrder *EntryDescription `type:"structure"` + + // Descriptions of the violations that Firewall Manager found for these entries. + EntryViolationReasons []*string `type:"list" enum:"EntryViolationReason"` + + // The Firewall Manager-managed network ACL entry that is involved in the entry + // violation. + ExpectedEntry *EntryDescription `type:"structure"` + + // The evaluation location within the ordered list of entries where the ExpectedEntry + // should be, according to the network ACL policy specifications. + ExpectedEvaluationOrder *string `type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s EntryViolation) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s EntryViolation) GoString() string { + return s.String() +} + +// SetActualEvaluationOrder sets the ActualEvaluationOrder field's value. +func (s *EntryViolation) SetActualEvaluationOrder(v string) *EntryViolation { + s.ActualEvaluationOrder = &v + return s +} + +// SetEntriesWithConflicts sets the EntriesWithConflicts field's value. +func (s *EntryViolation) SetEntriesWithConflicts(v []*EntryDescription) *EntryViolation { + s.EntriesWithConflicts = v + return s +} + +// SetEntryAtExpectedEvaluationOrder sets the EntryAtExpectedEvaluationOrder field's value. +func (s *EntryViolation) SetEntryAtExpectedEvaluationOrder(v *EntryDescription) *EntryViolation { + s.EntryAtExpectedEvaluationOrder = v + return s +} + +// SetEntryViolationReasons sets the EntryViolationReasons field's value. +func (s *EntryViolation) SetEntryViolationReasons(v []*string) *EntryViolation { + s.EntryViolationReasons = v + return s +} + +// SetExpectedEntry sets the ExpectedEntry field's value. +func (s *EntryViolation) SetExpectedEntry(v *EntryDescription) *EntryViolation { + s.ExpectedEntry = v + return s +} + +// SetExpectedEvaluationOrder sets the ExpectedEvaluationOrder field's value. +func (s *EntryViolation) SetExpectedEvaluationOrder(v string) *EntryViolation { + s.ExpectedEvaluationOrder = &v + return s +} + // Describes the compliance status for the account. An account is considered // noncompliant if it includes resources that are not protected by the specified // policy or that don't comply with the policy. @@ -7243,7 +7564,7 @@ func (s *GetAdminAccountOutput) SetRoleStatus(v string) *GetAdminAccountOutput { type GetAdminScopeInput struct { _ struct{} `type:"structure"` - // The administator account that you want to get the details for. + // The administrator account that you want to get the details for. // // AdminAccount is a required field AdminAccount *string `min:"1" type:"string" required:"true"` @@ -7296,7 +7617,7 @@ type GetAdminScopeOutput struct { AdminScope *AdminScope `type:"structure"` // The current status of the request to onboard a member account as an Firewall - // Manager administator. + // Manager administrator. // // * ONBOARDING - The account is onboarding to Firewall Manager as an administrator. // @@ -8214,6 +8535,8 @@ type GetViolationDetailsInput struct { // // * Security group content audit // + // * Network ACL + // // * Third-party firewall // // PolicyId is a required field @@ -8469,6 +8792,74 @@ func (s *InvalidInputException) RequestID() string { return s.RespMetadata.RequestID } +// Violation detail for the entries in a network ACL resource. +type InvalidNetworkAclEntriesViolation struct { + _ struct{} `type:"structure"` + + // The network ACL containing the entry violations. + CurrentAssociatedNetworkAcl *string `min:"1" type:"string"` + + // Detailed information about the entry violations in the network ACL. + EntryViolations []*EntryViolation `type:"list"` + + // The subnet that's associated with the network ACL. + Subnet *string `min:"1" type:"string"` + + // The Availability Zone where the network ACL is in use. + SubnetAvailabilityZone *string `type:"string"` + + // The VPC where the violation was found. + Vpc *string `min:"1" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s InvalidNetworkAclEntriesViolation) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s InvalidNetworkAclEntriesViolation) GoString() string { + return s.String() +} + +// SetCurrentAssociatedNetworkAcl sets the CurrentAssociatedNetworkAcl field's value. +func (s *InvalidNetworkAclEntriesViolation) SetCurrentAssociatedNetworkAcl(v string) *InvalidNetworkAclEntriesViolation { + s.CurrentAssociatedNetworkAcl = &v + return s +} + +// SetEntryViolations sets the EntryViolations field's value. +func (s *InvalidNetworkAclEntriesViolation) SetEntryViolations(v []*EntryViolation) *InvalidNetworkAclEntriesViolation { + s.EntryViolations = v + return s +} + +// SetSubnet sets the Subnet field's value. +func (s *InvalidNetworkAclEntriesViolation) SetSubnet(v string) *InvalidNetworkAclEntriesViolation { + s.Subnet = &v + return s +} + +// SetSubnetAvailabilityZone sets the SubnetAvailabilityZone field's value. +func (s *InvalidNetworkAclEntriesViolation) SetSubnetAvailabilityZone(v string) *InvalidNetworkAclEntriesViolation { + s.SubnetAvailabilityZone = &v + return s +} + +// SetVpc sets the Vpc field's value. +func (s *InvalidNetworkAclEntriesViolation) SetVpc(v string) *InvalidNetworkAclEntriesViolation { + s.Vpc = &v + return s +} + // The operation failed because there was nothing to do or the