aws-sdk-fms 1.55.0 → 1.56.0

@@ -10,6 +10,52 @@
10
10
  module Aws::FMS
11
11
  module Types
12
12
 
13
+ # Configures the accounts within the administrator's Organizations
14
+ # organization that the specified Firewall Manager administrator can
15
+ # apply policies to.
16
+ #
17
+ # @!attribute [rw] accounts
18
+ # The list of accounts within the organization that the specified
19
+ # Firewall Manager administrator either can or cannot apply policies
20
+ # to, based on the value of `ExcludeSpecifiedAccounts`. If
21
+ # `ExcludeSpecifiedAccounts` is set to `true`, then the Firewall
22
+ # Manager administrator can apply policies to all members of the
23
+ # organization except for the accounts in this list. If
24
+ # `ExcludeSpecifiedAccounts` is set to `false`, then the Firewall
25
+ # Manager administrator can only apply policies to the accounts in
26
+ # this list.
27
+ # @return [Array<String>]
28
+ #
29
+ # @!attribute [rw] all_accounts_enabled
30
+ # A boolean value that indicates if the administrator can apply
31
+ # policies to all accounts within an organization. If true, the
32
+ # administrator can apply policies to all accounts within the
33
+ # organization. You can either enable management of all accounts
34
+ # through this operation, or you can specify a list of accounts to
35
+ # manage in `AccountScope$Accounts`. You cannot specify both.
36
+ # @return [Boolean]
37
+ #
38
+ # @!attribute [rw] exclude_specified_accounts
39
+ # A boolean value that excludes the accounts in
40
+ # `AccountScope$Accounts` from the administrator's scope. If true,
41
+ # the Firewall Manager administrator can apply policies to all members
42
+ # of the organization except for the accounts listed in
43
+ # `AccountScope$Accounts`. You can either specify a list of accounts
44
+ # to exclude by `AccountScope$Accounts`, or you can enable management
45
+ # of all accounts by `AccountScope$AllAccountsEnabled`. You cannot
46
+ # specify both.
47
+ # @return [Boolean]
48
+ #
49
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AccountScope AWS API Documentation
50
+ #
51
+ class AccountScope < Struct.new(
52
+ :accounts,
53
+ :all_accounts_enabled,
54
+ :exclude_specified_accounts)
55
+ SENSITIVE = []
56
+ include Aws::Structure
57
+ end
58
+
13
59
  # Describes a remediation action target.
14
60
  #
15
61
  # @!attribute [rw] resource_id
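Review bot: The `accounts` doc at the top of the hunk leaves the empty-list case to the reader: by its own wording, `ExcludeSpecifiedAccounts` set to `true` with no accounts listed grants the administrator every member account, which is the same result as `AllAccountsEnabled` but without being flagged as such. Since this struct carries the scope handed to the new administrator, I would spell that out in the `exclude_specified_accounts` attribute doc: `# An empty account list combined with ExcludeSpecifiedAccounts = true is` / `# equivalent to granting the whole organization; use AllAccountsEnabled when that is intended.` The struct itself carries no checks for the documented either/or constraints (it is a bare `Struct.new` with `include Aws::Structure`), so presumably the mutual-exclusion rules are enforced server-side; callers should not expect a client-side rejection.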
@@ -29,6 +75,103 @@ module Aws::FMS
29
75
  include Aws::Structure
30
76
  end
31
77
 
78
+ # Contains high level information about the Firewall Manager
79
+ # administrator account.
80
+ #
81
+ # @!attribute [rw] admin_account
82
+ # The Amazon Web Services account ID of the Firewall Manager
83
+ # administrator's account.
84
+ # @return [String]
85
+ #
86
+ # @!attribute [rw] default_admin
87
+ # A boolean value that indicates if the administrator is the default
88
+ # administrator. If true, then this is the default administrator
89
+ # account. The default administrator can manage third-party firewalls
90
+ # and has full administrative scope. There is only one default
91
+ # administrator account per organization. For information about
92
+ # Firewall Manager default administrator accounts, see [Managing
93
+ # Firewall Manager administrators][1] in the *Firewall Manager
94
+ # Developer Guide*.
95
+ #
96
+ #
97
+ #
98
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/fms-administrators.html
99
+ # @return [Boolean]
100
+ #
101
+ # @!attribute [rw] status
102
+ # The current status of the request to onboard a member account as an
103
+ # Firewall Manager administator.
104
+ #
105
+ # * `ONBOARDING` - The account is onboarding to Firewall Manager as an
106
+ # administrator.
107
+ #
108
+ # * `ONBOARDING_COMPLETE` - Firewall Manager The account is onboarded
109
+ # to Firewall Manager as an administrator, and can perform actions
110
+ # on the resources defined in their AdminScope.
111
+ #
112
+ # * `OFFBOARDING` - The account is being removed as an Firewall
113
+ # Manager administrator.
114
+ #
115
+ # * `OFFBOARDING_COMPLETE` - The account has been removed as an
116
+ # Firewall Manager administrator.
117
+ # @return [String]
118
+ #
119
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AdminAccountSummary AWS API Documentation
120
+ #
121
+ class AdminAccountSummary < Struct.new(
122
+ :admin_account,
123
+ :default_admin,
124
+ :status)
125
+ SENSITIVE = []
126
+ include Aws::Structure
127
+ end
128
+
129
+ # Defines the resources that the Firewall Manager administrator can
130
+ # manage. For more information about administrative scope, see [Managing
131
+ # Firewall Manager administrators][1] in the *Firewall Manager Developer
132
+ # Guide*.
133
+ #
134
+ #
135
+ #
136
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/fms-administrators.html
137
+ #
138
+ # @!attribute [rw] account_scope
139
+ # Defines the accounts that the specified Firewall Manager
140
+ # administrator can apply policies to.
141
+ # @return [Types::AccountScope]
142
+ #
143
+ # @!attribute [rw] organizational_unit_scope
144
+ # Defines the Organizations organizational units that the specified
145
+ # Firewall Manager administrator can apply policies to. For more
146
+ # information about OUs in Organizations, see [Managing organizational
147
+ # units (OUs) ][1] in the *Organizations User Guide*.
148
+ #
149
+ #
150
+ #
151
+ # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html
152
+ # @return [Types::OrganizationalUnitScope]
153
+ #
154
+ # @!attribute [rw] region_scope
155
+ # Defines the Amazon Web Services Regions that the specified Firewall
156
+ # Manager administrator can perform actions in.
157
+ # @return [Types::RegionScope]
158
+ #
159
+ # @!attribute [rw] policy_type_scope
160
+ # Defines the Firewall Manager policy types that the specified
161
+ # Firewall Manager administrator can create and manage.
162
+ # @return [Types::PolicyTypeScope]
163
+ #
164
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AdminScope AWS API Documentation
165
+ #
166
+ class AdminScope < Struct.new(
167
+ :account_scope,
168
+ :organizational_unit_scope,
169
+ :region_scope,
170
+ :policy_type_scope)
171
+ SENSITIVE = []
172
+ include Aws::Structure
173
+ end
174
+
32
175
  # An individual Firewall Manager application.
33
176
  #
34
177
  # @!attribute [rw] app_name
@@ -139,10 +282,11 @@ module Aws::FMS
139
282
 
140
283
  # @!attribute [rw] admin_account
141
284
  # The Amazon Web Services account ID to associate with Firewall
142
- # Manager as the Firewall Manager administrator account. This must be
143
- # an Organizations member account. For more information about
144
- # Organizations, see [Managing the Amazon Web Services Accounts in
145
- # Your Organization][1].
285
+ # Manager as the Firewall Manager default administrator account. This
286
+ # account must be a member account of the organization in
287
+ # Organizations whose resources you want to protect. For more
288
+ # information about Organizations, see [Managing the Amazon Web
289
+ # Services Accounts in Your Organization][1].
146
290
  #
147
291
  #
148
292
  #
@@ -271,8 +415,8 @@ module Aws::FMS
271
415
  end
272
416
 
273
417
  # @!attribute [rw] resource_set_identifier
274
- # A unique identifier for the resource set, used in a TODO to refer to
275
- # the resource set.
418
+ # A unique identifier for the resource set, used in a request to refer
419
+ # to the resource set.
276
420
  # @return [String]
277
421
  #
278
422
  # @!attribute [rw] items
@@ -291,8 +435,8 @@ module Aws::FMS
291
435
  end
292
436
 
293
437
  # @!attribute [rw] resource_set_identifier
294
- # A unique identifier for the resource set, used in a TODO to refer to
295
- # the resource set.
438
+ # A unique identifier for the resource set, used in a request to refer
439
+ # to the resource set.
296
440
  # @return [String]
297
441
  #
298
442
  # @!attribute [rw] failed_items
@@ -309,8 +453,8 @@ module Aws::FMS
309
453
  end
310
454
 
311
455
  # @!attribute [rw] resource_set_identifier
312
- # A unique identifier for the resource set, used in a TODO to refer to
313
- # the resource set.
456
+ # A unique identifier for the resource set, used in a request to refer
457
+ # to the resource set.
314
458
  # @return [String]
315
459
  #
316
460
  # @!attribute [rw] items
@@ -329,8 +473,8 @@ module Aws::FMS
329
473
  end
330
474
 
331
475
  # @!attribute [rw] resource_set_identifier
332
- # A unique identifier for the resource set, used in a TODO to refer to
333
- # the resource set.
476
+ # A unique identifier for the resource set, used in a request to refer
477
+ # to the resource set.
334
478
  # @return [String]
335
479
  #
336
480
  # @!attribute [rw] failed_items
@@ -465,8 +609,8 @@ module Aws::FMS
465
609
  end
466
610
 
467
611
  # @!attribute [rw] identifier
468
- # A unique identifier for the resource set, used in a TODO to refer to
469
- # the resource set.
612
+ # A unique identifier for the resource set, used in a request to refer
613
+ # to the resource set.
470
614
  # @return [String]
471
615
  #
472
616
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DeleteResourceSetRequest AWS API Documentation
@@ -1061,13 +1205,13 @@ module Aws::FMS
1061
1205
  class GetAdminAccountRequest < Aws::EmptyStructure; end
1062
1206
 
1063
1207
  # @!attribute [rw] admin_account
1064
- # The Amazon Web Services account that is set as the Firewall Manager
1208
+ # The account that is set as the Firewall Manager default
1065
1209
  # administrator.
1066
1210
  # @return [String]
1067
1211
  #
1068
1212
  # @!attribute [rw] role_status
1069
- # The status of the Amazon Web Services account that you set as the
1070
- # Firewall Manager administrator.
1213
+ # The status of the account that you set as the Firewall Manager
1214
+ # default administrator.
1071
1215
  # @return [String]
1072
1216
  #
1073
1217
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminAccountResponse AWS API Documentation
@@ -1079,6 +1223,50 @@ module Aws::FMS
1079
1223
  include Aws::Structure
1080
1224
  end
1081
1225
 
1226
+ # @!attribute [rw] admin_account
1227
+ # The administator account that you want to get the details for.
1228
+ # @return [String]
1229
+ #
1230
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminScopeRequest AWS API Documentation
1231
+ #
1232
+ class GetAdminScopeRequest < Struct.new(
1233
+ :admin_account)
1234
+ SENSITIVE = []
1235
+ include Aws::Structure
1236
+ end
1237
+
1238
+ # @!attribute [rw] admin_scope
1239
+ # Contains details about the administrative scope of the requested
1240
+ # account.
1241
+ # @return [Types::AdminScope]
1242
+ #
1243
+ # @!attribute [rw] status
1244
+ # The current status of the request to onboard a member account as an
1245
+ # Firewall Manager administator.
1246
+ #
1247
+ # * `ONBOARDING` - The account is onboarding to Firewall Manager as an
1248
+ # administrator.
1249
+ #
1250
+ # * `ONBOARDING_COMPLETE` - Firewall Manager The account is onboarded
1251
+ # to Firewall Manager as an administrator, and can perform actions
1252
+ # on the resources defined in their AdminScope.
1253
+ #
1254
+ # * `OFFBOARDING` - The account is being removed as an Firewall
1255
+ # Manager administrator.
1256
+ #
1257
+ # * `OFFBOARDING_COMPLETE` - The account has been removed as an
1258
+ # Firewall Manager administrator.
1259
+ # @return [String]
1260
+ #
1261
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminScopeResponse AWS API Documentation
1262
+ #
1263
+ class GetAdminScopeResponse < Struct.new(
1264
+ :admin_scope,
1265
+ :status)
1266
+ SENSITIVE = []
1267
+ include Aws::Structure
1268
+ end
1269
+
1082
1270
  # @!attribute [rw] list_id
1083
1271
  # The ID of the Firewall Manager applications list that you want the
1084
1272
  # details for.
@@ -1342,8 +1530,8 @@ module Aws::FMS
1342
1530
  end
1343
1531
 
1344
1532
  # @!attribute [rw] identifier
1345
- # A unique identifier for the resource set, used in a TODO to refer to
1346
- # the resource set.
1533
+ # A unique identifier for the resource set, used in a request to refer
1534
+ # to the resource set.
1347
1535
  # @return [String]
1348
1536
  #
1349
1537
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetResourceSetRequest AWS API Documentation
@@ -1558,6 +1746,99 @@ module Aws::FMS
1558
1746
  include Aws::Structure
1559
1747
  end
1560
1748
 
1749
+ # @!attribute [rw] next_token
1750
+ # When you request a list of objects with a `MaxResults` setting, if
1751
+ # the number of objects that are still available for retrieval exceeds
1752
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1753
+ # value in the response. To retrieve the next batch of objects, use
1754
+ # the token returned from the prior request in your next request.
1755
+ # @return [String]
1756
+ #
1757
+ # @!attribute [rw] max_results
1758
+ # The maximum number of objects that you want Firewall Manager to
1759
+ # return for this request. If more objects are available, in the
1760
+ # response, Firewall Manager provides a `NextToken` value that you can
1761
+ # use in a subsequent call to get the next batch of objects.
1762
+ # @return [Integer]
1763
+ #
1764
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminAccountsForOrganizationRequest AWS API Documentation
1765
+ #
1766
+ class ListAdminAccountsForOrganizationRequest < Struct.new(
1767
+ :next_token,
1768
+ :max_results)
1769
+ SENSITIVE = []
1770
+ include Aws::Structure
1771
+ end
1772
+
1773
+ # @!attribute [rw] admin_accounts
1774
+ # A list of Firewall Manager administrator accounts within the
1775
+ # organization that were onboarded as administrators by
1776
+ # AssociateAdminAccount or PutAdminAccount.
1777
+ # @return [Array<Types::AdminAccountSummary>]
1778
+ #
1779
+ # @!attribute [rw] next_token
1780
+ # When you request a list of objects with a `MaxResults` setting, if
1781
+ # the number of objects that are still available for retrieval exceeds
1782
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1783
+ # value in the response. To retrieve the next batch of objects, use
1784
+ # the token returned from the prior request in your next request.
1785
+ # @return [String]
1786
+ #
1787
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminAccountsForOrganizationResponse AWS API Documentation
1788
+ #
1789
+ class ListAdminAccountsForOrganizationResponse < Struct.new(
1790
+ :admin_accounts,
1791
+ :next_token)
1792
+ SENSITIVE = []
1793
+ include Aws::Structure
1794
+ end
1795
+
1796
+ # @!attribute [rw] next_token
1797
+ # When you request a list of objects with a `MaxResults` setting, if
1798
+ # the number of objects that are still available for retrieval exceeds
1799
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1800
+ # value in the response. To retrieve the next batch of objects, use
1801
+ # the token returned from the prior request in your next request.
1802
+ # @return [String]
1803
+ #
1804
+ # @!attribute [rw] max_results
1805
+ # The maximum number of objects that you want Firewall Manager to
1806
+ # return for this request. If more objects are available, in the
1807
+ # response, Firewall Manager provides a `NextToken` value that you can
1808
+ # use in a subsequent call to get the next batch of objects.
1809
+ # @return [Integer]
1810
+ #
1811
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminsManagingAccountRequest AWS API Documentation
1812
+ #
1813
+ class ListAdminsManagingAccountRequest < Struct.new(
1814
+ :next_token,
1815
+ :max_results)
1816
+ SENSITIVE = []
1817
+ include Aws::Structure
1818
+ end
1819
+
1820
+ # @!attribute [rw] admin_accounts
1821
+ # The list of accounts who manage member accounts within their
1822
+ # AdminScope.
1823
+ # @return [Array<String>]
1824
+ #
1825
+ # @!attribute [rw] next_token
1826
+ # When you request a list of objects with a `MaxResults` setting, if
1827
+ # the number of objects that are still available for retrieval exceeds
1828
+ # the maximum you requested, Firewall Manager returns a `NextToken`
1829
+ # value in the response. To retrieve the next batch of objects, use
1830
+ # the token returned from the prior request in your next request.
1831
+ # @return [String]
1832
+ #
1833
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminsManagingAccountResponse AWS API Documentation
1834
+ #
1835
+ class ListAdminsManagingAccountResponse < Struct.new(
1836
+ :admin_accounts,
1837
+ :next_token)
1838
+ SENSITIVE = []
1839
+ include Aws::Structure
1840
+ end
1841
+
1561
1842
  # @!attribute [rw] default_lists
1562
1843
  # Specifies whether the lists to retrieve are default lists owned by
1563
1844
  # Firewall Manager.
@@ -1873,8 +2154,8 @@ module Aws::FMS
1873
2154
  end
1874
2155
 
1875
2156
  # @!attribute [rw] identifier
1876
- # A unique identifier for the resource set, used in a TODO to refer to
1877
- # the resource set.
2157
+ # A unique identifier for the resource set, used in a request to refer
2158
+ # to the resource set.
1878
2159
  # @return [String]
1879
2160
  #
1880
2161
  # @!attribute [rw] max_results
@@ -2582,6 +2863,62 @@ module Aws::FMS
2582
2863
  include Aws::Structure
2583
2864
  end
2584
2865
 
2866
+ # Defines the Organizations organizational units (OUs) that the
2867
+ # specified Firewall Manager administrator can apply policies to. For
2868
+ # more information about OUs in Organizations, see [Managing
2869
+ # organizational units (OUs) ][1] in the *Organizations User Guide*.
2870
+ #
2871
+ #
2872
+ #
2873
+ # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html
2874
+ #
2875
+ # @!attribute [rw] organizational_units
2876
+ # The list of OUs within the organization that the specified Firewall
2877
+ # Manager administrator either can or cannot apply policies to, based
2878
+ # on the value of
2879
+ # `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits`. If
2880
+ # `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits` is set
2881
+ # to `true`, then the Firewall Manager administrator can apply
2882
+ # policies to all OUs in the organization except for the OUs in this
2883
+ # list. If
2884
+ # `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits` is set
2885
+ # to `false`, then the Firewall Manager administrator can only apply
2886
+ # policies to the OUs in this list.
2887
+ # @return [Array<String>]
2888
+ #
2889
+ # @!attribute [rw] all_organizational_units_enabled
2890
+ # A boolean value that indicates if the administrator can apply
2891
+ # policies to all OUs within an organization. If true, the
2892
+ # administrator can manage all OUs within the organization. You can
2893
+ # either enable management of all OUs through this operation, or you
2894
+ # can specify OUs to manage in
2895
+ # `OrganizationalUnitScope$OrganizationalUnits`. You cannot specify
2896
+ # both.
2897
+ # @return [Boolean]
2898
+ #
2899
+ # @!attribute [rw] exclude_specified_organizational_units
2900
+ # A boolean value that excludes the OUs in
2901
+ # `OrganizationalUnitScope$OrganizationalUnits` from the
2902
+ # administrator's scope. If true, the Firewall Manager administrator
2903
+ # can apply policies to all OUs in the organization except for the OUs
2904
+ # listed in `OrganizationalUnitScope$OrganizationalUnits`. You can
2905
+ # either specify a list of OUs to exclude by
2906
+ # `OrganizationalUnitScope$OrganizationalUnits`, or you can enable
2907
+ # management of all OUs by
2908
+ # `OrganizationalUnitScope$AllOrganizationalUnitsEnabled`. You cannot
2909
+ # specify both.
2910
+ # @return [Boolean]
2911
+ #
2912
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/OrganizationalUnitScope AWS API Documentation
2913
+ #
2914
+ class OrganizationalUnitScope < Struct.new(
2915
+ :organizational_units,
2916
+ :all_organizational_units_enabled,
2917
+ :exclude_specified_organizational_units)
2918
+ SENSITIVE = []
2919
+ include Aws::Structure
2920
+ end
2921
+
2585
2922
  # The reference rule that partially matches the `ViolationTarget` rule
2586
2923
  # and violation reason.
2587
2924
  #
@@ -2755,6 +3092,18 @@ module Aws::FMS
2755
3092
  # The definition of the Network Firewall firewall policy.
2756
3093
  # @return [String]
2757
3094
  #
3095
+ # @!attribute [rw] policy_status
3096
+ # Indicates whether the policy is in or out of an admin's policy or
3097
+ # Region scope.
3098
+ #
3099
+ # * `ACTIVE` - The administrator can manage and delete the policy.
3100
+ #
3101
+ # * `OUT_OF_ADMIN_SCOPE` - The administrator can view the policy, but
3102
+ # they can't edit or delete the policy. Existing policy protections
3103
+ # stay in place. Any new resources that come into scope of the
3104
+ # policy won't be protected.
3105
+ # @return [String]
3106
+ #
2758
3107
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/Policy AWS API Documentation
2759
3108
  #
2760
3109
  class Policy < Struct.new(
@@ -2771,7 +3120,8 @@ module Aws::FMS
2771
3120
  :include_map,
2772
3121
  :exclude_map,
2773
3122
  :resource_set_ids,
2774
- :policy_description)
3123
+ :policy_description,
3124
+ :policy_status)
2775
3125
  SENSITIVE = []
2776
3126
  include Aws::Structure
2777
3127
  end
@@ -2959,6 +3309,18 @@ module Aws::FMS
2959
3309
  # policies.
2960
3310
  # @return [Boolean]
2961
3311
  #
3312
+ # @!attribute [rw] policy_status
3313
+ # Indicates whether the policy is in or out of an admin's policy or
3314
+ # Region scope.
3315
+ #
3316
+ # * `ACTIVE` - The administrator can manage and delete the policy.
3317
+ #
3318
+ # * `OUT_OF_ADMIN_SCOPE` - The administrator can view the policy, but
3319
+ # they can't edit or delete the policy. Existing policy protections
3320
+ # stay in place. Any new resources that come into scope of the
3321
+ # policy won't be protected.
3322
+ # @return [String]
3323
+ #
2962
3324
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PolicySummary AWS API Documentation
2963
3325
  #
2964
3326
  class PolicySummary < Struct.new(
@@ -2968,7 +3330,32 @@ module Aws::FMS
2968
3330
  :resource_type,
2969
3331
  :security_service_type,
2970
3332
  :remediation_enabled,
2971
- :delete_unused_fm_managed_resources)
3333
+ :delete_unused_fm_managed_resources,
3334
+ :policy_status)
3335
+ SENSITIVE = []
3336
+ include Aws::Structure
3337
+ end
3338
+
3339
+ # Defines the policy types that the specified Firewall Manager
3340
+ # administrator can manage.
3341
+ #
3342
+ # @!attribute [rw] policy_types
3343
+ # The list of policy types that the specified Firewall Manager
3344
+ # administrator can manage.
3345
+ # @return [Array<String>]
3346
+ #
3347
+ # @!attribute [rw] all_policy_types_enabled
3348
+ # Allows the specified Firewall Manager administrator to manage all
3349
+ # Firewall Manager policy types, except for third-party policy types.
3350
+ # Third-party policy types can only be managed by the Firewall Manager
3351
+ # default administrator.
3352
+ # @return [Boolean]
3353
+ #
3354
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PolicyTypeScope AWS API Documentation
3355
+ #
3356
+ class PolicyTypeScope < Struct.new(
3357
+ :policy_types,
3358
+ :all_policy_types_enabled)
2972
3359
  SENSITIVE = []
2973
3360
  include Aws::Structure
2974
3361
  end
@@ -3094,6 +3481,35 @@ module Aws::FMS
3094
3481
  include Aws::Structure
3095
3482
  end
3096
3483
 
3484
+ # @!attribute [rw] admin_account
3485
+ # The Amazon Web Services account ID to add as an Firewall Manager
3486
+ # administrator account. The account must be a member of the
3487
+ # organization that was onboarded to Firewall Manager by
3488
+ # AssociateAdminAccount. For more information about Organizations, see
3489
+ # [Managing the Amazon Web Services Accounts in Your Organization][1].
3490
+ #
3491
+ #
3492
+ #
3493
+ # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html
3494
+ # @return [String]
3495
+ #
3496
+ # @!attribute [rw] admin_scope
3497
+ # Configures the resources that the specified Firewall Manager
3498
+ # administrator can manage. As a best practice, set the administrative
3499
+ # scope according to the principles of least privilege. Only grant the
3500
+ # administrator the specific resources or permissions that they need
3501
+ # to perform the duties of their role.
3502
+ # @return [Types::AdminScope]
3503
+ #
3504
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutAdminAccountRequest AWS API Documentation
3505
+ #
3506
+ class PutAdminAccountRequest < Struct.new(
3507
+ :admin_account,
3508
+ :admin_scope)
3509
+ SENSITIVE = []
3510
+ include Aws::Structure
3511
+ end
3512
+
3097
3513
  # @!attribute [rw] apps_list
3098
3514
  # The details of the Firewall Manager applications list to be created.
3099
3515
  # @return [Types::AppsListData]
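Review bot: The `admin_scope` doc in this hunk recommends least privilege but does not say what scope the service applies when the attribute is omitted, which is the case a caller is most likely to get wrong; if the service default is broad, an omitted `admin_scope` silently over-privileges the new administrator. I would add a hedged note under the attribute: `# NOTE(review): confirm the service default when AdminScope is omitted; unless it is` / `# an empty scope, callers should always pass an explicit AdminScope.` The `admin_account` doc also reads "as an Firewall Manager administrator account"; "a Firewall Manager" is the correct article.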
@@ -3254,6 +3670,28 @@ module Aws::FMS
3254
3670
  include Aws::Structure
3255
3671
  end
3256
3672
 
3673
+ # Defines the Amazon Web Services Regions that the specified Firewall
3674
+ # Manager administrator can manage.
3675
+ #
3676
+ # @!attribute [rw] regions
3677
+ # The Amazon Web Services Regions that the specified Firewall Manager
3678
+ # administrator can perform actions in.
3679
+ # @return [Array<String>]
3680
+ #
3681
+ # @!attribute [rw] all_regions_enabled
3682
+ # Allows the specified Firewall Manager administrator to manage all
3683
+ # Amazon Web Services Regions.
3684
+ # @return [Boolean]
3685
+ #
3686
+ # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/RegionScope AWS API Documentation
3687
+ #
3688
+ class RegionScope < Struct.new(
3689
+ :regions,
3690
+ :all_regions_enabled)
3691
+ SENSITIVE = []
3692
+ include Aws::Structure
3693
+ end
3694
+
3257
3695
  # Information about an individual action you can take to remediate a
3258
3696
  # violation.
3259
3697
  #
@@ -3413,6 +3851,19 @@ module Aws::FMS
3413
3851
  # The last time that the resource set was changed.
3414
3852
  # @return [Time]
3415
3853
  #
3854
+ # @!attribute [rw] resource_set_status
3855
+ # Indicates whether the resource set is in or out of an admin's
3856
+ # Region scope.
3857
+ #
3858
+ # * `ACTIVE` - The administrator can manage and delete the resource
3859
+ # set.
3860
+ #
3861
+ # * `OUT_OF_ADMIN_SCOPE` - The administrator can view the resource
3862
+ # set, but they can't edit or delete the resource set. Existing
3863
+ # protections stay in place. Any new resource that come into scope
3864
+ # of the resource set won't be protected.
3865
+ # @return [String]
3866
+ #
3416
3867
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceSet AWS API Documentation
3417
3868
  #
3418
3869
  class ResourceSet < Struct.new(
@@ -3421,7 +3872,8 @@ module Aws::FMS
3421
3872
  :description,
3422
3873
  :update_token,
3423
3874
  :resource_type_list,
3424
- :last_update_time)
3875
+ :last_update_time,
3876
+ :resource_set_status)
3425
3877
  SENSITIVE = []
3426
3878
  include Aws::Structure
3427
3879
  end
@@ -3447,13 +3899,27 @@ module Aws::FMS
3447
3899
  # The last time that the resource set was changed.
3448
3900
  # @return [Time]
3449
3901
  #
3902
+ # @!attribute [rw] resource_set_status
3903
+ # Indicates whether the resource set is in or out of an admin's
3904
+ # Region scope.
3905
+ #
3906
+ # * `ACTIVE` - The administrator can manage and delete the resource
3907
+ # set.
3908
+ #
3909
+ # * `OUT_OF_ADMIN_SCOPE` - The administrator can view the resource
3910
+ # set, but they can't edit or delete the resource set. Existing
3911
+ # protections stay in place. Any new resource that come into scope
3912
+ # of the resource set won't be protected.
3913
+ # @return [String]
3914
+ #
3450
3915
  # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceSetSummary AWS API Documentation
3451
3916
  #
3452
3917
  class ResourceSetSummary < Struct.new(
3453
3918
  :id,
3454
3919
  :name,
3455
3920
  :description,
3456
- :last_update_time)
3921
+ :last_update_time,
3922
+ :resource_set_status)
3457
3923
  SENSITIVE = []
3458
3924
  include Aws::Structure
3459
3925
  end
@@ -3840,6 +4306,17 @@ module Aws::FMS
3840
4306
  #
3841
4307
  # </note>
3842
4308
  #
4309
+ # * Example: `IMPORT_NETWORK_FIREWALL`
4310
+ # `"\{"type":"IMPORT_NETWORK_FIREWALL","awsNetworkFirewallConfig":\{"networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\/rg1","priority":1\}],"networkFirewallStatelessDefaultActions":["aws:drop"],"networkFirewallStatelessFragmentDefaultActions":["aws:pass"],"networkFirewallStatelessCustomActions":[],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\/ThreatSignaturesEmergingEventsStrictOrder","priority":8\}],"networkFirewallStatefulEngineOptions":\{"ruleOrder":"STRICT_ORDER"\},"networkFirewallStatefulDefaultActions":["aws:drop_strict"]\}\}"`
4311
+ #
4312
+ # `"\{"type":"DNS_FIREWALL","preProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-1","priority":10\}],"postProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-2","priority":9911\}]\}"`
4313
+ #
4314
+ # <note markdown="1"> Valid values for `preProcessRuleGroups` are between 1 and 99.
4315
+ # Valid values for `postProcessRuleGroups` are between 9901 and
4316
+ # 10000.
4317
+ #
4318
+ # </note>
4319
+ #
3843
4320
  # * Example: `NETWORK_FIREWALL` - Centralized deployment model
3844
4321
  #
3845
4322
  # `"\{"type":"NETWORK_FIREWALL","awsNetworkFirewallConfig":\{"networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],"networkFirewallStatelessDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessFragmentDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessCustomActions":[\{"actionName":"customActionName","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"metricdimensionvalue"\}]\}\}\}],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"\}],"networkFirewallLoggingConfiguration":\{"logDestinationConfigs":[\{"logDestinationType":"S3","logType":"ALERT","logDestination":\{"bucketName":"s3-bucket-name"\}\},\{"logDestinationType":"S3","logType":"FLOW","logDestination":\{"bucketName":"s3-bucket-name"\}\}],"overrideExistingConfig":true\}\},"firewallDeploymentModel":\{"centralizedFirewallDeploymentModel":\{"centralizedFirewallOrchestrationConfig":\{"inspectionVpcIds":[\{"resourceId":"vpc-1234","accountId":"123456789011"\}],"firewallCreationConfig":\{"endpointLocation":\{"availabilityZoneConfigList":[\{"availabilityZoneId":null,"availabilityZoneName":"us-east-1a","allowedIPV4CidrList":["10.0.0.0/28"]\}]\}\},"allowedIPV4CidrList":[]\}\}\}\}"`
@@ -3981,14 +4458,40 @@ module Aws::FMS
3981
4458
  # Advanced policy, this `ManagedServiceData` configuration is an
3982
4459
  # empty string.
3983
4460
  #
3984
- # * Example: `WAFV2`
4461
+ # * Example: `WAFV2` - Account takeover prevention and Bot Control
4462
+ # managed rule groups, and rule action override
3985
4463
  #
3986
- # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAmazonIpReputationList"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
4464
+ # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesATPRuleSet","managedRuleGroupConfigs":[\{"awsmanagedRulesATPRuleSet":\{"loginPath":"/loginpath","requestInspection":\{"payloadType":"FORM_ENCODED|JSON","usernameField":\{"identifier":"/form/username"\},"passwordField":\{"identifier":"/form/password"\}\}\}\}]\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true\},\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesBotControlRuleSet","managedRuleGroupConfigs":[\{"awsmanagedRulesBotControlRuleSet":\{"inspectionLevel":"TARGETED|COMMON"\}\}]\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true,"ruleActionOverrides":[\{"name":"Rule1","actionToUse":\{"allow|block|count|captcha|challenge":\{\}\}\},\{"name":"Rule2","actionToUse":\{"allow|block|count|captcha|challenge":\{\}\}\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true\}"`
3987
4465
  #
3988
- # In the `loggingConfiguration`, you can specify one
3989
- # `logDestinationConfigs`, you can optionally provide up to 20
3990
- # `redactedFields`, and the `RedactedFieldType` must be one of
3991
- # `URI`, `QUERY_STRING`, `HEADER`, or `METHOD`.
4466
+ # * Fraud Control account takeover prevention (ATP) - For
4467
+ # information about the properties available for
4468
+ # `AWSManagedRulesATPRuleSet` managed rule groups, see
4469
+ # [AWSManagedRulesATPRuleSet][2] in the *WAF API Reference*.
4470
+ #
4471
+ # * Bot Control - For information about
4472
+ # `AWSManagedRulesBotControlRuleSet` managed rule groups, see
4473
+ # [AWSManagedRulesBotControlRuleSet][3] in the *WAF API
4474
+ # Reference*.
4475
+ #
4476
+ # * Rule action overrides - Firewall Manager supports rule action
4477
+ # overrides only for managed rule groups. To configure a
4478
+ # `RuleActionOverrides` add the `Name` of the rule to override,
4479
+ # and `ActionToUse`, which is the new action to use for the rule.
4480
+ # For information about using rule action override, see
4481
+ # [RuleActionOverride][4] in the *WAF API Reference*.
4482
+ #
4483
+ # * Example: `WAFV2` - `CAPTCHA` and `Challenge` configs
4484
+ #
4485
+ # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true,"captchaConfig":\{"immunityTimeProperty":\{"immunityTime":500\}\},"challengeConfig":\{"immunityTimeProperty":\{"immunityTime":800\}\},"tokenDomains":["google.com","amazon.com"]\}"`
4486
+ #
4487
+ # If you update the policy's values for `captchaConfig`,
4488
+ # `challengeConfig`, or `tokenDomains`, Firewall Manager will
4489
+ # overwrite your local web ACLs to contain the new value(s).
4490
+ # However, if you don't update the policy's `captchaConfig`,
4491
+ # `challengeConfig`, or `tokenDomains` values, the values in your
4492
+ # local web ACLs will remain unchanged. For information about
4493
+ # CAPTCHA and Challenge configs, see [CaptchaConfig][5] and
4494
+ # [ChallengeConfig][6] in the *WAF API Reference*.
3992
4495
  #
3993
4496
  # * Example: `WAFV2` - Firewall Manager support for WAF managed rule
3994
4497
  # group versioning
@@ -4002,6 +4505,34 @@ module Aws::FMS
4002
4505
  # then Firewall Manager uses the default version of the WAF managed
4003
4506
  # rule group.
4004
4507
  #
4508
+ # * Example: `WAFV2` - Logging configurations
4509
+ #
4510
+ # `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,
4511
+ # "overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":
4512
+ # \{"versionEnabled":null,"version":null,"vendorName":"AWS",
4513
+ # "managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"\}
4514
+ # ,"ruleGroupType":"ManagedRuleGroup","excludeRules":[],
4515
+ # "sampledRequestsEnabled":true\}],"postProcessRuleGroups":[],
4516
+ # "defaultAction":\{"type":"ALLOW"\},"customRequestHandling"
4517
+ # \:null,"customResponse":null,"overrideCustomerWebACLAssociation"
4518
+ # \:false,"loggingConfiguration":\{"logDestinationConfigs":
4519
+ # ["arn:aws:s3:::aws-waf-logs-example-bucket"]
4520
+ # ,"redactedFields":[],"loggingFilterConfigs":\{"defaultBehavior":"KEEP",
4521
+ # "filters":[\{"behavior":"KEEP","requirement":"MEETS_ALL",
4522
+ # "conditions":[\{"actionCondition":"CAPTCHA"\},\{"actionCondition":
4523
+ # "CHALLENGE"\},
4524
+ # \{"actionCondition":"EXCLUDED_AS_COUNT"\}]\}]\}\},"sampledRequestsEnabledForDefaultActions":true\}"`
4525
+ #
4526
+ # Firewall Manager supports Amazon Kinesis Data Firehose and Amazon
4527
+ # S3 as the `logDestinationConfigs` in your `loggingConfiguration`.
4528
+ # For information about WAF logging configurations, see
4529
+ # [LoggingConfiguration][7] in the *WAF API Reference*
4530
+ #
4531
+ # In the `loggingConfiguration`, you can specify one
4532
+ # `logDestinationConfigs`. Optionally provide as many as 20
4533
+ # `redactedFields`. The `RedactedFieldType` must be one of `URI`,
4534
+ # `QUERY_STRING`, `HEADER`, or `METHOD`.
4535
+ #
4005
4536
  # * Example: `WAF Classic`
4006
4537
  #
4007
4538
  # `"\{"type": "WAF", "ruleGroups":
@@ -4012,6 +4543,12 @@ module Aws::FMS
4012
4543
  #
4013
4544
  #
4014
4545
  # [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
4546
+ # [2]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesATPRuleSet.html
4547
+ # [3]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesBotControlRuleSet.html
4548
+ # [4]: https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleActionOverride.html
4549
+ # [5]: https://docs.aws.amazon.com/waf/latest/APIReference/API_CaptchaConfig.html
4550
+ # [6]: https://docs.aws.amazon.com/waf/latest/APIReference/API_ChallengeConfig.html
4551
+ # [7]: https://docs.aws.amazon.com/waf/latest/APIReference/API_LoggingConfiguration.html
4015
4552
  # @return [String]
4016
4553
  #
4017
4554
  # @!attribute [rw] policy_option