aws-sdk-fms 1.45.0 → 1.48.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e950287cab784b4458a946d831d09c56b84d281f5ca0b5138018147954b8cea7
-  data.tar.gz: f5182a7e205bca73f3d205c7cb9cb4699db2aab04c515aeaa50e73c3252eec9d
+  metadata.gz: fe1856b2e7db71ec8c271606d37bf76353ca984e90989e79ff8b135c213ec108
+  data.tar.gz: 276edd6276e83d327b817785a38be6a3fde6899604fbd7530ed5ea99038092e0
 SHA512:
-  metadata.gz: eda78cbfb7faa85d0b541949d43b4f0e70283b62798f7c87b17ecf76743e5f13482483c0f54b9d0c818b37dbd5ca04396d9ea562abcb69d09ab7698b80741a6c
-  data.tar.gz: d20790ddfee9a7b1c3008a4d15839016e757ff59ef441e87458467708116272f0774c1cf567fe89991426a84b5c3766781d69fe72324c8dab6c73971452cbc5f
+  metadata.gz: e9781f9af09f7b87593143da3daae257adc24f9cdb28824f09faa3b0e110ae87fb7965897a7663848e7e841e6e51542078b0bc50d80923d9f89d185fefa5d7de
+  data.tar.gz: 2ef93a5e9c63b64ea4c8051deb6a1548a1dac2995468feb6e63349e556800cfd0c2ef0a4312033e4b5d8db36700a8739215d940188c032f09d61bf76fcb0afdd

data/CHANGELOG.md

@@ -1,6 +1,21 @@
 Unreleased Changes
 ------------------
 
+1.48.0 (2022-02-24)
+------------------
+
+* Feature - AWS Firewall Manager now supports the configuration of AWS Network Firewall policies with either centralized or distributed deployment models. This release also adds support for custom endpoint configuration, where you can choose which Availability Zones to create firewall endpoints in.
+
+1.47.0 (2022-02-03)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.46.0 (2022-01-12)
+------------------
+
+* Feature - Shield Advanced policies for Amazon CloudFront resources now support automatic application layer DDoS mitigation. The max length for SecurityServicePolicyData ManagedServiceData is now 8192 characters, instead of 4096.
+
 1.45.0 (2021-12-21)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.45.0
+1.48.0

data/lib/aws-sdk-fms/client.rb

@@ -27,7 +27,9 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/http_checksum.rb'
+require 'aws-sdk-core/plugins/checksum_algorithm.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
+require 'aws-sdk-core/plugins/recursion_detection.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
 require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
 
@@ -74,7 +76,9 @@ module Aws::FMS
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
     add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::HttpChecksum)
+    add_plugin(Aws::Plugins::ChecksumAlgorithm)
     add_plugin(Aws::Plugins::DefaultsMode)
+    add_plugin(Aws::Plugins::RecursionDetection)
     add_plugin(Aws::Plugins::SignatureV4)
     add_plugin(Aws::Plugins::Protocols::JsonRpc)
 
