aws-sdk-fms 1.31.0 → 1.36.0

data/lib/aws-sdk-fms/client_api.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -25,6 +25,7 @@ module Aws::FMS
     AwsEc2NetworkInterfaceViolation = Shapes::StructureShape.new(name: 'AwsEc2NetworkInterfaceViolation')
     AwsEc2NetworkInterfaceViolations = Shapes::ListShape.new(name: 'AwsEc2NetworkInterfaceViolations')
     AwsVPCSecurityGroupViolation = Shapes::StructureShape.new(name: 'AwsVPCSecurityGroupViolation')
+    BasicInteger = Shapes::IntegerShape.new(name: 'BasicInteger')
     Boolean = Shapes::BooleanShape.new(name: 'Boolean')
     CIDR = Shapes::StringShape.new(name: 'CIDR')
     ComplianceViolator = Shapes::StructureShape.new(name: 'ComplianceViolator')
@@ -40,6 +41,11 @@ module Aws::FMS
     DependentServiceName = Shapes::StringShape.new(name: 'DependentServiceName')
     DetailedInfo = Shapes::StringShape.new(name: 'DetailedInfo')
     DisassociateAdminAccountRequest = Shapes::StructureShape.new(name: 'DisassociateAdminAccountRequest')
+    DnsDuplicateRuleGroupViolation = Shapes::StructureShape.new(name: 'DnsDuplicateRuleGroupViolation')
+    DnsRuleGroupLimitExceededViolation = Shapes::StructureShape.new(name: 'DnsRuleGroupLimitExceededViolation')
+    DnsRuleGroupPriorities = Shapes::ListShape.new(name: 'DnsRuleGroupPriorities')
+    DnsRuleGroupPriority = Shapes::IntegerShape.new(name: 'DnsRuleGroupPriority')
+    DnsRuleGroupPriorityConflictViolation = Shapes::StructureShape.new(name: 'DnsRuleGroupPriorityConflictViolation')
     ErrorMessage = Shapes::StringShape.new(name: 'ErrorMessage')
     EvaluationResult = Shapes::StructureShape.new(name: 'EvaluationResult')
     EvaluationResults = Shapes::ListShape.new(name: 'EvaluationResults')
@@ -82,6 +88,14 @@ module Aws::FMS
     ListTagsForResourceResponse = Shapes::StructureShape.new(name: 'ListTagsForResourceResponse')
     ManagedServiceData = Shapes::StringShape.new(name: 'ManagedServiceData')
     MemberAccounts = Shapes::ListShape.new(name: 'MemberAccounts')
+    NetworkFirewallAction = Shapes::StringShape.new(name: 'NetworkFirewallAction')
+    NetworkFirewallActionList = Shapes::ListShape.new(name: 'NetworkFirewallActionList')
+    NetworkFirewallMissingExpectedRTViolation = Shapes::StructureShape.new(name: 'NetworkFirewallMissingExpectedRTViolation')
+    NetworkFirewallMissingFirewallViolation = Shapes::StructureShape.new(name: 'NetworkFirewallMissingFirewallViolation')
+    NetworkFirewallMissingSubnetViolation = Shapes::StructureShape.new(name: 'NetworkFirewallMissingSubnetViolation')
+    NetworkFirewallPolicyDescription = Shapes::StructureShape.new(name: 'NetworkFirewallPolicyDescription')
+    NetworkFirewallPolicyModifiedViolation = Shapes::StructureShape.new(name: 'NetworkFirewallPolicyModifiedViolation')
+    NetworkFirewallResourceName = Shapes::StringShape.new(name: 'NetworkFirewallResourceName')
     PaginationMaxResults = Shapes::IntegerShape.new(name: 'PaginationMaxResults')
     PaginationToken = Shapes::StringShape.new(name: 'PaginationToken')
     PartialMatch = Shapes::StructureShape.new(name: 'PartialMatch')
@@ -133,6 +147,11 @@ module Aws::FMS
     SecurityGroupRuleDescription = Shapes::StructureShape.new(name: 'SecurityGroupRuleDescription')
     SecurityServicePolicyData = Shapes::StructureShape.new(name: 'SecurityServicePolicyData')
     SecurityServiceType = Shapes::StringShape.new(name: 'SecurityServiceType')
+    StatefulRuleGroup = Shapes::StructureShape.new(name: 'StatefulRuleGroup')
+    StatefulRuleGroupList = Shapes::ListShape.new(name: 'StatefulRuleGroupList')
+    StatelessRuleGroup = Shapes::StructureShape.new(name: 'StatelessRuleGroup')
+    StatelessRuleGroupList = Shapes::ListShape.new(name: 'StatelessRuleGroupList')
+    StatelessRuleGroupPriority = Shapes::IntegerShape.new(name: 'StatelessRuleGroupPriority')
     Tag = Shapes::StructureShape.new(name: 'Tag')
     TagKey = Shapes::StringShape.new(name: 'TagKey')
     TagKeyList = Shapes::ListShape.new(name: 'TagKeyList')
