aws-sdk-fms 1.63.0 → 1.64.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 006e450a2654c8f5a8465278b9d0eb85510a075721014be0ec508cc866fb8b94
-  data.tar.gz: 903dfdd380be50746ea325a9e1e2e3a31682318634a61b9eefffe0b5cff7f55f
+  metadata.gz: 39eb8bae4d7a1f5972c29f806406cc909eeec6aeea13793da7efc6c497c7e1ef
+  data.tar.gz: 1e06cb0918b3e945992322cfd9802dfb449b77ecc723bad67cc13026ae2e8072
 SHA512:
-  metadata.gz: 0cefe496421fb0c0c34c9b55022a45af2b051de1d0591eb1175efef7f4b4fb39a684028db6a0a4c5e6bc2eb97830f763822e7df69b89b2ec45cee6e7068fe39f
-  data.tar.gz: 5fe6ea26ced86d299e005ed062b7c6efb8aeae92d3963ffa8350d34e68d0b387cc468d8c3439f58847f96261002b4148be6c929ec1ef5c1c13afc1f727f8729b
+  metadata.gz: eacb5200cb9f01938ec2e4bcad981b40071f54eeb1d259a35bf4ca92f93a7f2aa6ac32ddfd6777761f37888ad5be91dda24bd012a3429b2fc6e5e6a67706685a
+  data.tar.gz: c4a1fdb5b78b74c4366ceb304e2f0d13a6af3d92321efff3a73b7dfd8bb0a515a784a88a65db8fba43d719670690e517ad8f096e229e638c0b857afe44f5b41e

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.64.0 (2023-11-10)
+------------------
+
+* Feature - Adds optimizeUnassociatedWebACL flag to ManagedServiceData, updates third-party firewall examples, and other minor documentation updates.
+
 1.63.0 (2023-09-27)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.63.0
+1.64.0

data/lib/aws-sdk-fms/client.rb

@@ -616,6 +616,12 @@ module Aws::FMS
     #     Manager and if it's no longer associated with any resources through
     #     another policy
     #
+    #   <note markdown="1"> For security group common policies, even if set to `False`, Firewall
+    #   Manager deletes all security groups created by Firewall Manager that
+    #   aren't associated with any other resources through another policy.
+    #
+    #    </note>
+    #
     #   After the cleanup, in-scope resources are no longer protected by web
     #   ACLs in this policy. Protection of out-of-scope resources remains
     #   unchanged. Scope is determined by tags that you create and accounts
@@ -1194,7 +1200,17 @@ module Aws::FMS
     #
     # @option params [required, String] :policy_id
     #   The ID of the Firewall Manager policy that you want the details for.
-    #   This currently only supports security group content audit policies.
+    #   You can get violation details for the following policy types:
+    #
+    #   * DNS Firewall
+    #
+    #   * Imported Network Firewall
+    #
+    #   * Network Firewall
+    #
+    #   * Security group content audit
+    #
+    #   * Third-party firewall
     #
     # @option params [required, String] :member_account
     #   The Amazon Web Services account ID that you want the details for.
@@ -2366,37 +2382,51 @@ module Aws::FMS
 
     # Creates an Firewall Manager policy.
     #
-    # Firewall Manager provides the following types of policies:
+    # A Firewall Manager policy is specific to the individual policy type.
+    # If you want to enforce multiple policy types across accounts, you can
+    # create multiple policies. You can create more than one policy for each
+    # type.
     #
-    # * An WAF policy (type WAFV2), which defines rule groups to run first
-    #   in the corresponding WAF web ACL and rule groups to run last in the
-    #   web ACL.
+    # If you add a new account to an organization that you created with
+    # Organizations, Firewall Manager automatically applies the policy to
+    # the resources in that account that are within scope of the policy.
+    #
+    # Firewall Manager provides the following types of policies:
     #
-    # * An WAF Classic policy (type WAF), which defines a rule group.
+    # * **Shield Advanced policy** - This policy applies Shield Advanced
+    #   protection to specified accounts and resources.
     #
-    # * A Shield Advanced policy, which applies Shield Advanced protection
-    #   to specified accounts and resources.