@@ -644,8 +648,10 @@ module Aws::FMS
     #   resp.policy_compliance_detail.member_account #=> String
     #   resp.policy_compliance_detail.violators #=> Array
     #   resp.policy_compliance_detail.violators[0].resource_id #=> String
-    #   resp.policy_compliance_detail.violators[0].violation_reason #=> String, one of "WEB_ACL_MISSING_RULE_GROUP", "RESOURCE_MISSING_WEB_ACL", "RESOURCE_INCORRECT_WEB_ACL", "RESOURCE_MISSING_SHIELD_PROTECTION", "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION", "RESOURCE_MISSING_SECURITY_GROUP", "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP", "SECURITY_GROUP_UNUSED", "SECURITY_GROUP_REDUNDANT", "FMS_CREATED_SECURITY_GROUP_EDITED", "MISSING_FIREWALL", "MISSING_FIREWALL_SUBNET_IN_AZ", "MISSING_EXPECTED_ROUTE_TABLE", "NETWORK_FIREWALL_POLICY_MODIFIED", "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE", "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE", "UNEXPECTED_FIREWALL_ROUTES", "UNEXPECTED_TARGET_GATEWAY_ROUTES", "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY", "INVALID_ROUTE_CONFIGURATION", "MISSING_TARGET_GATEWAY", "INTERNET_TRAFFIC_NOT_INSPECTED", "BLACK_HOLE_ROUTE_DETECTED", "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET", "RESOURCE_MISSING_DNS_FIREWALL"
+    #   resp.policy_compliance_detail.violators[0].violation_reason #=> String, one of "WEB_ACL_MISSING_RULE_GROUP", "RESOURCE_MISSING_WEB_ACL", "RESOURCE_INCORRECT_WEB_ACL", "RESOURCE_MISSING_SHIELD_PROTECTION", "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION", "RESOURCE_MISSING_SECURITY_GROUP", "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP", "SECURITY_GROUP_UNUSED", "SECURITY_GROUP_REDUNDANT", "FMS_CREATED_SECURITY_GROUP_EDITED", "MISSING_FIREWALL", "MISSING_FIREWALL_SUBNET_IN_AZ", "MISSING_EXPECTED_ROUTE_TABLE", "NETWORK_FIREWALL_POLICY_MODIFIED", "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE", "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE", "UNEXPECTED_FIREWALL_ROUTES", "UNEXPECTED_TARGET_GATEWAY_ROUTES", "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY", "INVALID_ROUTE_CONFIGURATION", "MISSING_TARGET_GATEWAY", "INTERNET_TRAFFIC_NOT_INSPECTED", "BLACK_HOLE_ROUTE_DETECTED", "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET", "RESOURCE_MISSING_DNS_FIREWALL", "FIREWALL_SUBNET_IS_OUT_OF_SCOPE", "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT"
     #   resp.policy_compliance_detail.violators[0].resource_type #=> String
+    #   resp.policy_compliance_detail.violators[0].metadata #=> Hash
+    #   resp.policy_compliance_detail.violators[0].metadata["LengthBoundedString"] #=> String
     #   resp.policy_compliance_detail.evaluation_limit_exceeded #=> Boolean
     #   resp.policy_compliance_detail.expired_at #=> Time
     #   resp.policy_compliance_detail.issue_info_map #=> Hash
@@ -705,6 +711,7 @@ module Aws::FMS
     #   resp.policy.policy_update_token #=> String
     #   resp.policy.security_service_policy_data.type #=> String, one of "WAF", "WAFV2", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT", "NETWORK_FIREWALL", "DNS_FIREWALL"
     #   resp.policy.security_service_policy_data.managed_service_data #=> String
+    #   resp.policy.security_service_policy_data.policy_option.network_firewall_policy.firewall_deployment_model #=> String, one of "CENTRALIZED"
     #   resp.policy.resource_type #=> String
     #   resp.policy.resource_type_list #=> Array
     #   resp.policy.resource_type_list[0] #=> String
@@ -1140,8 +1147,39 @@ module Aws::FMS
     #   resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].ordered_remediation_actions[0].remediation_action.ec2_create_route_table_action.description #=> String
     #   resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].ordered_remediation_actions[0].remediation_action.ec2_create_route_table_action.vpc_id.resource_id #=> String
     #   resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].ordered_remediation_actions[0].remediation_action.ec2_create_route_table_action.vpc_id.description #=> String
+    #   resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].ordered_remediation_actions[0].remediation_action.fms_policy_update_firewall_creation_config_action.description #=> String
+    #   resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].ordered_remediation_actions[0].remediation_action.fms_policy_update_firewall_creation_config_action.firewall_creation_config #=> String
     #   resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].ordered_remediation_actions[0].order #=> Integer
     #   resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].is_default_action #=> Boolean
+    #   resp.violation_detail.resource_violations[0].firewall_subnet_is_out_of_scope_violation.firewall_subnet_id #=> String
+    #   resp.violation_detail.resource_violations[0].firewall_subnet_is_out_of_scope_violation.vpc_id #=> String
+    #   resp.violation_detail.resource_violations[0].firewall_subnet_is_out_of_scope_violation.subnet_availability_zone #=> String
+    #   resp.violation_detail.resource_violations[0].firewall_subnet_is_out_of_scope_violation.subnet_availability_zone_id #=> String
+    #   resp.violation_detail.resource_violations[0].firewall_subnet_is_out_of_scope_violation.vpc_endpoint_id #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.subnet_id #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.vpc_id #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.route_table_id #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.violating_routes #=> Array
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.violating_routes[0].destination_type #=> String, one of "IPV4", "IPV6", "PREFIX_LIST"
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.violating_routes[0].target_type #=> String, one of "GATEWAY", "CARRIER_GATEWAY", "INSTANCE", "LOCAL_GATEWAY", "NAT_GATEWAY", "NETWORK_INTERFACE", "VPC_ENDPOINT", "VPC_PEERING_CONNECTION", "EGRESS_ONLY_INTERNET_GATEWAY", "TRANSIT_GATEWAY"
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.violating_routes[0].destination #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.violating_routes[0].target #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.subnet_availability_zone #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.subnet_availability_zone_id #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.current_firewall_subnet_route_table #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.firewall_subnet_id #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.firewall_subnet_routes #=> Array
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.firewall_subnet_routes[0].destination_type #=> String, one of "IPV4", "IPV6", "PREFIX_LIST"
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.firewall_subnet_routes[0].target_type #=> String, one of "GATEWAY", "CARRIER_GATEWAY", "INSTANCE", "LOCAL_GATEWAY", "NAT_GATEWAY", "NETWORK_INTERFACE", "VPC_ENDPOINT", "VPC_PEERING_CONNECTION", "EGRESS_ONLY_INTERNET_GATEWAY", "TRANSIT_GATEWAY"
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.firewall_subnet_routes[0].destination #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.firewall_subnet_routes[0].target #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.internet_gateway_id #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.current_internet_gateway_route_table #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.internet_gateway_routes #=> Array
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.internet_gateway_routes[0].destination_type #=> String, one of "IPV4", "IPV6", "PREFIX_LIST"
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.internet_gateway_routes[0].target_type #=> String, one of "GATEWAY", "CARRIER_GATEWAY", "INSTANCE", "LOCAL_GATEWAY", "NAT_GATEWAY", "NETWORK_INTERFACE", "VPC_ENDPOINT", "VPC_PEERING_CONNECTION", "EGRESS_ONLY_INTERNET_GATEWAY", "TRANSIT_GATEWAY"
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.internet_gateway_routes[0].destination #=> String
+    #   resp.violation_detail.resource_violations[0].route_has_out_of_scope_endpoint_violation.internet_gateway_routes[0].target #=> String
     #   resp.violation_detail.resource_tags #=> Array
     #   resp.violation_detail.resource_tags[0].key #=> String
     #   resp.violation_detail.resource_tags[0].value #=> String
@@ -1603,7 +1641,7 @@ module Aws::FMS
     # * An Network Firewall policy, which provides firewall rules to filter
     #   network traffic in specified Amazon VPCs.
     #
-    # * A DNS Firewall policy, which provides Route 53 Resolver DNS Firewall
+    # * A DNS Firewall policy, which provides Route 53 Resolver DNS Firewall
     #   rules to filter DNS queries for specified VPCs.
     #
     # Each policy is specific to one of the types. If you want to enforce
@@ -1639,6 +1677,11 @@ module Aws::FMS
     #       security_service_policy_data: { # required
     #         type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
     #         managed_service_data: "ManagedServiceData",
+    #         policy_option: {
+    #           network_firewall_policy: {
+    #             firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED
+    #           },
+    #         },
     #       },
     #       resource_type: "ResourceType", # required
     #       resource_type_list: ["ResourceType"],
@@ -1673,6 +1716,7 @@ module Aws::FMS
     #   resp.policy.policy_update_token #=> String
     #   resp.policy.security_service_policy_data.type #=> String, one of "WAF", "WAFV2", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT", "NETWORK_FIREWALL", "DNS_FIREWALL"
     #   resp.policy.security_service_policy_data.managed_service_data #=> String
+    #   resp.policy.security_service_policy_data.policy_option.network_firewall_policy.firewall_deployment_model #=> String, one of "CENTRALIZED"
     #   resp.policy.resource_type #=> String
     #   resp.policy.resource_type_list #=> Array
     #   resp.policy.resource_type_list[0] #=> String
@@ -1831,7 +1875,7 @@ module Aws::FMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-fms'
-      context[:gem_version] = '1.45.0'
+      context[:gem_version] = '1.48.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-fms/client_api.rb

