aws-sdk-fms 1.83.0 → 1.85.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-fms/client.rb +12 -5
- data/lib/aws-sdk-fms/client_api.rb +15 -0
- data/lib/aws-sdk-fms/types.rb +123 -75
- data/lib/aws-sdk-fms.rb +1 -1
- data/sig/types.rbs +15 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7d2561eef33bdc50c82844067358b74031daf4bb6b946e82824aa0e49507391c
|
|
4
|
+
data.tar.gz: 9cd91805243df01cb41440aecf5ccb6069957218402413cce948a261e029fcc9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 964db7321c8846752e8d5710dbc34733130954261190264f8affb6829712b34c6f0eed4a9d9007aef2e3e6e78e05d7ae3320091fb55e046e12079b85d98e0f98
|
|
7
|
+
data.tar.gz: cab1eef3b037a2597ff6a97901ce887b7af8cf9aec8240646869089a6efc25202c7a524797a848b23826b580c95d6c38687e7c0ac90e6e8793d2ee7540217d9e
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,16 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
1.85.0 (2024-11-06)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
|
8
|
+
|
|
9
|
+
1.84.0 (2024-10-21)
|
|
10
|
+
------------------
|
|
11
|
+
|
|
12
|
+
* Feature - Update AWS WAF policy - add the option to retrofit existing web ACLs instead of creating all new web ACLs.
|
|
13
|
+
|
|
4
14
|
1.83.0 (2024-10-18)
|
|
5
15
|
------------------
|
|
6
16
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.85.0
|
data/lib/aws-sdk-fms/client.rb
CHANGED
|
@@ -954,7 +954,7 @@ module Aws::FMS
|
|
|
954
954
|
# resp.policy_compliance_detail.member_account #=> String
|
|
955
955
|
# resp.policy_compliance_detail.violators #=> Array
|
|
956
956
|
# resp.policy_compliance_detail.violators[0].resource_id #=> String
|
|
957
|
-
# resp.policy_compliance_detail.violators[0].violation_reason #=> String, one of "WEB_ACL_MISSING_RULE_GROUP", "RESOURCE_MISSING_WEB_ACL", "RESOURCE_INCORRECT_WEB_ACL", "RESOURCE_MISSING_SHIELD_PROTECTION", "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION", "RESOURCE_MISSING_SECURITY_GROUP", "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP", "SECURITY_GROUP_UNUSED", "SECURITY_GROUP_REDUNDANT", "FMS_CREATED_SECURITY_GROUP_EDITED", "MISSING_FIREWALL", "MISSING_FIREWALL_SUBNET_IN_AZ", "MISSING_EXPECTED_ROUTE_TABLE", "NETWORK_FIREWALL_POLICY_MODIFIED", "FIREWALL_SUBNET_IS_OUT_OF_SCOPE", "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE", "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE", "UNEXPECTED_FIREWALL_ROUTES", "UNEXPECTED_TARGET_GATEWAY_ROUTES", "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY", "INVALID_ROUTE_CONFIGURATION", "MISSING_TARGET_GATEWAY", "INTERNET_TRAFFIC_NOT_INSPECTED", "BLACK_HOLE_ROUTE_DETECTED", "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET", "RESOURCE_MISSING_DNS_FIREWALL", "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT", "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT", "INVALID_NETWORK_ACL_ENTRY"
|
|
957
|
+
# resp.policy_compliance_detail.violators[0].violation_reason #=> String, one of "WEB_ACL_MISSING_RULE_GROUP", "RESOURCE_MISSING_WEB_ACL", "RESOURCE_INCORRECT_WEB_ACL", "RESOURCE_MISSING_SHIELD_PROTECTION", "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION", "RESOURCE_MISSING_SECURITY_GROUP", "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP", "SECURITY_GROUP_UNUSED", "SECURITY_GROUP_REDUNDANT", "FMS_CREATED_SECURITY_GROUP_EDITED", "MISSING_FIREWALL", "MISSING_FIREWALL_SUBNET_IN_AZ", "MISSING_EXPECTED_ROUTE_TABLE", "NETWORK_FIREWALL_POLICY_MODIFIED", "FIREWALL_SUBNET_IS_OUT_OF_SCOPE", "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE", "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE", "UNEXPECTED_FIREWALL_ROUTES", "UNEXPECTED_TARGET_GATEWAY_ROUTES", "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY", "INVALID_ROUTE_CONFIGURATION", "MISSING_TARGET_GATEWAY", "INTERNET_TRAFFIC_NOT_INSPECTED", "BLACK_HOLE_ROUTE_DETECTED", "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET", "RESOURCE_MISSING_DNS_FIREWALL", "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT", "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT", "INVALID_NETWORK_ACL_ENTRY", "WEB_ACL_CONFIGURATION_OR_SCOPE_OF_USE"
