RubyGems - aws-sdk-networkfirewall - Versions diffs - 1.35.0 → 1.37.0 - Mend

aws-sdk-networkfirewall 1.35.0 → 1.37.0

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/VERSION +1 -1
data/lib/aws-sdk-networkfirewall/client.rb +106 -34
data/lib/aws-sdk-networkfirewall/client_api.rb +26 -0
data/lib/aws-sdk-networkfirewall/endpoint_provider.rb +1 -1
data/lib/aws-sdk-networkfirewall/types.rb +272 -62
data/lib/aws-sdk-networkfirewall.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 93f906c49425708a99fefe392ecc65c744ed614c3731a9449151acf53512963b
-  data.tar.gz: cba122ba325f3fc897c5d8303d76244f9b984114ab4ebdde8c6525a0c78bcc96
+  metadata.gz: 1ead7232a47e4248e5f8e27ffea9f25c2440d542fc0bfa6578c81b9486b7b07b
+  data.tar.gz: c85889a00b03ab03b4b4497d90bc5d43b820a91ed2138c8794e65bd58f5eba3e
 SHA512:
-  metadata.gz: 43149af37997bf292ad1d3da81402f90a52e89f512b437300bd5778529a93413a02716ee61b0523da651d9af9909e402671124ecdc17753dfabe4e82b23a43fb
-  data.tar.gz: 29ff4749347cae6fa3d96730e7aab182271168077a16b8da3e9b4f27a9edaa89ebbc4a13c359f3079da293f1b0f0bae8ac6d2ab35e3f8bc2e6aa7d15f090b9da
+  metadata.gz: 0f9693651148e310a4006394e3381083ef03f7eff5d883e8cf5e9ac9957d55ec79b1cce56c4251feca36e702c1136804a58740568ccd3b7088a321edad22af15
+  data.tar.gz: dfc2ed10eb6ad18b5191eddc9c48ce7d233239c5fe911503882d981891d126e7a0c6ae6e2c189ee1ce8344051a4b8dfc3b44a7396a7cd5c97c878027e8831fbe

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
+1.37.0 (2023-11-02)
+------------------
+* Feature - This release introduces the stateless rule analyzer, which enables you to analyze your stateless rules for asymmetric routing.
+1.36.0 (2023-10-26)
+------------------
+* Feature - Network Firewall now supports inspection of outbound SSL/TLS traffic.
 1.35.0 (2023-09-27)
 ------------------