@@ -30,6 +30,7 @@ module Aws::FMS
     Boolean = Shapes::BooleanShape.new(name: 'Boolean')
     CIDR = Shapes::StringShape.new(name: 'CIDR')
     ComplianceViolator = Shapes::StructureShape.new(name: 'ComplianceViolator')
+    ComplianceViolatorMetadata = Shapes::MapShape.new(name: 'ComplianceViolatorMetadata')
     ComplianceViolators = Shapes::ListShape.new(name: 'ComplianceViolators')
     CustomerPolicyScopeId = Shapes::StringShape.new(name: 'CustomerPolicyScopeId')
     CustomerPolicyScopeIdList = Shapes::ListShape.new(name: 'CustomerPolicyScopeIdList')
@@ -60,6 +61,9 @@ module Aws::FMS
     EvaluationResults = Shapes::ListShape.new(name: 'EvaluationResults')
     ExpectedRoute = Shapes::StructureShape.new(name: 'ExpectedRoute')
     ExpectedRoutes = Shapes::ListShape.new(name: 'ExpectedRoutes')
+    FMSPolicyUpdateFirewallCreationConfigAction = Shapes::StructureShape.new(name: 'FMSPolicyUpdateFirewallCreationConfigAction')
+    FirewallDeploymentModel = Shapes::StringShape.new(name: 'FirewallDeploymentModel')
+    FirewallSubnetIsOutOfScopeViolation = Shapes::StructureShape.new(name: 'FirewallSubnetIsOutOfScopeViolation')
     GetAdminAccountRequest = Shapes::StructureShape.new(name: 'GetAdminAccountRequest')
     GetAdminAccountResponse = Shapes::StructureShape.new(name: 'GetAdminAccountResponse')
     GetAppsListRequest = Shapes::StructureShape.new(name: 'GetAppsListRequest')
@@ -109,6 +113,7 @@ module Aws::FMS
     NetworkFirewallMissingExpectedRoutesViolation = Shapes::StructureShape.new(name: 'NetworkFirewallMissingExpectedRoutesViolation')
     NetworkFirewallMissingFirewallViolation = Shapes::StructureShape.new(name: 'NetworkFirewallMissingFirewallViolation')
     NetworkFirewallMissingSubnetViolation = Shapes::StructureShape.new(name: 'NetworkFirewallMissingSubnetViolation')
+    NetworkFirewallPolicy = Shapes::StructureShape.new(name: 'NetworkFirewallPolicy')
     NetworkFirewallPolicyDescription = Shapes::StructureShape.new(name: 'NetworkFirewallPolicyDescription')
     NetworkFirewallPolicyModifiedViolation = Shapes::StructureShape.new(name: 'NetworkFirewallPolicyModifiedViolation')
     NetworkFirewallResourceName = Shapes::StringShape.new(name: 'NetworkFirewallResourceName')
@@ -125,6 +130,7 @@ module Aws::FMS
     PolicyComplianceStatusList = Shapes::ListShape.new(name: 'PolicyComplianceStatusList')
     PolicyComplianceStatusType = Shapes::StringShape.new(name: 'PolicyComplianceStatusType')
     PolicyId = Shapes::StringShape.new(name: 'PolicyId')
+    PolicyOption = Shapes::StructureShape.new(name: 'PolicyOption')
     PolicySummary = Shapes::StructureShape.new(name: 'PolicySummary')
     PolicySummaryList = Shapes::ListShape.new(name: 'PolicySummaryList')
     PolicyUpdateToken = Shapes::StringShape.new(name: 'PolicyUpdateToken')
@@ -167,6 +173,7 @@ module Aws::FMS
     ResourceViolation = Shapes::StructureShape.new(name: 'ResourceViolation')
     ResourceViolations = Shapes::ListShape.new(name: 'ResourceViolations')
     Route = Shapes::StructureShape.new(name: 'Route')
+    RouteHasOutOfScopeEndpointViolation = Shapes::StructureShape.new(name: 'RouteHasOutOfScopeEndpointViolation')
     Routes = Shapes::ListShape.new(name: 'Routes')
     SecurityGroupRemediationAction = Shapes::StructureShape.new(name: 'SecurityGroupRemediationAction')
     SecurityGroupRemediationActions = Shapes::ListShape.new(name: 'SecurityGroupRemediationActions')
@@ -246,8 +253,12 @@ module Aws::FMS
     ComplianceViolator.add_member(:resource_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "ResourceId"))
     ComplianceViolator.add_member(:violation_reason, Shapes::ShapeRef.new(shape: ViolationReason, location_name: "ViolationReason"))
     ComplianceViolator.add_member(:resource_type, Shapes::ShapeRef.new(shape: ResourceType, location_name: "ResourceType"))
+    ComplianceViolator.add_member(:metadata, Shapes::ShapeRef.new(shape: ComplianceViolatorMetadata, location_name: "Metadata"))
     ComplianceViolator.struct_class = Types::ComplianceViolator
 
+    ComplianceViolatorMetadata.key = Shapes::ShapeRef.new(shape: LengthBoundedString)
+    ComplianceViolatorMetadata.value = Shapes::ShapeRef.new(shape: LengthBoundedString)
+
     ComplianceViolators.member = Shapes::ShapeRef.new(shape: ComplianceViolator)
 
     CustomerPolicyScopeIdList.member = Shapes::ShapeRef.new(shape: CustomerPolicyScopeId)
@@ -348,6 +359,17 @@ module Aws::FMS
 
     ExpectedRoutes.member = Shapes::ShapeRef.new(shape: ExpectedRoute)
 
+    FMSPolicyUpdateFirewallCreationConfigAction.add_member(:description, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "Description"))
+    FMSPolicyUpdateFirewallCreationConfigAction.add_member(:firewall_creation_config, Shapes::ShapeRef.new(shape: ManagedServiceData, location_name: "FirewallCreationConfig"))
+    FMSPolicyUpdateFirewallCreationConfigAction.struct_class = Types::FMSPolicyUpdateFirewallCreationConfigAction
+
+    FirewallSubnetIsOutOfScopeViolation.add_member(:firewall_subnet_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallSubnetId"))
+    FirewallSubnetIsOutOfScopeViolation.add_member(:vpc_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "VpcId"))
+    FirewallSubnetIsOutOfScopeViolation.add_member(:subnet_availability_zone, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "SubnetAvailabilityZone"))
+    FirewallSubnetIsOutOfScopeViolation.add_member(:subnet_availability_zone_id, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "SubnetAvailabilityZoneId"))
+    FirewallSubnetIsOutOfScopeViolation.add_member(:vpc_endpoint_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "VpcEndpointId"))
+    FirewallSubnetIsOutOfScopeViolation.struct_class = Types::FirewallSubnetIsOutOfScopeViolation
+
     GetAdminAccountRequest.struct_class = Types::GetAdminAccountRequest
 
     GetAdminAccountResponse.add_member(:admin_account, Shapes::ShapeRef.new(shape: AWSAccountId, location_name: "AdminAccount"))
@@ -551,6 +573,9 @@ module Aws::FMS
     NetworkFirewallMissingSubnetViolation.add_member(:target_violation_reason, Shapes::ShapeRef.new(shape: TargetViolationReason, location_name: "TargetViolationReason"))
     NetworkFirewallMissingSubnetViolation.struct_class = Types::NetworkFirewallMissingSubnetViolation
 
