aws-sdk-fms 1.68.0 → 1.69.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc395802b27205d2a12a13a49f9d374b13fea6905610404981b6cc82e73ca734
-  data.tar.gz: '09d25d9c04593db28c4232cecbe79cbd5ae07a7c5bbcaad8f97c37fbf2855711'
+  metadata.gz: 62a6a89ea46f5e5261fe3dc66de59afa7588c78b5c44e425f66761048013388a
+  data.tar.gz: 26b63a1a6850685bfcf6017eda89e4ab4555e9c19be48ad8b0253f6d543f93a2
 SHA512:
-  metadata.gz: 7849d3d2181f681a3355e60c09f28fd06d8a93b784a515d36957b7935f24f4dd3d038ea380b6f4f24c6a98b2d477721e0a0fe77720bc2c8893f27b3aba7d57d3
-  data.tar.gz: bb5d26da0876cb7ba114679b4a107de68ba7ff0a70418bd4ed764b366b54d08b047251d2e6e77ac250bf87de9fcaeb51ff3d845308be9e886128800845f26625
+  metadata.gz: f7745ed92a2d16f0e115b5039bd320f3751bf3ce236790043688bf78fdf7c686329af6bb367c3a734d3b6e10b12426d7055e99152aee8ff94bc10f3fe0beb498
+  data.tar.gz: 3e88919d17b0e0346fbb52ffdd41bf08ba3fef2a0195c3b374b02aa00be2a61037275c96ae3887946cfb61604f68f6c8f87d2f198f94b3e4b65c7ce898e68af5

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.69.0 (2024-04-30)
+------------------
+
+* Feature - AWS Firewall Manager now supports the network firewall service stream exception policy feature for accounts within your organization.
+
 1.68.0 (2024-04-25)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.68.0
+1.69.0

data/lib/aws-sdk-fms/client.rb

@@ -1338,6 +1338,7 @@ module Aws::FMS
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.current_policy_description.stateful_default_actions #=> Array
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.current_policy_description.stateful_default_actions[0] #=> String
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.current_policy_description.stateful_engine_options.rule_order #=> String, one of "STRICT_ORDER", "DEFAULT_ACTION_ORDER"
+    #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.current_policy_description.stateful_engine_options.stream_exception_policy #=> String, one of "DROP", "CONTINUE", "REJECT", "FMS_IGNORE"
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.expected_policy_description.stateless_rule_groups #=> Array
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.expected_policy_description.stateless_rule_groups[0].rule_group_name #=> String
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.expected_policy_description.stateless_rule_groups[0].resource_id #=> String
@@ -1356,6 +1357,7 @@ module Aws::FMS
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.expected_policy_description.stateful_default_actions #=> Array
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.expected_policy_description.stateful_default_actions[0] #=> String
     #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.expected_policy_description.stateful_engine_options.rule_order #=> String, one of "STRICT_ORDER", "DEFAULT_ACTION_ORDER"
+    #   resp.violation_detail.resource_violations[0].network_firewall_policy_modified_violation.expected_policy_description.stateful_engine_options.stream_exception_policy #=> String, one of "DROP", "CONTINUE", "REJECT", "FMS_IGNORE"
     #   resp.violation_detail.resource_violations[0].network_firewall_internet_traffic_not_inspected_violation.subnet_id #=> String
     #   resp.violation_detail.resource_violations[0].network_firewall_internet_traffic_not_inspected_violation.subnet_availability_zone #=> String
     #   resp.violation_detail.resource_violations[0].network_firewall_internet_traffic_not_inspected_violation.route_table_id #=> String
@@ -2908,7 +2910,7 @@ module Aws::FMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-fms'
-      context[:gem_version] = '1.68.0'
+      context[:gem_version] = '1.69.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-fms/client_api.rb

@@ -283,6 +283,7 @@ module Aws::FMS
     StatelessRuleGroup = Shapes::StructureShape.new(name: 'StatelessRuleGroup')
     StatelessRuleGroupList = Shapes::ListShape.new(name: 'StatelessRuleGroupList')
     StatelessRuleGroupPriority = Shapes::IntegerShape.new(name: 'StatelessRuleGroupPriority')
+    StreamExceptionPolicy = Shapes::StringShape.new(name: 'StreamExceptionPolicy')
     Tag = Shapes::StructureShape.new(name: 'Tag')
     TagKey = Shapes::StringShape.new(name: 'TagKey')
     TagKeyList = Shapes::ListShape.new(name: 'TagKeyList')
@@ -1226,6 +1227,7 @@ module Aws::FMS
     SecurityServiceTypeList.member = Shapes::ShapeRef.new(shape: SecurityServiceType)
 
