aws-sdk-fms 1.51.0 → 1.53.0

@@ -320,6 +320,98 @@ module Aws::FMS
320
320
  include Aws::Structure
321
321
  end
322
322
 
323
+ # @note When making an API call, you may pass BatchAssociateResourceRequest
324
+ # data as a hash:
325
+ #
326
+ # {
327
+ # resource_set_identifier: "Identifier", # required
328
+ # items: ["Identifier"], # required
329
+ # }
330
+ #
331
+ # @!attribute [rw] resource_set_identifier
332
+ # A unique identifier for the resource set, used in a TODO to refer to
333
+ # the resource set.
334
+ # @return [String]
335
+ #
336
+ # @!attribute [rw] items
337
+ # The uniform resource identifiers (URIs) of resources that should be
338
+ # associated to the resource set. The URIs must be Amazon Resource
339
+ # Names (ARNs).
340
+ # @return [Array<String>]
341
+ #
342
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/BatchAssociateResourceRequest AWS API Documentation
343
+ #
344
+ class BatchAssociateResourceRequest < Struct.new(
345
+ :resource_set_identifier,
346
+ :items)
347
+ SENSITIVE = []
348
+ include Aws::Structure
349
+ end
350
+
351
+ # @!attribute [rw] resource_set_identifier
352
+ # A unique identifier for the resource set, used in a TODO to refer to
353
+ # the resource set.
354
+ # @return [String]
355
+ #
356
+ # @!attribute [rw] failed_items
357
+ # The resources that failed to associate to the resource set.
358
+ # @return [Array<Types::FailedItem>]
359
+ #
360
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/BatchAssociateResourceResponse AWS API Documentation
361
+ #
362
+ class BatchAssociateResourceResponse < Struct.new(
363
+ :resource_set_identifier,
364
+ :failed_items)
365
+ SENSITIVE = []
366
+ include Aws::Structure
367
+ end
368
+
369
+ # @note When making an API call, you may pass BatchDisassociateResourceRequest
370
+ # data as a hash:
371
+ #
372
+ # {
373
+ # resource_set_identifier: "Identifier", # required
374
+ # items: ["Identifier"], # required
375
+ # }
376
+ #
377
+ # @!attribute [rw] resource_set_identifier
378
+ # A unique identifier for the resource set, used in a TODO to refer to
379
+ # the resource set.
380
+ # @return [String]
381
+ #
382
+ # @!attribute [rw] items
383
+ # The uniform resource identifiers (URI) of resources that should be
384
+ # disassociated from the resource set. The URIs must be Amazon
385
+ # Resource Names (ARNs).
386
+ # @return [Array<String>]
387
+ #
388
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/BatchDisassociateResourceRequest AWS API Documentation
389
+ #
390
+ class BatchDisassociateResourceRequest < Struct.new(
391
+ :resource_set_identifier,
392
+ :items)
393
+ SENSITIVE = []
394
+ include Aws::Structure
395
+ end
396
+
397
+ # @!attribute [rw] resource_set_identifier
398
+ # A unique identifier for the resource set, used in a TODO to refer to
399
+ # the resource set.
400
+ # @return [String]
401
+ #
402
+ # @!attribute [rw] failed_items
403
+ # The resources that failed to disassociate from the resource set.
404
+ # @return [Array<Types::FailedItem>]
405
+ #
406
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/BatchDisassociateResourceResponse AWS API Documentation
407
+ #
408
+ class BatchDisassociateResourceResponse < Struct.new(
409
+ :resource_set_identifier,
410
+ :failed_items)
411
+ SENSITIVE = []
412
+ include Aws::Structure
413
+ end
414
+
323
415
  # Details of the resource that is not protected by the policy.
324
416
  #
325
417
  # @!attribute [rw] resource_id
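Review bot: The `resource_set_identifier` description on `BatchAssociateResourceRequest` ships an unfinished placeholder, "used in a TODO to refer to the resource set", into the published docs. The same sentence is repeated on the three other Batch* classes in this hunk and on `identifier` in the later `DeleteResourceSetRequest`, `GetResourceSetRequest` and `ListResourceSetResourcesRequest` hunks. I would replace it with `# A unique identifier for the resource set, used in a request to refer to the resource set.` These comments look generated from the service model, so the wording probably has to be fixed there rather than in this file. The `items` text also alternates between "(URIs)" and "(URI)" for the same field on the associate and disassociate requests.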
@@ -460,6 +552,26 @@ module Aws::FMS
460
552
  include Aws::Structure
461
553
  end
462
554
 
555
+ # @note When making an API call, you may pass DeleteResourceSetRequest
556
+ # data as a hash:
557
+ #
558
+ # {
559
+ # identifier: "Base62Id", # required
560
+ # }
561
+ #
562
+ # @!attribute [rw] identifier
563
+ # A unique identifier for the resource set, used in a TODO to refer to
564
+ # the resource set.
565
+ # @return [String]
566
+ #
567
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DeleteResourceSetRequest AWS API Documentation
568
+ #
569
+ class DeleteResourceSetRequest < Struct.new(
570
+ :identifier)
571
+ SENSITIVE = []
572
+ include Aws::Structure
573
+ end
574
+
463
575
  # @api private
464
576
  #
465
577
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DisassociateAdminAccountRequest AWS API Documentation
@@ -498,6 +610,37 @@ module Aws::FMS
498
610
  include Aws::Structure
499
611
  end
500
612
 
613
+ # A resource in the organization that's available to be associated with
614
+ # a Firewall Manager resource set.
615
+ #
616
+ # @!attribute [rw] uri
617
+ # The universal resource identifier (URI) of the discovered resource.
618
+ # @return [String]
619
+ #
620
+ # @!attribute [rw] account_id
621
+ # The Amazon Web Services account ID associated with the discovered
622
+ # resource.
623
+ # @return [String]
624
+ #
625
+ # @!attribute [rw] type
626
+ # The type of the discovered resource.
627
+ # @return [String]
628
+ #
629
+ # @!attribute [rw] name
630
+ # The name of the discovered resource.
631
+ # @return [String]
632
+ #
633
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DiscoveredResource AWS API Documentation
634
+ #
635
+ class DiscoveredResource < Struct.new(
636
+ :uri,
637
+ :account_id,
638
+ :type,
639
+ :name)
640
+ SENSITIVE = []
641
+ include Aws::Structure
642
+ end
643
+
501
644
  # A DNS Firewall rule group that Firewall Manager tried to associate
502
645
  # with a VPC is already associated with the VPC and can't be associated
503
646
  # again.
@@ -925,6 +1068,26 @@ module Aws::FMS
925
1068
  include Aws::Structure
926
1069
  end
927
1070
 
1071
+ # Details of a resource that failed when trying to update it's
1072
+ # association to a resource set.
1073
+ #
1074
+ # @!attribute [rw] uri
1075
+ # The univeral resource indicator (URI) of the resource that failed.
1076
+ # @return [String]
1077
+ #
1078
+ # @!attribute [rw] reason
1079
+ # The reason the resource's association could not be updated.
1080
+ # @return [String]
1081
+ #
1082
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FailedItem AWS API Documentation
1083
+ #
1084
+ class FailedItem < Struct.new(
1085
+ :uri,
1086
+ :reason)
1087
+ SENSITIVE = []
1088
+ include Aws::Structure
1089
+ end
1090
+
928
1091
  # Contains details about the firewall subnet that violates the policy
929
1092
  # scope.
930
1093
  #
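Review bot: The `FailedItem` comments contain two typos, "update it's association" and "univeral resource indicator", and the second also disagrees with the "uniform resource identifiers (URIs)" wording used for the batch request `items`. Suggested lines: `# Details of a resource that failed when trying to update its` and `# The uniform resource identifier (URI) of the resource that failed.` `DiscoveredResource#uri` and `Resource#uri` in other hunks say "universal resource identifier" and "universal resource indicator" and would benefit from the same term. It may also be worth stating here that the batch calls report per-item failures through `failed_items`, presumably without raising, so a caller that ignores the list can assume a resource is in the set when it is not.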
@@ -1323,6 +1486,43 @@ module Aws::FMS
1323
1486
  include Aws::Structure
1324
1487
  end
1325
1488
 
1489
+ # @note When making an API call, you may pass GetResourceSetRequest
1490
+ # data as a hash:
1491
+ #
1492
+ # {
1493
+ # identifier: "Base62Id", # required
1494
+ # }
1495
+ #
1496
+ # @!attribute [rw] identifier
1497
+ # A unique identifier for the resource set, used in a TODO to refer to
1498
+ # the resource set.
1499
+ # @return [String]
1500
+ #
1501
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetResourceSetRequest AWS API Documentation
1502
+ #
1503
+ class GetResourceSetRequest < Struct.new(
1504
+ :identifier)
1505
+ SENSITIVE = []
1506
+ include Aws::Structure
1507
+ end
1508
+
1509
+ # @!attribute [rw] resource_set
1510
+ # Information about the specified resource set.
1511
+ # @return [Types::ResourceSet]
1512
+ #
1513
+ # @!attribute [rw] resource_set_arn
1514
+ # The Amazon Resource Name (ARN) of the resource set.
1515
+ # @return [String]
1516
+ #
1517
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetResourceSetResponse AWS API Documentation
1518
+ #
1519
+ class GetResourceSetResponse < Struct.new(
1520
+ :resource_set,
1521
+ :resource_set_arn)
1522
+ SENSITIVE = []
1523
+ include Aws::Structure
1524
+ end
1525
+
1326
1526
  # @note When making an API call, you may pass GetThirdPartyFirewallAssociationStatusRequest
1327
1527
  # data as a hash:
1328
1528
  #
@@ -1653,6 +1853,73 @@ module Aws::FMS
1653
1853
  include Aws::Structure
1654
1854
  end
1655
1855
 
1856
+ # @note When making an API call, you may pass ListDiscoveredResourcesRequest
1857
+ # data as a hash:
1858
+ #
1859
+ # {
1860
+ # member_account_ids: ["AWSAccountId"], # required
1861
+ # resource_type: "ResourceType", # required
1862
+ # max_results: 1,
1863
+ # next_token: "PaginationToken",
1864
+ # }
1865
+ #
1866
+ # @!attribute [rw] member_account_ids
1867
+ # The Amazon Web Services account IDs to discover resources in. Only
1868
+ # one account is supported per request. The account must be a member
1869
+ # of your organization.
1870
+ # @return [Array<String>]
1871
+ #
1872
+ # @!attribute [rw] resource_type
1873
+ # The type of resources to discover.
1874
+ # @return [String]
1875
+ #
1876
+ # @!attribute [rw] max_results
1877
+ # The maximum number of objects that you want Firewall Manager to
1878
+ # return for this request. If more objects are available, in the
1879
+ # response, Firewall Manager provides a `NextToken` value that you can
1880
+ # use in a subsequent call to get the next batch of objects.
1881
+ # @return [Integer]
1882
+ #
1883
+ # @!attribute [rw] next_token
1884
+ # When you request a list of objects with a `MaxResults` setting, if
1885
+ # the number of objects that are still available for retrieval exceeds
1886
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1887
+ # value in the response. To retrieve the next batch of objects, use
1888
+ # the token returned from the prior request in your next request.
1889
+ # @return [String]
1890
+ #
1891
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListDiscoveredResourcesRequest AWS API Documentation
1892
+ #
1893
+ class ListDiscoveredResourcesRequest < Struct.new(
1894
+ :member_account_ids,
1895
+ :resource_type,
1896
+ :max_results,
1897
+ :next_token)
1898
+ SENSITIVE = []
1899
+ include Aws::Structure
1900
+ end
1901
+
1902
+ # @!attribute [rw] items
1903
+ # Details of the resources that were discovered.
1904
+ # @return [Array<Types::DiscoveredResource>]
1905
+ #
1906
+ # @!attribute [rw] next_token
1907
+ # When you request a list of objects with a `MaxResults` setting, if
1908
+ # the number of objects that are still available for retrieval exceeds
1909
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1910
+ # value in the response. To retrieve the next batch of objects, use
1911
+ # the token returned from the prior request in your next request.
1912
+ # @return [String]
1913
+ #
1914
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListDiscoveredResourcesResponse AWS API Documentation
1915
+ #
1916
+ class ListDiscoveredResourcesResponse < Struct.new(
1917
+ :items,
1918
+ :next_token)
1919
+ SENSITIVE = []
1920
+ include Aws::Structure
1921
+ end
1922
+
1656
1923
  # @note When making an API call, you may pass ListMemberAccountsRequest
1657
1924
  # data as a hash:
1658
1925
  #
@@ -1827,6 +2094,120 @@ module Aws::FMS
1827
2094
  include Aws::Structure
1828
2095
  end
1829
2096
 
2097
+ # @note When making an API call, you may pass ListResourceSetResourcesRequest
2098
+ # data as a hash:
2099
+ #
2100
+ # {
2101
+ # identifier: "ResourceId", # required
2102
+ # max_results: 1,
2103
+ # next_token: "PaginationToken",
2104
+ # }
2105
+ #
2106
+ # @!attribute [rw] identifier
2107
+ # A unique identifier for the resource set, used in a TODO to refer to
2108
+ # the resource set.
2109
+ # @return [String]
2110
+ #
2111
+ # @!attribute [rw] max_results
2112
+ # The maximum number of objects that you want Firewall Manager to
2113
+ # return for this request. If more objects are available, in the
2114
+ # response, Firewall Manager provides a `NextToken` value that you can
2115
+ # use in a subsequent call to get the next batch of objects.
2116
+ # @return [Integer]
2117
+ #
2118
+ # @!attribute [rw] next_token
2119
+ # When you request a list of objects with a `MaxResults` setting, if
2120
+ # the number of objects that are still available for retrieval exceeds
2121
+ # the maximum you requested, Firewall Manager returns a `NextToken`
2122
+ # value in the response. To retrieve the next batch of objects, use
2123
+ # the token returned from the prior request in your next request.
2124
+ # @return [String]
2125
+ #
2126
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListResourceSetResourcesRequest AWS API Documentation
2127
+ #
2128
+ class ListResourceSetResourcesRequest < Struct.new(
2129
+ :identifier,
2130
+ :max_results,
2131
+ :next_token)
2132
+ SENSITIVE = []
2133
+ include Aws::Structure
2134
+ end
2135
+
2136
+ # @!attribute [rw] items
2137
+ # An array of the associated resources' uniform resource identifiers
2138
+ # (URI).
2139
+ # @return [Array<Types::Resource>]
2140
+ #
2141
+ # @!attribute [rw] next_token
2142
+ # When you request a list of objects with a `MaxResults` setting, if
2143
+ # the number of objects that are still available for retrieval exceeds
2144
+ # the maximum you requested, Firewall Manager returns a `NextToken`
2145
+ # value in the response. To retrieve the next batch of objects, use
2146
+ # the token returned from the prior request in your next request.
2147
+ # @return [String]
2148
+ #
2149
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListResourceSetResourcesResponse AWS API Documentation
2150
+ #
2151
+ class ListResourceSetResourcesResponse < Struct.new(
2152
+ :items,
2153
+ :next_token)
2154
+ SENSITIVE = []
2155
+ include Aws::Structure
2156
+ end
2157
+
2158
+ # @note When making an API call, you may pass ListResourceSetsRequest
2159
+ # data as a hash:
2160
+ #
2161
+ # {
2162
+ # next_token: "PaginationToken",
2163
+ # max_results: 1,
2164
+ # }
2165
+ #
2166
+ # @!attribute [rw] next_token
2167
+ # When you request a list of objects with a `MaxResults` setting, if
2168
+ # the number of objects that are still available for retrieval exceeds
2169
+ # the maximum you requested, Firewall Manager returns a `NextToken`
2170
+ # value in the response. To retrieve the next batch of objects, use
2171
+ # the token returned from the prior request in your next request.
2172
+ # @return [String]
2173
+ #
2174
+ # @!attribute [rw] max_results
2175
+ # The maximum number of objects that you want Firewall Manager to
2176
+ # return for this request. If more objects are available, in the
2177
+ # response, Firewall Manager provides a `NextToken` value that you can
2178
+ # use in a subsequent call to get the next batch of objects.
2179
+ # @return [Integer]
2180
+ #
2181
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListResourceSetsRequest AWS API Documentation
2182
+ #
2183
+ class ListResourceSetsRequest < Struct.new(
2184
+ :next_token,
2185
+ :max_results)
2186
+ SENSITIVE = []
2187
+ include Aws::Structure
2188
+ end
2189
+
2190
+ # @!attribute [rw] resource_sets
2191
+ # An array of `ResourceSetSummary` objects.
2192
+ # @return [Array<Types::ResourceSetSummary>]
2193
+ #
2194
+ # @!attribute [rw] next_token
2195
+ # When you request a list of objects with a `MaxResults` setting, if
2196
+ # the number of objects that are still available for retrieval exceeds
2197
+ # the maximum you requested, Firewall Manager returns a `NextToken`
2198
+ # value in the response. To retrieve the next batch of objects, use
2199
+ # the token returned from the prior request in your next request.
2200
+ # @return [String]
2201
+ #
2202
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListResourceSetsResponse AWS API Documentation
2203
+ #
2204
+ class ListResourceSetsResponse < Struct.new(
2205
+ :resource_sets,
2206
+ :next_token)
2207
+ SENSITIVE = []
2208
+ include Aws::Structure
2209
+ end
2210
+
1830
2211
  # @note When making an API call, you may pass ListTagsForResourceRequest
1831
2212
  # data as a hash:
1832
2213
  #
@@ -2382,6 +2763,22 @@ module Aws::FMS
2382
2763
  include Aws::Structure
2383
2764
  end
2384
2765
 
2766
+ # The setting that allows the policy owner to change the behavior of the
2767
+ # rule group within a policy.
2768
+ #
2769
+ # @!attribute [rw] action
2770
+ # The action that changes the rule group from `DROP` to `ALERT`. This
2771
+ # only applies to managed rule groups.
2772
+ # @return [String]
2773
+ #
2774
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallStatefulRuleGroupOverride AWS API Documentation
2775
+ #
2776
+ class NetworkFirewallStatefulRuleGroupOverride < Struct.new(
2777
+ :action)
2778
+ SENSITIVE = []
2779
+ include Aws::Structure
2780
+ end
2781
+
2385
2782
  # Violation detail for an unexpected route that's present in a route
2386
2783
  # table.
2387
2784
  #
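Review bot: The `action` comment on `NetworkFirewallStatefulRuleGroupOverride` neither lists the accepted value(s) nor spells out the security effect of setting it. As written, the override turns a managed rule group's `DROP` behaviour into `ALERT`, which by that description means matching traffic is reported rather than blocked. I would add a line such as `# Setting this stops the managed rule group from blocking traffic; matches are only alerted on.` (wording to be confirmed against the service documentation). The allowed string values should be documented the way the `type:` values are listed in the request examples elsewhere in this file.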
@@ -2478,7 +2875,7 @@ module Aws::FMS
2478
2875
  # policy_name: "ResourceName", # required
2479
2876
  # policy_update_token: "PolicyUpdateToken",
2480
2877
  # security_service_policy_data: { # required
2481
- # type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
2878
+ # type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL, IMPORT_NETWORK_FIREWALL
2482
2879
  # managed_service_data: "ManagedServiceData",
2483
2880
  # policy_option: {
2484
2881
  # network_firewall_policy: {
@@ -2506,6 +2903,8 @@ module Aws::FMS
2506
2903
  # exclude_map: {
2507
2904
  # "ACCOUNT" => ["CustomerPolicyScopeId"],
2508
2905
  # },
2906
+ # resource_set_ids: ["Base62Id"],
2907
+ # policy_description: "ResourceDescription",
2509
2908
  # }
2510
2909
  #
2511
2910
  # @!attribute [rw] policy_id
@@ -2650,6 +3049,14 @@ module Aws::FMS
2650
3049
  # “ouid112”]\}`.
2651
3050
  # @return [Hash<String,Array<String>>]
2652
3051
  #
3052
+ # @!attribute [rw] resource_set_ids
3053
+ # The unique identifiers of the resource sets used by the policy.
3054
+ # @return [Array<String>]
3055
+ #
3056
+ # @!attribute [rw] policy_description
3057
+ # The definition of the Network Firewall firewall policy.
3058
+ # @return [String]
3059
+ #
2653
3060
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/Policy AWS API Documentation
2654
3061
  #
2655
3062
  class Policy < Struct.new(
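Review bot: The new `policy_description` attribute is documented as "The definition of the Network Firewall firewall policy.", which does not match the request example added at new line 2907, `policy_description: "ResourceDescription"`, where it reads as a free-text description of the Firewall Manager policy. If that reading is right, the comment should be something like `# A description of the Firewall Manager policy.` so that nobody passes a firewall policy document in this field. The `Policy` class body continues outside this hunk.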
@@ -2664,7 +3071,9 @@ module Aws::FMS
2664
3071
  :remediation_enabled,
2665
3072
  :delete_unused_fm_managed_resources,
2666
3073
  :include_map,
2667
- :exclude_map)
3074
+ :exclude_map,
3075
+ :resource_set_ids,
3076
+ :policy_description)
2668
3077
  SENSITIVE = []
2669
3078
  include Aws::Structure
2670
3079
  end
@@ -3119,7 +3528,7 @@ module Aws::FMS
3119
3528
  # policy_name: "ResourceName", # required
3120
3529
  # policy_update_token: "PolicyUpdateToken",
3121
3530
  # security_service_policy_data: { # required
3122
- # type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
3531
+ # type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL, IMPORT_NETWORK_FIREWALL
3123
3532
  # managed_service_data: "ManagedServiceData",
3124
3533
  # policy_option: {
3125
3534
  # network_firewall_policy: {
@@ -3147,6 +3556,8 @@ module Aws::FMS
3147
3556
  # exclude_map: {
3148
3557
  # "ACCOUNT" => ["CustomerPolicyScopeId"],
3149
3558
  # },
3559
+ # resource_set_ids: ["Base62Id"],
3560
+ # policy_description: "ResourceDescription",
3150
3561
  # },
3151
3562
  # tag_list: [
3152
3563
  # {
@@ -3247,6 +3658,65 @@ module Aws::FMS
3247
3658
  include Aws::Structure
3248
3659
  end
3249
3660
 
3661
+ # @note When making an API call, you may pass PutResourceSetRequest
3662
+ # data as a hash:
3663
+ #
3664
+ # {
3665
+ # resource_set: { # required
3666
+ # id: "Base62Id",
3667
+ # name: "Name", # required
3668
+ # description: "Description",
3669
+ # update_token: "UpdateToken",
3670
+ # resource_type_list: ["ResourceType"], # required
3671
+ # last_update_time: Time.now,
3672
+ # },
3673
+ # tag_list: [
3674
+ # {
3675
+ # key: "TagKey", # required
3676
+ # value: "TagValue", # required
3677
+ # },
3678
+ # ],
3679
+ # }
3680
+ #
3681
+ # @!attribute [rw] resource_set
3682
+ # Details about the resource set to be created or updated.&gt;
3683
+ # @return [Types::ResourceSet]
3684
+ #
3685
+ # @!attribute [rw] tag_list
3686
+ # Retrieves the tags associated with the specified resource set. Tags
3687
+ # are key:value pairs that you can use to categorize and manage your
3688
+ # resources, for purposes like billing. For example, you might set the
3689
+ # tag key to "customer" and the value to the customer name or ID.
3690
+ # You can specify one or more tags to add to each Amazon Web Services
3691
+ # resource, up to 50 tags for a resource.
3692
+ # @return [Array<Types::Tag>]
3693
+ #
3694
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutResourceSetRequest AWS API Documentation
3695
+ #
3696
+ class PutResourceSetRequest < Struct.new(
3697
+ :resource_set,
3698
+ :tag_list)
3699
+ SENSITIVE = []
3700
+ include Aws::Structure
3701
+ end
3702
+
3703
+ # @!attribute [rw] resource_set
3704
+ # Details about the resource set.
3705
+ # @return [Types::ResourceSet]
3706
+ #
3707
+ # @!attribute [rw] resource_set_arn
3708
+ # The Amazon Resource Name (ARN) of the resource set.
3709
+ # @return [String]
3710
+ #
3711
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutResourceSetResponse AWS API Documentation
3712
+ #
3713
+ class PutResourceSetResponse < Struct.new(
3714
+ :resource_set,
3715
+ :resource_set_arn)
3716
+ SENSITIVE = []
3717
+ include Aws::Structure
3718
+ end
3719
+
3250
3720
  # Information about an individual action you can take to remediate a
3251
3721
  # violation.
3252
3722
  #
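Review bot: The `tag_list` description on `PutResourceSetRequest` opens with "Retrieves the tags associated with the specified resource set", but this field is an input to a create-or-update call, so the text appears to be copied from a read operation. I would start it with `# The tags to apply to the resource set. Tags are key:value pairs that you can use to` and keep the rest. The `resource_set` line above it also ends in a stray HTML entity, `created or updated.&gt;`, which should read `created or updated.`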
@@ -3323,6 +3793,27 @@ module Aws::FMS
3323
3793
  include Aws::Structure
3324
3794
  end
3325
3795
 
3796
+ # Details of a resource that is associated to an Firewall Manager
3797
+ # resource set.
3798
+ #
3799
+ # @!attribute [rw] uri
3800
+ # The resource's universal resource indicator (URI).
3801
+ # @return [String]
3802
+ #
3803
+ # @!attribute [rw] account_id
3804
+ # The Amazon Web Services account ID that the associated resource
3805
+ # belongs to.
3806
+ # @return [String]
3807
+ #
3808
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/Resource AWS API Documentation
3809
+ #
3810
+ class Resource < Struct.new(
3811
+ :uri,
3812
+ :account_id)
3813
+ SENSITIVE = []
3814
+ include Aws::Structure
3815
+ end
3816
+
3326
3817
  # The specified resource was not found.
3327
3818
  #
3328
3819
  # @!attribute [rw] message
@@ -3336,6 +3827,112 @@ module Aws::FMS
3336
3827
  include Aws::Structure
3337
3828
  end
3338
3829
 
3830
+ # A set of resources to include in a policy.
3831
+ #
3832
+ # @note When making an API call, you may pass ResourceSet
3833
+ # data as a hash:
3834
+ #
3835
+ # {
3836
+ # id: "Base62Id",
3837
+ # name: "Name", # required
3838
+ # description: "Description",
3839
+ # update_token: "UpdateToken",
3840
+ # resource_type_list: ["ResourceType"], # required
3841
+ # last_update_time: Time.now,
3842
+ # }
3843
+ #
3844
+ # @!attribute [rw] id
3845
+ # A unique identifier for the resource set. This ID is returned in the
3846
+ # responses to create and list commands. You provide it to operations
3847
+ # like update and delete.
3848
+ # @return [String]
3849
+ #
3850
+ # @!attribute [rw] name
3851
+ # The descriptive name of the resource set. You can't change the name
3852
+ # of a resource set after you create it.
3853
+ # @return [String]
3854
+ #
3855
+ # @!attribute [rw] description
3856
+ # A description of the resource set.
3857
+ # @return [String]
3858
+ #
3859
+ # @!attribute [rw] update_token
3860
+ # An optional token that you can use for optimistic locking. Firewall
3861
+ # Manager returns a token to your requests that access the resource
3862
+ # set. The token marks the state of the resource set resource at the
3863
+ # time of the request. Update tokens are not allowed when creating a
3864
+ # resource set. After creation, each subsequent update call to the
3865
+ # resource set requires the update token.
3866
+ #
3867
+ # To make an unconditional change to the resource set, omit the token
3868
+ # in your update request. Without the token, Firewall Manager performs
3869
+ # your updates regardless of whether the resource set has changed
3870
+ # since you last retrieved it.
3871
+ #
3872
+ # To make a conditional change to the resource set, provide the token
3873
+ # in your update request. Firewall Manager uses the token to ensure
3874
+ # that the resource set hasn't changed since you last retrieved it.
3875
+ # If it has changed, the operation fails with an
3876
+ # `InvalidTokenException`. If this happens, retrieve the resource set
3877
+ # again to get a current copy of it with a new token. Reapply your
3878
+ # changes as needed, then try the operation again using the new token.
3879
+ # @return [String]
3880
+ #
3881
+ # @!attribute [rw] resource_type_list
3882
+ # Determines the resources that can be associated to the resource set.
3883
+ # Depending on your setting for max results and the number of resource
3884
+ # sets, a single call might not return the full list.
3885
+ # @return [Array<String>]
3886
+ #
3887
+ # @!attribute [rw] last_update_time
3888
+ # The last time that the resource set was changed.
3889
+ # @return [Time]
3890
+ #
3891
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceSet AWS API Documentation
3892
+ #
3893
+ class ResourceSet < Struct.new(
3894
+ :id,
3895
+ :name,
3896
+ :description,
3897
+ :update_token,
3898
+ :resource_type_list,
3899
+ :last_update_time)
3900
+ SENSITIVE = []
3901
+ include Aws::Structure
3902
+ end
3903
+
3904
+ # Summarizes the resource sets used in a policy.
3905
+ #
3906
+ # @!attribute [rw] id
3907
+ # A unique identifier for the resource set. This ID is returned in the
3908
+ # responses to create and list commands. You provide it to operations
3909
+ # like update and delete.
3910
+ # @return [String]
3911
+ #
3912
+ # @!attribute [rw] name
3913
+ # The descriptive name of the resource set. You can't change the name
3914
+ # of a resource set after you create it.
3915
+ # @return [String]
3916
+ #
3917
+ # @!attribute [rw] description
3918
+ # A description of the resource set.
3919
+ # @return [String]
3920
+ #
3921
+ # @!attribute [rw] last_update_time
3922
+ # The last time that the resource set was changed.
3923
+ # @return [Time]
3924
+ #
3925
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceSetSummary AWS API Documentation
3926
+ #
3927
+ class ResourceSetSummary < Struct.new(
3928
+ :id,
3929
+ :name,
3930
+ :description,
3931
+ :last_update_time)
3932
+ SENSITIVE = []
3933
+ include Aws::Structure
3934
+ end
3935
+
3339
3936
  # The resource tags that Firewall Manager uses to determine if a
3340
3937
  # particular resource should be included or excluded from the Firewall
3341
3938
  # Manager policy. Tags enable you to categorize your Amazon Web Services
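Review bot: The `update_token` description on `ResourceSet` contradicts itself: it says each update call after creation "requires the update token", then says omitting the token makes an unconditional change. That matters to callers, because without the token the update is applied "regardless of whether the resource set has changed", so concurrent edits to a resource set can silently overwrite each other. I would reword the end of the first paragraph to state whichever behaviour the service actually enforces, for example `# resource set should pass the update token so the change is conditional.` The second sentence of `resource_type_list` ("Depending on your setting for max results ...") describes list pagination and looks misplaced on this attribute.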
@@ -3706,7 +4303,7 @@ module Aws::FMS
3706
4303
  # data as a hash:
3707
4304
  #
3708
4305
  # {
3709
- # type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
4306
+ # type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL, IMPORT_NETWORK_FIREWALL
3710
4307
  # managed_service_data: "ManagedServiceData",
3711
4308
  # policy_option: {
3712
4309
  # network_firewall_policy: {
@@ -3815,56 +4412,6 @@ module Aws::FMS
3815
4412
  # "availabilityZoneName":"$\{AvailabilityZone\}" \} ] \} \},
3816
4413
  # "allowedIPV4CidrList":[ ] \} \} \} \}"`
3817
4414
  #
3818
- # * Specification for `SHIELD_ADVANCED` for Amazon CloudFront
3819
- # distributions
3820
- #
3821
- # `"\{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
3822
- # \{"automaticResponseStatus":"ENABLED|IGNORED|DISABLED",
3823
- # "automaticResponseAction":"BLOCK|COUNT"\},
3824
- # "overrideCustomerWebaclClassic":true|false\}"`
3825
- #
3826
- # For example:
3827
- # `"\{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
3828
- # \{"automaticResponseStatus":"ENABLED",
3829
- # "automaticResponseAction":"COUNT"\}\}"`
3830
- #
3831
- # The default value for `automaticResponseStatus` is `IGNORED`. The
3832
- # value for `automaticResponseAction` is only required when
3833
- # `automaticResponseStatus` is set to `ENABLED`. The default value
3834
- # for `overrideCustomerWebaclClassic` is `false`.
3835
- #
3836
- # For other resource types that you can protect with a Shield
3837
- # Advanced policy, this `ManagedServiceData` configuration is an
3838
- # empty string.
3839
- #
3840
- # * Example: `WAFV2`
3841
- #
3842
- # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAmazonIpReputationList"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
3843
- #
3844
- # In the `loggingConfiguration`, you can specify one
3845
- # `logDestinationConfigs`, you can optionally provide up to 20
3846
- # `redactedFields`, and the `RedactedFieldType` must be one of
3847
- # `URI`, `QUERY_STRING`, `HEADER`, or `METHOD`.
3848
- #
3849
- # * Example: `WAF Classic`
3850
- #
3851
- # `"\{"type": "WAF", "ruleGroups":
3852
- # [\{"id":"12345678-1bcd-9012-efga-0987654321ab",
3853
- # "overrideAction" : \{"type": "COUNT"\}\}],
3854
- # "defaultAction": \{"type": "BLOCK"\}\}"`
3855
- #
3856
- # * Example: `WAFV2` - Firewall Manager support for WAF managed rule
3857
- # group versioning
3858
- #
3859
- # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":true,"version":"Version_2.0","vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesCommonRuleSet"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
3860
- #
3861
- # To use a specific version of a WAF managed rule group in your
3862
- # Firewall Manager policy, you must set `versionEnabled` to `true`,
3863
- # and set `version` to the version you'd like to use. If you don't
3864
- # set `versionEnabled` to `true`, or if you omit `versionEnabled`,
3865
- # then Firewall Manager uses the default version of the WAF managed
3866
- # rule group.
3867
- #
3868
4415
  # * Example: `SECURITY_GROUPS_COMMON`
3869
4416
  #
3870
4417
  # `"\{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":false,"exclusiveResourceSecurityGroupManagement":false,
@@ -3911,6 +4458,56 @@ module Aws::FMS
3911
4458
  #
3912
4459
  # `"\{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true\}"`
3913
4460
  #
4461
+ # * Specification for `SHIELD_ADVANCED` for Amazon CloudFront
4462
+ # distributions
4463
+ #
4464
+ # `"\{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
4465
+ # \{"automaticResponseStatus":"ENABLED|IGNORED|DISABLED",
4466
+ # "automaticResponseAction":"BLOCK|COUNT"\},
4467
+ # "overrideCustomerWebaclClassic":true|false\}"`
4468
+ #
4469
+ # For example:
4470
+ # `"\{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
4471
+ # \{"automaticResponseStatus":"ENABLED",
4472
+ # "automaticResponseAction":"COUNT"\}\}"`
4473
+ #
4474
+ # The default value for `automaticResponseStatus` is `IGNORED`. The
4475
+ # value for `automaticResponseAction` is only required when
4476
+ # `automaticResponseStatus` is set to `ENABLED`. The default value
4477
+ # for `overrideCustomerWebaclClassic` is `false`.
4478
+ #
4479
+ # For other resource types that you can protect with a Shield
4480
+ # Advanced policy, this `ManagedServiceData` configuration is an
4481
+ # empty string.
4482
+ #
4483
+ # * Example: `WAFV2`
4484
+ #
4485
+ # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAmazonIpReputationList"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
4486
+ #
4487
+ # In the `loggingConfiguration`, you can specify one
4488
+ # `logDestinationConfigs`, you can optionally provide up to 20
4489
+ # `redactedFields`, and the `RedactedFieldType` must be one of
4490
+ # `URI`, `QUERY_STRING`, `HEADER`, or `METHOD`.
4491
+ #
4492
+ # * Example: `WAFV2` - Firewall Manager support for WAF managed rule
4493
+ # group versioning
4494
+ #
4495
+ # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":true,"version":"Version_2.0","vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesCommonRuleSet"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
4496
+ #
4497
+ # To use a specific version of a WAF managed rule group in your
4498
+ # Firewall Manager policy, you must set `versionEnabled` to `true`,
4499
+ # and set `version` to the version you'd like to use. If you don't
4500
+ # set `versionEnabled` to `true`, or if you omit `versionEnabled`,
4501
+ # then Firewall Manager uses the default version of the WAF managed
4502
+ # rule group.
4503
+ #
4504
+ # * Example: `WAF Classic`
4505
+ #
4506
+ # `"\{"type": "WAF", "ruleGroups":
4507
+ # [\{"id":"12345678-1bcd-9012-efga-0987654321ab",
4508
+ # "overrideAction" : \{"type": "COUNT"\}\}],
4509
+ # "defaultAction": \{"type": "BLOCK"\}\}"`
4510
+ #
3914
4511
  #
3915
4512
  #
3916
4513
  # [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
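Review bot: The `WAFV2` logging guidance at new lines 4487–4490 says `RedactedFieldType` must be one of `URI`, `QUERY_STRING`, `HEADER`, or `METHOD`, but both `WAFV2` examples in this hunk (new lines 4485 and 4495) use `SingleHeader` and `Method`, so the comment contradicts its own samples. The samples also redact a header named `Cookies`, whereas the HTTP request header is `Cookie`. If the service matches the header name literally, a policy copied from the example would probably leave cookie values unredacted in the delivered WAF logs. I would make the prose and the examples agree and use the real header name, e.g. `"redactedFieldValue":"Cookie"`, after confirming the accepted enum spelling against the API reference linked at `[1]`. The comment block belongs to a definition that starts and ends outside the hunk.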
@@ -3983,12 +4580,18 @@ module Aws::FMS
3983
4580
  # on.
3984
4581
  # @return [Integer]
3985
4582
  #
4583
+ # @!attribute [rw] override
4584
+ # The action that allows the policy owner to override the behavior of
4585
+ # the rule group within a policy.
4586
+ # @return [Types::NetworkFirewallStatefulRuleGroupOverride]
4587
+ #
3986
4588
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/StatefulRuleGroup AWS API Documentation
3987
4589
  #
3988
4590
  class StatefulRuleGroup < Struct.new(
3989
4591
  :rule_group_name,
3990
4592
  :resource_id,
3991
- :priority)
4593
+ :priority,
4594
+ :override)
3992
4595
  SENSITIVE = []
3993
4596
  include Aws::Structure
3994
4597
  end