aws-sdk-fms 1.55.0 → 1.56.0

@@ -10,6 +10,52 @@
10
10
  module Aws::FMS
11
11
  module Types
12
12
 
13
+ # Configures the accounts within the administrator's Organizations
14
+ # organization that the specified Firewall Manager administrator can
15
+ # apply policies to.
16
+ #
17
+ # @!attribute [rw] accounts
18
+ # The list of accounts within the organization that the specified
19
+ # Firewall Manager administrator either can or cannot apply policies
20
+ # to, based on the value of `ExcludeSpecifiedAccounts`. If
21
+ # `ExcludeSpecifiedAccounts` is set to `true`, then the Firewall
22
+ # Manager administrator can apply policies to all members of the
23
+ # organization except for the accounts in this list. If
24
+ # `ExcludeSpecifiedAccounts` is set to `false`, then the Firewall
25
+ # Manager administrator can only apply policies to the accounts in
26
+ # this list.
27
+ # @return [Array<String>]
28
+ #
29
+ # @!attribute [rw] all_accounts_enabled
30
+ # A boolean value that indicates if the administrator can apply
31
+ # policies to all accounts within an organization. If true, the
32
+ # administrator can apply policies to all accounts within the
33
+ # organization. You can either enable management of all accounts
34
+ # through this operation, or you can specify a list of accounts to
35
+ # manage in `AccountScope$Accounts`. You cannot specify both.
36
+ # @return [Boolean]
37
+ #
38
+ # @!attribute [rw] exclude_specified_accounts
39
+ # A boolean value that excludes the accounts in
40
+ # `AccountScope$Accounts` from the administrator's scope. If true,
41
+ # the Firewall Manager administrator can apply policies to all members
42
+ # of the organization except for the accounts listed in
43
+ # `AccountScope$Accounts`. You can either specify a list of accounts
44
+ # to exclude by `AccountScope$Accounts`, or you can enable management
45
+ # of all accounts by `AccountScope$AllAccountsEnabled`. You cannot
46
+ # specify both.
47
+ # @return [Boolean]
48
+ #
49
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AccountScope AWS API Documentation
50
+ #
51
+ class AccountScope < Struct.new(
52
+ :accounts,
53
+ :all_accounts_enabled,
54
+ :exclude_specified_accounts)
55
+ SENSITIVE = []
56
+ include Aws::Structure
57
+ end
58
+
13
59
  # Describes a remediation action target.
14
60
  #
15
61
  # @!attribute [rw] resource_id
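Review bot: The `exclude_specified_accounts` comment in the new `AccountScope` docs describes a deny-list mode without spelling out what it means for least privilege: with `true`, every organization member not named in `accounts` is in scope, which presumably includes accounts that join the organization later (not confirmable from this hunk). No validation is visible in the struct, so the "You cannot specify both" rule appears to be enforced only by the service. I would add a line under the attribute such as `# Prefer an explicit allow-list (false) where possible; with true, any account not listed is in scope.` The same applies to `exclude_specified_organizational_units` in the `OrganizationalUnitScope` hunk further down.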
@@ -29,6 +75,103 @@ module Aws::FMS
29
75
  include Aws::Structure
30
76
  end
31
77
 
78
+ # Contains high level information about the Firewall Manager
79
+ # administrator account.
80
+ #
81
+ # @!attribute [rw] admin_account
82
+ # The Amazon Web Services account ID of the Firewall Manager
83
+ # administrator's account.
84
+ # @return [String]
85
+ #
86
+ # @!attribute [rw] default_admin
87
+ # A boolean value that indicates if the administrator is the default
88
+ # administrator. If true, then this is the default administrator
89
+ # account. The default administrator can manage third-party firewalls
90
+ # and has full administrative scope. There is only one default
91
+ # administrator account per organization. For information about
92
+ # Firewall Manager default administrator accounts, see [Managing
93
+ # Firewall Manager administrators][1] in the *Firewall Manager
94
+ # Developer Guide*.
95
+ #
96
+ #
97
+ #
98
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/fms-administrators.html
99
+ # @return [Boolean]
100
+ #
101
+ # @!attribute [rw] status
102
+ # The current status of the request to onboard a member account as an
103
+ # Firewall Manager administator.
104
+ #
105
+ # * `ONBOARDING` - The account is onboarding to Firewall Manager as an
106
+ # administrator.
107
+ #
108
+ # * `ONBOARDING_COMPLETE` - Firewall Manager The account is onboarded
109
+ # to Firewall Manager as an administrator, and can perform actions
110
+ # on the resources defined in their AdminScope.
111
+ #
112
+ # * `OFFBOARDING` - The account is being removed as an Firewall
113
+ # Manager administrator.
114
+ #
115
+ # * `OFFBOARDING_COMPLETE` - The account has been removed as an
116
+ # Firewall Manager administrator.
117
+ # @return [String]
118
+ #
119
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AdminAccountSummary AWS API Documentation
120
+ #
121
+ class AdminAccountSummary < Struct.new(
122
+ :admin_account,
123
+ :default_admin,
124
+ :status)
125
+ SENSITIVE = []
126
+ include Aws::Structure
127
+ end
128
+
129
+ # Defines the resources that the Firewall Manager administrator can
130
+ # manage. For more information about administrative scope, see [Managing
131
+ # Firewall Manager administrators][1] in the *Firewall Manager Developer
132
+ # Guide*.
133
+ #
134
+ #
135
+ #
136
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/fms-administrators.html
137
+ #
138
+ # @!attribute [rw] account_scope
139
+ # Defines the accounts that the specified Firewall Manager
140
+ # administrator can apply policies to.
141
+ # @return [Types::AccountScope]
142
+ #
143
+ # @!attribute [rw] organizational_unit_scope
144
+ # Defines the Organizations organizational units that the specified
145
+ # Firewall Manager administrator can apply policies to. For more
146
+ # information about OUs in Organizations, see [Managing organizational
147
+ # units (OUs) ][1] in the *Organizations User Guide*.
148
+ #
149
+ #
150
+ #
151
+ # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html
152
+ # @return [Types::OrganizationalUnitScope]
153
+ #
154
+ # @!attribute [rw] region_scope
155
+ # Defines the Amazon Web Services Regions that the specified Firewall
156
+ # Manager administrator can perform actions in.
157
+ # @return [Types::RegionScope]
158
+ #
159
+ # @!attribute [rw] policy_type_scope
160
+ # Defines the Firewall Manager policy types that the specified
161
+ # Firewall Manager administrator can create and manage.
162
+ # @return [Types::PolicyTypeScope]
163
+ #
164
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AdminScope AWS API Documentation
165
+ #
166
+ class AdminScope < Struct.new(
167
+ :account_scope,
168
+ :organizational_unit_scope,
169
+ :region_scope,
170
+ :policy_type_scope)
171
+ SENSITIVE = []
172
+ include Aws::Structure
173
+ end
174
+
32
175
  # An individual Firewall Manager application.
33
176
  #
34
177
  # @!attribute [rw] app_name
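Review bot: The `status` documentation added for `AdminAccountSummary` has wording errors that will surface in the generated API docs: `administator` is misspelled, the `ONBOARDING_COMPLETE` bullet begins with a stray `Firewall Manager` before `The account is onboarded`, and `an Firewall Manager` should read `a Firewall Manager`. The same text is repeated in the `GetAdminScopeResponse` `status` comment and the misspelling also appears in the `GetAdminScopeRequest` `admin_account` comment in a later hunk. The bullet should start `# * ONBOARDING_COMPLETE - The account is onboarded`. If these comments are generated from the service model, the correction belongs in the model rather than in this file.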
@@ -139,10 +282,11 @@ module Aws::FMS
139
282
 
140
283
  # @!attribute [rw] admin_account
141
284
  # The Amazon Web Services account ID to associate with Firewall
142
- # Manager as the Firewall Manager administrator account. This must be
143
- # an Organizations member account. For more information about
144
- # Organizations, see [Managing the Amazon Web Services Accounts in
145
- # Your Organization][1].
285
+ # Manager as the Firewall Manager default administrator account. This
286
+ # account must be a member account of the organization in
287
+ # Organizations whose resources you want to protect. For more
288
+ # information about Organizations, see [Managing the Amazon Web
289
+ # Services Accounts in Your Organization][1].
146
290
  #
147
291
  #
148
292
  #
@@ -271,8 +415,8 @@ module Aws::FMS
271
415
  end
272
416
 
273
417
  # @!attribute [rw] resource_set_identifier
274
- # A unique identifier for the resource set, used in a TODO to refer to
275
- # the resource set.
418
+ # A unique identifier for the resource set, used in a request to refer
419
+ # to the resource set.
276
420
  # @return [String]
277
421
  #
278
422
  # @!attribute [rw] items
@@ -291,8 +435,8 @@ module Aws::FMS
291
435
  end
292
436
 
293
437
  # @!attribute [rw] resource_set_identifier
294
- # A unique identifier for the resource set, used in a TODO to refer to
295
- # the resource set.
438
+ # A unique identifier for the resource set, used in a request to refer
439
+ # to the resource set.
296
440
  # @return [String]
297
441
  #
298
442
  # @!attribute [rw] failed_items
@@ -309,8 +453,8 @@ module Aws::FMS
309
453
  end
310
454
 
311
455
  # @!attribute [rw] resource_set_identifier
312
- # A unique identifier for the resource set, used in a TODO to refer to
313
- # the resource set.
456
+ # A unique identifier for the resource set, used in a request to refer
457
+ # to the resource set.
314
458
  # @return [String]
315
459
  #
316
460
  # @!attribute [rw] items
@@ -329,8 +473,8 @@ module Aws::FMS
329
473
  end
330
474
 
331
475
  # @!attribute [rw] resource_set_identifier
332
- # A unique identifier for the resource set, used in a TODO to refer to
333
- # the resource set.
476
+ # A unique identifier for the resource set, used in a request to refer
477
+ # to the resource set.
334
478
  # @return [String]
335
479
  #
336
480
  # @!attribute [rw] failed_items
@@ -465,8 +609,8 @@ module Aws::FMS
465
609
  end
466
610
 
467
611
  # @!attribute [rw] identifier
468
- # A unique identifier for the resource set, used in a TODO to refer to
469
- # the resource set.
612
+ # A unique identifier for the resource set, used in a request to refer
613
+ # to the resource set.
470
614
  # @return [String]
471
615
  #
472
616
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DeleteResourceSetRequest AWS API Documentation
@@ -1061,13 +1205,13 @@ module Aws::FMS
1061
1205
  class GetAdminAccountRequest < Aws::EmptyStructure; end
1062
1206
 
1063
1207
  # @!attribute [rw] admin_account
1064
- # The Amazon Web Services account that is set as the Firewall Manager
1208
+ # The account that is set as the Firewall Manager default
1065
1209
  # administrator.
1066
1210
  # @return [String]
1067
1211
  #
1068
1212
  # @!attribute [rw] role_status
1069
- # The status of the Amazon Web Services account that you set as the
1070
- # Firewall Manager administrator.
1213
+ # The status of the account that you set as the Firewall Manager
1214
+ # default administrator.
1071
1215
  # @return [String]
1072
1216
  #
1073
1217
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminAccountResponse AWS API Documentation
@@ -1079,6 +1223,50 @@ module Aws::FMS
1079
1223
  include Aws::Structure
1080
1224
  end
1081
1225
 
1226
+ # @!attribute [rw] admin_account
1227
+ # The administator account that you want to get the details for.
1228
+ # @return [String]
1229
+ #
1230
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminScopeRequest AWS API Documentation
1231
+ #
1232
+ class GetAdminScopeRequest < Struct.new(
1233
+ :admin_account)
1234
+ SENSITIVE = []
1235
+ include Aws::Structure
1236
+ end
1237
+
1238
+ # @!attribute [rw] admin_scope
1239
+ # Contains details about the administrative scope of the requested
1240
+ # account.
1241
+ # @return [Types::AdminScope]
1242
+ #
1243
+ # @!attribute [rw] status
1244
+ # The current status of the request to onboard a member account as an
1245
+ # Firewall Manager administator.
1246
+ #
1247
+ # * `ONBOARDING` - The account is onboarding to Firewall Manager as an
1248
+ # administrator.
1249
+ #
1250
+ # * `ONBOARDING_COMPLETE` - Firewall Manager The account is onboarded
1251
+ # to Firewall Manager as an administrator, and can perform actions
1252
+ # on the resources defined in their AdminScope.
1253
+ #
1254
+ # * `OFFBOARDING` - The account is being removed as an Firewall
1255
+ # Manager administrator.
1256
+ #
1257
+ # * `OFFBOARDING_COMPLETE` - The account has been removed as an
1258
+ # Firewall Manager administrator.
1259
+ # @return [String]
1260
+ #
1261
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminScopeResponse AWS API Documentation
1262
+ #
1263
+ class GetAdminScopeResponse < Struct.new(
1264
+ :admin_scope,
1265
+ :status)
1266
+ SENSITIVE = []
1267
+ include Aws::Structure
1268
+ end
1269
+
1082
1270
  # @!attribute [rw] list_id
1083
1271
  # The ID of the Firewall Manager applications list that you want the
1084
1272
  # details for.
@@ -1342,8 +1530,8 @@ module Aws::FMS
1342
1530
  end
1343
1531
 
1344
1532
  # @!attribute [rw] identifier
1345
- # A unique identifier for the resource set, used in a TODO to refer to
1346
- # the resource set.
1533
+ # A unique identifier for the resource set, used in a request to refer
1534
+ # to the resource set.
1347
1535
  # @return [String]
1348
1536
  #
1349
1537
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetResourceSetRequest AWS API Documentation
@@ -1558,6 +1746,99 @@ module Aws::FMS
1558
1746
  include Aws::Structure
1559
1747
  end
1560
1748
 
1749
+ # @!attribute [rw] next_token
1750
+ # When you request a list of objects with a `MaxResults` setting, if
1751
+ # the number of objects that are still available for retrieval exceeds
1752
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1753
+ # value in the response. To retrieve the next batch of objects, use
1754
+ # the token returned from the prior request in your next request.
1755
+ # @return [String]
1756
+ #
1757
+ # @!attribute [rw] max_results
1758
+ # The maximum number of objects that you want Firewall Manager to
1759
+ # return for this request. If more objects are available, in the
1760
+ # response, Firewall Manager provides a `NextToken` value that you can
1761
+ # use in a subsequent call to get the next batch of objects.
1762
+ # @return [Integer]
1763
+ #
1764
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminAccountsForOrganizationRequest AWS API Documentation
1765
+ #
1766
+ class ListAdminAccountsForOrganizationRequest < Struct.new(
1767
+ :next_token,
1768
+ :max_results)
1769
+ SENSITIVE = []
1770
+ include Aws::Structure
1771
+ end
1772
+
1773
+ # @!attribute [rw] admin_accounts
1774
+ # A list of Firewall Manager administrator accounts within the
1775
+ # organization that were onboarded as administrators by
1776
+ # AssociateAdminAccount or PutAdminAccount.
1777
+ # @return [Array<Types::AdminAccountSummary>]
1778
+ #
1779
+ # @!attribute [rw] next_token
1780
+ # When you request a list of objects with a `MaxResults` setting, if
1781
+ # the number of objects that are still available for retrieval exceeds
1782
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1783
+ # value in the response. To retrieve the next batch of objects, use
1784
+ # the token returned from the prior request in your next request.
1785
+ # @return [String]
1786
+ #
1787
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminAccountsForOrganizationResponse AWS API Documentation
1788
+ #
1789
+ class ListAdminAccountsForOrganizationResponse < Struct.new(
1790
+ :admin_accounts,
1791
+ :next_token)
1792
+ SENSITIVE = []
1793
+ include Aws::Structure
1794
+ end
1795
+
1796
+ # @!attribute [rw] next_token
1797
+ # When you request a list of objects with a `MaxResults` setting, if
1798
+ # the number of objects that are still available for retrieval exceeds
1799
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1800
+ # value in the response. To retrieve the next batch of objects, use
1801
+ # the token returned from the prior request in your next request.
1802
+ # @return [String]
1803
+ #
1804
+ # @!attribute [rw] max_results
1805
+ # The maximum number of objects that you want Firewall Manager to
1806
+ # return for this request. If more objects are available, in the
1807
+ # response, Firewall Manager provides a `NextToken` value that you can
1808
+ # use in a subsequent call to get the next batch of objects.
1809
+ # @return [Integer]
1810
+ #
1811
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminsManagingAccountRequest AWS API Documentation
1812
+ #
1813
+ class ListAdminsManagingAccountRequest < Struct.new(
1814
+ :next_token,
1815
+ :max_results)
1816
+ SENSITIVE = []
1817
+ include Aws::Structure
1818
+ end
1819
+
1820
+ # @!attribute [rw] admin_accounts
1821
+ # The list of accounts who manage member accounts within their
1822
+ # AdminScope.
1823
+ # @return [Array<String>]
1824
+ #
1825
+ # @!attribute [rw] next_token
1826
+ # When you request a list of objects with a `MaxResults` setting, if
1827
+ # the number of objects that are still available for retrieval exceeds
1828
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1829
+ # value in the response. To retrieve the next batch of objects, use
1830
+ # the token returned from the prior request in your next request.
1831
+ # @return [String]
1832
+ #
1833
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminsManagingAccountResponse AWS API Documentation
1834
+ #
1835
+ class ListAdminsManagingAccountResponse < Struct.new(
1836
+ :admin_accounts,
1837
+ :next_token)
1838
+ SENSITIVE = []
1839
+ include Aws::Structure
1840
+ end
1841
+
1561
1842
  # @!attribute [rw] default_lists
1562
1843
  # Specifies whether the lists to retrieve are default lists owned by
1563
1844
  # Firewall Manager.
@@ -1873,8 +2154,8 @@ module Aws::FMS
1873
2154
  end
1874
2155
 
1875
2156
  # @!attribute [rw] identifier
1876
- # A unique identifier for the resource set, used in a TODO to refer to
1877
- # the resource set.
2157
+ # A unique identifier for the resource set, used in a request to refer
2158
+ # to the resource set.
1878
2159
  # @return [String]
1879
2160
  #
1880
2161
  # @!attribute [rw] max_results
@@ -2582,6 +2863,62 @@ module Aws::FMS
2582
2863
  include Aws::Structure
2583
2864
  end
2584
2865
 
2866
+ # Defines the Organizations organizational units (OUs) that the
2867
+ # specified Firewall Manager administrator can apply policies to. For
2868
+ # more information about OUs in Organizations, see [Managing
2869
+ # organizational units (OUs) ][1] in the *Organizations User Guide*.
2870
+ #
2871
+ #
2872
+ #
2873
+ # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html
2874
+ #
2875
+ # @!attribute [rw] organizational_units
2876
+ # The list of OUs within the organization that the specified Firewall
2877
+ # Manager administrator either can or cannot apply policies to, based
2878
+ # on the value of
2879
+ # `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits`. If
2880
+ # `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits` is set
2881
+ # to `true`, then the Firewall Manager administrator can apply
2882
+ # policies to all OUs in the organization except for the OUs in this
2883
+ # list. If
2884
+ # `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits` is set
2885
+ # to `false`, then the Firewall Manager administrator can only apply
2886
+ # policies to the OUs in this list.
2887
+ # @return [Array<String>]
2888
+ #
2889
+ # @!attribute [rw] all_organizational_units_enabled
2890
+ # A boolean value that indicates if the administrator can apply
2891
+ # policies to all OUs within an organization. If true, the
2892
+ # administrator can manage all OUs within the organization. You can
2893
+ # either enable management of all OUs through this operation, or you
2894
+ # can specify OUs to manage in
2895
+ # `OrganizationalUnitScope$OrganizationalUnits`. You cannot specify
2896
+ # both.
2897
+ # @return [Boolean]
2898
+ #
2899
+ # @!attribute [rw] exclude_specified_organizational_units
2900
+ # A boolean value that excludes the OUs in
2901
+ # `OrganizationalUnitScope$OrganizationalUnits` from the
2902
+ # administrator's scope. If true, the Firewall Manager administrator
2903
+ # can apply policies to all OUs in the organization except for the OUs
2904
+ # listed in `OrganizationalUnitScope$OrganizationalUnits`. You can
2905
+ # either specify a list of OUs to exclude by
2906
+ # `OrganizationalUnitScope$OrganizationalUnits`, or you can enable
2907
+ # management of all OUs by
2908
+ # `OrganizationalUnitScope$AllOrganizationalUnitsEnabled`. You cannot
2909
+ # specify both.
2910
+ # @return [Boolean]
2911
+ #
2912
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/OrganizationalUnitScope AWS API Documentation
2913
+ #
2914
+ class OrganizationalUnitScope < Struct.new(
2915
+ :organizational_units,
2916
+ :all_organizational_units_enabled,
2917
+ :exclude_specified_organizational_units)
2918
+ SENSITIVE = []
2919
+ include Aws::Structure
2920
+ end
2921
+
2585
2922
  # The reference rule that partially matches the `ViolationTarget` rule
2586
2923
  # and violation reason.
2587
2924
  #
@@ -2755,6 +3092,18 @@ module Aws::FMS
2755
3092
  # The definition of the Network Firewall firewall policy.
2756
3093
  # @return [String]
2757
3094
  #
3095
+ # @!attribute [rw] policy_status
3096
+ # Indicates whether the policy is in or out of an admin's policy or
3097
+ # Region scope.
3098
+ #
3099
+ # * `ACTIVE` - The administrator can manage and delete the policy.
3100
+ #
3101
+ # * `OUT_OF_ADMIN_SCOPE` - The administrator can view the policy, but
3102
+ # they can't edit or delete the policy. Existing policy protections
3103
+ # stay in place. Any new resources that come into scope of the
3104
+ # policy won't be protected.
3105
+ # @return [String]
3106
+ #
2758
3107
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/Policy AWS API Documentation
2759
3108
  #
2760
3109
  class Policy < Struct.new(
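Review bot: The new `policy_status` comment states that under `OUT_OF_ADMIN_SCOPE` new resources "won't be protected", but it does not tell the reader that this is a coverage gap the caller has to notice and act on. I would add one line after the bullet, e.g. `# Callers should surface OUT_OF_ADMIN_SCOPE (for example by alerting on it), since new resources are left unprotected.` The same comment is added to `PolicySummary`, and the parallel `resource_set_status` text on `ResourceSet` and `ResourceSetSummary` has the same gap plus a grammar slip (`Any new resource that come into scope` should read `resources`). The `Policy` class body continues outside this hunk.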
@@ -2771,7 +3120,8 @@ module Aws::FMS
2771
3120
  :include_map,
2772
3121
  :exclude_map,
2773
3122
  :resource_set_ids,
2774
- :policy_description)
3123
+ :policy_description,
3124
+ :policy_status)
2775
3125
  SENSITIVE = []
2776
3126
  include Aws::Structure
2777
3127
  end
@@ -2959,6 +3309,18 @@ module Aws::FMS
2959
3309
  # policies.
2960
3310
  # @return [Boolean]
2961
3311
  #
3312
+ # @!attribute [rw] policy_status
3313
+ # Indicates whether the policy is in or out of an admin's policy or
3314
+ # Region scope.
3315
+ #
3316
+ # * `ACTIVE` - The administrator can manage and delete the policy.
3317
+ #
3318
+ # * `OUT_OF_ADMIN_SCOPE` - The administrator can view the policy, but
3319
+ # they can't edit or delete the policy. Existing policy protections
3320
+ # stay in place. Any new resources that come into scope of the
3321
+ # policy won't be protected.
3322
+ # @return [String]
3323
+ #
2962
3324
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PolicySummary AWS API Documentation
2963
3325
  #
2964
3326
  class PolicySummary < Struct.new(
@@ -2968,7 +3330,32 @@ module Aws::FMS
2968
3330
  :resource_type,
2969
3331
  :security_service_type,
2970
3332
  :remediation_enabled,
2971
- :delete_unused_fm_managed_resources)
3333
+ :delete_unused_fm_managed_resources,
3334
+ :policy_status)
3335
+ SENSITIVE = []
3336
+ include Aws::Structure
3337
+ end
3338
+
3339
+ # Defines the policy types that the specified Firewall Manager
3340
+ # administrator can manage.
3341
+ #
3342
+ # @!attribute [rw] policy_types
3343
+ # The list of policy types that the specified Firewall Manager
3344
+ # administrator can manage.
3345
+ # @return [Array<String>]
3346
+ #
3347
+ # @!attribute [rw] all_policy_types_enabled
3348
+ # Allows the specified Firewall Manager administrator to manage all
3349
+ # Firewall Manager policy types, except for third-party policy types.
3350
+ # Third-party policy types can only be managed by the Firewall Manager
3351
+ # default administrator.
3352
+ # @return [Boolean]
3353
+ #
3354
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PolicyTypeScope AWS API Documentation
3355
+ #
3356
+ class PolicyTypeScope < Struct.new(
3357
+ :policy_types,
3358
+ :all_policy_types_enabled)
2972
3359
  SENSITIVE = []
2973
3360
  include Aws::Structure
2974
3361
  end
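Review bot: The `PolicyTypeScope` comments do not say how `policy_types` and `all_policy_types_enabled` interact, unlike `AccountScope` and `OrganizationalUnitScope`, whose comments state "You cannot specify both". From this hunk a reader cannot tell whether a populated `policy_types` list is ignored, rejected or merged when `all_policy_types_enabled` is `true`, and that difference matters when scoping an administrator to least privilege. If the service enforces the same rule, I would add `# You cannot specify both this and policy_types.` to the boolean's comment. `RegionScope` in a later hunk has the same gap for `regions` and `all_regions_enabled`.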
@@ -3094,6 +3481,35 @@ module Aws::FMS
3094
3481
  include Aws::Structure
3095
3482
  end
3096
3483
 
3484
+ # @!attribute [rw] admin_account
3485
+ # The Amazon Web Services account ID to add as an Firewall Manager
3486
+ # administrator account. The account must be a member of the
3487
+ # organization that was onboarded to Firewall Manager by
3488
+ # AssociateAdminAccount. For more information about Organizations, see
3489
+ # [Managing the Amazon Web Services Accounts in Your Organization][1].
3490
+ #
3491
+ #
3492
+ #
3493
+ # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html
3494
+ # @return [String]
3495
+ #
3496
+ # @!attribute [rw] admin_scope
3497
+ # Configures the resources that the specified Firewall Manager
3498
+ # administrator can manage. As a best practice, set the administrative
3499
+ # scope according to the principles of least privilege. Only grant the
3500
+ # administrator the specific resources or permissions that they need
3501
+ # to perform the duties of their role.
3502
+ # @return [Types::AdminScope]
3503
+ #
3504
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutAdminAccountRequest AWS API Documentation
3505
+ #
3506
+ class PutAdminAccountRequest < Struct.new(
3507
+ :admin_account,
3508
+ :admin_scope)
3509
+ SENSITIVE = []
3510
+ include Aws::Structure
3511
+ end
3512
+
3097
3513
  # @!attribute [rw] apps_list
3098
3514
  # The details of the Firewall Manager applications list to be created.
3099
3515
  # @return [Types::AppsListData]
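Review bot: The `admin_scope` comment on `PutAdminAccountRequest` recommends least privilege but does not say what scope the account receives when `admin_scope` is left unset, and nothing in this struct marks the member as required. If the service applies a broad or full scope by default (not visible in this hunk), a caller who omits the field gets the opposite of the stated best practice. I would add a sentence stating the default before the best-practice advice, for example `# If omitted, <state the resulting scope here>.`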
@@ -3254,6 +3670,28 @@ module Aws::FMS
3254
3670
  include Aws::Structure
3255
3671
  end
3256
3672
 
3673
+ # Defines the Amazon Web Services Regions that the specified Firewall
3674
+ # Manager administrator can manage.
3675
+ #
3676
+ # @!attribute [rw] regions
3677
+ # The Amazon Web Services Regions that the specified Firewall Manager
3678
+ # administrator can perform actions in.
3679
+ # @return [Array<String>]
3680
+ #
3681
+ # @!attribute [rw] all_regions_enabled
3682
+ # Allows the specified Firewall Manager administrator to manage all
3683
+ # Amazon Web Services Regions.
3684
+ # @return [Boolean]
3685
+ #
3686
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/RegionScope AWS API Documentation
3687
+ #
3688
+ class RegionScope < Struct.new(
3689
+ :regions,
3690
+ :all_regions_enabled)
3691
+ SENSITIVE = []
3692
+ include Aws::Structure
3693
+ end
3694
+
3257
3695
  # Information about an individual action you can take to remediate a
3258
3696
  # violation.
3259
3697
  #
@@ -3413,6 +3851,19 @@ module Aws::FMS
3413
3851
  # The last time that the resource set was changed.
3414
3852
  # @return [Time]
3415
3853
  #
3854
+ # @!attribute [rw] resource_set_status
3855
+ # Indicates whether the resource set is in or out of an admin's
3856
+ # Region scope.
3857
+ #
3858
+ # * `ACTIVE` - The administrator can manage and delete the resource
3859
+ # set.
3860
+ #
3861
+ # * `OUT_OF_ADMIN_SCOPE` - The administrator can view the resource
3862
+ # set, but they can't edit or delete the resource set. Existing
3863
+ # protections stay in place. Any new resource that come into scope
3864
+ # of the resource set won't be protected.
3865
+ # @return [String]
3866
+ #
3416
3867
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceSet AWS API Documentation
3417
3868
  #
3418
3869
  class ResourceSet < Struct.new(
@@ -3421,7 +3872,8 @@ module Aws::FMS
3421
3872
  :description,
3422
3873
  :update_token,
3423
3874
  :resource_type_list,
3424
- :last_update_time)
3875
+ :last_update_time,
3876
+ :resource_set_status)
3425
3877
  SENSITIVE = []
3426
3878
  include Aws::Structure
3427
3879
  end
@@ -3447,13 +3899,27 @@ module Aws::FMS
3447
3899
  # The last time that the resource set was changed.
3448
3900
  # @return [Time]
3449
3901
  #
3902
+ # @!attribute [rw] resource_set_status
3903
+ # Indicates whether the resource set is in or out of an admin's
3904
+ # Region scope.
3905
+ #
3906
+ # * `ACTIVE` - The administrator can manage and delete the resource
3907
+ # set.
3908
+ #
3909
+ # * `OUT_OF_ADMIN_SCOPE` - The administrator can view the resource
3910
+ # set, but they can't edit or delete the resource set. Existing
3911
+ # protections stay in place. Any new resource that come into scope
3912
+ # of the resource set won't be protected.
3913
+ # @return [String]
3914
+ #
3450
3915
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceSetSummary AWS API Documentation
3451
3916
  #
3452
3917
  class ResourceSetSummary < Struct.new(
3453
3918
  :id,
3454
3919
  :name,
3455
3920
  :description,
3456
- :last_update_time)
3921
+ :last_update_time,
3922
+ :resource_set_status)
3457
3923
  SENSITIVE = []
3458
3924
  include Aws::Structure
3459
3925
  end
@@ -3840,6 +4306,17 @@ module Aws::FMS
3840
4306
  #
3841
4307
  # </note>
3842
4308
  #
4309
+ # * Example: `IMPORT_NETWORK_FIREWALL`
4310
+ # `"\{"type":"IMPORT_NETWORK_FIREWALL","awsNetworkFirewallConfig":\{"networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\/rg1","priority":1\}],"networkFirewallStatelessDefaultActions":["aws:drop"],"networkFirewallStatelessFragmentDefaultActions":["aws:pass"],"networkFirewallStatelessCustomActions":[],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\/ThreatSignaturesEmergingEventsStrictOrder","priority":8\}],"networkFirewallStatefulEngineOptions":\{"ruleOrder":"STRICT_ORDER"\},"networkFirewallStatefulDefaultActions":["aws:drop_strict"]\}\}"`
4311
+ #
4312
+ # `"\{"type":"DNS_FIREWALL","preProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-1","priority":10\}],"postProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-2","priority":9911\}]\}"`
4313
+ #
4314
+ # <note markdown="1"> Valid values for `preProcessRuleGroups` are between 1 and 99.
4315
+ # Valid values for `postProcessRuleGroups` are between 9901 and
4316
+ # 10000.
4317
+ #
4318
+ # </note>
4319
+ #
3843
4320
  # * Example: `NETWORK_FIREWALL` - Centralized deployment model
3844
4321
  #
3845
4322
  # `"\{"type":"NETWORK_FIREWALL","awsNetworkFirewallConfig":\{"networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],"networkFirewallStatelessDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessFragmentDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessCustomActions":[\{"actionName":"customActionName","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"metricdimensionvalue"\}]\}\}\}],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"\}],"networkFirewallLoggingConfiguration":\{"logDestinationConfigs":[\{"logDestinationType":"S3","logType":"ALERT","logDestination":\{"bucketName":"s3-bucket-name"\}\},\{"logDestinationType":"S3","logType":"FLOW","logDestination":\{"bucketName":"s3-bucket-name"\}\}],"overrideExistingConfig":true\}\},"firewallDeploymentModel":\{"centralizedFirewallDeploymentModel":\{"centralizedFirewallOrchestrationConfig":\{"inspectionVpcIds":[\{"resourceId":"vpc-1234","accountId":"123456789011"\}],"firewallCreationConfig":\{"endpointLocation":\{"availabilityZoneConfigList":[\{"availabilityZoneId":null,"availabilityZoneName":"us-east-1a","allowedIPV4CidrList":["10.0.0.0/28"]\}]\}\},"allowedIPV4CidrList":[]\}\}\}\}"`
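Review bot: The added `IMPORT_NETWORK_FIREWALL` bullet is followed by a `DNS_FIREWALL` payload and the `preProcessRuleGroups`/`postProcessRuleGroups` note, which read as part of the import example although they describe a different policy type. The context just before the hunk already closes a `</note>`, so this looks like a duplicated block. I would drop the second payload and note from this bullet, or give them their own `# * Example: DNS_FIREWALL` heading. Separately, the import example sets `networkFirewallStatelessFragmentDefaultActions` to `aws:pass` while the non-fragment default is `aws:drop`; a one-line remark that the values are illustrative and that this setting lets unmatched fragments through would stop readers copying it unchanged. The surrounding comment block starts and ends outside the hunk.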
@@ -3981,14 +4458,40 @@ module Aws::FMS
3981
4458
  # Advanced policy, this `ManagedServiceData` configuration is an
3982
4459
  # empty string.
3983
4460
  #
3984
- # * Example: `WAFV2`
4461
+ # * Example: `WAFV2` - Account takeover prevention and Bot Control
4462
+ # managed rule groups, and rule action override
3985
4463
  #
3986
- # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAmazonIpReputationList"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
4464
+ # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesATPRuleSet","managedRuleGroupConfigs":[\{"awsmanagedRulesATPRuleSet":\{"loginPath":"/loginpath","requestInspection":\{"payloadType":"FORM_ENCODED|JSON","usernameField":\{"identifier":"/form/username"\},"passwordField":\{"identifier":"/form/password"\}\}\}\}]\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true\},\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesBotControlRuleSet","managedRuleGroupConfigs":[\{"awsmanagedRulesBotControlRuleSet":\{"inspectionLevel":"TARGETED|COMMON"\}\}]\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true,"ruleActionOverrides":[\{"name":"Rule1","actionToUse":\{"allow|block|count|captcha|challenge":\{\}\}\},\{"name":"Rule2","actionToUse":\{"allow|block|count|captcha|challenge":\{\}\}\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true\}"`
3987
4465
  #
3988
- # In the `loggingConfiguration`, you can specify one
3989
- # `logDestinationConfigs`, you can optionally provide up to 20
3990
- # `redactedFields`, and the `RedactedFieldType` must be one of
3991
- # `URI`, `QUERY_STRING`, `HEADER`, or `METHOD`.
4466
+ # * Fraud Control account takeover prevention (ATP) - For
4467
+ # information about the properties available for
4468
+ # `AWSManagedRulesATPRuleSet` managed rule groups, see
4469
+ # [AWSManagedRulesATPRuleSet][2] in the *WAF API Reference*.
4470
+ #
4471
+ # * Bot Control - For information about
4472
+ # `AWSManagedRulesBotControlRuleSet` managed rule groups, see
4473
+ # [AWSManagedRulesBotControlRuleSet][3] in the *WAF API
4474
+ # Reference*.
4475
+ #
4476
+ # * Rule action overrides - Firewall Manager supports rule action
4477
+ # overrides only for managed rule groups. To configure a
4478
+ # `RuleActionOverrides` add the `Name` of the rule to override,
4479
+ # and `ActionToUse`, which is the new action to use for the rule.
4480
+ # For information about using rule action override, see
4481
+ # [RuleActionOverride][4] in the *WAF API Reference*.
4482
+ #
4483
+ # * Example: `WAFV2` - `CAPTCHA` and `Challenge` configs
4484
+ #
4485
+ # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true,"captchaConfig":\{"immunityTimeProperty":\{"immunityTime":500\}\},"challengeConfig":\{"immunityTimeProperty":\{"immunityTime":800\}\},"tokenDomains":["google.com","amazon.com"]\}"`
4486
+ #
4487
+ # If you update the policy's values for `captchaConfig`,
4488
+ # `challengeConfig`, or `tokenDomains`, Firewall Manager will
4489
+ # overwrite your local web ACLs to contain the new value(s).
4490
+ # However, if you don't update the policy's `captchaConfig`,
4491
+ # `challengeConfig`, or `tokenDomains` values, the values in your
4492
+ # local web ACLs will remain unchanged. For information about
4493
+ # CAPTCHA and Challenge configs, see [CaptchaConfig][5] and
4494
+ # [ChallengeConfig][6] in the *WAF API Reference*.
3992
4495
  #
3993
4496
  # * Example: `WAFV2` - Firewall Manager support for WAF managed rule
3994
4497
  # group versioning
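Review bot: The ATP/Bot Control example added in this hunk writes alternatives as literal JSON values (`"payloadType":"FORM_ENCODED|JSON"`, `"inspectionLevel":"TARGETED|COMMON"`, and the key `"allow|block|count|captcha|challenge"` under `actionToUse`) while nothing in the surrounding text says that `|` separates choices, so a policy copied from it would carry values that are presumably not accepted. I would add a line under the example such as `# In the example above, values separated by "|" are alternatives; specify exactly one.` The rule action override bullet could also state that replacing a managed rule's action with `allow` or `count` stops that rule from blocking, since that weakens the protection the rule group was added for. The CAPTCHA example lists `google.com` and `amazon.com` under `tokenDomains`; reserved names such as `example.com` would avoid suggesting that third-party domains belong in that list. The comment block these lines belong to starts and ends outside the hunk.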
@@ -4002,6 +4505,34 @@ module Aws::FMS
4002
4505
  # then Firewall Manager uses the default version of the WAF managed
4003
4506
  # rule group.
4004
4507
  #
4508
+ # * Example: `WAFV2` - Logging configurations
4509
+ #
4510
+ # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,
4511
+ # "overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":
4512
+ # \{"versionEnabled":null,"version":null,"vendorName":"AWS",
4513
+ # "managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"\}
4514
+ # ,"ruleGroupType":"ManagedRuleGroup","excludeRules":[],
4515
+ # "sampledRequestsEnabled":true\}],"postProcessRuleGroups":[],
4516
+ # "defaultAction":\{"type":"ALLOW"\},"customRequestHandling"
4517
+ # \:null,"customResponse":null,"overrideCustomerWebACLAssociation"
4518
+ # \:false,"loggingConfiguration":\{"logDestinationConfigs":
4519
+ # ["arn:aws:s3:::aws-waf-logs-example-bucket"]
4520
+ # ,"redactedFields":[],"loggingFilterConfigs":\{"defaultBehavior":"KEEP",
4521
+ # "filters":[\{"behavior":"KEEP","requirement":"MEETS_ALL",
4522
+ # "conditions":[\{"actionCondition":"CAPTCHA"\},\{"actionCondition":
4523
+ # "CHALLENGE"\},
4524
+ # \{"actionCondition":"EXCLUDED_AS_COUNT"\}]\}]\}\},"sampledRequestsEnabledForDefaultActions":true\}"`
4525
+ #
4526
+ # Firewall Manager supports Amazon Kinesis Data Firehose and Amazon
4527
+ # S3 as the `logDestinationConfigs` in your `loggingConfiguration`.
4528
+ # For information about WAF logging configurations, see
4529
+ # [LoggingConfiguration][7] in the *WAF API Reference*
4530
+ #
4531
+ # In the `loggingConfiguration`, you can specify one
4532
+ # `logDestinationConfigs`. Optionally provide as many as 20
4533
+ # `redactedFields`. The `RedactedFieldType` must be one of `URI`,
4534
+ # `QUERY_STRING`, `HEADER`, or `METHOD`.
4535
+ #
4005
4536
  # * Example: `WAF Classic`
4006
4537
  #
4007
4538
  # `"\{"type": "WAF", "ruleGroups":
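Review bot: The logging example added here sets `"redactedFields":[]`, so no example on the new side shows what a redaction entry looks like, and a policy copied from it would log every field WAF records, presumably including headers that carry credentials or session cookies. The example should carry at least one `redactedFields` entry, or the paragraph that lists the `RedactedFieldType` values should gain a sentence like `# Redact any header that carries credentials or session tokens before sending logs to the destination.` Unlike the other examples, this one is wrapped across comment lines, and the wrapped text contains `\:null` and `\:false`, which do not parse as JSON if copied; keeping it on one line would match the rest. The sentence ending `in the *WAF API Reference*` is also missing its period. The enclosing comment block starts and ends outside the hunk.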
@@ -4012,6 +4543,12 @@ module Aws::FMS
4012
4543
  #
4013
4544
  #
4014
4545
  # [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
4546
+ # [2]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesATPRuleSet.html
4547
+ # [3]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesBotControlRuleSet.html
4548
+ # [4]: https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleActionOverride.html
4549
+ # [5]: https://docs.aws.amazon.com/waf/latest/APIReference/API_CaptchaConfig.html
4550
+ # [6]: https://docs.aws.amazon.com/waf/latest/APIReference/API_ChallengeConfig.html
4551
+ # [7]: https://docs.aws.amazon.com/waf/latest/APIReference/API_LoggingConfiguration.html
4015
4552
  # @return [String]
4016
4553
  #
4017
4554
  # @!attribute [rw] policy_option