|
|
958
958
|
# resp.policy_compliance_detail.violators[0].resource_type #=> String
|
|
959
959
|
# resp.policy_compliance_detail.violators[0].metadata #=> Hash
|
|
960
960
|
# resp.policy_compliance_detail.violators[0].metadata["LengthBoundedString"] #=> String
|
|
@@ -1265,6 +1265,8 @@ module Aws::FMS
|
|
|
1265
1265
|
# The ID of the Firewall Manager policy that you want the details for.
|
|
1266
1266
|
# You can get violation details for the following policy types:
|
|
1267
1267
|
#
|
|
1268
|
+
# * WAF
|
|
1269
|
+
#
|
|
1268
1270
|
# * DNS Firewall
|
|
1269
1271
|
#
|
|
1270
1272
|
# * Imported Network Firewall
|
|
@@ -1286,9 +1288,9 @@ module Aws::FMS
|
|
|
1286
1288
|
# @option params [required, String] :resource_type
|
|
1287
1289
|
# The resource type. This is in the format shown in the [Amazon Web
|
|
1288
1290
|
# Services Resource Types Reference][1]. Supported resource types are:
|
|
1289
|
-
# `AWS::
|
|
1290
|
-
# `AWS::EC2::
|
|
1291
|
-
# `AWS::EC2::Subnet`.
|
|
1291
|
+
# `AWS::WAFv2::WebACL`, `AWS::EC2::Instance`,
|
|
1292
|
+
# `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`,
|
|
1293
|
+
# `AWS::NetworkFirewall::FirewallPolicy`, and `AWS::EC2::Subnet`.
|
|
1292
1294
|
#
|
|
1293
1295
|
#
|
|
1294
1296
|
#
|
|
@@ -1708,6 +1710,11 @@ module Aws::FMS
|
|
|
1708
1710
|
# resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].ordered_remediation_actions[0].remediation_action.delete_network_acl_entries_action.fms_can_remediate #=> Boolean
|
|
1709
1711
|
# resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].ordered_remediation_actions[0].order #=> Integer
|
|
1710
1712
|
# resp.violation_detail.resource_violations[0].possible_remediation_actions.actions[0].is_default_action #=> Boolean
|
|
1713
|
+
# resp.violation_detail.resource_violations[0].web_acl_has_incompatible_configuration_violation.web_acl_arn #=> String
|
|
1714
|
+
# resp.violation_detail.resource_violations[0].web_acl_has_incompatible_configuration_violation.description #=> String
|
|
1715
|
+
# resp.violation_detail.resource_violations[0].web_acl_has_out_of_scope_resources_violation.web_acl_arn #=> String
|
|
1716
|
+
# resp.violation_detail.resource_violations[0].web_acl_has_out_of_scope_resources_violation.out_of_scope_resource_list #=> Array
|
|
1717
|
+
# resp.violation_detail.resource_violations[0].web_acl_has_out_of_scope_resources_violation.out_of_scope_resource_list[0] #=> String
|
|
1711
1718
|
# resp.violation_detail.resource_tags #=> Array
|
|
1712
1719
|
# resp.violation_detail.resource_tags[0].key #=> String
|
|
1713
1720
|
# resp.violation_detail.resource_tags[0].value #=> String
|
|
@@ -2947,7 +2954,7 @@ module Aws::FMS
|
|
|
2947
2954
|
tracer: tracer
|
|
2948
2955
|
)
|
|
2949
2956
|
context[:gem_name] = 'aws-sdk-fms'
|
|
2950
|
-
context[:gem_version] = '1.
|
|
2957
|
+
context[:gem_version] = '1.85.0'
|
|
2951
2958
|
Seahorse::Client::Request.new(handlers, context)
|
|
2952
2959
|
end
|
|
2953
2960
|
|
|
@@ -248,6 +248,7 @@ module Aws::FMS
|
|
|
248
248
|
ReplaceNetworkAclAssociationAction = Shapes::StructureShape.new(name: 'ReplaceNetworkAclAssociationAction')
|
|
249
249
|
Resource = Shapes::StructureShape.new(name: 'Resource')
|
|
250
250
|
ResourceArn = Shapes::StringShape.new(name: 'ResourceArn')
|
|
251
|
+
ResourceArnList = Shapes::ListShape.new(name: 'ResourceArnList')
|
|
251
252
|
ResourceCount = Shapes::IntegerShape.new(name: 'ResourceCount')
|
|
252
253
|
ResourceDescription = Shapes::StringShape.new(name: 'ResourceDescription')
|
|
253
254
|
ResourceId = Shapes::StringShape.new(name: 'ResourceId')
|
|
@@ -310,6 +311,8 @@ module Aws::FMS
|
|
|
310
311
|
ViolationDetail = Shapes::StructureShape.new(name: 'ViolationDetail')
|
|
311
312
|
ViolationReason = Shapes::StringShape.new(name: 'ViolationReason')
|
|
312
313
|
ViolationTarget = Shapes::StringShape.new(name: 'ViolationTarget')
|
|
314
|
+
WebACLHasIncompatibleConfigurationViolation = Shapes::StructureShape.new(name: 'WebACLHasIncompatibleConfigurationViolation')
|
|
315
|
+
WebACLHasOutOfScopeResourcesViolation = Shapes::StructureShape.new(name: 'WebACLHasOutOfScopeResourcesViolation')
|
|
313
316
|
|
|
314
317
|
AWSAccountIdList.member = Shapes::ShapeRef.new(shape: AWSAccountId)
|
|
315
318
|
|
|
@@ -1119,6 +1122,8 @@ module Aws::FMS
|
|
|
1119
1122
|
Resource.add_member(:account_id, Shapes::ShapeRef.new(shape: AWSAccountId, location_name: "AccountId"))
|
|
1120
1123
|
Resource.struct_class = Types::Resource
|
|
1121
1124
|
|
|
1125
|
+
ResourceArnList.member = Shapes::ShapeRef.new(shape: ResourceArn)
|
|
1126
|
+
|
|
1122
1127
|
ResourceIdList.member = Shapes::ShapeRef.new(shape: ResourceId)
|
|
1123
1128
|
|
|
1124
1129
|
ResourceList.member = Shapes::ShapeRef.new(shape: Resource)
|
|
@@ -1178,6 +1183,8 @@ module Aws::FMS
|
|
|
1178
1183
|
ResourceViolation.add_member(:firewall_subnet_missing_vpc_endpoint_violation, Shapes::ShapeRef.new(shape: FirewallSubnetMissingVPCEndpointViolation, location_name: "FirewallSubnetMissingVPCEndpointViolation"))
|
|
1179
1184
|
ResourceViolation.add_member(:invalid_network_acl_entries_violation, Shapes::ShapeRef.new(shape: InvalidNetworkAclEntriesViolation, location_name: "InvalidNetworkAclEntriesViolation"))
|
|
1180
1185
|
ResourceViolation.add_member(:possible_remediation_actions, Shapes::ShapeRef.new(shape: PossibleRemediationActions, location_name: "PossibleRemediationActions"))
|
|
1186
|
+
ResourceViolation.add_member(:web_acl_has_incompatible_configuration_violation, Shapes::ShapeRef.new(shape: WebACLHasIncompatibleConfigurationViolation, location_name: "WebACLHasIncompatibleConfigurationViolation"))
|
|
1187
|
+
ResourceViolation.add_member(:web_acl_has_out_of_scope_resources_violation, Shapes::ShapeRef.new(shape: WebACLHasOutOfScopeResourcesViolation, location_name: "WebACLHasOutOfScopeResourcesViolation"))
|
|
1181
1188
|
ResourceViolation.struct_class = Types::ResourceViolation
|
|
1182
1189
|
|
|
1183
1190
|
ResourceViolations.member = Shapes::ShapeRef.new(shape: ResourceViolation)
|
|
@@ -1305,6 +1312,14 @@ module Aws::FMS
|
|
|
1305
1312
|
ViolationDetail.add_member(:resource_description, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "ResourceDescription"))
|
|
1306
1313
|
ViolationDetail.struct_class = Types::ViolationDetail
|
|
1307
1314
|
|
|
1315
|
+
WebACLHasIncompatibleConfigurationViolation.add_member(:web_acl_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "WebACLArn"))
|
|
1316
|
+
WebACLHasIncompatibleConfigurationViolation.add_member(:description, Shapes::ShapeRef.new(shape: LengthBoundedString, location_name: "Description"))
|
|
1317
|
+
WebACLHasIncompatibleConfigurationViolation.struct_class = Types::WebACLHasIncompatibleConfigurationViolation
|
|
1318
|
+
|
|
1319
|
+
WebACLHasOutOfScopeResourcesViolation.add_member(:web_acl_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "WebACLArn"))
|
|
1320
|
+
WebACLHasOutOfScopeResourcesViolation.add_member(:out_of_scope_resource_list, Shapes::ShapeRef.new(shape: ResourceArnList, location_name: "OutOfScopeResourceList"))
|
|
1321
|
+
WebACLHasOutOfScopeResourcesViolation.struct_class = Types::WebACLHasOutOfScopeResourcesViolation