@@ -219,6 +238,24 @@ module Aws::FMS
 
     DisassociateAdminAccountRequest.struct_class = Types::DisassociateAdminAccountRequest
 
+    DnsDuplicateRuleGroupViolation.add_member(:violation_target, Shapes::ShapeRef.new(shape: ViolationTarget, location_name: "ViolationTarget"))
+    DnsDuplicateRuleGroupViolation.add_member(:violation_target_description, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "ViolationTargetDescription"))
+    DnsDuplicateRuleGroupViolation.struct_class = Types::DnsDuplicateRuleGroupViolation
+
+    DnsRuleGroupLimitExceededViolation.add_member(:violation_target, Shapes::ShapeRef.new(shape: ViolationTarget, location_name: "ViolationTarget"))
+    DnsRuleGroupLimitExceededViolation.add_member(:violation_target_description, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "ViolationTargetDescription"))
+    DnsRuleGroupLimitExceededViolation.add_member(:number_of_rule_groups_already_associated, Shapes::ShapeRef.new(shape: BasicInteger, location_name: "NumberOfRuleGroupsAlreadyAssociated"))
+    DnsRuleGroupLimitExceededViolation.struct_class = Types::DnsRuleGroupLimitExceededViolation
+
+    DnsRuleGroupPriorities.member = Shapes::ShapeRef.new(shape: DnsRuleGroupPriority)
+
+    DnsRuleGroupPriorityConflictViolation.add_member(:violation_target, Shapes::ShapeRef.new(shape: ViolationTarget, location_name: "ViolationTarget"))
+    DnsRuleGroupPriorityConflictViolation.add_member(:violation_target_description, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "ViolationTargetDescription"))
+    DnsRuleGroupPriorityConflictViolation.add_member(:conflicting_priority, Shapes::ShapeRef.new(shape: DnsRuleGroupPriority, location_name: "ConflictingPriority"))
+    DnsRuleGroupPriorityConflictViolation.add_member(:conflicting_policy_id, Shapes::ShapeRef.new(shape: PolicyId, location_name: "ConflictingPolicyId"))
+    DnsRuleGroupPriorityConflictViolation.add_member(:unavailable_priorities, Shapes::ShapeRef.new(shape: DnsRuleGroupPriorities, location_name: "UnavailablePriorities"))
+    DnsRuleGroupPriorityConflictViolation.struct_class = Types::DnsRuleGroupPriorityConflictViolation
+
     EvaluationResult.add_member(:compliance_status, Shapes::ShapeRef.new(shape: PolicyComplianceStatusType, location_name: "ComplianceStatus"))
     EvaluationResult.add_member(:violator_count, Shapes::ShapeRef.new(shape: ResourceCount, location_name: "ViolatorCount"))
     EvaluationResult.add_member(:evaluation_limit_exceeded, Shapes::ShapeRef.new(shape: Boolean, location_name: "EvaluationLimitExceeded"))
@@ -360,6 +397,39 @@ module Aws::FMS
 
     MemberAccounts.member = Shapes::ShapeRef.new(shape: AWSAccountId)
 
+    NetworkFirewallActionList.member = Shapes::ShapeRef.new(shape: NetworkFirewallAction)
+
+    NetworkFirewallMissingExpectedRTViolation.add_member(:violation_target, Shapes::ShapeRef.new(shape: ViolationTarget, location_name: "ViolationTarget"))
+    NetworkFirewallMissingExpectedRTViolation.add_member(:vpc, Shapes::ShapeRef.new(shape: ResourceId, location_name: "VPC"))
+    NetworkFirewallMissingExpectedRTViolation.add_member(:availability_zone, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "AvailabilityZone"))
+    NetworkFirewallMissingExpectedRTViolation.add_member(:current_route_table, Shapes::ShapeRef.new(shape: ResourceId, location_name: "CurrentRouteTable"))
+    NetworkFirewallMissingExpectedRTViolation.add_member(:expected_route_table, Shapes::ShapeRef.new(shape: ResourceId, location_name: "ExpectedRouteTable"))
+    NetworkFirewallMissingExpectedRTViolation.struct_class = Types::NetworkFirewallMissingExpectedRTViolation
+
+    NetworkFirewallMissingFirewallViolation.add_member(:violation_target, Shapes::ShapeRef.new(shape: ViolationTarget, location_name: "ViolationTarget"))
+    NetworkFirewallMissingFirewallViolation.add_member(:vpc, Shapes::ShapeRef.new(shape: ResourceId, location_name: "VPC"))