+    NetworkFirewallPolicy.add_member(:firewall_deployment_model, Shapes::ShapeRef.new(shape: FirewallDeploymentModel, location_name: "FirewallDeploymentModel"))
+    NetworkFirewallPolicy.struct_class = Types::NetworkFirewallPolicy
+
     NetworkFirewallPolicyDescription.add_member(:stateless_rule_groups, Shapes::ShapeRef.new(shape: StatelessRuleGroupList, location_name: "StatelessRuleGroups"))
     NetworkFirewallPolicyDescription.add_member(:stateless_default_actions, Shapes::ShapeRef.new(shape: NetworkFirewallActionList, location_name: "StatelessDefaultActions"))
     NetworkFirewallPolicyDescription.add_member(:stateless_fragment_default_actions, Shapes::ShapeRef.new(shape: NetworkFirewallActionList, location_name: "StatelessFragmentDefaultActions"))
@@ -618,6 +643,9 @@ module Aws::FMS
 
     PolicyComplianceStatusList.member = Shapes::ShapeRef.new(shape: PolicyComplianceStatus)
 
+    PolicyOption.add_member(:network_firewall_policy, Shapes::ShapeRef.new(shape: NetworkFirewallPolicy, location_name: "NetworkFirewallPolicy"))
+    PolicyOption.struct_class = Types::PolicyOption
+
     PolicySummary.add_member(:policy_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "PolicyArn"))
     PolicySummary.add_member(:policy_id, Shapes::ShapeRef.new(shape: PolicyId, location_name: "PolicyId"))
     PolicySummary.add_member(:policy_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "PolicyName"))
@@ -701,6 +729,7 @@ module Aws::FMS
     RemediationAction.add_member(:ec2_replace_route_table_association_action, Shapes::ShapeRef.new(shape: EC2ReplaceRouteTableAssociationAction, location_name: "EC2ReplaceRouteTableAssociationAction"))
     RemediationAction.add_member(:ec2_associate_route_table_action, Shapes::ShapeRef.new(shape: EC2AssociateRouteTableAction, location_name: "EC2AssociateRouteTableAction"))
     RemediationAction.add_member(:ec2_create_route_table_action, Shapes::ShapeRef.new(shape: EC2CreateRouteTableAction, location_name: "EC2CreateRouteTableAction"))
+    RemediationAction.add_member(:fms_policy_update_firewall_creation_config_action, Shapes::ShapeRef.new(shape: FMSPolicyUpdateFirewallCreationConfigAction, location_name: "FMSPolicyUpdateFirewallCreationConfigAction"))
     RemediationAction.struct_class = Types::RemediationAction
 
     RemediationActionWithOrder.add_member(:remediation_action, Shapes::ShapeRef.new(shape: RemediationAction, location_name: "RemediationAction"))
@@ -737,6 +766,8 @@ module Aws::FMS
     ResourceViolation.add_member(:dns_duplicate_rule_group_violation, Shapes::ShapeRef.new(shape: DnsDuplicateRuleGroupViolation, location_name: "DnsDuplicateRuleGroupViolation"))
     ResourceViolation.add_member(:dns_rule_group_limit_exceeded_violation, Shapes::ShapeRef.new(shape: DnsRuleGroupLimitExceededViolation, location_name: "DnsRuleGroupLimitExceededViolation"))
     ResourceViolation.add_member(:possible_remediation_actions, Shapes::ShapeRef.new(shape: PossibleRemediationActions, location_name: "PossibleRemediationActions"))
+    ResourceViolation.add_member(:firewall_subnet_is_out_of_scope_violation, Shapes::ShapeRef.new(shape: FirewallSubnetIsOutOfScopeViolation, location_name: "FirewallSubnetIsOutOfScopeViolation"))
+    ResourceViolation.add_member(:route_has_out_of_scope_endpoint_violation, Shapes::ShapeRef.new(shape: RouteHasOutOfScopeEndpointViolation, location_name: "RouteHasOutOfScopeEndpointViolation"))
     ResourceViolation.struct_class = Types::ResourceViolation
 
     ResourceViolations.member = Shapes::ShapeRef.new(shape: ResourceViolation)
@@ -747,6 +778,20 @@ module Aws::FMS
     Route.add_member(:target, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "Target"))
     Route.struct_class = Types::Route
 
+    RouteHasOutOfScopeEndpointViolation.add_member(:subnet_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "SubnetId"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:vpc_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "VpcId"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:route_table_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "RouteTableId"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:violating_routes, Shapes::ShapeRef.new(shape: Routes, location_name: "ViolatingRoutes"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:subnet_availability_zone, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "SubnetAvailabilityZone"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:subnet_availability_zone_id, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "SubnetAvailabilityZoneId"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:current_firewall_subnet_route_table, Shapes::ShapeRef.new(shape: ResourceId, location_name: "CurrentFirewallSubnetRouteTable"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:firewall_subnet_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallSubnetId"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:firewall_subnet_routes, Shapes::ShapeRef.new(shape: Routes, location_name: "FirewallSubnetRoutes"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:internet_gateway_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "InternetGatewayId"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:current_internet_gateway_route_table, Shapes::ShapeRef.new(shape: ResourceId, location_name: "CurrentInternetGatewayRouteTable"))
+    RouteHasOutOfScopeEndpointViolation.add_member(:internet_gateway_routes, Shapes::ShapeRef.new(shape: Routes, location_name: "InternetGatewayRoutes"))
+    RouteHasOutOfScopeEndpointViolation.struct_class = Types::RouteHasOutOfScopeEndpointViolation
+
     Routes.member = Shapes::ShapeRef.new(shape: Route)
 
     SecurityGroupRemediationAction.add_member(:remediation_action_type, Shapes::ShapeRef.new(shape: RemediationActionType, location_name: "RemediationActionType"))
@@ -767,6 +812,7 @@ module Aws::FMS
 
     SecurityServicePolicyData.add_member(:type, Shapes::ShapeRef.new(shape: SecurityServiceType, required: true, location_name: "Type"))
     SecurityServicePolicyData.add_member(:managed_service_data, Shapes::ShapeRef.new(shape: ManagedServiceData, location_name: "ManagedServiceData"))
+    SecurityServicePolicyData.add_member(:policy_option, Shapes::ShapeRef.new(shape: PolicyOption, location_name: "PolicyOption"))
     SecurityServicePolicyData.struct_class = Types::SecurityServicePolicyData
 