+    # * **Security Groups policy** - This type of policy gives you control
+    #   over security groups that are in use throughout your organization in
+    #   Organizations and lets you enforce a baseline set of rules across
+    #   your organization.
     #
-    # * A security group policy, which manages VPC security groups across
-    #   your Amazon Web Services organization.
+    # * **Network Firewall policy** - This policy applies Network Firewall
+    #   protection to your organization's VPCs.
     #
-    # * An Network Firewall policy, which provides firewall rules to filter
-    #   network traffic in specified Amazon VPCs.
+    # * **DNS Firewall policy** - This policy applies Amazon Route 53
+    #   Resolver DNS Firewall protections to your organization's VPCs.
     #
-    # * A DNS Firewall policy, which provides Route 53 Resolver DNS Firewall
-    #   rules to filter DNS queries for specified VPCs.
+    # * **Third-party firewall policy** - This policy applies third-party
+    #   firewall protections. Third-party firewalls are available by
+    #   subscription through the Amazon Web Services Marketplace console at
+    #   [Amazon Web Services Marketplace][1].
     #
-    # Each policy is specific to one of the types. If you want to enforce
-    # more than one policy type across accounts, create multiple policies.
-    # You can create multiple policies for each type.
+    #   * **Palo Alto Networks Cloud NGFW policy** - This policy applies
+    #     Palo Alto Networks Cloud Next Generation Firewall (NGFW)
+    #     protections and Palo Alto Networks Cloud NGFW rulestacks to your
+    #     organization's VPCs.
     #
-    # You must be subscribed to Shield Advanced to create a Shield Advanced
-    # policy. For more information about subscribing to Shield Advanced, see
-    # [CreateSubscription][1].
+    #   * **Fortigate CNF policy** - This policy applies Fortigate Cloud
+    #     Native Firewall (CNF) protections. Fortigate CNF is a
+    #     cloud-centered solution that blocks Zero-Day threats and secures
+    #     cloud infrastructures with industry-leading advanced threat
+    #     prevention, smart web application firewalls (WAF), and API
+    #     protection.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_CreateSubscription.html
+    # [1]: https://aws.amazon.com/marketplace
     #
     # @option params [required, Types::Policy] :policy
     #   The details of the Firewall Manager policy to be created.
@@ -2690,7 +2720,7 @@ module Aws::FMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-fms'
-      context[:gem_version] = '1.63.0'
+      context[:gem_version] = '1.64.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-fms/endpoint_provider.rb

@@ -32,7 +32,7 @@ module Aws::FMS
             raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
           end
           if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
+            if Aws::Endpoints::Matchers.boolean_equals?(Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"), true)
               return Aws::Endpoints::Endpoint.new(url: "https://fms-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
             end
             raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"

data/lib/aws-sdk-fms/types.rb

@@ -575,6 +575,12 @@ module Aws::FMS
     #     Manager and if it's no longer associated with any resources
     #     through another policy
     #
+    #   <note markdown="1"> For security group common policies, even if set to `False`, Firewall
+    #   Manager deletes all security groups created by Firewall Manager that
+    #   aren't associated with any other resources through another policy.
+    #
+    #    </note>
+    #
     #   After the cleanup, in-scope resources are no longer protected by web
     #   ACLs in this policy. Protection of out-of-scope resources remains
     #   unchanged. Scope is determined by tags that you create and accounts
@@ -1621,7 +1627,17 @@ module Aws::FMS
 
     # @!attribute [rw] policy_id
     #   The ID of the Firewall Manager policy that you want the details for.
-    #   This currently only supports security group content audit policies.