|
|
1322
|
+
|
|
1308
1323
|
|
|
1309
1324
|
# @api private
|
|
1310
1325
|
API = Seahorse::Model::Api.new.tap do |api|
|
data/lib/aws-sdk-fms/types.rb
CHANGED
|
@@ -1813,6 +1813,8 @@ module Aws::FMS
|
|
|
1813
1813
|
# The ID of the Firewall Manager policy that you want the details for.
|
|
1814
1814
|
# You can get violation details for the following policy types:
|
|
1815
1815
|
#
|
|
1816
|
+
# * WAF
|
|
1817
|
+
#
|
|
1816
1818
|
# * DNS Firewall
|
|
1817
1819
|
#
|
|
1818
1820
|
# * Imported Network Firewall
|
|
@@ -1837,9 +1839,9 @@ module Aws::FMS
|
|
|
1837
1839
|
# @!attribute [rw] resource_type
|
|
1838
1840
|
# The resource type. This is in the format shown in the [Amazon Web
|
|
1839
1841
|
# Services Resource Types Reference][1]. Supported resource types are:
|
|
1840
|
-
# `AWS::
|
|
1841
|
-
# `AWS::EC2::
|
|
1842
|
-
# and `AWS::EC2::Subnet`.
|
|
1842
|
+
# `AWS::WAFv2::WebACL`, `AWS::EC2::Instance`,
|
|
1843
|
+
# `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`,
|
|
1844
|
+
# `AWS::NetworkFirewall::FirewallPolicy`, and `AWS::EC2::Subnet`.
|
|
1843
1845
|
#
|
|
1844
1846
|
#
|
|
1845
1847
|
#
|
|
@@ -3487,17 +3489,16 @@ module Aws::FMS
|
|
|
3487
3489
|
# You can specify account IDs, OUs, or a combination:
|
|
3488
3490
|
#
|
|
3489
3491
|
# * Specify account IDs by setting the key to `ACCOUNT`. For example,
|
|
3490
|
-
# the following is a valid map:
|
|
3491
|
-
# “accountID2”]
|
|
3492
|
+
# the following is a valid map: `{“ACCOUNT” : [“accountID1”,
|
|
3493
|
+
# “accountID2”]}`.
|
|
3492
3494
|
#
|
|
3493
3495
|
# * Specify OUs by setting the key to `ORG_UNIT`. For example, the
|
|
3494
|
-
# following is a valid map:
|
|
3495
|
-
# “ouid112”]\}`.
|
|
3496
|
+
# following is a valid map: `{“ORG_UNIT” : [“ouid111”, “ouid112”]}`.
|
|
3496
3497
|
#
|
|
3497
3498
|
# * Specify accounts and OUs together in a single map, separated with
|
|
3498
|
-
# a comma. For example, the following is a valid map:
|
|
3499
|
+
# a comma. For example, the following is a valid map: `{“ACCOUNT” :
|
|
3499
3500
|
# [“accountID1”, “accountID2”], “ORG_UNIT” : [“ouid111”,
|
|
3500
|
-
# “ouid112”]
|
|
3501
|
+
# “ouid112”]}`.
|
|
3501
3502
|
# @return [Hash<String,Array<String>>]
|
|
3502
3503
|
#
|
|
3503
3504
|
# @!attribute [rw] exclude_map
|
|
@@ -3517,17 +3518,16 @@ module Aws::FMS
|
|
|
3517
3518
|
# You can specify account IDs, OUs, or a combination:
|
|
3518
3519
|
#
|
|
3519
3520
|
# * Specify account IDs by setting the key to `ACCOUNT`. For example,
|
|
3520
|
-
# the following is a valid map:
|
|
3521
|
-
# “accountID2”]
|
|
3521
|
+
# the following is a valid map: `{“ACCOUNT” : [“accountID1”,
|
|
3522
|
+
# “accountID2”]}`.
|
|
3522
3523
|
#
|
|
3523
3524
|
# * Specify OUs by setting the key to `ORG_UNIT`. For example, the
|
|
3524
|
-
# following is a valid map:
|
|
3525
|
-
# “ouid112”]\}`.
|
|
3525
|
+
# following is a valid map: `{“ORG_UNIT” : [“ouid111”, “ouid112”]}`.
|
|
3526
3526
|
#
|
|
3527
3527
|
# * Specify accounts and OUs together in a single map, separated with
|
|
3528
|
-
# a comma. For example, the following is a valid map:
|
|
3528
|
+
# a comma. For example, the following is a valid map: `{“ACCOUNT” :
|
|
3529
3529
|
# [“accountID1”, “accountID2”], “ORG_UNIT” : [“ouid111”,
|
|
3530
|
-
# “ouid112”]
|
|
3530
|
+
# “ouid112”]}`.
|
|
3531
3531
|
# @return [Hash<String,Array<String>>]
|
|
3532
3532
|
#
|
|
3533
3533
|
# @!attribute [rw] resource_set_ids
|
|
@@ -4588,6 +4588,16 @@ module Aws::FMS
|
|
|
4588
4588
|
# actions.
|
|
4589
4589
|
# @return [Types::PossibleRemediationActions]
|
|
4590
4590
|
#
|
|
4591
|
+
# @!attribute [rw] web_acl_has_incompatible_configuration_violation
|
|
4592
|
+
# The violation details for a web ACL whose configuration is
|
|
4593
|
+
# incompatible with the Firewall Manager policy.
|
|
4594
|
+
# @return [Types::WebACLHasIncompatibleConfigurationViolation]
|
|
4595
|
+
#
|
|
4596
|
+
# @!attribute [rw] web_acl_has_out_of_scope_resources_violation
|
|
4597
|
+
# The violation details for a web ACL that's associated with at least
|
|
4598
|
+
# one resource that's out of scope of the Firewall Manager policy.
|
|
4599
|
+
# @return [Types::WebACLHasOutOfScopeResourcesViolation]
|
|
4600
|
+
#
|
|
4591
4601
|
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceViolation AWS API Documentation
|
|
4592
4602
|
#
|
|
4593
4603
|
class ResourceViolation < Struct.new(
|
|
@@ -4614,7 +4624,9 @@ module Aws::FMS
|
|
|
4614
4624
|
:third_party_firewall_missing_expected_route_table_violation,
|
|
4615
4625
|
:firewall_subnet_missing_vpc_endpoint_violation,
|
|
4616
4626
|
:invalid_network_acl_entries_violation,
|
|
4617
|
-
:possible_remediation_actions
|
|
4627
|
+
:possible_remediation_actions,
|
|
4628
|
+
:web_acl_has_incompatible_configuration_violation,
|
|
4629
|
+
:web_acl_has_out_of_scope_resources_violation)
|
|
4618
4630
|
SENSITIVE = []
|
|
4619
4631
|
include Aws::Structure
|
|
4620
4632
|
end
|
|
@@ -4810,7 +4822,7 @@ module Aws::FMS
|
|
|
4810
4822
|
#
|
|
4811
4823
|
# * Example: `DNS_FIREWALL`
|
|
4812
4824
|
#
|
|
4813
|
-
# `"
|
|
4825
|
+
# `"{"type":"DNS_FIREWALL","preProcessRuleGroups":[{"ruleGroupId":"rslvr-frg-1","priority":10}],"postProcessRuleGroups":[{"ruleGroupId":"rslvr-frg-2","priority":9911}]}"`