operation wasn't // possible. For example, you might have submitted an AssociateAdminAccount // request for an account ID that was already set as the Firewall Manager administrator. @@ -10057,22 +10448,20 @@ func (s *ListThirdPartyFirewallFirewallPoliciesOutput) SetThirdPartyFirewallFire return s } -// Violation detail for an internet gateway route with an inactive state in -// the customer subnet route table or Network Firewall subnet route table. -type NetworkFirewallBlackHoleRouteDetectedViolation struct { +// Defines a Firewall Manager network ACL policy. This is used in the PolicyOption +// of a SecurityServicePolicyData for a Policy, when the SecurityServicePolicyData +// type is set to NETWORK_ACL_COMMON. +// +// For information about network ACLs, see Control traffic to subnets using +// network ACLs (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) +// in the Amazon Virtual Private Cloud User Guide. +type NetworkAclCommonPolicy struct { _ struct{} `type:"structure"` - // Information about the route table ID. - RouteTableId *string `min:"1" type:"string"` - - // Information about the route or routes that are in violation. - ViolatingRoutes []*Route `type:"list"` - - // The subnet that has an inactive state. - ViolationTarget *string `type:"string"` - - // Information about the VPC ID. - VpcId *string `min:"1" type:"string"` + // The definition of the first and last rules for the network ACL policy. + // + // NetworkAclEntrySet is a required field + NetworkAclEntrySet *NetworkAclEntrySet `type:"structure" required:"true"` } // String returns the string representation. @@ -10080,7 +10469,7 @@ type NetworkFirewallBlackHoleRouteDetectedViolation struct { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s NetworkFirewallBlackHoleRouteDetectedViolation) String() string { +func (s NetworkAclCommonPolicy) String() string { return awsutil.Prettify(s) } @@ -10089,14 +10478,435 @@ func (s NetworkFirewallBlackHoleRouteDetectedViolation) String() string { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s NetworkFirewallBlackHoleRouteDetectedViolation) GoString() string { +func (s NetworkAclCommonPolicy) GoString() string { return s.String() } -// SetRouteTableId sets the RouteTableId field's value. -func (s *NetworkFirewallBlackHoleRouteDetectedViolation) SetRouteTableId(v string) *NetworkFirewallBlackHoleRouteDetectedViolation { - s.RouteTableId = &v - return s +// Validate inspects the fields of the type to determine if they are valid. +func (s *NetworkAclCommonPolicy) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "NetworkAclCommonPolicy"} + if s.NetworkAclEntrySet == nil { + invalidParams.Add(request.NewErrParamRequired("NetworkAclEntrySet")) + } + if s.NetworkAclEntrySet != nil { + if err := s.NetworkAclEntrySet.Validate(); err != nil { + invalidParams.AddNested("NetworkAclEntrySet", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetNetworkAclEntrySet sets the NetworkAclEntrySet field's value. +func (s *NetworkAclCommonPolicy) SetNetworkAclEntrySet(v *NetworkAclEntrySet) *NetworkAclCommonPolicy { + s.NetworkAclEntrySet = v + return s +} + +// Describes a rule in a network ACL. +// +// Each network ACL has a set of numbered ingress rules and a separate set of +// numbered egress rules. When determining whether a packet should be allowed +// in or out of a subnet associated with the network ACL, Amazon Web Services +// processes the entries in the network ACL according to the rule numbers, in +// ascending order. +// +// When you manage an individual network ACL, you explicitly specify the rule +// numbers. When you specify the network ACL rules in a Firewall Manager policy, +// you provide the rules to run first, in the order that you want them to run, +// and the rules to run last, in the order that you want them to run. Firewall +// Manager assigns the rule numbers for you when you save the network ACL policy +// specification. +type NetworkAclEntry struct { + _ struct{} `type:"structure"` + + // The IPv4 network range to allow or deny, in CIDR notation. + CidrBlock *string `min:"1" type:"string"` + + // Indicates whether the rule is an egress, or outbound, rule (applied to traffic + // leaving the subnet). If it's not an egress rule, then it's an ingress, or + // inbound, rule. + // + // Egress is a required field + Egress *bool `type:"boolean" required:"true"` + + // ICMP protocol: The ICMP type and code. + IcmpTypeCode *NetworkAclIcmpTypeCode `type:"structure"` + + // The IPv6 network range to allow or deny, in CIDR notation. + Ipv6CidrBlock *string `min:"1" type:"string"` + + // TCP or UDP protocols: The range of ports the rule applies to. + PortRange *NetworkAclPortRange `type:"structure"` + + // The protocol number. A value of "-1" means all protocols. + // + // Protocol is a required field + Protocol *string `type:"string" required:"true"` + + // Indicates whether to allow or deny the traffic that matches the rule. + // + // RuleAction is a required field + RuleAction *string `type:"string" required:"true" enum:"NetworkAclRuleAction"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkAclEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkAclEntry) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *NetworkAclEntry) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "NetworkAclEntry"} + if