+    #   You can get violation details for the following policy types:
+    #
+    #   * DNS Firewall
+    #
+    #   * Imported Network Firewall
+    #
+    #   * Network Firewall
+    #
+    #   * Security group content audit
+    #
+    #   * Third-party firewall
     #   @return [String]
     #
     # @!attribute [rw] member_account
@@ -2970,17 +2986,28 @@ module Aws::FMS
     #   specify a resource type of `ResourceTypeList` and then specify the
     #   resource types in a `ResourceTypeList`.
     #
-    #   For WAF and Shield Advanced, resource types include
-    #   `AWS::ElasticLoadBalancingV2::LoadBalancer`,
-    #   `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::EC2::EIP`, and
-    #   `AWS::CloudFront::Distribution`. For a security group common policy,
-    #   valid values are `AWS::EC2::NetworkInterface` and
-    #   `AWS::EC2::Instance`. For a security group content audit policy,
-    #   valid values are `AWS::EC2::SecurityGroup`,
-    #   `AWS::EC2::NetworkInterface`, and `AWS::EC2::Instance`. For a
-    #   security group usage audit policy, the value is
-    #   `AWS::EC2::SecurityGroup`. For an Network Firewall policy or DNS
-    #   Firewall policy, the value is `AWS::EC2::VPC`.
+    #   The following are valid resource types for each Firewall Manager
+    #   policy type:
+    #
+    #   * Amazon Web Services WAF Classic - `AWS::ApiGateway::Stage`,
+    #     `AWS::CloudFront::Distribution`, and
+    #     `AWS::ElasticLoadBalancingV2::LoadBalancer`.
+    #
+    #   * WAF - `AWS::ApiGateway::Stage`,
+    #     `AWS::ElasticLoadBalancingV2::LoadBalancer`, and
+    #     `AWS::CloudFront::Distribution`.
+    #
+    #   * DNS Firewall, Network Firewall, and third-party firewall -
+    #     `AWS::EC2::VPC`.
+    #
+    #   * Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer`,
+    #     `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::EC2::EIP`, and
+    #     `AWS::CloudFront::Distribution`.
+    #
+    #   * Security group content audit - `AWS::EC2::SecurityGroup`,
+    #     `AWS::EC2::NetworkInterface`, and `AWS::EC2::Instance`.
+    #
+    #   * Security group usage audit - `AWS::EC2::SecurityGroup`.
     #
     #
     #
@@ -4307,6 +4334,7 @@ module Aws::FMS
     #      </note>
     #
     #   * Example: `IMPORT_NETWORK_FIREWALL`
+    #
     #     `"\{"type":"IMPORT_NETWORK_FIREWALL","awsNetworkFirewallConfig":\{"networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\/rg1","priority":1\}],"networkFirewallStatelessDefaultActions":["aws:drop"],"networkFirewallStatelessFragmentDefaultActions":["aws:pass"],"networkFirewallStatelessCustomActions":[],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\/ThreatSignaturesEmergingEventsStrictOrder","priority":8\}],"networkFirewallStatefulEngineOptions":\{"ruleOrder":"STRICT_ORDER"\},"networkFirewallStatefulDefaultActions":["aws:drop_strict"]\}\}"`
     #
     #     `"\{"type":"DNS_FIREWALL","preProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-1","priority":10\}],"postProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-2","priority":9911\}]\}"`
@@ -4376,20 +4404,6 @@ module Aws::FMS
     #     To use the distributed deployment model, you must set
     #     [PolicyOption][1] to `NULL`.
     #
-    #   * Example: `THIRD_PARTY_FIREWALL`
-    #
-    #     `"\{ "type":"THIRD_PARTY_FIREWALL",
-    #     "thirdPartyFirewall":"PALO_ALTO_NETWORKS_CLOUD_NGFW",
-    #     "thirdPartyFirewallConfig":\{
-    #     "thirdPartyFirewallPolicyList":["global-1"] \},
-    #     "firewallDeploymentModel":\{
-    #     "distributedFirewallDeploymentModel":\{
-    #     "distributedFirewallOrchestrationConfig":\{
-    #     "firewallCreationConfig":\{ "endpointLocation":\{
-    #     "availabilityZoneConfigList":[ \{
-    #     "availabilityZoneName":"$\{AvailabilityZone\}" \} ] \} \},
-    #     "allowedIPV4CidrList":[ ] \} \} \} \}"`
-    #
     #   * Example: `SECURITY_GROUPS_COMMON`
     #
     #     `"\{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":false,"exclusiveResourceSecurityGroupManagement":false,
@@ -4436,13 +4450,40 @@ module Aws::FMS
     #
     #     `"\{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true\}"`
     #
+    #   * Example: `SHIELD_ADVANCED` with web ACL management
+    #
+    #     `"\{"type":"SHIELD_ADVANCED","optimizeUnassociatedWebACL":true\}"`
+    #
+    #     If you set `optimizeUnassociatedWebACL` to `true`, Firewall
+    #     Manager creates web ACLs in accounts within the policy scope if
+    #     the web ACLs will be used by at least one resource. Firewall
+    #     Manager creates web ACLs in the accounts within policy scope only
+    #     if the web ACLs will be used by at least one resource. If at any
+    #     time an account comes into policy scope, Firewall Manager
+    #     automatically creates a web ACL in the account if at least one
+    #     resource will use the web ACL.
