aws-sdk-fms 1.46.0 → 1.49.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-fms/client.rb +223 -7
- data/lib/aws-sdk-fms/client_api.rb +187 -0
- data/lib/aws-sdk-fms/types.rb +849 -9
- data/lib/aws-sdk-fms.rb +1 -1
- metadata +4 -4
data/lib/aws-sdk-fms/types.rb
CHANGED
@@ -200,6 +200,54 @@ module Aws::FMS
|
|
200
200
|
include Aws::Structure
|
201
201
|
end
|
202
202
|
|
203
|
+
# @note When making an API call, you may pass AssociateThirdPartyFirewallRequest
|
204
|
+
# data as a hash:
|
205
|
+
#
|
206
|
+
# {
|
207
|
+
# third_party_firewall: "PALO_ALTO_NETWORKS_CLOUD_NGFW", # required, accepts PALO_ALTO_NETWORKS_CLOUD_NGFW
|
208
|
+
# }
|
209
|
+
#
|
210
|
+
# @!attribute [rw] third_party_firewall
|
211
|
+
# The name of the third-party firewall vendor.
|
212
|
+
# @return [String]
|
213
|
+
#
|
214
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AssociateThirdPartyFirewallRequest AWS API Documentation
|
215
|
+
#
|
216
|
+
class AssociateThirdPartyFirewallRequest < Struct.new(
|
217
|
+
:third_party_firewall)
|
218
|
+
SENSITIVE = []
|
219
|
+
include Aws::Structure
|
220
|
+
end
|
221
|
+
|
222
|
+
# @!attribute [rw] third_party_firewall_status
|
223
|
+
# The current status for setting a Firewall Manager policy
|
224
|
+
# administrator's account as an administrator of the third-party
|
225
|
+
# firewall tenant.
|
226
|
+
#
|
227
|
+
# * `ONBOARDING` - The Firewall Manager policy administrator is being
|
228
|
+
# designated as a tenant administrator.
|
229
|
+
#
|
230
|
+
# * `ONBOARD_COMPLETE` - The Firewall Manager policy administrator is
|
231
|
+
# designated as a tenant administrator.
|
232
|
+
#
|
233
|
+
# * `OFFBOARDING` - The Firewall Manager policy administrator is being
|
234
|
+
# removed as a tenant administrator.
|
235
|
+
#
|
236
|
+
# * `OFFBOARD_COMPLETE` - The Firewall Manager policy administrator
|
237
|
+
# has been removed as a tenant administrator.
|
238
|
+
#
|
239
|
+
# * `NOT_EXIST` - The Firewall Manager policy administrator doesn't
|
240
|
+
# exist as a tenant administrator.
|
241
|
+
# @return [String]
|
242
|
+
#
|
243
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AssociateThirdPartyFirewallResponse AWS API Documentation
|
244
|
+
#
|
245
|
+
class AssociateThirdPartyFirewallResponse < Struct.new(
|
246
|
+
:third_party_firewall_status)
|
247
|
+
SENSITIVE = []
|
248
|
+
include Aws::Structure
|
249
|
+
end
|
250
|
+
|
203
251
|
# Violation detail for an EC2 instance resource.
|
204
252
|
#
|
205
253
|
# @!attribute [rw] violation_target
|
@@ -294,12 +342,18 @@ module Aws::FMS
|
|
294
342
|
# [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
|
295
343
|
# @return [String]
|
296
344
|
#
|
345
|
+
# @!attribute [rw] metadata
|
346
|
+
# Metadata about the resource that doesn't comply with the policy
|
347
|
+
# scope.
|
348
|
+
# @return [Hash<String,String>]
|
349
|
+
#
|
297
350
|
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ComplianceViolator AWS API Documentation
|
298
351
|
#
|
299
352
|
class ComplianceViolator < Struct.new(
|
300
353
|
:resource_id,
|
301
354
|
:violation_reason,
|
302
|
-
:resource_type
|
355
|
+
:resource_type,
|
356
|
+
:metadata)
|
303
357
|
SENSITIVE = []
|
304
358
|
include Aws::Structure
|
305
359
|
end
|
@@ -412,6 +466,38 @@ module Aws::FMS
|
|
412
466
|
#
|
413
467
|
class DisassociateAdminAccountRequest < Aws::EmptyStructure; end
|
414
468
|
|
469
|
+
# @note When making an API call, you may pass DisassociateThirdPartyFirewallRequest
|
470
|
+
# data as a hash:
|
471
|
+
#
|
472
|
+
# {
|
473
|
+
# third_party_firewall: "PALO_ALTO_NETWORKS_CLOUD_NGFW", # required, accepts PALO_ALTO_NETWORKS_CLOUD_NGFW
|
474
|
+
# }
|
475
|
+
#
|
476
|
+
# @!attribute [rw] third_party_firewall
|
477
|
+
# The name of the third-party firewall vendor.
|
478
|
+
# @return [String]
|
479
|
+
#
|
480
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DisassociateThirdPartyFirewallRequest AWS API Documentation
|
481
|
+
#
|
482
|
+
class DisassociateThirdPartyFirewallRequest < Struct.new(
|
483
|
+
:third_party_firewall)
|
484
|
+
SENSITIVE = []
|
485
|
+
include Aws::Structure
|
486
|
+
end
|
487
|
+
|
488
|
+
# @!attribute [rw] third_party_firewall_status
|
489
|
+
# The current status for the disassociation of a Firewall Manager
|
490
|
+
# administrators account with a third-party firewall.
|
491
|
+
# @return [String]
|
492
|
+
#
|
493
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DisassociateThirdPartyFirewallResponse AWS API Documentation
|
494
|
+
#
|
495
|
+
class DisassociateThirdPartyFirewallResponse < Struct.new(
|
496
|
+
:third_party_firewall_status)
|
497
|
+
SENSITIVE = []
|
498
|
+
include Aws::Structure
|
499
|
+
end
|
500
|
+
|
415
501
|
# A DNS Firewall rule group that Firewall Manager tried to associate
|
416
502
|
# with a VPC is already associated with the VPC and can't be associated
|
417
503
|
# again.
|
@@ -810,6 +896,103 @@ module Aws::FMS
|
|
810
896
|
include Aws::Structure
|
811
897
|
end
|
812
898
|
|
899
|
+
# Contains information about the actions that you can take to remediate
|
900
|
+
# scope violations caused by your policy's `FirewallCreationConfig`.
|
901
|
+
# `FirewallCreationConfig` is an optional configuration that you can use
|
902
|
+
# to choose which Availability Zones Firewall Manager creates Network
|
903
|
+
# Firewall endpoints in.
|
904
|
+
#
|
905
|
+
# @!attribute [rw] description
|
906
|
+
# Describes the remedial action.
|
907
|
+
# @return [String]
|
908
|
+
#
|
909
|
+
# @!attribute [rw] firewall_creation_config
|
910
|
+
# A `FirewallCreationConfig` that you can copy into your current
|
911
|
+
# policy's [SecurityServiceData][1] in order to remedy scope
|
912
|
+
# violations.
|
913
|
+
#
|
914
|
+
#
|
915
|
+
#
|
916
|
+
# [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_SecurityServicePolicyData.html
|
917
|
+
# @return [String]
|
918
|
+
#
|
919
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FMSPolicyUpdateFirewallCreationConfigAction AWS API Documentation
|
920
|
+
#
|
921
|
+
class FMSPolicyUpdateFirewallCreationConfigAction < Struct.new(
|
922
|
+
:description,
|
923
|
+
:firewall_creation_config)
|
924
|
+
SENSITIVE = []
|
925
|
+
include Aws::Structure
|
926
|
+
end
|
927
|
+
|
928
|
+
# Contains details about the firewall subnet that violates the policy
|
929
|
+
# scope.
|
930
|
+
#
|
931
|
+
# @!attribute [rw] firewall_subnet_id
|
932
|
+
# The ID of the firewall subnet that violates the policy scope.
|
933
|
+
# @return [String]
|
934
|
+
#
|
935
|
+
# @!attribute [rw] vpc_id
|
936
|
+
# The VPC ID of the firewall subnet that violates the policy scope.
|
937
|
+
# @return [String]
|
938
|
+
#
|
939
|
+
# @!attribute [rw] subnet_availability_zone
|
940
|
+
# The Availability Zone of the firewall subnet that violates the
|
941
|
+
# policy scope.
|
942
|
+
# @return [String]
|
943
|
+
#
|
944
|
+
# @!attribute [rw] subnet_availability_zone_id
|
945
|
+
# The Availability Zone ID of the firewall subnet that violates the
|
946
|
+
# policy scope.
|
947
|
+
# @return [String]
|
948
|
+
#
|
949
|
+
# @!attribute [rw] vpc_endpoint_id
|
950
|
+
# The VPC endpoint ID of the firewall subnet that violates the policy
|
951
|
+
# scope.
|
952
|
+
# @return [String]
|
953
|
+
#
|
954
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FirewallSubnetIsOutOfScopeViolation AWS API Documentation
|
955
|
+
#
|
956
|
+
class FirewallSubnetIsOutOfScopeViolation < Struct.new(
|
957
|
+
:firewall_subnet_id,
|
958
|
+
:vpc_id,
|
959
|
+
:subnet_availability_zone,
|
960
|
+
:subnet_availability_zone_id,
|
961
|
+
:vpc_endpoint_id)
|
962
|
+
SENSITIVE = []
|
963
|
+
include Aws::Structure
|
964
|
+
end
|
965
|
+
|
966
|
+
# The violation details for a firewall subnet's VPC endpoint that's
|
967
|
+
# deleted or missing.
|
968
|
+
#
|
969
|
+
# @!attribute [rw] firewall_subnet_id
|
970
|
+
# The ID of the firewall that this VPC endpoint is associated with.
|
971
|
+
# @return [String]
|
972
|
+
#
|
973
|
+
# @!attribute [rw] vpc_id
|
974
|
+
# The resource ID of the VPC associated with the deleted VPC subnet.
|
975
|
+
# @return [String]
|
976
|
+
#
|
977
|
+
# @!attribute [rw] subnet_availability_zone
|
978
|
+
# The name of the Availability Zone of the deleted VPC subnet.
|
979
|
+
# @return [String]
|
980
|
+
#
|
981
|
+
# @!attribute [rw] subnet_availability_zone_id
|
982
|
+
# The ID of the Availability Zone of the deleted VPC subnet.
|
983
|
+
# @return [String]
|
984
|
+
#
|
985
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FirewallSubnetMissingVPCEndpointViolation AWS API Documentation
|
986
|
+
#
|
987
|
+
class FirewallSubnetMissingVPCEndpointViolation < Struct.new(
|
988
|
+
:firewall_subnet_id,
|
989
|
+
:vpc_id,
|
990
|
+
:subnet_availability_zone,
|
991
|
+
:subnet_availability_zone_id)
|
992
|
+
SENSITIVE = []
|
993
|
+
include Aws::Structure
|
994
|
+
end
|
995
|
+
|
813
996
|
# @api private
|
814
997
|
#
|
815
998
|
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminAccountRequest AWS API Documentation
|
@@ -1140,6 +1323,73 @@ module Aws::FMS
|
|
1140
1323
|
include Aws::Structure
|
1141
1324
|
end
|
1142
1325
|
|
1326
|
+
# @note When making an API call, you may pass GetThirdPartyFirewallAssociationStatusRequest
|
1327
|
+
# data as a hash:
|
1328
|
+
#
|
1329
|
+
# {
|
1330
|
+
# third_party_firewall: "PALO_ALTO_NETWORKS_CLOUD_NGFW", # required, accepts PALO_ALTO_NETWORKS_CLOUD_NGFW
|
1331
|
+
# }
|
1332
|
+
#
|
1333
|
+
# @!attribute [rw] third_party_firewall
|
1334
|
+
# The name of the third-party firewall vendor.
|
1335
|
+
# @return [String]
|
1336
|
+
#
|
1337
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetThirdPartyFirewallAssociationStatusRequest AWS API Documentation
|
1338
|
+
#
|
1339
|
+
class GetThirdPartyFirewallAssociationStatusRequest < Struct.new(
|
1340
|
+
:third_party_firewall)
|
1341
|
+
SENSITIVE = []
|
1342
|
+
include Aws::Structure
|
1343
|
+
end
|
1344
|
+
|
1345
|
+
# @!attribute [rw] third_party_firewall_status
|
1346
|
+
# The current status for setting a Firewall Manager policy
|
1347
|
+
# administrators account as an administrator of the third-party
|
1348
|
+
# firewall tenant.
|
1349
|
+
#
|
1350
|
+
# * `ONBOARDING` - The Firewall Manager policy administrator is being
|
1351
|
+
# designated as a tenant administrator.
|
1352
|
+
#
|
1353
|
+
# * `ONBOARD_COMPLETE` - The Firewall Manager policy administrator is
|
1354
|
+
# designated as a tenant administrator.
|
1355
|
+
#
|
1356
|
+
# * `OFFBOARDING` - The Firewall Manager policy administrator is being
|
1357
|
+
# removed as a tenant administrator.
|
1358
|
+
#
|
1359
|
+
# * `OFFBOARD_COMPLETE` - The Firewall Manager policy administrator
|
1360
|
+
# has been removed as a tenant administrator.
|
1361
|
+
#
|
1362
|
+
# * `NOT_EXIST` - The Firewall Manager policy administrator doesn't
|
1363
|
+
# exist as a tenant administrator.
|
1364
|
+
# @return [String]
|
1365
|
+
#
|
1366
|
+
# @!attribute [rw] marketplace_onboarding_status
|
1367
|
+
# The status for subscribing to the third-party firewall vendor in the
|
1368
|
+
# AWS Marketplace.
|
1369
|
+
#
|
1370
|
+
# * `NO_SUBSCRIPTION` - The Firewall Manager policy administrator
|
1371
|
+
# isn't subscribed to the third-party firewall service in the AWS
|
1372
|
+
# Marketplace.
|
1373
|
+
#
|
1374
|
+
# * `NOT_COMPLETE` - The Firewall Manager policy administrator is in
|
1375
|
+
# the process of subscribing to the third-party firewall service in
|
1376
|
+
# the Amazon Web Services Marketplace, but doesn't yet have an
|
1377
|
+
# active subscription.
|
1378
|
+
#
|
1379
|
+
# * `COMPLETE` - The Firewall Manager policy administrator has an
|
1380
|
+
# active subscription to the third-party firewall service in the
|
1381
|
+
# Amazon Web Services Marketplace.
|
1382
|
+
# @return [String]
|
1383
|
+
#
|
1384
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetThirdPartyFirewallAssociationStatusResponse AWS API Documentation
|
1385
|
+
#
|
1386
|
+
class GetThirdPartyFirewallAssociationStatusResponse < Struct.new(
|
1387
|
+
:third_party_firewall_status,
|
1388
|
+
:marketplace_onboarding_status)
|
1389
|
+
SENSITIVE = []
|
1390
|
+
include Aws::Structure
|
1391
|
+
end
|
1392
|
+
|
1143
1393
|
# @note When making an API call, you may pass GetViolationDetailsRequest
|
1144
1394
|
# data as a hash:
|
1145
1395
|
#
|
@@ -1610,6 +1860,74 @@ module Aws::FMS
|
|
1610
1860
|
include Aws::Structure
|
1611
1861
|
end
|
1612
1862
|
|
1863
|
+
# @note When making an API call, you may pass ListThirdPartyFirewallFirewallPoliciesRequest
|
1864
|
+
# data as a hash:
|
1865
|
+
#
|
1866
|
+
# {
|
1867
|
+
# third_party_firewall: "PALO_ALTO_NETWORKS_CLOUD_NGFW", # required, accepts PALO_ALTO_NETWORKS_CLOUD_NGFW
|
1868
|
+
# next_token: "PaginationToken",
|
1869
|
+
# max_results: 1, # required
|
1870
|
+
# }
|
1871
|
+
#
|
1872
|
+
# @!attribute [rw] third_party_firewall
|
1873
|
+
# The name of the third-party firewall vendor.
|
1874
|
+
# @return [String]
|
1875
|
+
#
|
1876
|
+
# @!attribute [rw] next_token
|
1877
|
+
# If the previous response included a `NextToken` element, the
|
1878
|
+
# specified third-party firewall vendor is associated with more
|
1879
|
+
# third-party firewall policies. To get more third-party firewall
|
1880
|
+
# policies, submit another
|
1881
|
+
# `ListThirdPartyFirewallFirewallPoliciesRequest` request.
|
1882
|
+
#
|
1883
|
+
# For the value of `NextToken`, specify the value of `NextToken` from
|
1884
|
+
# the previous response. If the previous response didn't include a
|
1885
|
+
# `NextToken` element, there are no more third-party firewall policies
|
1886
|
+
# to get.
|
1887
|
+
# @return [String]
|
1888
|
+
#
|
1889
|
+
# @!attribute [rw] max_results
|
1890
|
+
# The maximum number of third-party firewall policies that you want
|
1891
|
+
# Firewall Manager to return. If the specified third-party firewall
|
1892
|
+
# vendor is associated with more than `MaxResults` firewall policies,
|
1893
|
+
# the response includes a `NextToken` element. `NextToken` contains an
|
1894
|
+
# encrypted token that identifies the first third-party firewall
|
1895
|
+
# policies that Firewall Manager will return if you submit another
|
1896
|
+
# request.
|
1897
|
+
# @return [Integer]
|
1898
|
+
#
|
1899
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListThirdPartyFirewallFirewallPoliciesRequest AWS API Documentation
|
1900
|
+
#
|
1901
|
+
class ListThirdPartyFirewallFirewallPoliciesRequest < Struct.new(
|
1902
|
+
:third_party_firewall,
|
1903
|
+
:next_token,
|
1904
|
+
:max_results)
|
1905
|
+
SENSITIVE = []
|
1906
|
+
include Aws::Structure
|
1907
|
+
end
|
1908
|
+
|
1909
|
+
# @!attribute [rw] third_party_firewall_firewall_policies
|
1910
|
+
# A list that contains one `ThirdPartyFirewallFirewallPolicies`
|
1911
|
+
# element for each third-party firewall policies that the specified
|
1912
|
+
# third-party firewall vendor is associated with. Each
|
1913
|
+
# `ThirdPartyFirewallFirewallPolicies` element contains the firewall
|
1914
|
+
# policy name and ID.
|
1915
|
+
# @return [Array<Types::ThirdPartyFirewallFirewallPolicy>]
|
1916
|
+
#
|
1917
|
+
# @!attribute [rw] next_token
|
1918
|
+
# The value that you will use for `NextToken` in the next
|
1919
|
+
# `ListThirdPartyFirewallFirewallPolicies` request.
|
1920
|
+
# @return [String]
|
1921
|
+
#
|
1922
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListThirdPartyFirewallFirewallPoliciesResponse AWS API Documentation
|
1923
|
+
#
|
1924
|
+
class ListThirdPartyFirewallFirewallPoliciesResponse < Struct.new(
|
1925
|
+
:third_party_firewall_firewall_policies,
|
1926
|
+
:next_token)
|
1927
|
+
SENSITIVE = []
|
1928
|
+
include Aws::Structure
|
1929
|
+
end
|
1930
|
+
|
1613
1931
|
# Violation detail for an internet gateway route with an inactive state
|
1614
1932
|
# in the customer subnet route table or Network Firewall subnet route
|
1615
1933
|
# table.
|
@@ -1940,6 +2258,39 @@ module Aws::FMS
|
|
1940
2258
|
include Aws::Structure
|
1941
2259
|
end
|
1942
2260
|
|
2261
|
+
# Configures the firewall policy deployment model of Network Firewall.
|
2262
|
+
# For information about Network Firewall deployment models, see [Network
|
2263
|
+
# Firewall example architectures with routing][1] in the *Network
|
2264
|
+
# Firewall Developer Guide*.
|
2265
|
+
#
|
2266
|
+
#
|
2267
|
+
#
|
2268
|
+
# [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/architectures.html
|
2269
|
+
#
|
2270
|
+
# @note When making an API call, you may pass NetworkFirewallPolicy
|
2271
|
+
# data as a hash:
|
2272
|
+
#
|
2273
|
+
# {
|
2274
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
2275
|
+
# }
|
2276
|
+
#
|
2277
|
+
# @!attribute [rw] firewall_deployment_model
|
2278
|
+
# Defines the deployment model to use for the firewall policy. To use
|
2279
|
+
# a distributed model, set [PolicyOption][1] to `NULL`.
|
2280
|
+
#
|
2281
|
+
#
|
2282
|
+
#
|
2283
|
+
# [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
|
2284
|
+
# @return [String]
|
2285
|
+
#
|
2286
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallPolicy AWS API Documentation
|
2287
|
+
#
|
2288
|
+
class NetworkFirewallPolicy < Struct.new(
|
2289
|
+
:firewall_deployment_model)
|
2290
|
+
SENSITIVE = []
|
2291
|
+
include Aws::Structure
|
2292
|
+
end
|
2293
|
+
|
1943
2294
|
# The definition of the Network Firewall firewall policy.
|
1944
2295
|
#
|
1945
2296
|
# @!attribute [rw] stateless_rule_groups
|
@@ -2102,8 +2453,16 @@ module Aws::FMS
|
|
2102
2453
|
# policy_name: "ResourceName", # required
|
2103
2454
|
# policy_update_token: "PolicyUpdateToken",
|
2104
2455
|
# security_service_policy_data: { # required
|
2105
|
-
# type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
|
2456
|
+
# type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
|
2106
2457
|
# managed_service_data: "ManagedServiceData",
|
2458
|
+
# policy_option: {
|
2459
|
+
# network_firewall_policy: {
|
2460
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
2461
|
+
# },
|
2462
|
+
# third_party_firewall_policy: {
|
2463
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
2464
|
+
# },
|
2465
|
+
# },
|
2107
2466
|
# },
|
2108
2467
|
# resource_type: "ResourceType", # required
|
2109
2468
|
# resource_type_list: ["ResourceType"],
|
@@ -2389,6 +2748,38 @@ module Aws::FMS
|
|
2389
2748
|
include Aws::Structure
|
2390
2749
|
end
|
2391
2750
|
|
2751
|
+
# Contains the Network Firewall firewall policy options to configure a
|
2752
|
+
# centralized deployment model.
|
2753
|
+
#
|
2754
|
+
# @note When making an API call, you may pass PolicyOption
|
2755
|
+
# data as a hash:
|
2756
|
+
#
|
2757
|
+
# {
|
2758
|
+
# network_firewall_policy: {
|
2759
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
2760
|
+
# },
|
2761
|
+
# third_party_firewall_policy: {
|
2762
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
2763
|
+
# },
|
2764
|
+
# }
|
2765
|
+
#
|
2766
|
+
# @!attribute [rw] network_firewall_policy
|
2767
|
+
# Defines the deployment model to use for the firewall policy.
|
2768
|
+
# @return [Types::NetworkFirewallPolicy]
|
2769
|
+
#
|
2770
|
+
# @!attribute [rw] third_party_firewall_policy
|
2771
|
+
# Defines the policy options for a third-party firewall policy.
|
2772
|
+
# @return [Types::ThirdPartyFirewallPolicy]
|
2773
|
+
#
|
2774
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PolicyOption AWS API Documentation
|
2775
|
+
#
|
2776
|
+
class PolicyOption < Struct.new(
|
2777
|
+
:network_firewall_policy,
|
2778
|
+
:third_party_firewall_policy)
|
2779
|
+
SENSITIVE = []
|
2780
|
+
include Aws::Structure
|
2781
|
+
end
|
2782
|
+
|
2392
2783
|
# Details of the Firewall Manager policy.
|
2393
2784
|
#
|
2394
2785
|
# @!attribute [rw] policy_arn
|
@@ -2703,8 +3094,16 @@ module Aws::FMS
|
|
2703
3094
|
# policy_name: "ResourceName", # required
|
2704
3095
|
# policy_update_token: "PolicyUpdateToken",
|
2705
3096
|
# security_service_policy_data: { # required
|
2706
|
-
# type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
|
3097
|
+
# type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
|
2707
3098
|
# managed_service_data: "ManagedServiceData",
|
3099
|
+
# policy_option: {
|
3100
|
+
# network_firewall_policy: {
|
3101
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
3102
|
+
# },
|
3103
|
+
# third_party_firewall_policy: {
|
3104
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
3105
|
+
# },
|
3106
|
+
# },
|
2708
3107
|
# },
|
2709
3108
|
# resource_type: "ResourceType", # required
|
2710
3109
|
# resource_type_list: ["ResourceType"],
|
@@ -2860,6 +3259,10 @@ module Aws::FMS
|
|
2860
3259
|
# Information about the CreateRouteTable action in the Amazon EC2 API.
|
2861
3260
|
# @return [Types::EC2CreateRouteTableAction]
|
2862
3261
|
#
|
3262
|
+
# @!attribute [rw] fms_policy_update_firewall_creation_config_action
|
3263
|
+
# The remedial action to take when updating a firewall configuration.
|
3264
|
+
# @return [Types::FMSPolicyUpdateFirewallCreationConfigAction]
|
3265
|
+
#
|
2863
3266
|
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/RemediationAction AWS API Documentation
|
2864
3267
|
#
|
2865
3268
|
class RemediationAction < Struct.new(
|
@@ -2870,7 +3273,8 @@ module Aws::FMS
|
|
2870
3273
|
:ec2_copy_route_table_action,
|
2871
3274
|
:ec2_replace_route_table_association_action,
|
2872
3275
|
:ec2_associate_route_table_action,
|
2873
|
-
:ec2_create_route_table_action
|
3276
|
+
:ec2_create_route_table_action,
|
3277
|
+
:fms_policy_update_firewall_creation_config_action)
|
2874
3278
|
SENSITIVE = []
|
2875
3279
|
include Aws::Structure
|
2876
3280
|
end
|
@@ -3037,6 +3441,37 @@ module Aws::FMS
|
|
3037
3441
|
# actions.
|
3038
3442
|
# @return [Types::PossibleRemediationActions]
|
3039
3443
|
#
|
3444
|
+
# @!attribute [rw] firewall_subnet_is_out_of_scope_violation
|
3445
|
+
# Contains details about the firewall subnet that violates the policy
|
3446
|
+
# scope.
|
3447
|
+
# @return [Types::FirewallSubnetIsOutOfScopeViolation]
|
3448
|
+
#
|
3449
|
+
# @!attribute [rw] route_has_out_of_scope_endpoint_violation
|
3450
|
+
# Contains details about the route endpoint that violates the policy
|
3451
|
+
# scope.
|
3452
|
+
# @return [Types::RouteHasOutOfScopeEndpointViolation]
|
3453
|
+
#
|
3454
|
+
# @!attribute [rw] third_party_firewall_missing_firewall_violation
|
3455
|
+
# The violation details for a third-party firewall that's been
|
3456
|
+
# deleted.
|
3457
|
+
# @return [Types::ThirdPartyFirewallMissingFirewallViolation]
|
3458
|
+
#
|
3459
|
+
# @!attribute [rw] third_party_firewall_missing_subnet_violation
|
3460
|
+
# The violation details for a third-party firewall's subnet that's
|
3461
|
+
# been deleted.
|
3462
|
+
# @return [Types::ThirdPartyFirewallMissingSubnetViolation]
|
3463
|
+
#
|
3464
|
+
# @!attribute [rw] third_party_firewall_missing_expected_route_table_violation
|
3465
|
+
# The violation details for a third-party firewall that has the
|
3466
|
+
# Firewall Manager managed route table that was associated with the
|
3467
|
+
# third-party firewall has been deleted.
|
3468
|
+
# @return [Types::ThirdPartyFirewallMissingExpectedRouteTableViolation]
|
3469
|
+
#
|
3470
|
+
# @!attribute [rw] firewall_subnet_missing_vpc_endpoint_violation
|
3471
|
+
# The violation details for a third-party firewall's VPC endpoint
|
3472
|
+
# subnet that was deleted.
|
3473
|
+
# @return [Types::FirewallSubnetMissingVPCEndpointViolation]
|
3474
|
+
#
|
3040
3475
|
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceViolation AWS API Documentation
|
3041
3476
|
#
|
3042
3477
|
class ResourceViolation < Struct.new(
|
@@ -3056,7 +3491,13 @@ module Aws::FMS
|
|
3056
3491
|
:dns_rule_group_priority_conflict_violation,
|
3057
3492
|
:dns_duplicate_rule_group_violation,
|
3058
3493
|
:dns_rule_group_limit_exceeded_violation,
|
3059
|
-
:possible_remediation_actions
|
3494
|
+
:possible_remediation_actions,
|
3495
|
+
:firewall_subnet_is_out_of_scope_violation,
|
3496
|
+
:route_has_out_of_scope_endpoint_violation,
|
3497
|
+
:third_party_firewall_missing_firewall_violation,
|
3498
|
+
:third_party_firewall_missing_subnet_violation,
|
3499
|
+
:third_party_firewall_missing_expected_route_table_violation,
|
3500
|
+
:firewall_subnet_missing_vpc_endpoint_violation)
|
3060
3501
|
SENSITIVE = []
|
3061
3502
|
include Aws::Structure
|
3062
3503
|
end
|
@@ -3090,6 +3531,77 @@ module Aws::FMS
|
|
3090
3531
|
include Aws::Structure
|
3091
3532
|
end
|
3092
3533
|
|
3534
|
+
# Contains details about the route endpoint that violates the policy
|
3535
|
+
# scope.
|
3536
|
+
#
|
3537
|
+
# @!attribute [rw] subnet_id
|
3538
|
+
# The ID of the subnet associated with the route that violates the
|
3539
|
+
# policy scope.
|
3540
|
+
# @return [String]
|
3541
|
+
#
|
3542
|
+
# @!attribute [rw] vpc_id
|
3543
|
+
# The VPC ID of the route that violates the policy scope.
|
3544
|
+
# @return [String]
|
3545
|
+
#
|
3546
|
+
# @!attribute [rw] route_table_id
|
3547
|
+
# The ID of the route table.
|
3548
|
+
# @return [String]
|
3549
|
+
#
|
3550
|
+
# @!attribute [rw] violating_routes
|
3551
|
+
# The list of routes that violate the route table.
|
3552
|
+
# @return [Array<Types::Route>]
|
3553
|
+
#
|
3554
|
+
# @!attribute [rw] subnet_availability_zone
|
3555
|
+
# The subnet's Availability Zone.
|
3556
|
+
# @return [String]
|
3557
|
+
#
|
3558
|
+
# @!attribute [rw] subnet_availability_zone_id
|
3559
|
+
# The ID of the subnet's Availability Zone.
|
3560
|
+
# @return [String]
|
3561
|
+
#
|
3562
|
+
# @!attribute [rw] current_firewall_subnet_route_table
|
3563
|
+
# The route table associated with the current firewall subnet.
|
3564
|
+
# @return [String]
|
3565
|
+
#
|
3566
|
+
# @!attribute [rw] firewall_subnet_id
|
3567
|
+
# The ID of the firewall subnet.
|
3568
|
+
# @return [String]
|
3569
|
+
#
|
3570
|
+
# @!attribute [rw] firewall_subnet_routes
|
3571
|
+
# The list of firewall subnet routes.
|
3572
|
+
# @return [Array<Types::Route>]
|
3573
|
+
#
|
3574
|
+
# @!attribute [rw] internet_gateway_id
|
3575
|
+
# The ID of the Internet Gateway.
|
3576
|
+
# @return [String]
|
3577
|
+
#
|
3578
|
+
# @!attribute [rw] current_internet_gateway_route_table
|
3579
|
+
# The current route table associated with the Internet Gateway.
|
3580
|
+
# @return [String]
|
3581
|
+
#
|
3582
|
+
# @!attribute [rw] internet_gateway_routes
|
3583
|
+
# The routes in the route table associated with the Internet Gateway.
|
3584
|
+
# @return [Array<Types::Route>]
|
3585
|
+
#
|
3586
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/RouteHasOutOfScopeEndpointViolation AWS API Documentation
|
3587
|
+
#
|
3588
|
+
class RouteHasOutOfScopeEndpointViolation < Struct.new(
|
3589
|
+
:subnet_id,
|
3590
|
+
:vpc_id,
|
3591
|
+
:route_table_id,
|
3592
|
+
:violating_routes,
|
3593
|
+
:subnet_availability_zone,
|
3594
|
+
:subnet_availability_zone_id,
|
3595
|
+
:current_firewall_subnet_route_table,
|
3596
|
+
:firewall_subnet_id,
|
3597
|
+
:firewall_subnet_routes,
|
3598
|
+
:internet_gateway_id,
|
3599
|
+
:current_internet_gateway_route_table,
|
3600
|
+
:internet_gateway_routes)
|
3601
|
+
SENSITIVE = []
|
3602
|
+
include Aws::Structure
|
3603
|
+
end
|
3604
|
+
|
3093
3605
|
# Remediation option for the rule specified in the `ViolationTarget`.
|
3094
3606
|
#
|
3095
3607
|
# @!attribute [rw] remediation_action_type
|
@@ -3169,8 +3681,16 @@ module Aws::FMS
|
|
3169
3681
|
# data as a hash:
|
3170
3682
|
#
|
3171
3683
|
# {
|
3172
|
-
# type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
|
3684
|
+
# type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
|
3173
3685
|
# managed_service_data: "ManagedServiceData",
|
3686
|
+
# policy_option: {
|
3687
|
+
# network_firewall_policy: {
|
3688
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
3689
|
+
# },
|
3690
|
+
# third_party_firewall_policy: {
|
3691
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
3692
|
+
# },
|
3693
|
+
# },
|
3174
3694
|
# }
|
3175
3695
|
#
|
3176
3696
|
# @!attribute [rw] type
|
@@ -3197,11 +3717,162 @@ module Aws::FMS
|
|
3197
3717
|
#
|
3198
3718
|
# </note>
|
3199
3719
|
#
|
3200
|
-
# * Example: `
|
3720
|
+
# * Example: `DNS_FIREWALL`
|
3721
|
+
#
|
3722
|
+
# `"\{"type":"DNS_FIREWALL","preProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-1","priority":10\}],"postProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-2","priority":9911\}]\}"`
|
3723
|
+
#
|
3724
|
+
# <note markdown="1"> Valid values for `preProcessRuleGroups` are between 1 and 99.
|
3725
|
+
# Valid values for `postProcessRuleGroups` are between 9901 and
|
3726
|
+
# 10000.
|
3727
|
+
#
|
3728
|
+
# </note>
|
3729
|
+
#
|
3730
|
+
# * Example: `NETWORK_FIREWALL` - Distributed deployment model with
|
3731
|
+
# automatic Availability Zone configuration. With automatic
|
3732
|
+
# Availbility Zone configuration, Firewall Manager chooses which
|
3733
|
+
# Availability Zones to create the endpoints in.
|
3734
|
+
#
|
3735
|
+
# `"\{ "type": "NETWORK_FIREWALL",
|
3736
|
+
# "networkFirewallStatelessRuleGroupReferences": [ \{
|
3737
|
+
# "resourceARN":
|
3738
|
+
# "arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test",
|
3739
|
+
# "priority": 1 \} ], "networkFirewallStatelessDefaultActions":
|
3740
|
+
# [ "aws:forward_to_sfe", "customActionName" ],
|
3741
|
+
# "networkFirewallStatelessFragmentDefaultActions": [
|
3742
|
+
# "aws:forward_to_sfe", "customActionName" ],
|
3743
|
+
# "networkFirewallStatelessCustomActions": [ \{ "actionName":
|
3744
|
+
# "customActionName", "actionDefinition": \{
|
3745
|
+
# "publishMetricAction": \{ "dimensions": [ \{ "value":
|
3746
|
+
# "metricdimensionvalue" \} ] \} \} \} ],
|
3747
|
+
# "networkFirewallStatefulRuleGroupReferences": [ \{
|
3748
|
+
# "resourceARN":
|
3749
|
+
# "arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
|
3750
|
+
# \} ], "networkFirewallOrchestrationConfig": \{
|
3751
|
+
# "singleFirewallEndpointPerVPC": false, "allowedIPV4CidrList":
|
3752
|
+
# [ "10.0.0.0/28", "192.168.0.0/28" ],
|
3753
|
+
# "routeManagementAction": "OFF" \},
|
3754
|
+
# "networkFirewallLoggingConfiguration": \{
|
3755
|
+
# "logDestinationConfigs": [ \{ "logDestinationType": "S3",
|
3756
|
+
# "logType": "ALERT", "logDestination": \{ "bucketName":
|
3757
|
+
# "s3-bucket-name" \} \}, \{ "logDestinationType": "S3",
|
3758
|
+
# "logType": "FLOW", "logDestination": \{ "bucketName":
|
3759
|
+
# "s3-bucket-name" \} \} ], "overrideExistingConfig": true \}
|
3760
|
+
# \}"`
|
3201
3761
|
#
|
3202
|
-
#
|
3762
|
+
# To use the distributed deployment model, you must set
|
3763
|
+
# [PolicyOption][1] to `NULL`.
|
3764
|
+
#
|
3765
|
+
# * Example: `NETWORK_FIREWALL` - Distributed deployment model with
|
3766
|
+
# automatic Availability Zone configuration, and route management.
|
3767
|
+
#
|
3768
|
+
# `"\{ "type": "NETWORK_FIREWALL",
|
3769
|
+
# "networkFirewallStatelessRuleGroupReferences": [ \{
|
3770
|
+
# "resourceARN":
|
3771
|
+
# "arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test",
|
3772
|
+
# "priority": 1 \} ], "networkFirewallStatelessDefaultActions":
|
3773
|
+
# [ "aws:forward_to_sfe", "customActionName" ],
|
3774
|
+
# "networkFirewallStatelessFragmentDefaultActions": [
|
3775
|
+
# "aws:forward_to_sfe", "customActionName" ],
|
3776
|
+
# "networkFirewallStatelessCustomActions": [ \{ "actionName":
|
3777
|
+
# "customActionName", "actionDefinition": \{
|
3778
|
+
# "publishMetricAction": \{ "dimensions": [ \{ "value":
|
3779
|
+
# "metricdimensionvalue" \} ] \} \} \} ],
|
3780
|
+
# "networkFirewallStatefulRuleGroupReferences": [ \{
|
3781
|
+
# "resourceARN":
|
3782
|
+
# "arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
|
3783
|
+
# \} ], "networkFirewallOrchestrationConfig": \{
|
3784
|
+
# "singleFirewallEndpointPerVPC": false, "allowedIPV4CidrList":
|
3785
|
+
# [ "10.0.0.0/28", "192.168.0.0/28" ],
|
3786
|
+
# "routeManagementAction": "MONITOR",
|
3787
|
+
# "routeManagementTargetTypes": [ "InternetGateway" ] \},
|
3788
|
+
# "networkFirewallLoggingConfiguration": \{
|
3789
|
+
# "logDestinationConfigs": [ \{ "logDestinationType": "S3",
|
3790
|
+
# "logType": "ALERT", "logDestination": \{ "bucketName":
|
3791
|
+
# "s3-bucket-name" \} \}, \{ "logDestinationType": "S3",
|
3792
|
+
# "logType": "FLOW", "logDestination": \{ "bucketName":
|
3793
|
+
# "s3-bucket-name" \} \} ], "overrideExistingConfig": true \}
|
3203
3794
|
# \}"`
|
3204
3795
|
#
|
3796
|
+
# * Example: `NETWORK_FIREWALL` - Distributed deployment model with
|
3797
|
+
# custom Availability Zone configuration. With custom Availability
|
3798
|
+
# Zone configuration, you define which specific Availability Zones
|
3799
|
+
# to create endpoints in by configuring `firewallCreationConfig`.
|
3800
|
+
#
|
3801
|
+
# `"\{
|
3802
|
+
# "type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],
|
3803
|
+
# "networkFirewallStatelessDefaultActions":[
|
3804
|
+
# "aws:forward_to_sfe", "customActionName" ],
|
3805
|
+
# "networkFirewallStatelessFragmentDefaultActions":[
|
3806
|
+
# "aws:forward_to_sfe", "fragmentcustomactionname" ],
|
3807
|
+
# "networkFirewallStatelessCustomActions":[ \{
|
3808
|
+
# "actionName":"customActionName", "actionDefinition":\{
|
3809
|
+
# "publishMetricAction":\{ "dimensions":[ \{
|
3810
|
+
# "value":"metricdimensionvalue" \} ] \} \} \}, \{
|
3811
|
+
# "actionName":"fragmentcustomactionname",
|
3812
|
+
# "actionDefinition":\{ "publishMetricAction":\{
|
3813
|
+
# "dimensions":[ \{ "value":"fragmentmetricdimensionvalue" \}
|
3814
|
+
# ] \} \} \} ], "networkFirewallStatefulRuleGroupReferences":[ \{
|
3815
|
+
# "resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
|
3816
|
+
# \} ], "networkFirewallOrchestrationConfig":\{
|
3817
|
+
# "firewallCreationConfig":\{ "endpointLocation":\{
|
3818
|
+
# "availabilityZoneConfigList":[ \{ "availabilityZoneId":null,
|
3819
|
+
# "availabilityZoneName":"us-east-1a", "allowedIPV4CidrList":[
|
3820
|
+
# "10.0.0.0/28" ] \}, \{ ¯"availabilityZoneId":null,
|
3821
|
+
# "availabilityZoneName":"us-east-1b", "allowedIPV4CidrList":[
|
3822
|
+
# "10.0.0.0/28" ] \} ] \} \},
|
3823
|
+
# "singleFirewallEndpointPerVPC":false,
|
3824
|
+
# "allowedIPV4CidrList":null, "routeManagementAction":"OFF",
|
3825
|
+
# "networkFirewallLoggingConfiguration":\{
|
3826
|
+
# "logDestinationConfigs":[ \{ "logDestinationType":"S3",
|
3827
|
+
# "logType":"ALERT", "logDestination":\{
|
3828
|
+
# "bucketName":"s3-bucket-name" \} \}, \{
|
3829
|
+
# "logDestinationType":"S3", "logType":"FLOW",
|
3830
|
+
# "logDestination":\{ "bucketName":"s3-bucket-name" \} \} ],
|
3831
|
+
# "overrideExistingConfig":boolean \} \}"`
|
3832
|
+
#
|
3833
|
+
# * Example: `NETWORK_FIREWALL` - Distributed deployment model with
|
3834
|
+
# custom Availability Zone configuration, and route management.
|
3835
|
+
#
|
3836
|
+
# `"\{
|
3837
|
+
# "type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],
|
3838
|
+
# "networkFirewallStatelessDefaultActions":[
|
3839
|
+
# "aws:forward_to_sfe", "customActionName" ],
|
3840
|
+
# "networkFirewallStatelessFragmentDefaultActions":[
|
3841
|
+
# "aws:forward_to_sfe", "fragmentcustomactionname" ],
|
3842
|
+
# "networkFirewallStatelessCustomActions":[ \{
|
3843
|
+
# "actionName":"customActionName", "actionDefinition":\{
|
3844
|
+
# "publishMetricAction":\{ "dimensions":[ \{
|
3845
|
+
# "value":"metricdimensionvalue" \} ] \} \} \}, \{
|
3846
|
+
# "actionName":"fragmentcustomactionname",
|
3847
|
+
# "actionDefinition":\{ "publishMetricAction":\{
|
3848
|
+
# "dimensions":[ \{ "value":"fragmentmetricdimensionvalue" \}
|
3849
|
+
# ] \} \} \} ], "networkFirewallStatefulRuleGroupReferences":[ \{
|
3850
|
+
# "resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
|
3851
|
+
# \} ], "networkFirewallOrchestrationConfig":\{
|
3852
|
+
# "firewallCreationConfig":\{ "endpointLocation":\{
|
3853
|
+
# "availabilityZoneConfigList":[ \{ "availabilityZoneId":null,
|
3854
|
+
# "availabilityZoneName":"us-east-1a", "allowedIPV4CidrList":[
|
3855
|
+
# "10.0.0.0/28" ] \}, \{ ¯"availabilityZoneId":null,
|
3856
|
+
# "availabilityZoneName":"us-east-1b", "allowedIPV4CidrList":[
|
3857
|
+
# "10.0.0.0/28" ] \} ] \} \},
|
3858
|
+
# "singleFirewallEndpointPerVPC":false,
|
3859
|
+
# "allowedIPV4CidrList":null,
|
3860
|
+
# "routeManagementAction":"MONITOR",
|
3861
|
+
# "routeManagementTargetTypes":[ "InternetGateway" ],
|
3862
|
+
# "routeManagementConfig":\{
|
3863
|
+
# "allowCrossAZTrafficIfNoEndpoint":true \} \},
|
3864
|
+
# "networkFirewallLoggingConfiguration":\{
|
3865
|
+
# "logDestinationConfigs":[ \{ "logDestinationType":"S3",
|
3866
|
+
# "logType":"ALERT", "logDestination":\{
|
3867
|
+
# "bucketName":"s3-bucket-name" \} \}, \{
|
3868
|
+
# "logDestinationType":"S3", "logType":"FLOW",
|
3869
|
+
# "logDestination":\{ "bucketName":"s3-bucket-name" \} \} ],
|
3870
|
+
# "overrideExistingConfig":boolean \} \}"`
|
3871
|
+
#
|
3872
|
+
# * Example: `PARTNER_FIREWALL` for Firewall Manager
|
3873
|
+
#
|
3874
|
+
# `"\{"type":"THIRD_PARTY_FIREWALL","thirdPartyrFirewall":"PALO_ALTO_NETWORKS_CLOUD_NGFW","thirdPartyFirewallConfig":\{"thirdPartyFirewallPolicyList":["global-123456789012-1"],"networkFirewallLoggingConfiguration":null\},"firewallDeploymentModel":\{"distributedFirewallDeploymentModel":\{"distributedFirewallOrchestrationConfig":\{"firewallCreationConfig":\{"endpointLocation":\{"availabilityZoneConfigList":[\{"availabilityZoneId":null,"availabilityZoneName":"us-east-1a","allowedIPV4CidrList":["10.0.1.0/28"]\}]\}\},"allowedIPV4CidrList":null\},"distributedRouteManagementConfig":null\},"centralizedFirewallDeploymentModel":null\}\}""`
|
3875
|
+
#
|
3205
3876
|
# * Specification for `SHIELD_ADVANCED` for Amazon CloudFront
|
3206
3877
|
# distributions
|
3207
3878
|
#
|
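Review bot: The sample `managed_service_data` strings added here would not work if pasted as written: the `THIRD_PARTY_FIREWALL` sample (new line 3874) spells its vendor key `thirdPartyrFirewall` and ends in a doubled `""`, and both custom-Availability-Zone samples carry a stray `¯` before `"availabilityZoneId"` (new lines 3820 and 3855) and the non-JSON placeholder `"overrideExistingConfig":boolean` (3831, 3870). Because this string defines the rule groups, allowed CIDRs and logging of a firewall policy, a sample that fails to parse or carries an unrecognised key is worth fixing at the source; I would write the key as `"thirdPartyFirewall"` (inferred from `thirdPartyFirewallConfig` beside it, confirm against the service model), drop the `¯` characters and the extra quote, and use `true` for the placeholder. The bullet at 3872 is headed `PARTNER_FIREWALL` while the sample's `type` is `THIRD_PARTY_FIREWALL`, and 3732 has `Availbility`. The comment block these lines belong to starts and ends outside the hunk.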
@@ -3240,6 +3911,18 @@ module Aws::FMS
|
|
3240
3911
|
# "overrideAction" : \{"type": "COUNT"\}\}],
|
3241
3912
|
# "defaultAction": \{"type": "BLOCK"\}\}"`
|
3242
3913
|
#
|
3914
|
+
# * Example: `WAFV2` - Firewall Manager support for WAF managed rule
|
3915
|
+
# group versioning
|
3916
|
+
#
|
3917
|
+
# `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":true,"version":"Version_2.0","vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesCommonRuleSet"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
|
3918
|
+
#
|
3919
|
+
# To use a specific version of a WAF managed rule group in your
|
3920
|
+
# Firewall Manager policy, you must set `versionEnabled` to `true`,
|
3921
|
+
# and set `version` to the version you'd like to use. If you don't
|
3922
|
+
# set `versionEnabled` to `true`, or if you omit `versionEnabled`,
|
3923
|
+
# then Firewall Manager uses the default version of the WAF managed
|
3924
|
+
# rule group.
|
3925
|
+
#
|
3243
3926
|
# * Example: `SECURITY_GROUPS_COMMON`
|
3244
3927
|
#
|
3245
3928
|
# `"\{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":false,"exclusiveResourceSecurityGroupManagement":false,
|
@@ -3267,13 +3950,23 @@ module Aws::FMS
|
|
3267
3950
|
# * Example: `SECURITY_GROUPS_USAGE_AUDIT`
|
3268
3951
|
#
|
3269
3952
|
# `"\{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true\}"`
|
3953
|
+
#
|
3954
|
+
#
|
3955
|
+
#
|
3956
|
+
# [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
|
3270
3957
|
# @return [String]
|
3271
3958
|
#
|
3959
|
+
# @!attribute [rw] policy_option
|
3960
|
+
# Contains the Network Firewall firewall policy options to configure a
|
3961
|
+
# centralized deployment model.
|
3962
|
+
# @return [Types::PolicyOption]
|
3963
|
+
#
|
3272
3964
|
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/SecurityServicePolicyData AWS API Documentation
|
3273
3965
|
#
|
3274
3966
|
class SecurityServicePolicyData < Struct.new(
|
3275
3967
|
:type,
|
3276
|
-
:managed_service_data
|
3968
|
+
:managed_service_data,
|
3969
|
+
:policy_option)
|
3277
3970
|
SENSITIVE = []
|
3278
3971
|
include Aws::Structure
|
3279
3972
|
end
|
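Review bot: The description added for `policy_option` (new lines 3960–3961) is narrower than what the same section documents elsewhere: the request hash at new lines 3686–3693 shows `policy_option` holding both `network_firewall_policy` and `third_party_firewall_policy`, each accepting `CENTRALIZED` or `DISTRIBUTED`. I would reword it to something like `# Contains the Network Firewall and third-party firewall policy options that set the deployment model.`, and state how it relates to the note at 3762–3763 that `PolicyOption` must be `NULL` for the distributed model, since the two statements are hard to reconcile as written. Appending `:policy_option` as the last `Struct` member keeps existing positional construction of `SecurityServicePolicyData` valid.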
@@ -3397,6 +4090,153 @@ module Aws::FMS
|
|
3397
4090
|
#
|
3398
4091
|
class TagResourceResponse < Aws::EmptyStructure; end
|
3399
4092
|
|
4093
|
+
# Configures the firewall policy deployment model for a third-party
|
4094
|
+
# firewall. The deployment model can either be distributed or
|
4095
|
+
# centralized.
|
4096
|
+
#
|
4097
|
+
# @!attribute [rw] firewall_policy_id
|
4098
|
+
# The ID of the specified firewall policy.
|
4099
|
+
# @return [String]
|
4100
|
+
#
|
4101
|
+
# @!attribute [rw] firewall_policy_name
|
4102
|
+
# The name of the specified firewall policy.
|
4103
|
+
# @return [String]
|
4104
|
+
#
|
4105
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallFirewallPolicy AWS API Documentation
|
4106
|
+
#
|
4107
|
+
class ThirdPartyFirewallFirewallPolicy < Struct.new(
|
4108
|
+
:firewall_policy_id,
|
4109
|
+
:firewall_policy_name)
|
4110
|
+
SENSITIVE = []
|
4111
|
+
include Aws::Structure
|
4112
|
+
end
|
4113
|
+
|
4114
|
+
# The violation details for a third-party firewall that's not
|
4115
|
+
# associated with an Firewall Manager managed route table.
|
4116
|
+
#
|
4117
|
+
# @!attribute [rw] violation_target
|
4118
|
+
# The ID of the third-party firewall or VPC resource that's causing
|
4119
|
+
# the violation.
|
4120
|
+
# @return [String]
|
4121
|
+
#
|
4122
|
+
# @!attribute [rw] vpc
|
4123
|
+
# The resource ID of the VPC associated with a fireawll subnet that's
|
4124
|
+
# causing the violation.
|
4125
|
+
# @return [String]
|
4126
|
+
#
|
4127
|
+
# @!attribute [rw] availability_zone
|
4128
|
+
# The Availability Zone of the firewall subnet that's causing the
|
4129
|
+
# violation.
|
4130
|
+
# @return [String]
|
4131
|
+
#
|
4132
|
+
# @!attribute [rw] current_route_table
|
4133
|
+
# The resource ID of the current route table that's associated with
|
4134
|
+
# the subnet, if one is available.
|
4135
|
+
# @return [String]
|
4136
|
+
#
|
4137
|
+
# @!attribute [rw] expected_route_table
|
4138
|
+
# The resource ID of the route table that should be associated with
|
4139
|
+
# the subnet.
|
4140
|
+
# @return [String]
|
4141
|
+
#
|
4142
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallMissingExpectedRouteTableViolation AWS API Documentation
|
4143
|
+
#
|
4144
|
+
class ThirdPartyFirewallMissingExpectedRouteTableViolation < Struct.new(
|
4145
|
+
:violation_target,
|
4146
|
+
:vpc,
|
4147
|
+
:availability_zone,
|
4148
|
+
:current_route_table,
|
4149
|
+
:expected_route_table)
|
4150
|
+
SENSITIVE = []
|
4151
|
+
include Aws::Structure
|
4152
|
+
end
|
4153
|
+
|
4154
|
+
# The violation details about a third-party firewall's subnet that
|
4155
|
+
# doesn't have a Firewall Manager managed firewall in its VPC.
|
4156
|
+
#
|
4157
|
+
# @!attribute [rw] violation_target
|
4158
|
+
# The ID of the third-party firewall that's causing the violation.
|
4159
|
+
# @return [String]
|
4160
|
+
#
|
4161
|
+
# @!attribute [rw] vpc
|
4162
|
+
# The resource ID of the VPC associated with a third-party firewall.
|
4163
|
+
# @return [String]
|
4164
|
+
#
|
4165
|
+
# @!attribute [rw] availability_zone
|
4166
|
+
# The Availability Zone of the third-party firewall that's causing
|
4167
|
+
# the violation.
|
4168
|
+
# @return [String]
|
4169
|
+
#
|
4170
|
+
# @!attribute [rw] target_violation_reason
|
4171
|
+
# The reason the resource is causing this violation, if a reason is
|
4172
|
+
# available.
|
4173
|
+
# @return [String]
|
4174
|
+
#
|
4175
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallMissingFirewallViolation AWS API Documentation
|
4176
|
+
#
|
4177
|
+
class ThirdPartyFirewallMissingFirewallViolation < Struct.new(
|
4178
|
+
:violation_target,
|
4179
|
+
:vpc,
|
4180
|
+
:availability_zone,
|
4181
|
+
:target_violation_reason)
|
4182
|
+
SENSITIVE = []
|
4183
|
+
include Aws::Structure
|
4184
|
+
end
|
4185
|
+
|
4186
|
+
# The violation details for a third-party firewall for an Availability
|
4187
|
+
# Zone that's missing the Firewall Manager managed subnet.
|
4188
|
+
#
|
4189
|
+
# @!attribute [rw] violation_target
|
4190
|
+
# The ID of the third-party firewall or VPC resource that's causing
|
4191
|
+
# the violation.
|
4192
|
+
# @return [String]
|
4193
|
+
#
|
4194
|
+
# @!attribute [rw] vpc
|
4195
|
+
# The resource ID of the VPC associated with a subnet that's causing
|
4196
|
+
# the violation.
|
4197
|
+
# @return [String]
|
4198
|
+
#
|
4199
|
+
# @!attribute [rw] availability_zone
|
4200
|
+
# The Availability Zone of a subnet that's causing the violation.
|
4201
|
+
# @return [String]
|
4202
|
+
#
|
4203
|
+
# @!attribute [rw] target_violation_reason
|
4204
|
+
# The reason the resource is causing the violation, if a reason is
|
4205
|
+
# available.
|
4206
|
+
# @return [String]
|
4207
|
+
#
|
4208
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallMissingSubnetViolation AWS API Documentation
|
4209
|
+
#
|
4210
|
+
class ThirdPartyFirewallMissingSubnetViolation < Struct.new(
|
4211
|
+
:violation_target,
|
4212
|
+
:vpc,
|
4213
|
+
:availability_zone,
|
4214
|
+
:target_violation_reason)
|
4215
|
+
SENSITIVE = []
|
4216
|
+
include Aws::Structure
|
4217
|
+
end
|
4218
|
+
|
4219
|
+
# Configures the policy for the third-party firewall.
|
4220
|
+
#
|
4221
|
+
# @note When making an API call, you may pass ThirdPartyFirewallPolicy
|
4222
|
+
# data as a hash:
|
4223
|
+
#
|
4224
|
+
# {
|
4225
|
+
# firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
|
4226
|
+
# }
|
4227
|
+
#
|
4228
|
+
# @!attribute [rw] firewall_deployment_model
|
4229
|
+
# Defines the deployment model to use for the third-party firewall.
|
4230
|
+
# @return [String]
|
4231
|
+
#
|
4232
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallPolicy AWS API Documentation
|
4233
|
+
#
|
4234
|
+
class ThirdPartyFirewallPolicy < Struct.new(
|
4235
|
+
:firewall_deployment_model)
|
4236
|
+
SENSITIVE = []
|
4237
|
+
include Aws::Structure
|
4238
|
+
end
|
4239
|
+
|
3400
4240
|
# @note When making an API call, you may pass UntagResourceRequest
|
3401
4241
|
# data as a hash:
|
3402
4242
|
#
|
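Review bot: The class comment on `ThirdPartyFirewallFirewallPolicy` (new lines 4093–4095) describes configuring a deployment model, yet the struct only carries `firewall_policy_id` and `firewall_policy_name`; the wording reads as if it was meant for `ThirdPartyFirewallPolicy` at 4219, which is the type that holds `firewall_deployment_model`. I would replace it with `# Identifies a third-party firewall's firewall policy by ID and name.` (my reading of the two members, to be confirmed against the service model). Two typos in the violation docs are also worth fixing: `fireawll` at 4123 and `an Firewall Manager` at 4115.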