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 1.35.0
1	+ 1.37.0

data/lib/aws-sdk-networkfirewall/client.rb CHANGED Viewed

@@ -818,7 +818,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy_response.firewall_policy_arn #=> String
     #   resp.firewall_policy_response.firewall_policy_id #=> String
     #   resp.firewall_policy_response.description #=> String
-    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.firewall_policy_response.tags #=> Array
     #   resp.firewall_policy_response.tags[0].key #=> String
     #   resp.firewall_policy_response.tags[0].value #=> String
@@ -955,6 +955,13 @@ module Aws::NetworkFirewall
     #   own rule group is copied from. You can use the metadata to keep track
     #   of updates made to the originating rule group.
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis and then creates
+    #   the rule group for you. To run the stateless rule group analyzer
+    #   without creating the rule group, set `DryRun` to `TRUE`.
+    #
     # @return [Types::CreateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateRuleGroupResponse#update_token #update_token} => String
@@ -1089,6 +1096,7 @@ module Aws::NetworkFirewall
     #       source_arn: "ResourceArn",
     #       source_update_token: "UpdateToken",
     #     },
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -1100,7 +1108,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.description #=> String
     #   resp.rule_group_response.type #=> String, one of "STATELESS", "STATEFUL"
     #   resp.rule_group_response.capacity #=> Integer
-    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.rule_group_response.tags #=> Array
     #   resp.rule_group_response.tags[0].key #=> String
     #   resp.rule_group_response.tags[0].value #=> String
@@ -1112,6 +1120,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroup AWS API Documentation
     #
@@ -1123,12 +1136,13 @@ module Aws::NetworkFirewall
     end
     # Creates an Network Firewall TLS inspection configuration. A TLS
-    # inspection configuration contains the Certificate Manager certificate
-    # references that Network Firewall uses to decrypt and re-encrypt
-    # inbound traffic.
+    # inspection configuration contains Certificate Manager certificate
+    # associations between and the scope configurations that Network
+    # Firewall uses to decrypt and re-encrypt traffic traveling through your
+    # firewall.
     #
-    # After you create a TLS inspection configuration, you associate it with
-    # a new firewall policy.
+    # After you create a TLS inspection configuration, you can associate it
+    # with a new firewall policy.
     #
     # To update the settings for a TLS inspection configuration, use
     # UpdateTLSInspectionConfiguration.
@@ -1142,7 +1156,7 @@ module Aws::NetworkFirewall
     # DescribeTLSInspectionConfiguration.
     #
     # For more information about TLS inspection configurations, see
-    # [Decrypting SSL/TLS traffic with TLS inspection configurations][1] in
+    # [Inspecting SSL/TLS traffic with TLS inspection configurations][1] in
     # the *Network Firewall Developer Guide*.
     #
     #
@@ -1166,12 +1180,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information about
-    #   using TLS inspection configurations, see [Decrypting SSL/TLS traffic
-    #   with TLS inspection configurations][1] in the *Network Firewall
-    #   Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1] in
+    #   the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -1242,6 +1256,11 @@ module Aws::NetworkFirewall
     #               protocols: [1],
     #             },
     #           ],
+    #           certificate_authority_arn: "ResourceArn",
+    #           check_certificate_revocation_status: {
+    #             revoked_status_action: "PASS", # accepts PASS, DROP, REJECT
+    #             unknown_status_action: "PASS", # accepts PASS, DROP, REJECT
+    #           },
     #         },
     #       ],
     #     },
@@ -1264,7 +1283,7 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_arn #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_name #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_id #=> String
-    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.tls_inspection_configuration_response.description #=> String
     #   resp.tls_inspection_configuration_response.tags #=> Array
     #   resp.tls_inspection_configuration_response.tags[0].key #=> String
@@ -1278,6 +1297,10 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.certificates[0].certificate_serial #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status_message #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_arn #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_serial #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateTLSInspectionConfiguration AWS API Documentation
     #
@@ -1400,7 +1423,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy_response.firewall_policy_arn #=> String
     #   resp.firewall_policy_response.firewall_policy_id #=> String
     #   resp.firewall_policy_response.description #=> String
-    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.firewall_policy_response.tags #=> Array
     #   resp.firewall_policy_response.tags[0].key #=> String
     #   resp.firewall_policy_response.tags[0].value #=> String
@@ -1487,7 +1510,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.description #=> String
     #   resp.rule_group_response.type #=> String, one of "STATELESS", "STATEFUL"
     #   resp.rule_group_response.capacity #=> Integer
-    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.rule_group_response.tags #=> Array
     #   resp.rule_group_response.tags[0].key #=> String
     #   resp.rule_group_response.tags[0].value #=> String
@@ -1499,6 +1522,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteRuleGroup AWS API Documentation
     #
@@ -1538,7 +1566,7 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_arn #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_name #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_id #=> String
-    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.tls_inspection_configuration_response.description #=> String
     #   resp.tls_inspection_configuration_response.tags #=> Array
     #   resp.tls_inspection_configuration_response.tags[0].key #=> String
@@ -1552,6 +1580,10 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.certificates[0].certificate_serial #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status_message #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_arn #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_serial #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteTLSInspectionConfiguration AWS API Documentation
     #
@@ -1665,7 +1697,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy_response.firewall_policy_arn #=> String
     #   resp.firewall_policy_response.firewall_policy_id #=> String
     #   resp.firewall_policy_response.description #=> String
-    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.firewall_policy_response.tags #=> Array
     #   resp.firewall_policy_response.tags[0].key #=> String
     #   resp.firewall_policy_response.tags[0].value #=> String