     StatefulRuleGroup.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: NetworkFirewallResourceName, location_name: "RuleGroupName"))

data/lib/aws-sdk-fms/types.rb

@@ -294,12 +294,18 @@ module Aws::FMS
     #   [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
     #   @return [String]
     #
+    # @!attribute [rw] metadata
+    #   Metadata about the resource that doesn't comply with the policy
+    #   scope.
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ComplianceViolator AWS API Documentation
     #
     class ComplianceViolator < Struct.new(
       :resource_id,
       :violation_reason,
-      :resource_type)
+      :resource_type,
+      :metadata)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -810,6 +816,73 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Contains information about the actions that you can take to remediate
+    # scope violations caused by your policy's `FirewallCreationConfig`.
+    # `FirewallCreationConfig` is an optional configuration that you can use
+    # to choose which Availability Zones Firewall Manager creates Network
+    # Firewall endpoints in.
+    #
+    # @!attribute [rw] description
+    #   Describes the remedial action.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_creation_config
+    #   A `FirewallCreationConfig` that you can copy into your current
+    #   policy's [SecurityServiceData][1] in order to remedy scope
+    #   violations.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_SecurityServicePolicyData.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FMSPolicyUpdateFirewallCreationConfigAction AWS API Documentation
+    #
+    class FMSPolicyUpdateFirewallCreationConfigAction < Struct.new(
+      :description,
+      :firewall_creation_config)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains details about the firewall subnet that violates the policy
+    # scope.
+    #
+    # @!attribute [rw] firewall_subnet_id
+    #   The ID of the firewall subnet that violates the policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_id
+    #   The VPC ID of the firewall subnet that violates the policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_availability_zone
+    #   The Availability Zone of the firewall subnet that violates the
+    #   policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_availability_zone_id
+    #   The Availability Zone ID of the firewall subnet that violates the
+    #   policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_endpoint_id
+    #   The VPC endpoint ID of the firewall subnet that violates the policy
+    #   scope.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FirewallSubnetIsOutOfScopeViolation AWS API Documentation
+    #
+    class FirewallSubnetIsOutOfScopeViolation < Struct.new(
+      :firewall_subnet_id,
+      :vpc_id,
+      :subnet_availability_zone,
+      :subnet_availability_zone_id,
+      :vpc_endpoint_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @api private
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminAccountRequest AWS API Documentation
@@ -1940,6 +2013,39 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Configures the firewall policy deployment model of Network Firewall.
+    # For information about Network Firewall deployment models, see [Network
+    # Firewall example architectures with routing][1] in the *Network
+    # Firewall Developer Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/architectures.html
+    #
+    # @note When making an API call, you may pass NetworkFirewallPolicy
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED
+    #       }
+    #
+    # @!attribute [rw] firewall_deployment_model
+    #   Defines the deployment model to use for the firewall policy. To use
+    #   a distributed model, set [PolicyOption][1] to `NULL`.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallPolicy AWS API Documentation
+    #
+    class NetworkFirewallPolicy < Struct.new(
+      :firewall_deployment_model)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The definition of the Network Firewall firewall policy.
     #
     # @!attribute [rw] stateless_rule_groups
@@ -2104,6 +2210,11 @@ module Aws::FMS
     #         security_service_policy_data: { # required
     #           type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
     #           managed_service_data: "ManagedServiceData",
+    #           policy_option: {
+    #             network_firewall_policy: {
+    #               firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED
+    #             },
+    #           },
     #         },
     #         resource_type: "ResourceType", # required
     #         resource_type_list: ["ResourceType"],
@@ -2152,8 +2263,9 @@ module Aws::FMS
     #   specify a resource type of `ResourceTypeList` and then specify the
     #   resource types in a `ResourceTypeList`.
     #
-    #   For WAF and Shield Advanced, example resource types include
-    #   `AWS::ElasticLoadBalancingV2::LoadBalancer` and
+    #   For WAF and Shield Advanced, resource types include
+    #   `AWS::ElasticLoadBalancingV2::LoadBalancer`,
+    #   `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::EC2::EIP`, and
     #   `AWS::CloudFront::Distribution`. For a security group common policy,
     #   valid values are `AWS::EC2::NetworkInterface` and
     #   `AWS::EC2::Instance`. For a security group content audit policy,
@@ -2183,6 +2295,9 @@ module Aws::FMS
     #   `ResourceTag` array are not in scope of the policy. If set to
     #   `False`, and the `ResourceTag` array is not null, only resources
     #   with the specified tags are in scope of the policy.
+    #
+    #   This option isn't available for the centralized deployment model
+    #   when creating policies to configure Network Firewall.
     #   @return [Boolean]
     #
     # @!attribute [rw] remediation_enabled
@@ -2191,10 +2306,16 @@ module Aws::FMS
     #   @return [Boolean]
     #
     # @!attribute [rw] delete_unused_fm_managed_resources
-    #   Indicates whether Firewall Manager should delete Firewall Manager
-    #   managed resources, such as web ACLs and security groups, when they
-    #   are not in use by the Firewall Manager policy. By default, Firewall
-    #   Manager doesn't delete unused Firewall Manager managed resources.
+    #   Indicates whether Firewall Manager should automatically remove
+    #   protections from resources that leave the policy scope and clean up
+    #   resources that Firewall Manager is managing for accounts when those
+    #   accounts leave policy scope. For example, Firewall Manager will
+    #   disassociate a Firewall Manager managed web ACL from a protected
+    #   customer resource when the customer resource leaves policy scope.
+    #
+    #   By default, Firewall Manager doesn't remove protections or delete
+    #   Firewall Manager managed resources.
+    #
     #   This option is not available for Shield Advanced or WAF Classic
     #   policies.
     #   @return [Boolean]
@@ -2227,6 +2348,9 @@ module Aws::FMS
     #     a comma. For example, the following is a valid map: `\{“ACCOUNT” :
     #     [“accountID1”, “accountID2”], “ORG_UNIT” : [“ouid111”,