|
|
4814
4826
|
#
|
|
4815
4827
|
# <note markdown="1"> Valid values for `preProcessRuleGroups` are between 1 and 99.
|
|
4816
4828
|
# Valid values for `postProcessRuleGroups` are between 9901 and
|
|
@@ -4820,9 +4832,9 @@ module Aws::FMS
|
|
|
4820
4832
|
#
|
|
4821
4833
|
# * Example: `IMPORT_NETWORK_FIREWALL`
|
|
4822
4834
|
#
|
|
4823
|
-
# `"
|
|
4835
|
+
# `"{"type":"IMPORT_NETWORK_FIREWALL","awsNetworkFirewallConfig":{"networkFirewallStatelessRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\/rg1","priority":1}],"networkFirewallStatelessDefaultActions":["aws:drop"],"networkFirewallStatelessFragmentDefaultActions":["aws:pass"],"networkFirewallStatelessCustomActions":[],"networkFirewallStatefulRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\/ThreatSignaturesEmergingEventsStrictOrder","priority":8}],"networkFirewallStatefulEngineOptions":{"ruleOrder":"STRICT_ORDER"},"networkFirewallStatefulDefaultActions":["aws:drop_strict"]}}"`
|
|
4824
4836
|
#
|
|
4825
|
-
# `"
|
|
4837
|
+
# `"{"type":"DNS_FIREWALL","preProcessRuleGroups":[{"ruleGroupId":"rslvr-frg-1","priority":10}],"postProcessRuleGroups":[{"ruleGroupId":"rslvr-frg-2","priority":9911}]}"`
|
|
4826
4838
|
#
|
|
4827
4839
|
# <note markdown="1"> Valid values for `preProcessRuleGroups` are between 1 and 99.
|
|
4828
4840
|
# Valid values for `postProcessRuleGroups` are between 9901 and
|
|
@@ -4832,7 +4844,7 @@ module Aws::FMS
|
|
|
4832
4844
|
#
|
|
4833
4845
|
# * Example: `NETWORK_FIREWALL` - Centralized deployment model
|
|
4834
4846
|
#
|
|
4835
|
-
# `"
|
|
4847
|
+
# `"{"type":"NETWORK_FIREWALL","awsNetworkFirewallConfig":{"networkFirewallStatelessRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1}],"networkFirewallStatelessDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessFragmentDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessCustomActions":[{"actionName":"customActionName","actionDefinition":{"publishMetricAction":{"dimensions":[{"value":"metricdimensionvalue"}]}}}],"networkFirewallStatefulRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"}],"networkFirewallLoggingConfiguration":{"logDestinationConfigs":[{"logDestinationType":"S3","logType":"ALERT","logDestination":{"bucketName":"s3-bucket-name"}},{"logDestinationType":"S3","logType":"FLOW","logDestination":{"bucketName":"s3-bucket-name"}}],"overrideExistingConfig":true}},"firewallDeploymentModel":{"centralizedFirewallDeploymentModel":{"centralizedFirewallOrchestrationConfig":{"inspectionVpcIds":[{"resourceId":"vpc-1234","accountId":"123456789011"}],"firewallCreationConfig":{"endpointLocation":{"availabilityZoneConfigList":[{"availabilityZoneId":null,"availabilityZoneName":"us-east-1a","allowedIPV4CidrList":["10.0.0.0/28"]}]}},"allowedIPV4CidrList":[]}}}}"`
|
|
4836
4848
|
#
|
|
4837
4849
|
# To use the centralized deployment model, you must set
|
|
4838
4850
|
# [PolicyOption][1] to `CENTRALIZED`.
|
|
@@ -4841,7 +4853,7 @@ module Aws::FMS
|
|
|
4841
4853
|
# automatic Availability Zone configuration
|
|
4842
4854
|
#
|
|
4843
4855
|
# `
|
|
4844
|
-
# "
|
|
4856
|
+
# "{"type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1}],"networkFirewallStatelessDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessFragmentDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessCustomActions":[{"actionName":"customActionName","actionDefinition":{"publishMetricAction":{"dimensions":[{"value":"metricdimensionvalue"}]}}}],"networkFirewallStatefulRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"}],"networkFirewallOrchestrationConfig":{"singleFirewallEndpointPerVPC":false,"allowedIPV4CidrList":["10.0.0.0/28","192.168.0.0/28"],"routeManagementAction":"OFF"},"networkFirewallLoggingConfiguration":{"logDestinationConfigs":[{"logDestinationType":"S3","logType":"ALERT","logDestination":{"bucketName":"s3-bucket-name"}},{"logDestinationType":"S3","logType":"FLOW","logDestination":{"bucketName":"s3-bucket-name"}}],"overrideExistingConfig":true}}"
|
|
4845
4857
|
# `
|
|
4846
4858
|
#
|
|
4847
4859
|
# With automatic Availbility Zone configuration, Firewall Manager
|
|
@@ -4853,8 +4865,8 @@ module Aws::FMS
|
|
|
4853
4865
|
# automatic Availability Zone configuration and route management
|
|
4854
4866
|
#
|
|
4855
4867
|
# `
|
|
4856
|
-
# "
|
|
4857
|
-
# "FLOW","logDestination"
|
|
4868
|
+
# "{"type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1}],"networkFirewallStatelessDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessFragmentDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessCustomActions":[{"actionName":"customActionName","actionDefinition":{"publishMetricAction":{"dimensions":[{"value":"metricdimensionvalue"}]}}}],"networkFirewallStatefulRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"}],"networkFirewallOrchestrationConfig":{"singleFirewallEndpointPerVPC":false,"allowedIPV4CidrList":["10.0.0.0/28","192.168.0.0/28"],"routeManagementAction":"MONITOR","routeManagementTargetTypes":["InternetGateway"]},"networkFirewallLoggingConfiguration":{"logDestinationConfigs":[{"logDestinationType":"S3","logType":"ALERT","logDestination":{"bucketName":"s3-bucket-name"}},{"logDestinationType":"S3","logType":
|