+    #
+    #     Upon enablement, Firewall Manager performs a one-time cleanup of
+    #     unused web ACLs in your account. The cleanup process can take
+    #     several hours. If a resource leaves policy scope after Firewall
+    #     Manager creates a web ACL, Firewall Manager doesn't disassociate
+    #     the resource from the web ACL. If you want Firewall Manager to
+    #     clean up the web ACL, you must first manually disassociate the
+    #     resources from the web ACL, and then enable the manage unused web
+    #     ACLs option in your policy.
+    #
+    #     If you set `optimizeUnassociatedWebACL` to `false`, and Firewall
+    #     Manager automatically creates an empty web ACL in each account
+    #     that's within policy scope.
+    #
     #   * Specification for `SHIELD_ADVANCED` for Amazon CloudFront
     #     distributions
     #
     #     `"\{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
     #     \{"automaticResponseStatus":"ENABLED|IGNORED|DISABLED",
     #     "automaticResponseAction":"BLOCK|COUNT"\},
-    #     "overrideCustomerWebaclClassic":true|false\}"`
+    #     "overrideCustomerWebaclClassic":true|false,
+    #     "optimizeUnassociatedWebACL":true|false\}"`
     #
     #     For example:
     #     `"\{"type":"SHIELD_ADVANCED","automaticResponseConfiguration":
@@ -4458,21 +4499,62 @@ module Aws::FMS
     #     Advanced policy, this `ManagedServiceData` configuration is an
     #     empty string.
     #
-    #   * Example: `WAFV2` - Account takeover prevention and Bot Control
-    #     managed rule groups, and rule action override
+    #   * Example: `THIRD_PARTY_FIREWALL`
     #
-    #     `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesATPRuleSet","managedRuleGroupConfigs":[\{"awsmanagedRulesATPRuleSet":\{"loginPath":"/loginpath","requestInspection":\{"payloadType":"FORM_ENCODED|JSON","usernameField":\{"identifier":"/form/username"\},"passwordField":\{"identifier":"/form/password"\}\}\}\}]\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true\},\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesBotControlRuleSet","managedRuleGroupConfigs":[\{"awsmanagedRulesBotControlRuleSet":\{"inspectionLevel":"TARGETED|COMMON"\}\}]\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true,"ruleActionOverrides":[\{"name":"Rule1","actionToUse":\{"allow|block|count|captcha|challenge":\{\}\}\},\{"name":"Rule2","actionToUse":\{"allow|block|count|captcha|challenge":\{\}\}\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true\}"`
+    #     Replace `THIRD_PARTY_FIREWALL_NAME` with the name of the
+    #     third-party firewall.
     #
-    #     * Fraud Control account takeover prevention (ATP) - For
-    #       information about the properties available for
-    #       `AWSManagedRulesATPRuleSet` managed rule groups, see
-    #       [AWSManagedRulesATPRuleSet][2] in the *WAF API Reference*.