+    NetworkFirewallMissingFirewallViolation.add_member(:availability_zone, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "AvailabilityZone"))
+    NetworkFirewallMissingFirewallViolation.add_member(:target_violation_reason, Shapes::ShapeRef.new(shape: TargetViolationReason, location_name: "TargetViolationReason"))
+    NetworkFirewallMissingFirewallViolation.struct_class = Types::NetworkFirewallMissingFirewallViolation
+
+    NetworkFirewallMissingSubnetViolation.add_member(:violation_target, Shapes::ShapeRef.new(shape: ViolationTarget, location_name: "ViolationTarget"))
+    NetworkFirewallMissingSubnetViolation.add_member(:vpc, Shapes::ShapeRef.new(shape: ResourceId, location_name: "VPC"))
+    NetworkFirewallMissingSubnetViolation.add_member(:availability_zone, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "AvailabilityZone"))
+    NetworkFirewallMissingSubnetViolation.add_member(:target_violation_reason, Shapes::ShapeRef.new(shape: TargetViolationReason, location_name: "TargetViolationReason"))
+    NetworkFirewallMissingSubnetViolation.struct_class = Types::NetworkFirewallMissingSubnetViolation
+
+    NetworkFirewallPolicyDescription.add_member(:stateless_rule_groups, Shapes::ShapeRef.new(shape: StatelessRuleGroupList, location_name: "StatelessRuleGroups"))
+    NetworkFirewallPolicyDescription.add_member(:stateless_default_actions, Shapes::ShapeRef.new(shape: NetworkFirewallActionList, location_name: "StatelessDefaultActions"))
+    NetworkFirewallPolicyDescription.add_member(:stateless_fragment_default_actions, Shapes::ShapeRef.new(shape: NetworkFirewallActionList, location_name: "StatelessFragmentDefaultActions"))
+    NetworkFirewallPolicyDescription.add_member(:stateless_custom_actions, Shapes::ShapeRef.new(shape: NetworkFirewallActionList, location_name: "StatelessCustomActions"))
+    NetworkFirewallPolicyDescription.add_member(:stateful_rule_groups, Shapes::ShapeRef.new(shape: StatefulRuleGroupList, location_name: "StatefulRuleGroups"))
+    NetworkFirewallPolicyDescription.struct_class = Types::NetworkFirewallPolicyDescription
+
+    NetworkFirewallPolicyModifiedViolation.add_member(:violation_target, Shapes::ShapeRef.new(shape: ViolationTarget, location_name: "ViolationTarget"))
+    NetworkFirewallPolicyModifiedViolation.add_member(:current_policy_description, Shapes::ShapeRef.new(shape: NetworkFirewallPolicyDescription, location_name: "CurrentPolicyDescription"))
+    NetworkFirewallPolicyModifiedViolation.add_member(:expected_policy_description, Shapes::ShapeRef.new(shape: NetworkFirewallPolicyDescription, location_name: "ExpectedPolicyDescription"))
+    NetworkFirewallPolicyModifiedViolation.struct_class = Types::NetworkFirewallPolicyModifiedViolation
+
     PartialMatch.add_member(:reference, Shapes::ShapeRef.new(shape: ReferenceRule, location_name: "Reference"))
     PartialMatch.add_member(:target_violation_reasons, Shapes::ShapeRef.new(shape: TargetViolationReasons, location_name: "TargetViolationReasons"))
     PartialMatch.struct_class = Types::PartialMatch
@@ -478,6 +548,13 @@ module Aws::FMS
     ResourceViolation.add_member(:aws_vpc_security_group_violation, Shapes::ShapeRef.new(shape: AwsVPCSecurityGroupViolation, location_name: "AwsVPCSecurityGroupViolation"))
     ResourceViolation.add_member(:aws_ec2_network_interface_violation, Shapes::ShapeRef.new(shape: AwsEc2NetworkInterfaceViolation, location_name: "AwsEc2NetworkInterfaceViolation"))
     ResourceViolation.add_member(:aws_ec2_instance_violation, Shapes::ShapeRef.new(shape: AwsEc2InstanceViolation, location_name: "AwsEc2InstanceViolation"))
+    ResourceViolation.add_member(:network_firewall_missing_firewall_violation, Shapes::ShapeRef.new(shape: NetworkFirewallMissingFirewallViolation, location_name: "NetworkFirewallMissingFirewallViolation"))
+    ResourceViolation.add_member(:network_firewall_missing_subnet_violation, Shapes::ShapeRef.new(shape: NetworkFirewallMissingSubnetViolation, location_name: "NetworkFirewallMissingSubnetViolation"))