|
4869
|
+
# "FLOW","logDestination":{"bucketName":"s3-bucket-name"}}],"overrideExistingConfig":true}}"
|
|
4858
4870
|
# `
|
|
4859
4871
|
#
|
|
4860
4872
|
# To use the distributed deployment model, you must set
|
|
@@ -4863,11 +4875,11 @@ module Aws::FMS
|
|
|
4863
4875
|
# * Example: `NETWORK_FIREWALL` - Distributed deployment model with
|
|
4864
4876
|
# custom Availability Zone configuration
|
|
4865
4877
|
#
|
|
4866
|
-
# `"
|
|
4867
|
-
# "actionDefinition"
|
|
4868
|
-
# "endpointLocation"
|
|
4869
|
-
# "10.0.0.0/28"]
|
|
4870
|
-
#
|
|
4878
|
+
# `"{"type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1}],"networkFirewallStatelessDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessFragmentDefaultActions":["aws:forward_to_sfe","fragmentcustomactionname"],"networkFirewallStatelessCustomActions":[{"actionName":"customActionName",
|
|
4879
|
+
# "actionDefinition":{"publishMetricAction":{"dimensions":[{"value":"metricdimensionvalue"}]}}},{"actionName":"fragmentcustomactionname","actionDefinition":{"publishMetricAction":{"dimensions":[{"value":"fragmentmetricdimensionvalue"}]}}}],"networkFirewallStatefulRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"}],"networkFirewallOrchestrationConfig":{"firewallCreationConfig":{
|
|
4880
|
+
# "endpointLocation":{"availabilityZoneConfigList":[{"availabilityZoneName":"us-east-1a","allowedIPV4CidrList":["10.0.0.0/28"]},{"availabilityZoneName":"us-east-1b","allowedIPV4CidrList":[
|
|
4881
|
+
# "10.0.0.0/28"]}]}
|
|
4882
|
+
# },"singleFirewallEndpointPerVPC":false,"allowedIPV4CidrList":null,"routeManagementAction":"OFF","networkFirewallLoggingConfiguration":{"logDestinationConfigs":[{"logDestinationType":"S3","logType":"ALERT","logDestination":{"bucketName":"s3-bucket-name"}},{"logDestinationType":"S3","logType":"FLOW","logDestination":{"bucketName":"s3-bucket-name"}}],"overrideExistingConfig":boolean}}"
|
|
4871
4883
|
# `
|
|
4872
4884
|
#
|
|
4873
4885
|
# With custom Availability Zone configuration, you define which
|
|
@@ -4883,7 +4895,7 @@ module Aws::FMS
|
|
|
4883
4895
|
# * Example: `NETWORK_FIREWALL` - Distributed deployment model with
|
|
4884
4896
|
# custom Availability Zone configuration and route management
|
|
4885
4897
|
#
|
|
4886
|
-
# `"
|
|
4898
|
+
# `"{"type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1}],"networkFirewallStatelessDefaultActions":["aws:forward_to_sfe","customActionName"],"networkFirewallStatelessFragmentDefaultActions":["aws:forward_to_sfe","fragmentcustomactionname"],"networkFirewallStatelessCustomActions":[{"actionName":"customActionName","actionDefinition":{"publishMetricAction":{"dimensions":[{"value":"metricdimensionvalue"}]}}},{"actionName":"fragmentcustomactionname","actionDefinition":{"publishMetricAction":{"dimensions":[{"value":"fragmentmetricdimensionvalue"}]}}}],"networkFirewallStatefulRuleGroupReferences":[{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"}],"networkFirewallOrchestrationConfig":{"firewallCreationConfig":{"endpointLocation":{"availabilityZoneConfigList":[{"availabilityZoneName":"us-east-1a","allowedIPV4CidrList":["10.0.0.0/28"]},{"availabilityZoneName":"us-east-1b","allowedIPV4CidrList":["10.0.0.0/28"]}]}},"singleFirewallEndpointPerVPC":false,"allowedIPV4CidrList":null,"routeManagementAction":"MONITOR","routeManagementTargetTypes":["InternetGateway"],"routeManagementConfig":{"allowCrossAZTrafficIfNoEndpoint":true}},"networkFirewallLoggingConfiguration":{"logDestinationConfigs":[{"logDestinationType":"S3","logType":"ALERT","logDestination":{"bucketName":"s3-bucket-name"}},{"logDestinationType":"S3","logType":"FLOW","logDestination":{"bucketName":"s3-bucket-name"}}],"overrideExistingConfig":boolean}}"
|
|
4887
4899
|
# `
|
|
4888
4900
|
#
|
|
4889
4901
|
# To use the distributed deployment model, you must set
|
|
@@ -4891,14 +4903,12 @@ module Aws::FMS
|
|
|
4891
4903
|
#
|
|
4892
4904
|
# * Example: `SECURITY_GROUPS_COMMON`
|
|
4893
4905
|
#
|
|
4894
|
-
# `"
|
|
4895
|
-
# "applyToAllEC2InstanceENIs":false,"securityGroups":[\{"id":"
|
|
4896
|
-
# sg-000e55995d61a06bd"\}]\}"`
|
|
4906
|
+
# `"{"type":"SECURITY_GROUPS_COMMON","securityGroups":[{"id":"sg-03b1f67d69ed00197"}],"revertManualSecurityGroupChanges":true,"exclusiveResourceSecurityGroupManagement":true,"applyToAllEC2InstanceENIs":false,"includeSharedVPC":true,"enableSecurityGroupReferencesDistribution":true}"`
|
|
4897
4907
|
#
|
|
4898
4908
|
# * Example: `SECURITY_GROUPS_COMMON` - Security group tag
|
|
4899
4909
|
# distribution
|
|
4900
4910
|
#
|
|
4901
|
-
# `""
|
|
4911
|
+
# `""{"type":"SECURITY_GROUPS_COMMON","securityGroups":[{"id":"sg-000e55995d61a06bd"}],"revertManualSecurityGroupChanges":true,"exclusiveResourceSecurityGroupManagement":false,"applyToAllEC2InstanceENIs":false,"includeSharedVPC":false,"enableTagDistribution":true}""`
|
|
4902
4912
|
#
|
|
4903