s.CidrBlock != nil && len(*s.CidrBlock) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CidrBlock", 1)) + } + if s.Egress == nil { + invalidParams.Add(request.NewErrParamRequired("Egress")) + } + if s.Ipv6CidrBlock != nil && len(*s.Ipv6CidrBlock) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Ipv6CidrBlock", 1)) + } + if s.Protocol == nil { + invalidParams.Add(request.NewErrParamRequired("Protocol")) + } + if s.RuleAction == nil { + invalidParams.Add(request.NewErrParamRequired("RuleAction")) + } + if s.IcmpTypeCode != nil { + if err := s.IcmpTypeCode.Validate(); err != nil { + invalidParams.AddNested("IcmpTypeCode", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCidrBlock sets the CidrBlock field's value. +func (s *NetworkAclEntry) SetCidrBlock(v string) *NetworkAclEntry { + s.CidrBlock = &v + return s +} + +// SetEgress sets the Egress field's value. +func (s *NetworkAclEntry) SetEgress(v bool) *NetworkAclEntry { + s.Egress = &v + return s +} + +// SetIcmpTypeCode sets the IcmpTypeCode field's value. +func (s *NetworkAclEntry) SetIcmpTypeCode(v *NetworkAclIcmpTypeCode) *NetworkAclEntry { + s.IcmpTypeCode = v + return s +} + +// SetIpv6CidrBlock sets the Ipv6CidrBlock field's value. +func (s *NetworkAclEntry) SetIpv6CidrBlock(v string) *NetworkAclEntry { + s.Ipv6CidrBlock = &v + return s +} + +// SetPortRange sets the PortRange field's value. +func (s *NetworkAclEntry) SetPortRange(v *NetworkAclPortRange) *NetworkAclEntry { + s.PortRange = v + return s +} + +// SetProtocol sets the Protocol field's value. +func (s *NetworkAclEntry) SetProtocol(v string) *NetworkAclEntry { + s.Protocol = &v + return s +} + +// SetRuleAction sets the RuleAction field's value. +func (s *NetworkAclEntry) SetRuleAction(v string) *NetworkAclEntry { + s.RuleAction = &v + return s +} + +// The configuration of the first and last rules for the network ACL policy, +// and the remediation settings for each. +type NetworkAclEntrySet struct { + _ struct{} `type:"structure"` + + // The rules that you want to run first in the Firewall Manager managed network + // ACLs. + // + // Provide these in the order in which you want them to run. Firewall Manager + // will assign the specific rule numbers for you, in the network ACLs that it + // creates. + FirstEntries []*NetworkAclEntry `type:"list"` + + // Applies only when remediation is enabled for the policy as a whole. Firewall + // Manager uses this setting when it finds policy violations that involve conflicts + // between the custom entries and the policy entries. + // + // If forced remediation is disabled, Firewall Manager marks the network ACL + // as noncompliant and does not try to remediate. For more information about + // the remediation behavior, see Network access control list (ACL) policies + // (https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html) + // in the Firewall Manager Developer Guide. + // + // ForceRemediateForFirstEntries is a required field + ForceRemediateForFirstEntries *bool `type:"boolean" required:"true"` + + // Applies only when remediation is enabled for the policy as a whole. Firewall + // Manager uses this setting when it finds policy violations that involve conflicts + // between the custom entries and the policy entries. + // + // If forced remediation is disabled, Firewall Manager marks the network ACL + // as noncompliant and does not try to remediate. For more information about + // the remediation behavior, see Network access control list (ACL) policies + // (https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html) + // in the Firewall Manager Developer Guide. + // + // ForceRemediateForLastEntries is a required field + ForceRemediateForLastEntries *bool `type:"boolean" required:"true"` + + // The rules that you want to run last in the Firewall Manager managed network + // ACLs. + // + // Provide these in the order in which you want them to run. Firewall Manager + // will assign the specific rule numbers for you, in the network ACLs that it + // creates. + LastEntries []*NetworkAclEntry `type:"list"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkAclEntrySet) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkAclEntrySet) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *NetworkAclEntrySet) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "NetworkAclEntrySet"} + if s.ForceRemediateForFirstEntries == nil { + invalidParams.Add(request.NewErrParamRequired("ForceRemediateForFirstEntries")) + } + if s.ForceRemediateForLastEntries == nil { + invalidParams.Add(request.NewErrParamRequired("ForceRemediateForLastEntries")) + } + if s.FirstEntries != nil { + for i, v := range s.FirstEntries { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "FirstEntries", i), err.