+    ResourceViolation.add_member(:network_firewall_missing_expected_rt_violation, Shapes::ShapeRef.new(shape: NetworkFirewallMissingExpectedRTViolation, location_name: "NetworkFirewallMissingExpectedRTViolation"))
+    ResourceViolation.add_member(:network_firewall_policy_modified_violation, Shapes::ShapeRef.new(shape: NetworkFirewallPolicyModifiedViolation, location_name: "NetworkFirewallPolicyModifiedViolation"))
+    ResourceViolation.add_member(:dns_rule_group_priority_conflict_violation, Shapes::ShapeRef.new(shape: DnsRuleGroupPriorityConflictViolation, location_name: "DnsRuleGroupPriorityConflictViolation"))
+    ResourceViolation.add_member(:dns_duplicate_rule_group_violation, Shapes::ShapeRef.new(shape: DnsDuplicateRuleGroupViolation, location_name: "DnsDuplicateRuleGroupViolation"))
+    ResourceViolation.add_member(:dns_rule_group_limit_exceeded_violation, Shapes::ShapeRef.new(shape: DnsRuleGroupLimitExceededViolation, location_name: "DnsRuleGroupLimitExceededViolation"))
     ResourceViolation.struct_class = Types::ResourceViolation
 
     ResourceViolations.member = Shapes::ShapeRef.new(shape: ResourceViolation)
@@ -502,6 +579,19 @@ module Aws::FMS
     SecurityServicePolicyData.add_member(:managed_service_data, Shapes::ShapeRef.new(shape: ManagedServiceData, location_name: "ManagedServiceData"))
     SecurityServicePolicyData.struct_class = Types::SecurityServicePolicyData
 
+    StatefulRuleGroup.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: NetworkFirewallResourceName, location_name: "RuleGroupName"))
+    StatefulRuleGroup.add_member(:resource_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "ResourceId"))
+    StatefulRuleGroup.struct_class = Types::StatefulRuleGroup
+
+    StatefulRuleGroupList.member = Shapes::ShapeRef.new(shape: StatefulRuleGroup)
+
+    StatelessRuleGroup.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: NetworkFirewallResourceName, location_name: "RuleGroupName"))
+    StatelessRuleGroup.add_member(:resource_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "ResourceId"))
+    StatelessRuleGroup.add_member(:priority, Shapes::ShapeRef.new(shape: StatelessRuleGroupPriority, location_name: "Priority"))
+    StatelessRuleGroup.struct_class = Types::StatelessRuleGroup
+
+    StatelessRuleGroupList.member = Shapes::ShapeRef.new(shape: StatelessRuleGroup)
+
     Tag.add_member(:key, Shapes::ShapeRef.new(shape: TagKey, required: true, location_name: "Key"))
     Tag.add_member(:value, Shapes::ShapeRef.new(shape: TagValue, required: true, location_name: "Value"))
     Tag.struct_class = Types::Tag
@@ -595,6 +685,8 @@ module Aws::FMS
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidOperationException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidInputException)
+        o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
       end)
 
       api.add_operation(:delete_protocols_list, Seahorse::Model::Operation.new.tap do |o|

data/lib/aws-sdk-fms/errors.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-fms/resource.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-fms/types.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -267,8 +267,9 @@ module Aws::FMS
     # @!attribute [rw] resource_type
     #   The resource type. This is in the format shown in the [AWS Resource
     #   Types Reference][1]. For example:
-    #   `AWS::ElasticLoadBalancingV2::LoadBalancer` or
-    #   `AWS::CloudFront::Distribution`.
+    #   `AWS::ElasticLoadBalancingV2::LoadBalancer`,
+    #   `AWS::CloudFront::Distribution`, or
+    #   `AWS::NetworkFirewall::FirewallPolicy`.
     #
     #
     #
@@ -393,6 +394,96 @@ module Aws::FMS
     #
     class DisassociateAdminAccountRequest < Aws::EmptyStructure; end
 
+    # A DNS Firewall rule group that Firewall Manager tried to associate
+    # with a VPC is already associated with the VPC and can't be associated
+    # again.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the VPC.