@@ -1804,6 +1836,11 @@ module Aws::NetworkFirewall
     #
     #    </note>
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis.
+    #
     # @return [Types::DescribeRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DescribeRuleGroupResponse#update_token #update_token} => String
@@ -1816,6 +1853,7 @@ module Aws::NetworkFirewall
     #     rule_group_name: "ResourceName",
     #     rule_group_arn: "ResourceArn",
     #     type: "STATELESS", # accepts STATELESS, STATEFUL
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -1879,7 +1917,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.description #=> String
     #   resp.rule_group_response.type #=> String, one of "STATELESS", "STATEFUL"
     #   resp.rule_group_response.capacity #=> Integer
-    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.rule_group_response.tags #=> Array
     #   resp.rule_group_response.tags[0].key #=> String
     #   resp.rule_group_response.tags[0].value #=> String
@@ -1891,6 +1929,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroup AWS API Documentation
     #
@@ -2011,10 +2054,13 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration.server_certificate_configurations[0].scopes[0].destination_ports[0].to_port #=> Integer
     #   resp.tls_inspection_configuration.server_certificate_configurations[0].scopes[0].protocols #=> Array
     #   resp.tls_inspection_configuration.server_certificate_configurations[0].scopes[0].protocols[0] #=> Integer
+    #   resp.tls_inspection_configuration.server_certificate_configurations[0].certificate_authority_arn #=> String
+    #   resp.tls_inspection_configuration.server_certificate_configurations[0].check_certificate_revocation_status.revoked_status_action #=> String, one of "PASS", "DROP", "REJECT"
+    #   resp.tls_inspection_configuration.server_certificate_configurations[0].check_certificate_revocation_status.unknown_status_action #=> String, one of "PASS", "DROP", "REJECT"
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_arn #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_name #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_id #=> String
-    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.tls_inspection_configuration_response.description #=> String
     #   resp.tls_inspection_configuration_response.tags #=> Array
     #   resp.tls_inspection_configuration_response.tags[0].key #=> String
@@ -2028,6 +2074,10 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.certificates[0].certificate_serial #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status_message #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_arn #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_serial #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeTLSInspectionConfiguration AWS API Documentation
     #
@@ -2880,7 +2930,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy_response.firewall_policy_arn #=> String
     #   resp.firewall_policy_response.firewall_policy_id #=> String
     #   resp.firewall_policy_response.description #=> String
-    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.firewall_policy_response.tags #=> Array
     #   resp.firewall_policy_response.tags[0].key #=> String
     #   resp.firewall_policy_response.tags[0].value #=> String
@@ -3149,6 +3199,13 @@ module Aws::NetworkFirewall
     #   own rule group is copied from. You can use the metadata to keep track
     #   of updates made to the originating rule group.
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis and then updates
+    #   the rule group for you. To run the stateless rule group analyzer
+    #   without updating the rule group, set `DryRun` to `TRUE`.
+    #
     # @return [Types::UpdateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateRuleGroupResponse#update_token #update_token} => String
@@ -3278,6 +3335,7 @@ module Aws::NetworkFirewall
     #       source_arn: "ResourceArn",
     #       source_update_token: "UpdateToken",
     #     },
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -3289,7 +3347,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.description #=> String
     #   resp.rule_group_response.type #=> String, one of "STATELESS", "STATEFUL"
     #   resp.rule_group_response.capacity #=> Integer
-    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.rule_group_response.tags #=> Array
     #   resp.rule_group_response.tags[0].key #=> String
     #   resp.rule_group_response.tags[0].value #=> String
@@ -3301,6 +3359,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroup AWS API Documentation
     #
@@ -3382,9 +3445,9 @@ module Aws::NetworkFirewall
     # Updates the TLS inspection configuration settings for the specified
     # TLS inspection configuration. You use a TLS inspection configuration
-    # by reference in one or more firewall policies. When you modify a TLS
-    # inspection configuration, you modify all firewall policies that use
-    # the TLS inspection configuration.
+    # by referencing it in one or more firewall policies. When you modify a
+    # TLS inspection configuration, you modify all firewall policies that
+    # use the TLS inspection configuration.
     #
     # To update a TLS inspection configuration, first call
     # DescribeTLSInspectionConfiguration to retrieve the current
@@ -3411,12 +3474,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information about
-    #   using TLS inspection configurations, see [Decrypting SSL/TLS traffic
-    #   with TLS inspection configurations][1] in the *Network Firewall
-    #   Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1] in
+    #   the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -3489,6 +3552,11 @@ module Aws::NetworkFirewall
     #               protocols: [1],
     #             },
     #           ],
+    #           certificate_authority_arn: "ResourceArn",
+    #           check_certificate_revocation_status: {
+    #             revoked_status_action: "PASS", # accepts PASS, DROP, REJECT
+    #             unknown_status_action: "PASS", # accepts PASS, DROP, REJECT
+    #           },
     #         },
     #       ],
     #     },
@@ -3506,7 +3574,7 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_arn #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_name #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_id #=> String
-    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.tls_inspection_configuration_response.description #=> String
     #   resp.tls_inspection_configuration_response.tags #=> Array
     #   resp.tls_inspection_configuration_response.tags[0].key #=> String
@@ -3520,6 +3588,10 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.certificates[0].certificate_serial #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status_message #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_arn #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_serial #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateTLSInspectionConfiguration AWS API Documentation
     #
@@ -3543,7 +3615,7 @@ module Aws::NetworkFirewall
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.35.0'
+      context[:gem_version] = '1.37.0'
       Seahorse::Client::Request.new(handlers, context)
     end