4913
|
# Firewall Manager automatically distributes tags from the primary
|
|
4904
4914
|
# group to the security groups created by this policy. To use
|
|
@@ -4916,13 +4926,13 @@ module Aws::FMS
|
|
|
4916
4926
|
# * Example: Shared VPCs. Apply the preceding policy to resources in
|
|
4917
4927
|
# shared VPCs as well as to those in VPCs that the account owns
|
|
4918
4928
|
#
|
|
4919
|
-
# `"
|
|
4920
|
-
# "applyToAllEC2InstanceENIs":false,"includeSharedVPC":true,"securityGroups":[
|
|
4921
|
-
# sg-000e55995d61a06bd"
|
|
4929
|
+
# `"{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":false,"exclusiveResourceSecurityGroupManagement":false,
|
|
4930
|
+
# "applyToAllEC2InstanceENIs":false,"includeSharedVPC":true,"securityGroups":[{"id":"
|
|
4931
|
+
# sg-000e55995d61a06bd"}]}"`
|
|
4922
4932
|
#
|
|
4923
4933
|
# * Example: `SECURITY_GROUPS_CONTENT_AUDIT`
|
|
4924
4934
|
#
|
|
4925
|
-
# `"
|
|
4935
|
+
# `"{"type":"SECURITY_GROUPS_CONTENT_AUDIT","preManagedOptions":[{"denyProtocolAllValue":true},{"auditSgDirection":{"type":"ALL"}}],"securityGroups":[{"id":"sg-049b2393a25468971"}],"securityGroupAction":{"type":"ALLOW"}}"`
|
|
4926
4936
|
#
|
|
4927
4937
|
# The security group action for content audit can be `ALLOW` or
|
|
4928
4938
|
# `DENY`. For `ALLOW`, all in-scope security group rules must be
|
|
@@ -4933,11 +4943,11 @@ module Aws::FMS
|
|
|
4933
4943
|
#
|
|
4934
4944
|
# * Example: `SECURITY_GROUPS_USAGE_AUDIT`
|
|
4935
4945
|
#
|
|
4936
|
-
# `"
|
|
4946
|
+
# `"{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true,"optionalDelayForUnusedInMinutes":60}"`
|
|
4937
4947
|
#
|
|
4938
4948
|
# * Example: `SHIELD_ADVANCED` with web ACL management
|
|
4939
4949
|
#
|
|
4940
|
-
# `"
|
|
4950
|
+
# `"{"type":"SHIELD_ADVANCED","optimizeUnassociatedWebACL":true}"`
|
|
4941
4951
|
#
|
|
4942
4952
|
# If you set `optimizeUnassociatedWebACL` to `true`, Firewall
|
|
4943
4953
|
# Manager creates web ACLs in accounts within the policy scope if
|
|
@@ -4964,16 +4974,16 @@ module Aws::FMS
|
|
|
4964
4974
|
# * Specification for `SHIELD_ADVANCED` for Amazon CloudFront
|
|
4965
4975
|
# distributions
|
|
4966
4976
|
#
|
|
4967
|
-
# `"
|
|
4968
|
-
#
|
|
4969
|
-
# "automaticResponseAction":"BLOCK|COUNT"
|
|
4977
|
+
# `"{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
|
|
4978
|
+
# {"automaticResponseStatus":"ENABLED|IGNORED|DISABLED",
|
|
4979
|
+
# "automaticResponseAction":"BLOCK|COUNT"},
|
|
4970
4980
|
# "overrideCustomerWebaclClassic":true|false,
|
|
4971
|
-
# "optimizeUnassociatedWebACL":true|false
|
|
4981
|
+
# "optimizeUnassociatedWebACL":true|false}"`
|
|
4972
4982
|
#
|
|
4973
4983
|
# For example:
|
|
4974
|
-
# `"
|
|
4975
|
-
#
|
|
4976
|
-
# "automaticResponseAction":"COUNT"
|
|
4984
|
+
# `"{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
|
|
4985
|
+
# {"automaticResponseStatus":"ENABLED",
|
|
4986
|
+
# "automaticResponseAction":"COUNT"}}"`
|
|
4977
4987
|
#
|
|
4978
4988
|
# The default value for `automaticResponseStatus` is `IGNORED`. The
|
|
4979
4989
|
# value for `automaticResponseAction` is only required when
|
|
@@ -4989,23 +4999,22 @@ module Aws::FMS
|
|
|
4989
4999
|
# Replace `THIRD_PARTY_FIREWALL_NAME` with the name of the
|
|
4990
5000
|
# third-party firewall.
|
|
4991
5001
|
#
|
|
4992
|
-
# `"
|
|
5002
|
+
# `"{ "type":"THIRD_PARTY_FIREWALL",
|
|
4993
5003
|
# "thirdPartyFirewall":"THIRD_PARTY_FIREWALL_NAME",
|
|
4994
|
-
# "thirdPartyFirewallConfig"
|
|
4995
|
-
# "thirdPartyFirewallPolicyList":["global-1"]
|
|
4996
|
-
# "firewallDeploymentModel"
|
|
4997
|
-
# "
|
|
4998
|
-
# "
|
|
4999
|
-
# "
|
|
5000
|
-
# "
|
|
5001
|
-
# "
|
|
5002
|
-
# "allowedIPV4CidrList":[ ] \} \} \} \}"`
|
|
5004
|
+
# "thirdPartyFirewallConfig":{
|
|
5005
|
+
# "thirdPartyFirewallPolicyList":["global-1"] },
|
|
5006
|
+
# "firewallDeploymentModel":{ "distributedFirewallDeploymentModel":{
|
|
5007
|
+
# "distributedFirewallOrchestrationConfig":{
|
|
5008
|
+
# "firewallCreationConfig":{ "endpointLocation":{
|
|
5009
|
+
# "availabilityZoneConfigList":[ {
|
|
5010
|
+
# "availabilityZoneName":"${AvailabilityZone}" } ] } },
|
|
5011
|
+
# "allowedIPV4CidrList":[ ] } } } }"`
|
|
5003
5012
|
#
|
|
5004
5013
|
# * Example: `WAFV2` - Account takeover prevention, Bot Control
|
|
5005
5014
|
# managed rule groups, optimize unassociated web ACL, and rule
|
|
5006
5015
|
# action override
|
|
5007
5016
|
#
|
|
5008
|
-
# `"
|
|
5017
|
+