+    #   @return [String]
+    #
+    # @!attribute [rw] violation_target_description
+    #   A description of the violation that specifies the rule group and
+    #   VPC.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DnsDuplicateRuleGroupViolation AWS API Documentation
+    #
+    class DnsDuplicateRuleGroupViolation < Struct.new(
+      :violation_target,
+      :violation_target_description)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The VPC that Firewall Manager was applying a DNS Fireall policy to
+    # reached the limit for associated DNS Firewall rule groups. Firewall
+    # Manager tried to associate another rule group with the VPC and failed
+    # due to the limit.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the VPC.
+    #   @return [String]
+    #
+    # @!attribute [rw] violation_target_description
+    #   A description of the violation that specifies the rule group and
+    #   VPC.
+    #   @return [String]
+    #
+    # @!attribute [rw] number_of_rule_groups_already_associated
+    #   The number of rule groups currently associated with the VPC.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DnsRuleGroupLimitExceededViolation AWS API Documentation
+    #
+    class DnsRuleGroupLimitExceededViolation < Struct.new(
+      :violation_target,
+      :violation_target_description,
+      :number_of_rule_groups_already_associated)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A rule group that Firewall Manager tried to associate with a VPC has
+    # the same priority as a rule group that's already associated.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the VPC.
+    #   @return [String]
+    #
+    # @!attribute [rw] violation_target_description
+    #   A description of the violation that specifies the VPC and the rule
+    #   group that's already associated with it.
+    #   @return [String]
+    #
+    # @!attribute [rw] conflicting_priority
+    #   The priority setting of the two conflicting rule groups.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] conflicting_policy_id
+    #   The ID of the Firewall Manager DNS Firewall policy that was already
+    #   applied to the VPC. This policy contains the rule group that's
+    #   already associated with the VPC.
+    #   @return [String]
+    #
+    # @!attribute [rw] unavailable_priorities
+    #   The priorities of rule groups that are already associated with the
+    #   VPC. To retry your operation, choose priority settings that aren't
+    #   in this list for the rule groups in your new DNS Firewall policy.
+    #   @return [Array<Integer>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DnsRuleGroupPriorityConflictViolation AWS API Documentation
+    #
+    class DnsRuleGroupPriorityConflictViolation < Struct.new(
+      :violation_target,
+      :violation_target_description,
+      :conflicting_priority,
+      :conflicting_policy_id,
+      :unavailable_priorities)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Describes the compliance status for the account. An account is
     # considered noncompliant if it includes resources that are not
     # protected by the specified policy or that don't comply with the
@@ -785,8 +876,9 @@ module Aws::FMS
     # @!attribute [rw] resource_type
     #   The resource type. This is in the format shown in the [AWS Resource
     #   Types Reference][1]. Supported resource types are:
-    #   `AWS::EC2::Instance`, `AWS::EC2::NetworkInterface`, or
-    #   `AWS::EC2::SecurityGroup`.
+    #   `AWS::EC2::Instance`, `AWS::EC2::NetworkInterface`,
+    #   `AWS::EC2::SecurityGroup`, `AWS::NetworkFirewall::FirewallPolicy`,
+    #   and `AWS::EC2::Subnet`.
     #
     #
     #
@@ -1231,6 +1323,173 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Violation details for AWS Network Firewall for a subnet that's not
+    # associated to the expected Firewall Manager managed route table.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the AWS Network Firewall or VPC resource that's in
+    #   violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc
+    #   The resource ID of the VPC associated with a violating subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone
+    #   The Availability Zone of a violating subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] current_route_table
+    #   The resource ID of the current route table that's associated with
+    #   the subnet, if one is available.
+    #   @return [String]
+    #
+    # @!attribute [rw] expected_route_table
+    #   The resource ID of the route table that should be associated with
+    #   the subnet.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallMissingExpectedRTViolation AWS API Documentation
+    #
+    class NetworkFirewallMissingExpectedRTViolation < Struct.new(
+      :violation_target,
+      :vpc,
+      :availability_zone,
+      :current_route_table,
+      :expected_route_table)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Violation details for AWS Network Firewall for a subnet that doesn't
+    # have a Firewall Manager managed firewall in its VPC.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the AWS Network Firewall or VPC resource that's in
+    #   violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc
+    #   The resource ID of the VPC associated with a violating subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone
+    #   The Availability Zone of a violating subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_violation_reason
+    #   The reason the resource has this violation, if one is available.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallMissingFirewallViolation AWS API Documentation
+    #
+    class NetworkFirewallMissingFirewallViolation < Struct.new(
+      :violation_target,
+      :vpc,
+      :availability_zone,
+      :target_violation_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Violation details for AWS Network Firewall for an Availability Zone
+    # that's missing the expected Firewall Manager managed subnet.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the AWS Network Firewall or VPC resource that's in
+    #   violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc
+    #   The resource ID of the VPC associated with a violating subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone
+    #   The Availability Zone of a violating subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_violation_reason
+    #   The reason the resource has this violation, if one is available.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallMissingSubnetViolation AWS API Documentation
+    #
+    class NetworkFirewallMissingSubnetViolation < Struct.new(
+      :violation_target,
+      :vpc,
+      :availability_zone,
+      :target_violation_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The definition of the AWS Network Firewall firewall policy.