(request.ErrInvalidParams)) + } + } + } + if s.LastEntries != nil { + for i, v := range s.LastEntries { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "LastEntries", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetFirstEntries sets the FirstEntries field's value. +func (s *NetworkAclEntrySet) SetFirstEntries(v []*NetworkAclEntry) *NetworkAclEntrySet { + s.FirstEntries = v + return s +} + +// SetForceRemediateForFirstEntries sets the ForceRemediateForFirstEntries field's value. +func (s *NetworkAclEntrySet) SetForceRemediateForFirstEntries(v bool) *NetworkAclEntrySet { + s.ForceRemediateForFirstEntries = &v + return s +} + +// SetForceRemediateForLastEntries sets the ForceRemediateForLastEntries field's value. +func (s *NetworkAclEntrySet) SetForceRemediateForLastEntries(v bool) *NetworkAclEntrySet { + s.ForceRemediateForLastEntries = &v + return s +} + +// SetLastEntries sets the LastEntries field's value. +func (s *NetworkAclEntrySet) SetLastEntries(v []*NetworkAclEntry) *NetworkAclEntrySet { + s.LastEntries = v + return s +} + +// ICMP protocol: The ICMP type and code. +type NetworkAclIcmpTypeCode struct { + _ struct{} `type:"structure"` + + // ICMP code. + Code *int64 `type:"integer"` + + // ICMP type. + Type *int64 `type:"integer"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkAclIcmpTypeCode) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkAclIcmpTypeCode) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *NetworkAclIcmpTypeCode) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "NetworkAclIcmpTypeCode"} + if s.Code != nil && *s.Code < -2.147483648e+09 { + invalidParams.Add(request.NewErrParamMinValue("Code", -2.147483648e+09)) + } + if s.Type != nil && *s.Type < -2.147483648e+09 { + invalidParams.Add(request.NewErrParamMinValue("Type", -2.147483648e+09)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCode sets the Code field's value. +func (s *NetworkAclIcmpTypeCode) SetCode(v int64) *NetworkAclIcmpTypeCode { + s.Code = &v + return s +} + +// SetType sets the Type field's value. +func (s *NetworkAclIcmpTypeCode) SetType(v int64) *NetworkAclIcmpTypeCode { + s.Type = &v + return s +} + +// TCP or UDP protocols: The range of ports the rule applies to. +type NetworkAclPortRange struct { + _ struct{} `type:"structure"` + + // The beginning port number of the range. + From *int64 `type:"integer"` + + // The ending port number of the range. + To *int64 `type:"integer"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkAclPortRange) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkAclPortRange) GoString() string { + return s.String() +} + +// SetFrom sets the From field's value. +func (s *NetworkAclPortRange) SetFrom(v int64) *NetworkAclPortRange { + s.From = &v + return s +} + +// SetTo sets the To field's value. +func (s *NetworkAclPortRange) SetTo(v int64) *NetworkAclPortRange { + s.To = &v + return s +} + +// Violation detail for an internet gateway route with an inactive state in +// the customer subnet route table or Network Firewall subnet route table. +type NetworkFirewallBlackHoleRouteDetectedViolation struct { + _ struct{} `type:"structure"` + + // Information about the route table ID. + RouteTableId *string `min:"1" type:"string"` + + // Information about the route or routes that are in violation. + ViolatingRoutes []*Route `type:"list"` + + // The subnet that has an inactive state. + ViolationTarget *string `type:"string"` + + // Information about the VPC ID. + VpcId *string `min:"1" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkFirewallBlackHoleRouteDetectedViolation) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s NetworkFirewallBlackHoleRouteDetectedViolation) GoString() string { + return s.String() +} + +// SetRouteTableId sets the RouteTableId field's value. +func (s *NetworkFirewallBlackHoleRouteDetectedViolation) SetRouteTableId(v string) *NetworkFirewallBlackHoleRouteDetectedViolation { + s.RouteTableId = &v + return s } // SetViolatingRoutes sets the ViolatingRoutes field's value. @@ -11279,15 +12089,17 @@ type Policy struct { // * WAF - AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, // and AWS::CloudFront::Distribution. // - // * DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC. - // // * Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::ElasticLoadBalancing::LoadBalancer, // AWS::EC2::EIP, and AWS::CloudFront::Distribution. // + // * Network ACL - AWS::EC2::Subnet. + // + // * Security group usage audit - AWS::EC2::SecurityGroup. + // // * Security group content audit - AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, // and AWS::EC2::Instance. // - // * Security group usage audit - AWS::EC2::SecurityGroup. + // * DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC. // // ResourceType is a required field ResourceType *string `min:"1" type:"string" required:"true"` @@ -11644,11 +12456,14 @@ func (s *PolicyComplianceStatus) SetPolicyOwner(v string) *PolicyComplianceStatu return s } -// Contains the Network Firewall firewall policy options to configure the policy's -// deployment model and third-party firewall policy settings. +// Contains the settings to configure a network ACL policy, a Network Firewall +// firewall policy deployment model, or a third-party firewall policy. type PolicyOption struct { _ struct{} `type:"structure"` + // Defines a Firewall Manager network ACL policy. + NetworkAclCommonPolicy *NetworkAclCommonPolicy `type:"structure"` + // Defines the deployment model to use for the firewall policy. NetworkFirewallPolicy *NetworkFirewallPolicy `type:"structure"` @@ -11674,6 +12489,27 @@ func (s PolicyOption) GoString() string { return s.String() } +// Validate inspects