# `"{"type":"WAFV2","preProcessRuleGroups":[{"ruleGroupArn":null,"overrideAction":{"type":"NONE"},"managedRuleGroupIdentifier":{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesATPRuleSet","managedRuleGroupConfigs":[{"awsmanagedRulesATPRuleSet":{"loginPath":"/loginpath","requestInspection":{"payloadType":"FORM_ENCODED|JSON","usernameField":{"identifier":"/form/username"},"passwordField":{"identifier":"/form/password"}}}}]},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true},{"ruleGroupArn":null,"overrideAction":{"type":"NONE"},"managedRuleGroupIdentifier":{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesBotControlRuleSet","managedRuleGroupConfigs":[{"awsmanagedRulesBotControlRuleSet":{"inspectionLevel":"TARGETED|COMMON"}}]},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true,"ruleActionOverrides":[{"name":"Rule1","actionToUse":{"allow|block|count|captcha|challenge":{}}},{"name":"Rule2","actionToUse":{"allow|block|count|captcha|challenge":{}}}]}],"postProcessRuleGroups":[],"defaultAction":{"type":"ALLOW"},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true,"optimizeUnassociatedWebACL":true}"`
|
|
5009
5018
|
#
|
|
5010
5019
|
# * Bot Control - For information about
|
|
5011
5020
|
# `AWSManagedRulesBotControlRuleSet` managed rule groups, see
|
|
@@ -5049,7 +5058,7 @@ module Aws::FMS
|
|
|
5049
5058
|
#
|
|
5050
5059
|
# * Example: `WAFV2` - `CAPTCHA` and `Challenge` configs
|
|
5051
5060
|
#
|
|
5052
|
-
# `"
|
|
5061
|
+
# `"{"type":"WAFV2","preProcessRuleGroups":[{"ruleGroupArn":null,"overrideAction":{"type":"NONE"},"managedRuleGroupIdentifier":{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true}],"postProcessRuleGroups":[],"defaultAction":{"type":"ALLOW"},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true,"captchaConfig":{"immunityTimeProperty":{"immunityTime":500}},"challengeConfig":{"immunityTimeProperty":{"immunityTime":800}},"tokenDomains":["google.com","amazon.com"],"associationConfig":{"requestBody":{"CLOUDFRONT":{"defaultSizeInspectionLimit":"KB_16"}}}}"`
|
|
5053
5062
|
#
|
|
5054
5063
|
# * `CAPTCHA` and `Challenge` configs - If you update the policy's
|
|
5055
5064
|
# values for `associationConfig`, `captchaConfig`,
|
|
@@ -5072,7 +5081,7 @@ module Aws::FMS
|
|
|
5072
5081
|
# * Example: `WAFV2` - Firewall Manager support for WAF managed rule
|
|
5073
5082
|
# group versioning
|
|
5074
5083
|
#
|
|
5075
|
-
# `"
|
|
5084
|
+
# `"{"preProcessRuleGroups":[{"ruleGroupType":"ManagedRuleGroup","overrideAction":{"type":"NONE"},"sampledRequestsEnabled":true,"managedRuleGroupIdentifier":{"managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet","vendorName":"AWS","managedRuleGroupConfigs":null}}],"postProcessRuleGroups":[],"defaultAction":{"type":"ALLOW"},"customRequestHandling":null,"tokenDomains":null,"customResponse":null,"type":"WAFV2","overrideCustomerWebACLAssociation":false,"sampledRequestsEnabledForDefaultActions":true,"optimizeUnassociatedWebACL":true,"webACLSource":"RETROFIT_EXISTING"}"`
|
|
5076
5085
|
#
|
|
5077
5086
|
# To use a specific version of a WAF managed rule group in your
|
|
5078
5087
|
# Firewall Manager policy, you must set `versionEnabled` to `true`,
|
|
@@ -5083,21 +5092,21 @@ module Aws::FMS
|
|
|
5083
5092
|
#
|
|
5084
5093
|
# * Example: `WAFV2` - Logging configurations
|
|
5085
5094
|
#
|
|
5086
|
-
# `"
|
|
5087
|
-
# "overrideAction"
|
|
5088
|
-
#
|
|
5089
|
-
# "managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"
|
|
5095
|
+
# `"{"type":"WAFV2","preProcessRuleGroups":[{"ruleGroupArn":null,
|
|
5096
|
+
# "overrideAction":{"type":"NONE"},"managedRuleGroupIdentifier":
|
|
5097
|
+
# {"versionEnabled":null,"version":null,"vendorName":"AWS",
|
|
5098
|
+
# "managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"}
|
|
5090
5099
|
# ,"ruleGroupType":"ManagedRuleGroup","excludeRules":[],
|
|
5091
|
-
# "sampledRequestsEnabled":true
|
|
5092
|
-
# "defaultAction"
|
|
5100
|
+
# "sampledRequestsEnabled":true}],"postProcessRuleGroups":[],
|
|
5101
|
+
# "defaultAction":{"type":"ALLOW"},"customRequestHandling"
|
|
5093
5102
|
# \:null,"customResponse":null,"overrideCustomerWebACLAssociation"
|
|
5094
|
-
# \:false,"loggingConfiguration"
|
|
5103
|
+
# \:false,"loggingConfiguration":{"logDestinationConfigs":
|
|
5095
5104
|
# ["arn:aws:s3:::aws-waf-logs-example-bucket"]
|
|
5096
|
-
# ,"redactedFields":[],"loggingFilterConfigs"
|
|
5097
|
-
# "filters":[
|
|
5098
|
-
# "conditions":[
|
|
5099
|
-
# "CHALLENGE"
|
|
5100
|
-
#
|
|
5105
|
+
# ,"redactedFields":[],"loggingFilterConfigs":{"defaultBehavior":"KEEP",
|
|
5106
|
+
# "filters":[{"behavior":"KEEP","requirement":"MEETS_ALL",
|
|
5107
|
+
# "conditions":[{"actionCondition":"CAPTCHA"},{"actionCondition":
|
|
5108
|
+
# "CHALLENGE"},
|
|
5109
|
+
# {"actionCondition":"EXCLUDED_AS_COUNT"}]}]}},"sampledRequestsEnabledForDefaultActions":true}"`
|
|
5101
5110
|
#
|
|
5102
5111
|
# Firewall Manager supports Amazon Kinesis Data Firehose and Amazon
|
|
5103
5112
|
# S3 as the `logDestinationConfigs` in your `loggingConfiguration`.
|
|
@@ -5111,10 +5120,7 @@ module Aws::FMS
|
|
|
5111
5120
|
#
|
|
5112
5121
|
# * Example: `WAF Classic`
|
|
5113
5122
|
#
|
|
5114
|
-
# `"
|
|
5115
|
-
# [\{"id":"12345678-1bcd-9012-efga-0987654321ab",
|
|
5116
|
-
# "overrideAction" : \{"type": "COUNT"\}\}],
|
|
5117
|
-
# "defaultAction": \{"type": "BLOCK"\}\}"`
|
|
5123
|
+
# `"{"ruleGroups":[{"id":"78cb36c0-1b5e-4d7d-82b2-cf48d3ad9659","overrideAction":{"type":"NONE"}}],"overrideCustomerWebACLAssociation":true,"defaultAction":{"type":"ALLOW"},"type":"WAF"}"`