+    #
+    # @!attribute [rw] stateless_rule_groups
+    #   The stateless rule groups that are used in the Network Firewall
+    #   firewall policy.
+    #   @return [Array<Types::StatelessRuleGroup>]
+    #
+    # @!attribute [rw] stateless_default_actions
+    #   The actions to take on packets that don't match any of the
+    #   stateless rule groups.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] stateless_fragment_default_actions
+    #   The actions to take on packet fragments that don't match any of the
+    #   stateless rule groups.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] stateless_custom_actions
+    #   Names of custom actions that are available for use in the stateless
+    #   default actions settings.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] stateful_rule_groups
+    #   The stateful rule groups that are used in the Network Firewall
+    #   firewall policy.
+    #   @return [Array<Types::StatefulRuleGroup>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallPolicyDescription AWS API Documentation
+    #
+    class NetworkFirewallPolicyDescription < Struct.new(
+      :stateless_rule_groups,
+      :stateless_default_actions,
+      :stateless_fragment_default_actions,
+      :stateless_custom_actions,
+      :stateful_rule_groups)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Violation details for AWS Network Firewall for a firewall policy that
+    # has a different NetworkFirewallPolicyDescription than is required by
+    # the Firewall Manager policy.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the AWS Network Firewall or VPC resource that's in
+    #   violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] current_policy_description
+    #   The policy that's currently in use in the individual account.
+    #   @return [Types::NetworkFirewallPolicyDescription]
+    #
+    # @!attribute [rw] expected_policy_description
+    #   The policy that should be in use in the individual account in order
+    #   to be compliant.
+    #   @return [Types::NetworkFirewallPolicyDescription]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallPolicyModifiedViolation AWS API Documentation
+    #
+    class NetworkFirewallPolicyModifiedViolation < Struct.new(
+      :violation_target,
+      :current_policy_description,
+      :expected_policy_description)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The reference rule that partially matches the `ViolationTarget` rule
     # and violation reason.
     #
@@ -1262,7 +1521,7 @@ module Aws::FMS
     #         policy_name: "ResourceName", # required
     #         policy_update_token: "PolicyUpdateToken",
     #         security_service_policy_data: { # required
-    #           type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT
+    #           type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
     #           managed_service_data: "ManagedServiceData",
     #         },
     #         resource_type: "ResourceType", # required
@@ -1315,7 +1574,8 @@ module Aws::FMS
     #   valid values are `AWS::EC2::SecurityGroup`,
     #   `AWS::EC2::NetworkInterface`, and `AWS::EC2::Instance`. For a
     #   security group usage audit policy, the value is
-    #   `AWS::EC2::SecurityGroup`.
+    #   `AWS::EC2::SecurityGroup`. For an AWS Network Firewall policy, the
+    #   value is `AWS::EC2::VPC`.
     #
     #
     #
@@ -1550,7 +1810,8 @@ module Aws::FMS
     #   valid values are `AWS::EC2::SecurityGroup`,
     #   `AWS::EC2::NetworkInterface`, and `AWS::EC2::Instance`. For a
     #   security group usage audit policy, the value is
-    #   `AWS::EC2::SecurityGroup`.
+    #   `AWS::EC2::SecurityGroup`. For an AWS Network Firewall policy, the
+    #   value is `AWS::EC2::VPC`.
     #
     #
     #
@@ -1780,7 +2041,7 @@ module Aws::FMS
     #           policy_name: "ResourceName", # required
     #           policy_update_token: "PolicyUpdateToken",
     #           security_service_policy_data: { # required
-    #             type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT
+    #             type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
     #             managed_service_data: "ManagedServiceData",
     #           },
     #           resource_type: "ResourceType", # required
@@ -1966,12 +2227,63 @@ module Aws::FMS
     #   Violation details for an EC2 instance.
     #   @return [Types::AwsEc2InstanceViolation]
     #
+    # @!attribute [rw] network_firewall_missing_firewall_violation
+    #   Violation detail for an Network Firewall policy that indicates that
+    #   a subnet has no Firewall Manager managed firewall in its VPC.