     #     “ouid112”]\}`.
+    #
+    #   This option isn't available for the centralized deployment model
+    #   when creating policies to configure Network Firewall.
     #   @return [Hash<String,Array<String>>]
     #
     # @!attribute [rw] exclude_map
@@ -2257,6 +2381,9 @@ module Aws::FMS
     #     a comma. For example, the following is a valid map: `\{“ACCOUNT” :
     #     [“accountID1”, “accountID2”], “ORG_UNIT” : [“ouid111”,
     #     “ouid112”]\}`.
+    #
+    #   This option isn't available for the centralized deployment model
+    #   when creating policies to configure Network Firewall.
     #   @return [Hash<String,Array<String>>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/Policy AWS API Documentation
@@ -2382,6 +2509,30 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Contains the Network Firewall firewall policy options to configure a
+    # centralized deployment model.
+    #
+    # @note When making an API call, you may pass PolicyOption
+    #   data as a hash:
+    #
+    #       {
+    #         network_firewall_policy: {
+    #           firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED
+    #         },
+    #       }
+    #
+    # @!attribute [rw] network_firewall_policy
+    #   Defines the deployment model to use for the firewall policy.
+    #   @return [Types::NetworkFirewallPolicy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PolicyOption AWS API Documentation
+    #
+    class PolicyOption < Struct.new(
+      :network_firewall_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Details of the Firewall Manager policy.
     #
     # @!attribute [rw] policy_arn
@@ -2427,10 +2578,16 @@ module Aws::FMS
     #   @return [Boolean]
     #
     # @!attribute [rw] delete_unused_fm_managed_resources
-    #   Indicates whether Firewall Manager should delete Firewall Manager
-    #   managed resources, such as web ACLs and security groups, when they
-    #   are not in use by the Firewall Manager policy. By default, Firewall
-    #   Manager doesn't delete unused Firewall Manager managed resources.
+    #   Indicates whether Firewall Manager should automatically remove
+    #   protections from resources that leave the policy scope and clean up
+    #   resources that Firewall Manager is managing for accounts when those
+    #   accounts leave policy scope. For example, Firewall Manager will
+    #   disassociate a Firewall Manager managed web ACL from a protected
+    #   customer resource when the customer resource leaves policy scope.
+    #
+    #   By default, Firewall Manager doesn't remove protections or delete
+    #   Firewall Manager managed resources.
+    #
     #   This option is not available for Shield Advanced or WAF Classic
     #   policies.
     #   @return [Boolean]
@@ -2692,6 +2849,11 @@ module Aws::FMS
     #           security_service_policy_data: { # required
     #             type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
     #             managed_service_data: "ManagedServiceData",
+    #             policy_option: {
+    #               network_firewall_policy: {
+    #                 firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED
+    #               },
+    #             },
     #           },
     #           resource_type: "ResourceType", # required
     #           resource_type_list: ["ResourceType"],
@@ -2847,6 +3009,10 @@ module Aws::FMS
     #   Information about the CreateRouteTable action in the Amazon EC2 API.
     #   @return [Types::EC2CreateRouteTableAction]
     #
+    # @!attribute [rw] fms_policy_update_firewall_creation_config_action
+    #   The remedial action to take when updating a firewall configuration.
+    #   @return [Types::FMSPolicyUpdateFirewallCreationConfigAction]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/RemediationAction AWS API Documentation
     #
     class RemediationAction < Struct.new(
@@ -2857,7 +3023,8 @@ module Aws::FMS
       :ec2_copy_route_table_action,
       :ec2_replace_route_table_association_action,
       :ec2_associate_route_table_action,
-      :ec2_create_route_table_action)
+      :ec2_create_route_table_action,
+      :fms_policy_update_firewall_creation_config_action)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3024,6 +3191,16 @@ module Aws::FMS
     #   actions.
     #   @return [Types::PossibleRemediationActions]
     #
+    # @!attribute [rw] firewall_subnet_is_out_of_scope_violation
+    #   Contains details about the firewall subnet that violates the policy
+    #   scope.
+    #   @return [Types::FirewallSubnetIsOutOfScopeViolation]
+    #
+    # @!attribute [rw] route_has_out_of_scope_endpoint_violation
+    #   Contains details about the route endpoint that violates the policy
+    #   scope.
+    #   @return [Types::RouteHasOutOfScopeEndpointViolation]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceViolation AWS API Documentation
     #
     class ResourceViolation < Struct.new(
@@ -3043,7 +3220,9 @@ module Aws::FMS
       :dns_rule_group_priority_conflict_violation,
       :dns_duplicate_rule_group_violation,
       :dns_rule_group_limit_exceeded_violation,
-      :possible_remediation_actions)
+      :possible_remediation_actions,
+      :firewall_subnet_is_out_of_scope_violation,
+      :route_has_out_of_scope_endpoint_violation)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3077,6 +3256,77 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Contains details about the route endpoint that violates the policy
+    # scope.
+    #
+    # @!attribute [rw] subnet_id
+    #   The ID of the subnet associated with the route that violates the
+    #   policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_id
+    #   The VPC ID of the route that violates the policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] route_table_id
+    #   The ID of the route table.
+    #   @return [String]
+    #
+    # @!attribute [rw] violating_routes
+    #   The list of routes that violate the route table.
+    #   @return [Array<Types::Route>]
+    #
+    # @!attribute [rw] subnet_availability_zone
+    #   The subnet's Availability Zone.
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_availability_zone_id
+    #   The ID of the subnet's Availability Zone.
+    #   @return [String]
+    #
+    # @!attribute [rw] current_firewall_subnet_route_table
+    #   The route table associated with the current firewall subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_subnet_id
+    #   The ID of the firewall subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_subnet_routes
+    #   The list of firewall subnet routes.
+    #   @return [Array<Types::Route>]
+    #
+    # @!attribute [rw] internet_gateway_id
+    #   The ID of the Internet Gateway.
+    #   @return [String]
+    #
+    # @!attribute [rw] current_internet_gateway_route_table
+    #   The current route table associated with the Internet Gateway.
+    #   @return [String]
+    #
+    # @!attribute [rw] internet_gateway_routes
+    #   The routes in the route table associated with the Internet Gateway.
+    #   @return [Array<Types::Route>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/RouteHasOutOfScopeEndpointViolation AWS API Documentation