+    #     `"\{ "type":"THIRD_PARTY_FIREWALL",
+    #     "thirdPartyFirewall":"THIRD_PARTY_FIREWALL_NAME",
+    #     "thirdPartyFirewallConfig":\{
+    #     "thirdPartyFirewallPolicyList":["global-1"] \},
+    #     "firewallDeploymentModel":\{
+    #     "distributedFirewallDeploymentModel":\{
+    #     "distributedFirewallOrchestrationConfig":\{
+    #     "firewallCreationConfig":\{ "endpointLocation":\{
+    #     "availabilityZoneConfigList":[ \{
+    #     "availabilityZoneName":"$\{AvailabilityZone\}" \} ] \} \},
+    #     "allowedIPV4CidrList":[ ] \} \} \} \}"`
+    #
+    #   * Example: `WAFV2` - Account takeover prevention, Bot Control
+    #     managed rule groups, optimize unassociated web ACL, and rule
+    #     action override
+    #
+    #     `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesATPRuleSet","managedRuleGroupConfigs":[\{"awsmanagedRulesATPRuleSet":\{"loginPath":"/loginpath","requestInspection":\{"payloadType":"FORM_ENCODED|JSON","usernameField":\{"identifier":"/form/username"\},"passwordField":\{"identifier":"/form/password"\}\}\}\}]\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true\},\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesBotControlRuleSet","managedRuleGroupConfigs":[\{"awsmanagedRulesBotControlRuleSet":\{"inspectionLevel":"TARGETED|COMMON"\}\}]\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true,"ruleActionOverrides":[\{"name":"Rule1","actionToUse":\{"allow|block|count|captcha|challenge":\{\}\}\},\{"name":"Rule2","actionToUse":\{"allow|block|count|captcha|challenge":\{\}\}\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true,"optimizeUnassociatedWebACL":true\}"`
     #
     #     * Bot Control - For information about
     #       `AWSManagedRulesBotControlRuleSet` managed rule groups, see
-    #       [AWSManagedRulesBotControlRuleSet][3] in the *WAF API
+    #       [AWSManagedRulesBotControlRuleSet][2] in the *WAF API
     #       Reference*.
     #
+    #     * Fraud Control account takeover prevention (ATP) - For
+    #       information about the properties available for
+    #       `AWSManagedRulesATPRuleSet` managed rule groups, see
+    #       [AWSManagedRulesATPRuleSet][3] in the *WAF API Reference*.
+    #
+    #     * Optimize unassociated web ACL - If you set
+    #       `optimizeUnassociatedWebACL` to `true`, Firewall Manager creates
+    #       web ACLs in accounts within the policy scope if the web ACLs
+    #       will be used by at least one resource. Firewall Manager creates
+    #       web ACLs in the accounts within policy scope only if the web
+    #       ACLs will be used by at least one resource. If at any time an
+    #       account comes into policy scope, Firewall Manager automatically
+    #       creates a web ACL in the account if at least one resource will
+    #       use the web ACL.
+    #
+    #       Upon enablement, Firewall Manager performs a one-time cleanup of
+    #       unused web ACLs in your account. The cleanup process can take
+    #       several hours. If a resource leaves policy scope after Firewall
+    #       Manager creates a web ACL, Firewall Manager disassociates the
+    #       resource from the web ACL, but won't clean up the unused web
+    #       ACL. Firewall Manager only cleans up unused web ACLs when you
+    #       first enable management of unused web ACLs in a policy.
+    #
+    #       If you set `optimizeUnassociatedWebACL` to `false` Firewall
+    #       Manager doesn't manage unused web ACLs, and Firewall Manager
+    #       automatically creates an empty web ACL in each account that's
+    #       within policy scope.
+    #
     #     * Rule action overrides - Firewall Manager supports rule action
     #       overrides only for managed rule groups. To configure a
     #       `RuleActionOverrides` add the `Name` of the rule to override,
@@ -4482,16 +4564,25 @@ module Aws::FMS
     #
     #   * Example: `WAFV2` - `CAPTCHA` and `Challenge` configs
     #
-    #     `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true,"captchaConfig":\{"immunityTimeProperty":\{"immunityTime":500\}\},"challengeConfig":\{"immunityTimeProperty":\{"immunityTime":800\}\},"tokenDomains":["google.com","amazon.com"]\}"`
-    #
-    #     If you update the policy's values for `captchaConfig`,
-    #     `challengeConfig`, or `tokenDomains`, Firewall Manager will
-    #     overwrite your local web ACLs to contain the new value(s).
-    #     However, if you don't update the policy's `captchaConfig`,
-    #     `challengeConfig`, or `tokenDomains` values, the values in your
-    #     local web ACLs will remain unchanged. For information about
-    #     CAPTCHA and Challenge configs, see [CaptchaConfig][5] and
-    #     [ChallengeConfig][6] in the *WAF API Reference*.