+    #   @return [Types::NetworkFirewallMissingFirewallViolation]
+    #
+    # @!attribute [rw] network_firewall_missing_subnet_violation
+    #   Violation detail for an Network Firewall policy that indicates that
+    #   an Availability Zone is missing the expected Firewall Manager
+    #   managed subnet.
+    #   @return [Types::NetworkFirewallMissingSubnetViolation]
+    #
+    # @!attribute [rw] network_firewall_missing_expected_rt_violation
+    #   Violation detail for an Network Firewall policy that indicates that
+    #   a subnet is not associated with the expected Firewall Manager
+    #   managed route table.
+    #   @return [Types::NetworkFirewallMissingExpectedRTViolation]
+    #
+    # @!attribute [rw] network_firewall_policy_modified_violation
+    #   Violation detail for an Network Firewall policy that indicates that
+    #   a firewall policy in an individual account has been modified in a
+    #   way that makes it noncompliant. For example, the individual account
+    #   owner might have deleted a rule group, changed the priority of a
+    #   stateless rule group, or changed a policy default action.
+    #   @return [Types::NetworkFirewallPolicyModifiedViolation]
+    #
+    # @!attribute [rw] dns_rule_group_priority_conflict_violation
+    #   Violation detail for a DNS Firewall policy that indicates that a
+    #   rule group that Firewall Manager tried to associate with a VPC has
+    #   the same priority as a rule group that's already associated.
+    #   @return [Types::DnsRuleGroupPriorityConflictViolation]
+    #
+    # @!attribute [rw] dns_duplicate_rule_group_violation
+    #   Violation detail for a DNS Firewall policy that indicates that a
+    #   rule group that Firewall Manager tried to associate with a VPC is
+    #   already associated with the VPC and can't be associated again.
+    #   @return [Types::DnsDuplicateRuleGroupViolation]
+    #
+    # @!attribute [rw] dns_rule_group_limit_exceeded_violation
+    #   Violation details for a DNS Firewall policy that indicates that the
+    #   VPC reached the limit for associated DNS Firewall rule groups.
+    #   Firewall Manager tried to associate another rule group with the VPC
+    #   and failed.
+    #   @return [Types::DnsRuleGroupLimitExceededViolation]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceViolation AWS API Documentation
     #
     class ResourceViolation < Struct.new(
       :aws_vpc_security_group_violation,
       :aws_ec2_network_interface_violation,
-      :aws_ec2_instance_violation)
+      :aws_ec2_instance_violation,
+      :network_firewall_missing_firewall_violation,
+      :network_firewall_missing_subnet_violation,
+      :network_firewall_missing_expected_rt_violation,
+      :network_firewall_policy_modified_violation,
+      :dns_rule_group_priority_conflict_violation,
+      :dns_duplicate_rule_group_violation,
+      :dns_rule_group_limit_exceeded_violation)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2055,7 +2367,7 @@ module Aws::FMS
     #   data as a hash:
     #
     #       {
-    #         type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT
+    #         type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
     #         managed_service_data: "ManagedServiceData",
     #       }
     #
@@ -2074,29 +2386,36 @@ module Aws::FMS
     #   JSON format. For service type `SHIELD_ADVANCED`, this is an empty
     #   string.
     #
+    #   * Example: `NETWORK_FIREWALL`
+    #
+    #     `"\{"type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2","priority":10\}],"networkFirewallStatelessDefaultActions":["aws:pass","custom1"],"networkFirewallStatelessFragmentDefaultActions":["custom2","aws:pass"],"networkFirewallStatelessCustomActions":[\{"actionName":"custom1","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"dimension1"\}]\}\}\},\{"actionName":"custom2","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"dimension2"\}]\}\}\}],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-1:1234567891011:stateful-rulegroup/rulegroup1"\}],"networkFirewallOrchestrationConfig":\{"singleFirewallEndpointPerVPC":true,"allowedIPV4CidrList":["10.24.34.0/28"]\}
+    #     \}"`
+    #
     #   * Example: `WAFV2`
     #
-    #     `"ManagedServiceData":
-    #     "\{"type":"WAFV2","defaultAction":\{"type":"ALLOW"\},"preProcessRuleGroups":[\{"managedRuleGroupIdentifier":null,"ruleGroupArn":"rulegrouparn","overrideAction":\{"type":"COUNT"\},"excludeRules":[\{"name":"EntityName"\}],"ruleGroupType":"RuleGroup"\}],"postProcessRuleGroups":[\{"managedRuleGroupIdentifier":\{"managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet","vendorName":"AWS"\},"ruleGroupArn":"rulegrouparn","overrideAction":\{"type":"NONE"\},"excludeRules":[],"ruleGroupType":"ManagedRuleGroup"\}],"overrideCustomerWebACLAssociation":false\}"`
+    #     `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAmazonIpReputationList"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
+    #
+    #     In the `loggingConfiguration`, you can specify one
+    #     `logDestinationConfigs`, you can optionally provide up to 20
+    #     `redactedFields`, and the `RedactedFieldType` must be one of
+    #     `URI`, `QUERY_STRING`, `HEADER`, or `METHOD`.