the fields of the type to determine if they are valid. +func (s *PolicyOption) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "PolicyOption"} + if s.NetworkAclCommonPolicy != nil { + if err := s.NetworkAclCommonPolicy.Validate(); err != nil { + invalidParams.AddNested("NetworkAclCommonPolicy", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetNetworkAclCommonPolicy sets the NetworkAclCommonPolicy field's value. +func (s *PolicyOption) SetNetworkAclCommonPolicy(v *NetworkAclCommonPolicy) *PolicyOption { + s.NetworkAclCommonPolicy = v + return s +} + // SetNetworkFirewallPolicy sets the NetworkFirewallPolicy field's value. func (s *PolicyOption) SetNetworkFirewallPolicy(v *NetworkFirewallPolicy) *PolicyOption { s.NetworkFirewallPolicy = v @@ -11727,13 +12563,6 @@ type PolicySummary struct { // The type of resource protected by or in scope of the policy. This is in the // format shown in the Amazon Web Services Resource Types Reference (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html). - // For WAF and Shield Advanced, examples include AWS::ElasticLoadBalancingV2::LoadBalancer - // and AWS::CloudFront::Distribution. For a security group common policy, valid - // values are AWS::EC2::NetworkInterface and AWS::EC2::Instance. For a security - // group content audit policy, valid values are AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, - // and AWS::EC2::Instance. For a security group usage audit policy, the value - // is AWS::EC2::SecurityGroup. For an Network Firewall policy or DNS Firewall - // policy, the value is AWS::EC2::VPC. ResourceType *string `min:"1" type:"string"` // The service that the policy is using to protect the resources. This specifies @@ -12796,6 +13625,15 @@ func (s *RegionScope) SetRegions(v []*string) *RegionScope { type RemediationAction struct { _ struct{} `type:"structure"` + // Information about the CreateNetworkAcl action in Amazon EC2. + CreateNetworkAclAction *CreateNetworkAclAction `type:"structure"` + + // Information about the CreateNetworkAclEntries action in Amazon EC2. + CreateNetworkAclEntriesAction *CreateNetworkAclEntriesAction `type:"structure"` + + // Information about the DeleteNetworkAclEntries action in Amazon EC2. + DeleteNetworkAclEntriesAction *DeleteNetworkAclEntriesAction `type:"structure"` + // A description of a remediation action. Description *string `type:"string"` @@ -12823,6 +13661,9 @@ type RemediationAction struct { // The remedial action to take when updating a firewall configuration. FMSPolicyUpdateFirewallCreationConfigAction *FMSPolicyUpdateFirewallCreationConfigAction `type:"structure"` + + // Information about the ReplaceNetworkAclAssociation action in Amazon EC2. + ReplaceNetworkAclAssociationAction *ReplaceNetworkAclAssociationAction `type:"structure"` } // String returns the string representation. @@ -12843,6 +13684,24 @@ func (s RemediationAction) GoString() string { return s.String() } +// SetCreateNetworkAclAction sets the CreateNetworkAclAction field's value. +func (s *RemediationAction) SetCreateNetworkAclAction(v *CreateNetworkAclAction) *RemediationAction { + s.CreateNetworkAclAction = v + return s +} + +// SetCreateNetworkAclEntriesAction sets the CreateNetworkAclEntriesAction field's value. +func (s *RemediationAction) SetCreateNetworkAclEntriesAction(v *CreateNetworkAclEntriesAction) *RemediationAction { + s.CreateNetworkAclEntriesAction = v + return s +} + +// SetDeleteNetworkAclEntriesAction sets the DeleteNetworkAclEntriesAction field's value. +func (s *RemediationAction) SetDeleteNetworkAclEntriesAction(v *DeleteNetworkAclEntriesAction) *RemediationAction { + s.DeleteNetworkAclEntriesAction = v + return s +} + // SetDescription sets the Description field's value. func (s *RemediationAction) SetDescription(v string) *RemediationAction { s.Description = &v @@ -12897,6 +13756,12 @@ func (s *RemediationAction) SetFMSPolicyUpdateFirewallCreationConfigAction(v *FM return s } +// SetReplaceNetworkAclAssociationAction sets the ReplaceNetworkAclAssociationAction field's value. +func (s *RemediationAction) SetReplaceNetworkAclAssociationAction(v *ReplaceNetworkAclAssociationAction) *RemediationAction { + s.ReplaceNetworkAclAssociationAction = v + return s +} + // An ordered list of actions you can take to remediate a violation. type RemediationActionWithOrder struct { _ struct{} `type:"structure"` @@ -12938,6 +13803,68 @@ func (s *RemediationActionWithOrder) SetRemediationAction(v *RemediationAction) return s } +// Information about the ReplaceNetworkAclAssociation action in Amazon EC2. +// This is a remediation option in RemediationAction. +type ReplaceNetworkAclAssociationAction struct { + _ struct{} `type:"structure"` + + // Describes a remediation action target. + AssociationId *ActionTarget `type:"structure"` + + // Brief description of this remediation action. + Description *string `type:"string"` + + // Indicates whether it is possible for Firewall Manager to perform this remediation + // action. A false value indicates that auto remediation is disabled or Firewall + // Manager is unable to perform the action due to a conflict of some kind. + FMSCanRemediate *bool `type:"boolean"` + + // The network ACL that's associated with the remediation