     StatefulEngineOptions.add_member(:rule_order, Shapes::ShapeRef.new(shape: RuleOrder, location_name: "RuleOrder"))
+    StatefulEngineOptions.add_member(:stream_exception_policy, Shapes::ShapeRef.new(shape: StreamExceptionPolicy, location_name: "StreamExceptionPolicy"))
     StatefulEngineOptions.struct_class = Types::StatefulEngineOptions
 
     StatefulRuleGroup.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: NetworkFirewallResourceName, location_name: "RuleGroupName"))

data/lib/aws-sdk-fms/types.rb

@@ -2668,6 +2668,9 @@ module Aws::FMS
     #   network ACLs that it creates.
     #
     #    </note>
+    #
+    #   You must specify at least one first entry or one last entry in any
+    #   network ACL policy.
     #   @return [Array<Types::NetworkAclEntry>]
     #
     # @!attribute [rw] force_remediate_for_first_entries
@@ -2696,6 +2699,9 @@ module Aws::FMS
     #   network ACLs that it creates.
     #
     #    </note>
+    #
+    #   You must specify at least one first entry or one last entry in any
+    #   network ACL policy.
     #   @return [Array<Types::NetworkAclEntry>]
     #
     # @!attribute [rw] force_remediate_for_last_entries
@@ -5138,21 +5144,63 @@ module Aws::FMS
     #
     # @!attribute [rw] rule_order
     #   Indicates how to manage the order of stateful rule evaluation for
-    #   the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful
-    #   rules are provided to the rule engine as Suricata compatible
-    #   strings, and Suricata evaluates them based on certain settings. For
-    #   more information, see [Evaluation order for stateful rules][1] in
-    #   the *Network Firewall Developer Guide*.
+    #   the policy. Stateful rules are provided to the rule engine as
+    #   Suricata compatible strings, and Suricata evaluates them based on
+    #   certain settings. For more information, see [Evaluation order for
+    #   stateful rules][1] in the *Network Firewall Developer Guide*.
+    #
+    #   Default: `DEFAULT_ACTION_ORDER`
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html
     #   @return [String]
     #
+    # @!attribute [rw] stream_exception_policy
+    #   Indicates how Network Firewall should handle traffic when a network
+    #   connection breaks midstream.
+    #
+    #   * `DROP` - Fail closed and drop all subsequent traffic going to the
+    #     firewall.
+    #
+    #   * `CONTINUE` - Continue to apply rules to subsequent traffic without
+    #     context from traffic before the break. This impacts the behavior
+    #     of rules that depend on context. For example, with a stateful rule
+    #     that drops HTTP traffic, Network Firewall won't match subsequent
+    #     traffic because the it won't have the context from session
+    #     initialization, which defines the application layer protocol as
+    #     HTTP. However, a TCP-layer rule using a `flow:stateless` rule
+    #     would still match, and so would the `aws:drop_strict` default
+    #     action.
+    #
+    #   * `REJECT` - Fail closed and drop all subsequent traffic going to
+    #     the firewall. With this option, Network Firewall also sends a TCP
+    #     reject packet back to the client so the client can immediately
+    #     establish a new session. With the new session, Network Firewall
+    #     will have context and will apply rules appropriately.
+    #
+    #     For applications that are reliant on long-lived TCP connections
+    #     that trigger Gateway Load Balancer idle timeouts, this is the
+    #     recommended setting.
+    #
+    #   * `FMS_IGNORE` - Firewall Manager doesn't monitor or modify the
+    #     Network Firewall stream exception policy settings.
+    #
+    #   For more information, see [Stream exception policy in your firewall
+    #   policy][1] in the *Network Firewall Developer Guide*.
+    #
+    #   Default: `FMS_IGNORE`
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/stream-exception-policy.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/StatefulEngineOptions AWS API Documentation
     #
     class StatefulEngineOptions < Struct.new(
-      :rule_order)
+      :rule_order,
+      :stream_exception_policy)
       SENSITIVE = []
       include Aws::Structure
     end

data/lib/aws-sdk-fms.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-fms/customizations'
 # @!group service
 module Aws::FMS
 
-  GEM_VERSION = '1.68.0'
+  GEM_VERSION = '1.69.0'
 
 end

data/sig/types.rbs

@@ -1135,6 +1135,7 @@ module Aws::FMS
 
     class StatefulEngineOptions
       attr_accessor rule_order: ("STRICT_ORDER" | "DEFAULT_ACTION_ORDER")
+      attr_accessor stream_exception_policy: ("DROP" | "CONTINUE" | "REJECT" | "FMS_IGNORE")
       SENSITIVE: []
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-fms
 version: !ruby/object:Gem::Version
-  version: 1.68.0
+  version: 1.69.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-04-25 00:00:00.000000000 Z
+date: 2024-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core