+    #
+    class RouteHasOutOfScopeEndpointViolation < Struct.new(
+      :subnet_id,
+      :vpc_id,
+      :route_table_id,
+      :violating_routes,
+      :subnet_availability_zone,
+      :subnet_availability_zone_id,
+      :current_firewall_subnet_route_table,
+      :firewall_subnet_id,
+      :firewall_subnet_routes,
+      :internet_gateway_id,
+      :current_internet_gateway_route_table,
+      :internet_gateway_routes)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Remediation option for the rule specified in the `ViolationTarget`.
     #
     # @!attribute [rw] remediation_action_type
@@ -3158,6 +3408,11 @@ module Aws::FMS
     #       {
     #         type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
     #         managed_service_data: "ManagedServiceData",
+    #         policy_option: {
+    #           network_firewall_policy: {
+    #             firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED
+    #           },
+    #         },
     #       }
     #
     # @!attribute [rw] type
@@ -3172,8 +3427,7 @@ module Aws::FMS
     #
     # @!attribute [rw] managed_service_data
     #   Details about the service that are specific to the service type, in
-    #   JSON format. For service type `SHIELD_ADVANCED`, this is an empty
-    #   string.
+    #   JSON format.
     #
     #   * Example: `DNS_FIREWALL`
     #
@@ -3185,11 +3439,177 @@ module Aws::FMS
     #
     #      </note>
     #
-    #   * Example: `NETWORK_FIREWALL`
+    #   * Example: `NETWORK_FIREWALL` - Centralized deployment model.
+    #
+    #     `"\{"type":"NETWORK_FIREWALL","awsNetworkFirewallConfig":\{"networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],"networkFirewallStatelessDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessFragmentDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessCustomActions":[\{"actionName":"customActionName","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"metricdimensionvalue"\}]\}\}\}],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"\}],"networkFirewallLoggingConfiguration":\{"logDestinationConfigs":[\{"logDestinationType":"S3","logType":"ALERT","logDestination":\{"bucketName":"s3-bucket-name"\}\},\{"logDestinationType":"S3","logType":"FLOW","logDestination":\{"bucketName":"s3-bucket-name"\}\}],"overrideExistingConfig":true\}\},"firewallDeploymentModel":\{"centralizedFirewallDeploymentModel":\{"centralizedFirewallOrchestrationConfig":\{"inspectionVpcIds":[\{"resourceId":"vpc-1234","accountId":"123456789011"\}],"firewallCreationConfig":\{"endpointLocation":\{"availabilityZoneConfigList":[\{"availabilityZoneId":null,"availabilityZoneName":"us-east-1a","allowedIPV4CidrList":["10.0.0.0/28"]\}]\}\},"allowedIPV4CidrList":[]\}\}\}\}"`
+    #
+    #     To use the centralized deployment model, you must set
+    #     [PolicyOption][1] to `CENTRALIZED`.
+    #
+    #   * Example: `NETWORK_FIREWALL` - Distributed deployment model with
+    #     automatic Availability Zone configuration. With automatic
+    #     Availbility Zone configuration, Firewall Manager chooses which
+    #     Availability Zones to create the endpoints in.
+    #
+    #     `"\{ "type": "NETWORK_FIREWALL",
+    #     "networkFirewallStatelessRuleGroupReferences": [ \{
+    #     "resourceARN":
+    #     "arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test",
+    #     "priority": 1 \} ], "networkFirewallStatelessDefaultActions":
+    #     [ "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessFragmentDefaultActions": [
+    #     "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessCustomActions": [ \{ "actionName":
+    #     "customActionName", "actionDefinition": \{
+    #     "publishMetricAction": \{ "dimensions": [ \{ "value":
+    #     "metricdimensionvalue" \} ] \} \} \} ],
+    #     "networkFirewallStatefulRuleGroupReferences": [ \{
+    #     "resourceARN":
+    #     "arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
+    #     \} ], "networkFirewallOrchestrationConfig": \{
+    #     "singleFirewallEndpointPerVPC": false, "allowedIPV4CidrList":
+    #     [ "10.0.0.0/28", "192.168.0.0/28" ],
+    #     "routeManagementAction": "OFF" \},
+    #     "networkFirewallLoggingConfiguration": \{
+    #     "logDestinationConfigs": [ \{ "logDestinationType": "S3",
+    #     "logType": "ALERT", "logDestination": \{ "bucketName":
+    #     "s3-bucket-name" \} \}, \{ "logDestinationType": "S3",
+    #     "logType": "FLOW", "logDestination": \{ "bucketName":
+    #     "s3-bucket-name" \} \} ], "overrideExistingConfig": true \}
+    #     \}"`
     #
-    #     `"\{"type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2","priority":10\}],"networkFirewallStatelessDefaultActions":["aws:pass","custom1"],"networkFirewallStatelessFragmentDefaultActions":["custom2","aws:pass"],"networkFirewallStatelessCustomActions":[\{"actionName":"custom1","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"dimension1"\}]\}\}\},\{"actionName":"custom2","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"dimension2"\}]\}\}\}],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-1:1234567891011:stateful-rulegroup/rulegroup1"\}],"networkFirewallOrchestrationConfig":\{"singleFirewallEndpointPerVPC":true,"allowedIPV4CidrList":["10.24.34.0/28"]\}
+    #     To use the distributed deployment model, you must set
+    #     [PolicyOption][1] to `NULL`.
+    #
+    #   * Example: `NETWORK_FIREWALL` - Distributed deployment model with
+    #     automatic Availability Zone configuration, and route management.
+    #
+    #     `"\{ "type": "NETWORK_FIREWALL",
+    #     "networkFirewallStatelessRuleGroupReferences": [ \{
+    #     "resourceARN":
+    #     "arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test",
+    #     "priority": 1 \} ], "networkFirewallStatelessDefaultActions":
+    #     [ "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessFragmentDefaultActions": [
+    #     "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessCustomActions": [ \{ "actionName":
+    #     "customActionName", "actionDefinition": \{
+    #     "publishMetricAction": \{ "dimensions": [ \{ "value":
+    #     "metricdimensionvalue" \} ] \} \} \} ],
+    #     "networkFirewallStatefulRuleGroupReferences": [ \{
+    #     "resourceARN":
+    #     "arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
+    #     \} ], "networkFirewallOrchestrationConfig": \{
+    #     "singleFirewallEndpointPerVPC": false, "allowedIPV4CidrList":
+    #     [ "10.0.0.0/28", "192.168.0.0/28" ],
+    #     "routeManagementAction": "MONITOR",
+    #     "routeManagementTargetTypes": [ "InternetGateway" ] \},
+    #     "networkFirewallLoggingConfiguration": \{
+    #     "logDestinationConfigs": [ \{ "logDestinationType": "S3",
+    #     "logType": "ALERT", "logDestination": \{ "bucketName":
+    #     "s3-bucket-name" \} \}, \{ "logDestinationType": "S3",
+    #     "logType": "FLOW", "logDestination": \{ "bucketName":
+    #     "s3-bucket-name" \} \} ], "overrideExistingConfig": true \}
     #     \}"`
     #
+    #   * Example: `NETWORK_FIREWALL` - Distributed deployment model with
+    #     custom Availability Zone configuration. With custom Availability