action. + NetworkAclId *ActionTarget `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ReplaceNetworkAclAssociationAction) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ReplaceNetworkAclAssociationAction) GoString() string { + return s.String() +} + +// SetAssociationId sets the AssociationId field's value. +func (s *ReplaceNetworkAclAssociationAction) SetAssociationId(v *ActionTarget) *ReplaceNetworkAclAssociationAction { + s.AssociationId = v + return s +} + +// SetDescription sets the Description field's value. +func (s *ReplaceNetworkAclAssociationAction) SetDescription(v string) *ReplaceNetworkAclAssociationAction { + s.Description = &v + return s +} + +// SetFMSCanRemediate sets the FMSCanRemediate field's value. +func (s *ReplaceNetworkAclAssociationAction) SetFMSCanRemediate(v bool) *ReplaceNetworkAclAssociationAction { + s.FMSCanRemediate = &v + return s +} + +// SetNetworkAclId sets the NetworkAclId field's value. +func (s *ReplaceNetworkAclAssociationAction) SetNetworkAclId(v *ActionTarget) *ReplaceNetworkAclAssociationAction { + s.NetworkAclId = v + return s +} + // Details of a resource that is associated to an Firewall Manager resource // set. type Resource struct { @@ -13368,6 +14295,9 @@ type ResourceViolation struct { // was deleted. FirewallSubnetMissingVPCEndpointViolation *FirewallSubnetMissingVPCEndpointViolation `type:"structure"` + // Violation detail for the entries in a network ACL resource. + InvalidNetworkAclEntriesViolation *InvalidNetworkAclEntriesViolation `type:"structure"` + // Violation detail for an internet gateway route with an inactive state in // the customer subnet route table or Network Firewall subnet route table. NetworkFirewallBlackHoleRouteDetectedViolation *NetworkFirewallBlackHoleRouteDetectedViolation `type:"structure"` @@ -13491,6 +14421,12 @@ func (s *ResourceViolation) SetFirewallSubnetMissingVPCEndpointViolation(v *Fire return s } +// SetInvalidNetworkAclEntriesViolation sets the InvalidNetworkAclEntriesViolation field's value. +func (s *ResourceViolation) SetInvalidNetworkAclEntriesViolation(v *InvalidNetworkAclEntriesViolation) *ResourceViolation { + s.InvalidNetworkAclEntriesViolation = v + return s +} + // SetNetworkFirewallBlackHoleRouteDetectedViolation sets the NetworkFirewallBlackHoleRouteDetectedViolation field's value. func (s *ResourceViolation) SetNetworkFirewallBlackHoleRouteDetectedViolation(v *NetworkFirewallBlackHoleRouteDetectedViolation) *ResourceViolation { s.NetworkFirewallBlackHoleRouteDetectedViolation = v @@ -13971,7 +14907,7 @@ type SecurityServicePolicyData struct { // otherwise Firewall Manager won't be able to create the policy. When you // enable revertManualSecurityGroupChanges, Firewall Manager identifies and // reports when the security groups created by this policy become non-compliant. - // Firewall Manager won't distrubute system tags added by Amazon Web Services + // Firewall Manager won't distribute system tags added by Amazon Web Services // services into the replica security groups. System tags begin with the // aws: prefix. // @@ -14102,8 +15038,8 @@ type SecurityServicePolicyData struct { // \"BLOCK\"}}" ManagedServiceData *string `min:"1" type:"string"` - // Contains the Network Firewall firewall policy options to configure a centralized - // deployment model. + // Contains the settings to configure a network ACL policy, a Network Firewall + // firewall policy deployment model, or a third-party firewall policy. PolicyOption *PolicyOption `type:"structure"` // The service that the policy is using to protect the resources. This specifies @@ -14144,6 +15080,11 @@ func (s *SecurityServicePolicyData) Validate() error { if s.Type == nil { invalidParams.Add(request.NewErrParamRequired("Type")) } + if s.PolicyOption != nil { + if err := s.PolicyOption.Validate(); err != nil { + invalidParams.AddNested("PolicyOption", err.(request.ErrInvalidParams)) + } + } if invalidParams.Len() > 0 { return invalidParams @@ -15051,6 +15992,46 @@ func DestinationType_Values() []string { } } +const ( + // EntryTypeFmsManagedFirstEntry is a EntryType enum value + EntryTypeFmsManagedFirstEntry = "FMS_MANAGED_FIRST_ENTRY" + + // EntryTypeFmsManagedLastEntry is a EntryType enum value + EntryTypeFmsManagedLastEntry = "FMS_MANAGED_LAST_ENTRY" + + // EntryTypeCustomEntry is a EntryType enum value + EntryTypeCustomEntry = "CUSTOM_ENTRY" +) + +// EntryType_Values returns all elements of the EntryType enum +func EntryType_Values() []string { + return []string{ + EntryTypeFmsManagedFirstEntry, + EntryTypeFmsManagedLastEntry, + EntryTypeCustomEntry, + } +} + +const ( + // EntryViolationReasonMissingExpectedEntry is a EntryViolationReason enum value + EntryViolationReasonMissingExpectedEntry = "MISSING_EXPECTED_ENTRY" + + // EntryViolationReasonIncorrectEntryOrder is a EntryViolationReason enum value + EntryViolationReasonIncorrectEntryOrder = "INCORRECT_ENTRY_ORDER" + + // EntryViolationReasonEntryConflict is a EntryViolationReason enum value + EntryViolationReasonEntryConflict = "ENTRY_CONFLICT" +) + +// EntryViolationReason_Values returns all elements of the EntryViolationReason enum +func EntryViolationReason_Values() []string { + return []string{ + EntryViolationReasonMissingExpectedEntry, + EntryViolationReasonIncorrectEntryOrder, + EntryViolationReasonEntryConflict, + } +} + const ( // FailedItemReasonNotValidArn is a FailedItemReason enum value FailedItemReasonNotValidArn = "NOT_VALID_ARN" @@ -15119,6 +16100,22 @@ func MarketplaceSubscriptionOnboardingStatus_Values() []string { } } +const ( + // NetworkAclRuleActionAllow is a NetworkAclRuleAction enum value + NetworkAclRuleActionAllow = "allow" + + // NetworkAclRuleActionDeny is a NetworkAclRuleAction enum value + NetworkAclRuleActionDeny = "deny" +) + +// NetworkAclRuleAction_Values returns all elements of the NetworkAclRuleAction enum +func NetworkAclRuleAction_Values() []string { + return []string{ + NetworkAclRuleActionAllow, + NetworkAclRuleActionDeny, + } +} + const ( // NetworkFirewallOverrideActionDropToAlert is a NetworkFirewallOverrideAction enum value NetworkFirewallOverrideActionDropToAlert = "DROP_TO_ALERT" @@ -15249,6 +16246,9 @@ const ( // SecurityServiceTypeImportNetworkFirewall is a SecurityServiceType enum value SecurityServiceTypeImportNetworkFirewall = "IMPORT_NETWORK_FIREWALL" + + // SecurityServiceTypeNetworkAclCommon is a SecurityServiceType enum value + SecurityServiceTypeNetworkAclCommon = "NETWORK_ACL_COMMON" ) // SecurityServiceType_Values returns all elements of the SecurityServiceType enum @@ -15264,6 +16264,7 @@ func SecurityServiceType_Values() []string { SecurityServiceTypeDnsFirewall, SecurityServiceTypeThirdPartyFirewall, SecurityServiceTypeImportNetworkFirewall, + SecurityServiceTypeNetworkAclCommon, } } @@ -15443,6 +16444,9 @@ const ( // ViolationReasonFirewallSubnetMissingVpceEndpoint is a ViolationReason enum value ViolationReasonFirewallSubnetMissingVpceEndpoint = "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT" + + // ViolationReasonInvalidNetworkAclEntry is a ViolationReason enum value + ViolationReasonInvalidNetworkAclEntry = "INVALID_NETWORK_ACL_ENTRY" ) // ViolationReason_Values returns all elements of the ViolationReason enum @@ -15476,5 +16480,6 @@ func ViolationReason_Values() []string { ViolationReasonResourceMissingDnsFirewall, ViolationReasonRouteHasOutOfScopeEndpoint, ViolationReasonFirewallSubnetMissingVpceEndpoint, + ViolationReasonInvalidNetworkAclEntry, } } diff --git a/service/ivs/api.go b/service/ivs/api.go index 538742c222..bf49453159 100644 --- a/service/ivs/api.go +++ b/service/ivs/api.go @@ -3540,7 +3540,7 @@ func (s *AudioConfiguration) SetTargetBitrate(v int64) *AudioConfiguration { type BatchError struct { _ struct{} `type:"structure"` - // Channel ARN. + // ARN of an IVS resource; e.g., channel. Arn *string `locationName:"arn" min:"1" type:"string"` // Error code. diff --git a/service/ivsrealtime/api.go b/service/ivsrealtime/api.go index 6110f50941..14270c9b56 100644 --- a/service/ivsrealtime/api.go +++ b/service/ivsrealtime/api.go @@ -2728,6 +2728,8 @@ func (c *IVSRealTime) UpdateStageRequest(input *UpdateStageInput) (req *request. // // - ServiceQuotaExceededException // +// - ConflictException +// // - PendingVerification // // See also, https://docs.aws.amazon.com/goto/WebAPI/ivs-realtime-2020-07-14/UpdateStage diff --git a/service/rds/api.go b/service/rds/api.go index 10b608b6bc..632afa38f2 100644 --- a/service/rds/api.go +++ b/service/rds/api.go @@ -24479,7 +24479,8 @@ type CreateDBInstanceInput struct { TdeCredentialPassword *string `type:"string"` // The time zone of the DB instance. The time zone parameter is currently supported - // only by Microsoft SQL Server (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.TimeZone). + // only by RDS for Db2 (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone) + // and RDS for SQL Server (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.TimeZone). Timezone *string `type:"string"` // A list of Amazon EC2 VPC security groups to associate with this DB instance. @@ -30804,8 +30805,8 @@ type DBInstance struct { TdeCredentialArn *string `type:"string"` // The time zone of the DB instance. In most cases, the Timezone element is - // empty. Timezone content appears only for Microsoft SQL Server DB instances - // that were created with a time zone specified. + // empty. Timezone content appears only for RDS for Db2 and RDS for SQL Server + // DB instances that were created with a time zone specified. Timezone *string `type:"string"` // The list of Amazon EC2 VPC security groups that the DB instance belongs to. @@ -48322,7 +48323,7 @@ type ModifyDBInstanceInput struct { // Changing the subnet group causes an outage during the change. The change // is applied during the next maintenance window, unless you enable ApplyImmediately. // - // This parameter doesn't apply to RDS Custom DB instances. + // This setting doesn't apply to RDS Custom DB instances. // // Constraints: // @@ -48338,6 +48339,11 @@ type ModifyDBInstanceInput struct { // can't be deleted when deletion protection is enabled. By default, deletion // protection isn't enabled. For more information, see Deleting a DB Instance // (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html). + // + // This setting doesn't apply to Amazon Aurora DB instances. You can enable + // or disable deletion protection for the DB cluster. For more information, + // see ModifyDBCluster. DB instances in a DB cluster can