|
|
5118
5124
|
#
|
|
5119
5125
|
#
|
|
5120
5126
|
#
|
|
@@ -5542,6 +5548,48 @@ module Aws::FMS
|
|
|
5542
5548
|
include Aws::Structure
|
|
5543
5549
|
end
|
|
5544
5550
|
|
|
5551
|
+
# The violation details for a web ACL whose configuration is
|
|
5552
|
+
# incompatible with the Firewall Manager policy.
|
|
5553
|
+
#
|
|
5554
|
+
# @!attribute [rw] web_acl_arn
|
|
5555
|
+
# The Amazon Resource Name (ARN) of the web ACL.
|
|
5556
|
+
# @return [String]
|
|
5557
|
+
#
|
|
5558
|
+
# @!attribute [rw] description
|
|
5559
|
+
# Information about the problems that Firewall Manager encountered
|
|
5560
|
+
# with the web ACL configuration.
|
|
5561
|
+
# @return [String]
|
|
5562
|
+
#
|
|
5563
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/WebACLHasIncompatibleConfigurationViolation AWS API Documentation
|
|
5564
|
+
#
|
|
5565
|
+
class WebACLHasIncompatibleConfigurationViolation < Struct.new(
|
|
5566
|
+
:web_acl_arn,
|
|
5567
|
+
:description)
|
|
5568
|
+
SENSITIVE = []
|
|
5569
|
+
include Aws::Structure
|
|
5570
|
+
end
|
|
5571
|
+
|
|
5572
|
+
# The violation details for a web ACL that's associated with at least
|
|
5573
|
+
# one resource that's out of scope of the Firewall Manager policy.
|
|
5574
|
+
#
|
|
5575
|
+
# @!attribute [rw] web_acl_arn
|
|
5576
|
+
# The Amazon Resource Name (ARN) of the web ACL.
|
|
5577
|
+
# @return [String]
|
|
5578
|
+
#
|
|
5579
|
+
# @!attribute [rw] out_of_scope_resource_list
|
|
5580
|
+
# An array of Amazon Resource Name (ARN) for the resources that are
|
|
5581
|
+
# out of scope of the policy and are associated with the web ACL.
|
|
5582
|
+
# @return [Array<String>]
|
|
5583
|
+
#
|
|
5584
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/WebACLHasOutOfScopeResourcesViolation AWS API Documentation
|
|
5585
|
+
#
|
|
5586
|
+
class WebACLHasOutOfScopeResourcesViolation < Struct.new(
|
|
5587
|
+
:web_acl_arn,
|
|
5588
|
+
:out_of_scope_resource_list)
|
|
5589
|
+
SENSITIVE = []
|
|
5590
|
+
include Aws::Structure
|
|
5591
|
+
end
|
|
5592
|
+
|
|
5545
5593
|
end
|
|
5546
5594
|
end
|
|
5547
5595
|
|
data/lib/aws-sdk-fms.rb
CHANGED
data/sig/types.rbs
CHANGED
|
@@ -123,7 +123,7 @@ module Aws::FMS
|
|
|
123
123
|
|
|
124
124
|
class ComplianceViolator
|
|
125
125
|
attr_accessor resource_id: ::String
|
|
126
|
-
attr_accessor violation_reason: ("WEB_ACL_MISSING_RULE_GROUP" | "RESOURCE_MISSING_WEB_ACL" | "RESOURCE_INCORRECT_WEB_ACL" | "RESOURCE_MISSING_SHIELD_PROTECTION" | "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION" | "RESOURCE_MISSING_SECURITY_GROUP" | "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP" | "SECURITY_GROUP_UNUSED" | "SECURITY_GROUP_REDUNDANT" | "FMS_CREATED_SECURITY_GROUP_EDITED" | "MISSING_FIREWALL" | "MISSING_FIREWALL_SUBNET_IN_AZ" | "MISSING_EXPECTED_ROUTE_TABLE" | "NETWORK_FIREWALL_POLICY_MODIFIED" | "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" | "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE" | "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE" | "UNEXPECTED_FIREWALL_ROUTES" | "UNEXPECTED_TARGET_GATEWAY_ROUTES" | "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY" | "INVALID_ROUTE_CONFIGURATION" | "MISSING_TARGET_GATEWAY" | "INTERNET_TRAFFIC_NOT_INSPECTED" | "BLACK_HOLE_ROUTE_DETECTED" | "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" | "RESOURCE_MISSING_DNS_FIREWALL" | "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" | "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT" | "INVALID_NETWORK_ACL_ENTRY")
|
|
126
|
+
attr_accessor violation_reason: ("WEB_ACL_MISSING_RULE_GROUP" | "RESOURCE_MISSING_WEB_ACL" | "RESOURCE_INCORRECT_WEB_ACL" | "RESOURCE_MISSING_SHIELD_PROTECTION" | "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION" | "RESOURCE_MISSING_SECURITY_GROUP" | "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP" | "SECURITY_GROUP_UNUSED" | "SECURITY_GROUP_REDUNDANT" | "FMS_CREATED_SECURITY_GROUP_EDITED" | "MISSING_FIREWALL" | "MISSING_FIREWALL_SUBNET_IN_AZ" | "MISSING_EXPECTED_ROUTE_TABLE" | "NETWORK_FIREWALL_POLICY_MODIFIED" | "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" | "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE" | "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE" | "UNEXPECTED_FIREWALL_ROUTES" | "UNEXPECTED_TARGET_GATEWAY_ROUTES" | "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY" | "INVALID_ROUTE_CONFIGURATION" | "MISSING_TARGET_GATEWAY" | "INTERNET_TRAFFIC_NOT_INSPECTED" | "BLACK_HOLE_ROUTE_DETECTED" | "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" | "RESOURCE_MISSING_DNS_FIREWALL" | "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" | "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT" | "INVALID_NETWORK_ACL_ENTRY" | "WEB_ACL_CONFIGURATION_OR_SCOPE_OF_USE")
|
|
127
127
|
attr_accessor resource_type: ::String
|
|
128
128
|
attr_accessor metadata: ::Hash[::String, ::String]
|
|
129
129
|
SENSITIVE: []
|
|
@@ -1081,6 +1081,8 @@ module Aws::FMS
|
|
|
1081
1081
|
attr_accessor firewall_subnet_missing_vpc_endpoint_violation: Types::FirewallSubnetMissingVPCEndpointViolation
|
|
1082
1082
|
attr_accessor invalid_network_acl_entries_violation: Types::InvalidNetworkAclEntriesViolation
|
|
1083
1083
|
attr_accessor possible_remediation_actions: Types::PossibleRemediationActions
|
|
1084
|
+
attr_accessor web_acl_has_incompatible_configuration_violation: Types::WebACLHasIncompatibleConfigurationViolation
|
|
1085
|
+
attr_accessor web_acl_has_out_of_scope_resources_violation: Types::WebACLHasOutOfScopeResourcesViolation
|
|
1084
1086
|
SENSITIVE: []
|
|
1085
1087
|
end
|
|
1086
1088
|
|
|
@@ -1224,5 +1226,17 @@ module Aws::FMS
|
|
|
1224
1226
|
attr_accessor resource_description: ::String
|
|
1225
1227
|
SENSITIVE: []
|
|
1226
1228
|
end
|
|
1229
|
+
|
|
1230
|
+
class WebACLHasIncompatibleConfigurationViolation
|
|
1231
|
+
attr_accessor web_acl_arn: ::String
|
|
1232
|
+
attr_accessor description: ::String
|
|
1233
|
+
SENSITIVE: []
|
|
1234
|
+
end
|
|
1235
|
+
|
|
1236
|
+
class WebACLHasOutOfScopeResourcesViolation
|
|
1237
|
+
attr_accessor web_acl_arn: ::String
|
|
1238
|
+
attr_accessor out_of_scope_resource_list: ::Array[::String]
|
|
1239
|
+
SENSITIVE: []
|
|
1240
|
+
end
|
|
1227
1241
|
end
|
|
1228
1242
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sdk-fms
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.85.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-11-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-core
|