     #
     #   * Example: `WAF Classic`
     #
-    #     `"ManagedServiceData": "\{"type": "WAF", "ruleGroups":
-    #     [\{"id": "12345678-1bcd-9012-efga-0987654321ab",
+    #     `"\{"type": "WAF", "ruleGroups":
+    #     [\{"id":"12345678-1bcd-9012-efga-0987654321ab",
     #     "overrideAction" : \{"type": "COUNT"\}\}],
-    #     "defaultAction": \{"type": "BLOCK"\}\}`
+    #     "defaultAction": \{"type": "BLOCK"\}\}"`
     #
     #   * Example: `SECURITY_GROUPS_COMMON`
     #
-    #     `"SecurityServicePolicyData":\{"Type":"SECURITY_GROUPS_COMMON","ManagedServiceData":"\{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":false,"exclusiveResourceSecurityGroupManagement":false,
+    #     `"\{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":false,"exclusiveResourceSecurityGroupManagement":false,
     #     "applyToAllEC2InstanceENIs":false,"securityGroups":[\{"id":"
-    #     sg-000e55995d61a06bd"\}]\}"\},"RemediationEnabled":false,"ResourceType":"AWS::EC2::NetworkInterface"\}`
+    #     sg-000e55995d61a06bd"\}]\}"`
     #
     #   * Example: `SECURITY_GROUPS_CONTENT_AUDIT`
     #
-    #     `"SecurityServicePolicyData":\{"Type":"SECURITY_GROUPS_CONTENT_AUDIT","ManagedServiceData":"\{"type":"SECURITY_GROUPS_CONTENT_AUDIT","securityGroups":[\{"id":"
-    #     sg-000e55995d61a06bd
-    #     "\}],"securityGroupAction":\{"type":"ALLOW"\}\}"\},"RemediationEnabled":false,"ResourceType":"AWS::EC2::NetworkInterface"\}`
+    #     `"\{"type":"SECURITY_GROUPS_CONTENT_AUDIT","securityGroups":[\{"id":"sg-000e55995d61a06bd"\}],"securityGroupAction":\{"type":"ALLOW"\}\}"`
     #
     #     The security group action for content audit can be `ALLOW` or
     #     `DENY`. For `ALLOW`, all in-scope security group rules must be
@@ -2107,8 +2426,7 @@ module Aws::FMS
     #
     #   * Example: `SECURITY_GROUPS_USAGE_AUDIT`
     #
-    #     `"SecurityServicePolicyData":\{"Type":"SECURITY_GROUPS_USAGE_AUDIT","ManagedServiceData":"\{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true\}"\},"RemediationEnabled":false,"Resou
-    #     rceType":"AWS::EC2::SecurityGroup"\}`
+    #     `"\{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true\}"`
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/SecurityServicePolicyData AWS API Documentation
@@ -2120,6 +2438,53 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # AWS Network Firewall stateful rule group, used in a
+    # NetworkFirewallPolicyDescription.
+    #
+    # @!attribute [rw] rule_group_name
+    #   The name of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_id
+    #   The resource ID of the rule group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/StatefulRuleGroup AWS API Documentation
+    #
+    class StatefulRuleGroup < Struct.new(
+      :rule_group_name,
+      :resource_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # AWS Network Firewall stateless rule group, used in a
+    # NetworkFirewallPolicyDescription.
+    #
+    # @!attribute [rw] rule_group_name
+    #   The name of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_id
+    #   The resource ID of the rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   The priority of the rule group. AWS Network Firewall evaluates the
+    #   stateless rule groups in a firewall policy starting from the lowest
+    #   priority setting.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/StatelessRuleGroup AWS API Documentation
+    #
+    class StatelessRuleGroup < Struct.new(
+      :rule_group_name,
+      :resource_id,
+      :priority)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A collection of key:value pairs associated with an AWS resource. The
     # key:value pair can be anything you define. Typically, the tag key
     # represents a category (such as "environment") and the tag value