be deleted even when + // deletion protection is enabled for the DB cluster. DeletionProtection *bool `type:"boolean"` // Specifies whether to remove the DB instance from the Active Directory domain. diff --git a/service/sfn/api.go b/service/sfn/api.go index ff17c215c1..673a046bb9 100644 --- a/service/sfn/api.go +++ b/service/sfn/api.go @@ -2746,6 +2746,10 @@ func (c *SFN) RedriveExecutionRequest(input *RedriveExecutionInput) (req *reques // - InvalidArn // The provided Amazon Resource Name (ARN) is not valid. // +// - ValidationException +// The input does not satisfy the constraints specified by an Amazon Web Services +// service. +// // See also, https://docs.aws.amazon.com/goto/WebAPI/states-2016-11-23/RedriveExecution func (c *SFN) RedriveExecution(input *RedriveExecutionInput) (*RedriveExecutionOutput, error) { req, out := c.RedriveExecutionRequest(input) @@ -4054,6 +4058,104 @@ func (c *SFN) UpdateStateMachineAliasWithContext(ctx aws.Context, input *UpdateS return out, req.Send() } +const opValidateStateMachineDefinition = "ValidateStateMachineDefinition" + +// ValidateStateMachineDefinitionRequest generates a "aws/request.Request" representing the +// client's request for the ValidateStateMachineDefinition operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ValidateStateMachineDefinition for more information on using the ValidateStateMachineDefinition +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the ValidateStateMachineDefinitionRequest method. +// req, resp := client.ValidateStateMachineDefinitionRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/states-2016-11-23/ValidateStateMachineDefinition +func (c *SFN) ValidateStateMachineDefinitionRequest(input *ValidateStateMachineDefinitionInput) (req *request.Request, output *ValidateStateMachineDefinitionOutput) { + op := &request.Operation{ + Name: opValidateStateMachineDefinition, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ValidateStateMachineDefinitionInput{} + } + + output = &ValidateStateMachineDefinitionOutput{} + req = c.newRequest(op, input, output) + return +} + +// ValidateStateMachineDefinition API operation for AWS Step Functions. +// +// Validates the syntax of a state machine definition. +// +// You can validate that a state machine definition is correct without creating +// a state machine resource. Step Functions will implicitly perform the same +// syntax check when you invoke CreateStateMachine and UpdateStateMachine. State +// machine definitions are specified using a JSON-based, structured language. +// For more information on Amazon States Language see Amazon States Language +// (https://docs.aws.amazon.com/step-functions/latest/dg/concepts-amazon-states-language.html) +// (ASL). +// +// Suggested uses for ValidateStateMachineDefinition: +// +// - Integrate automated checks into your code review or Continuous Integration +// (CI) process to validate state machine definitions before starting deployments. +// +// - Run the validation from a Git pre-commit hook to check your state machine +// definitions before committing them to your source repository. +// +// Errors found in the state machine definition will be returned in the response +// as a list of diagnostic elements, rather than raise an exception. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Step Functions's +// API operation ValidateStateMachineDefinition for usage and error information. +// +// Returned Error Types: +// - ValidationException +// The input does not satisfy the constraints specified by an Amazon Web Services +// service. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/states-2016-11-23/ValidateStateMachineDefinition +func (c *SFN) ValidateStateMachineDefinition(input *ValidateStateMachineDefinitionInput) (*ValidateStateMachineDefinitionOutput, error) { + req, out := c.ValidateStateMachineDefinitionRequest(input) + return out, req.Send() +} + +// ValidateStateMachineDefinitionWithContext is the same as ValidateStateMachineDefinition with the addition of +// the ability to pass a context and additional request options. +// +// See ValidateStateMachineDefinition for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *SFN) ValidateStateMachineDefinitionWithContext(ctx aws.Context, input *ValidateStateMachineDefinitionInput, opts ...request.Option) (*ValidateStateMachineDefinitionOutput, error) { + req, out := c.ValidateStateMachineDefinitionRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + // The specified activity does not exist. type ActivityDoesNotExist struct { _ struct{} `type:"structure"` @@ -14531,6 +14633,187 @@ func (s *UpdateStateMachineOutput) SetUpdateDate(v time.Time) *UpdateStateMachin return s } +// Describes an error found during validation. Validation errors found in the +// definition return in the response as diagnostic elements, rather than raise +// an exception. +type ValidateStateMachineDefinitionDiagnostic struct { + _ struct{} `type:"structure"` + + // Identifying code for the diagnostic. + // + // Code is a required field + Code *string `locationName:"code" type:"string" required:"true"` + + // Location of the issue in the state machine, if available. + // + // For errors specific to a field, the location could be in the format: /States/