+    #     Zone configuration, you define which specific Availability Zones
+    #     to create endpoints in by configuring `firewallCreationConfig`.
+    #
+    #     `"\{
+    #     "type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],
+    #     "networkFirewallStatelessDefaultActions":[
+    #     "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessFragmentDefaultActions":[
+    #     "aws:forward_to_sfe", "fragmentcustomactionname" ],
+    #     "networkFirewallStatelessCustomActions":[ \{
+    #     "actionName":"customActionName", "actionDefinition":\{
+    #     "publishMetricAction":\{ "dimensions":[ \{
+    #     "value":"metricdimensionvalue" \} ] \} \} \}, \{
+    #     "actionName":"fragmentcustomactionname",
+    #     "actionDefinition":\{ "publishMetricAction":\{
+    #     "dimensions":[ \{ "value":"fragmentmetricdimensionvalue" \}
+    #     ] \} \} \} ], "networkFirewallStatefulRuleGroupReferences":[ \{
+    #     "resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
+    #     \} ], "networkFirewallOrchestrationConfig":\{
+    #     "firewallCreationConfig":\{ "endpointLocation":\{
+    #     "availabilityZoneConfigList":[ \{ "availabilityZoneId":null,
+    #     "availabilityZoneName":"us-east-1a", "allowedIPV4CidrList":[
+    #     "10.0.0.0/28" ] \}, \{ ¯"availabilityZoneId":null,
+    #     "availabilityZoneName":"us-east-1b", "allowedIPV4CidrList":[
+    #     "10.0.0.0/28" ] \} ] \} \},
+    #     "singleFirewallEndpointPerVPC":false,
+    #     "allowedIPV4CidrList":null, "routeManagementAction":"OFF",
+    #     "networkFirewallLoggingConfiguration":\{
+    #     "logDestinationConfigs":[ \{ "logDestinationType":"S3",
+    #     "logType":"ALERT", "logDestination":\{
+    #     "bucketName":"s3-bucket-name" \} \}, \{
+    #     "logDestinationType":"S3", "logType":"FLOW",
+    #     "logDestination":\{ "bucketName":"s3-bucket-name" \} \} ],
+    #     "overrideExistingConfig":boolean \} \}"`
+    #
+    #   * Example: `NETWORK_FIREWALL` - Distributed deployment model with
+    #     custom Availability Zone configuration, and route management.
+    #
+    #     `"\{
+    #     "type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],
+    #     "networkFirewallStatelessDefaultActions":[
+    #     "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessFragmentDefaultActions":[
+    #     "aws:forward_to_sfe", "fragmentcustomactionname" ],
+    #     "networkFirewallStatelessCustomActions":[ \{
+    #     "actionName":"customActionName", "actionDefinition":\{
+    #     "publishMetricAction":\{ "dimensions":[ \{
+    #     "value":"metricdimensionvalue" \} ] \} \} \}, \{
+    #     "actionName":"fragmentcustomactionname",
+    #     "actionDefinition":\{ "publishMetricAction":\{
+    #     "dimensions":[ \{ "value":"fragmentmetricdimensionvalue" \}
+    #     ] \} \} \} ], "networkFirewallStatefulRuleGroupReferences":[ \{
+    #     "resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
+    #     \} ], "networkFirewallOrchestrationConfig":\{
+    #     "firewallCreationConfig":\{ "endpointLocation":\{
+    #     "availabilityZoneConfigList":[ \{ "availabilityZoneId":null,
+    #     "availabilityZoneName":"us-east-1a", "allowedIPV4CidrList":[
+    #     "10.0.0.0/28" ] \}, \{ ¯"availabilityZoneId":null,
+    #     "availabilityZoneName":"us-east-1b", "allowedIPV4CidrList":[
+    #     "10.0.0.0/28" ] \} ] \} \},
+    #     "singleFirewallEndpointPerVPC":false,
+    #     "allowedIPV4CidrList":null,
+    #     "routeManagementAction":"MONITOR",
+    #     "routeManagementTargetTypes":[ "InternetGateway" ],
+    #     "routeManagementConfig":\{
+    #     "allowCrossAZTrafficIfNoEndpoint":true \} \},
+    #     "networkFirewallLoggingConfiguration":\{
+    #     "logDestinationConfigs":[ \{ "logDestinationType":"S3",
+    #     "logType":"ALERT", "logDestination":\{
+    #     "bucketName":"s3-bucket-name" \} \}, \{
+    #     "logDestinationType":"S3", "logType":"FLOW",
+    #     "logDestination":\{ "bucketName":"s3-bucket-name" \} \} ],
+    #     "overrideExistingConfig":boolean \} \}"`
+    #
+    #   * Specification for `SHIELD_ADVANCED` for Amazon CloudFront
+    #     distributions
+    #
+    #     `"\{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
+    #     \{"automaticResponseStatus":"ENABLED|IGNORED|DISABLED",
+    #     "automaticResponseAction":"BLOCK|COUNT"\},
+    #     "overrideCustomerWebaclClassic":true|false\}"`
+    #
+    #     For example:
+    #     `"\{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
+    #     \{"automaticResponseStatus":"ENABLED",
+    #     "automaticResponseAction":"COUNT"\}\}"`
+    #
+    #     The default value for `automaticResponseStatus` is `IGNORED`. The
+    #     value for `automaticResponseAction` is only required when
+    #     `automaticResponseStatus` is set to `ENABLED`. The default value
+    #     for `overrideCustomerWebaclClassic` is `false`.
+    #
+    #     For other resource types that you can protect with a Shield
+    #     Advanced policy, this `ManagedServiceData` configuration is an
+    #     empty string.
+    #
     #   * Example: `WAFV2`
     #
     #     `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAmazonIpReputationList"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
@@ -3233,13 +3653,23 @@ module Aws::FMS
     #   * Example: `SECURITY_GROUPS_USAGE_AUDIT`
     #
     #     `"\{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true\}"`
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
     #   @return [String]
     #
+    # @!attribute [rw] policy_option
+    #   Contains the Network Firewall firewall policy options to configure a
+    #   centralized deployment model.
+    #   @return [Types::PolicyOption]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/SecurityServicePolicyData AWS API Documentation
     #
     class SecurityServicePolicyData < Struct.new(
       :type,
-      :managed_service_data)
+      :managed_service_data,
+      :policy_option)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3421,6 +3851,9 @@ module Aws::FMS
     #
     # @!attribute [rw] resource_tags
     #   The `ResourceTag` objects associated with the resource.
+    #
+    #   This option isn't available for the centralized deployment model
+    #   when creating policies to configure Network Firewall.
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] resource_description

data/lib/aws-sdk-fms.rb

@@ -48,6 +48,6 @@ require_relative 'aws-sdk-fms/customizations'
 # @!group service
 module Aws::FMS
 
-  GEM_VERSION = '1.45.0'
+  GEM_VERSION = '1.48.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-fms
 version: !ruby/object:Gem::Version
-  version: 1.45.0
+  version: 1.48.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-12-21 00:00:00.000000000 Z
+date: 2022-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -19,7 +19,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.125.0
+        version: 3.127.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.125.0
+        version: 3.127.0
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
   requirement: !ruby/object:Gem::Requirement