+    #     `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":null,"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAdminProtectionRuleSet"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"customRequestHandling":null,"customResponse":null,"overrideCustomerWebACLAssociation":false,"loggingConfiguration":null,"sampledRequestsEnabledForDefaultActions":true,"captchaConfig":\{"immunityTimeProperty":\{"immunityTime":500\}\},"challengeConfig":\{"immunityTimeProperty":\{"immunityTime":800\}\},"tokenDomains":["google.com","amazon.com"],"associationConfig":\{"requestBody":\{"CLOUDFRONT":\{"defaultSizeInspectionLimit":"KB_16"\}\}\}\}"`
+    #
+    #     * `CAPTCHA` and `Challenge` configs - If you update the policy's
+    #       values for `associationConfig`, `captchaConfig`,
+    #       `challengeConfig`, or `tokenDomains`, Firewall Manager will
+    #       overwrite your local web ACLs to contain the new value(s).
+    #       However, if you don't update the policy's `associationConfig`,
+    #       `captchaConfig`, `challengeConfig`, or `tokenDomains` values,
+    #       the values in your local web ACLs will remain unchanged. For
+    #       information about association configs, see
+    #       [AssociationConfig][5]. For information about CAPTCHA and
+    #       Challenge configs, see [CaptchaConfig][6] and
+    #       [ChallengeConfig][7] in the *WAF API Reference*.
+    #
+    #     * `defaultSizeInspectionLimit` - Specifies the maximum size of the
+    #       web request body component that an associated Amazon CloudFront
+    #       distribution should send to WAF for inspection. For more
+    #       information, see [DefaultSizeInspectionLimit][8] in the *WAF API
+    #       Reference*.
     #
     #   * Example: `WAFV2` - Firewall Manager support for WAF managed rule
     #     group versioning
@@ -4526,7 +4617,7 @@ module Aws::FMS
     #     Firewall Manager supports Amazon Kinesis Data Firehose and Amazon
     #     S3 as the `logDestinationConfigs` in your `loggingConfiguration`.
     #     For information about WAF logging configurations, see
-    #     [LoggingConfiguration][7] in the *WAF API Reference*
+    #     [LoggingConfiguration][9] in the *WAF API Reference*
     #
     #     In the `loggingConfiguration`, you can specify one
     #     `logDestinationConfigs`. Optionally provide as many as 20
@@ -4543,12 +4634,14 @@ module Aws::FMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
-    #   [2]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesATPRuleSet.html
-    #   [3]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesBotControlRuleSet.html
+    #   [2]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesBotControlRuleSet.html
+    #   [3]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesATPRuleSet.html
     #   [4]: https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleActionOverride.html
-    #   [5]: https://docs.aws.amazon.com/waf/latest/APIReference/API_CaptchaConfig.html
-    #   [6]: https://docs.aws.amazon.com/waf/latest/APIReference/API_ChallengeConfig.html
-    #   [7]: https://docs.aws.amazon.com/waf/latest/APIReference/API_LoggingConfiguration.html
+    #   [5]: https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociationConfig.html
+    #   [6]: https://docs.aws.amazon.com/waf/latest/APIReference/API_CaptchaConfig.html
+    #   [7]: https://docs.aws.amazon.com/waf/latest/APIReference/API_ChallengeConfig.html
+    #   [8]: https://docs.aws.amazon.com/waf/latest/APIReference/API_RequestBodyAssociatedResourceTypeConfig.html#WAF-Type-RequestBodyAssociatedResourceTypeConfig-DefaultSizeInspectionLimit
+    #   [9]: https://docs.aws.amazon.com/waf/latest/APIReference/API_LoggingConfiguration.html
     #   @return [String]
     #
     # @!attribute [rw] policy_option

data/lib/aws-sdk-fms.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-fms/customizations'
 # @!group service
 module Aws::FMS
 
-  GEM_VERSION = '1.63.0'
+  GEM_VERSION = '1.64.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-fms
 version: !ruby/object:Gem::Version
-  version: 1.63.0
+  version: 1.64.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-09-27 00:00:00.000000000 Z
+date: 2023-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core