data/lib/aws-sdk-networkfirewall/client_api.rb CHANGED Viewed

@@ -18,6 +18,8 @@ module Aws::NetworkFirewall
     Address = Shapes::StructureShape.new(name: 'Address')
     AddressDefinition = Shapes::StringShape.new(name: 'AddressDefinition')
     Addresses = Shapes::ListShape.new(name: 'Addresses')
+    AnalysisResult = Shapes::StructureShape.new(name: 'AnalysisResult')
+    AnalysisResultList = Shapes::ListShape.new(name: 'AnalysisResultList')
     AssociateFirewallPolicyRequest = Shapes::StructureShape.new(name: 'AssociateFirewallPolicyRequest')
     AssociateFirewallPolicyResponse = Shapes::StructureShape.new(name: 'AssociateFirewallPolicyResponse')
     AssociateSubnetsRequest = Shapes::StructureShape.new(name: 'AssociateSubnetsRequest')
@@ -32,6 +34,7 @@ module Aws::NetworkFirewall
     CIDRSummary = Shapes::StructureShape.new(name: 'CIDRSummary')
     CapacityUsageSummary = Shapes::StructureShape.new(name: 'CapacityUsageSummary')
     Certificates = Shapes::ListShape.new(name: 'Certificates')
+    CheckCertificateRevocationStatusActions = Shapes::StructureShape.new(name: 'CheckCertificateRevocationStatusActions')
     CollectionMember_String = Shapes::StringShape.new(name: 'CollectionMember_String')
     ConfigurationSyncState = Shapes::StringShape.new(name: 'ConfigurationSyncState')
     CreateFirewallPolicyRequest = Shapes::StructureShape.new(name: 'CreateFirewallPolicyRequest')
@@ -102,6 +105,7 @@ module Aws::NetworkFirewall
     IPSetReferenceMap = Shapes::MapShape.new(name: 'IPSetReferenceMap')
     IPSetReferenceName = Shapes::StringShape.new(name: 'IPSetReferenceName')
     IPSets = Shapes::MapShape.new(name: 'IPSets')
+    IdentifiedType = Shapes::StringShape.new(name: 'IdentifiedType')
     InsufficientCapacityException = Shapes::StructureShape.new(name: 'InsufficientCapacityException')
     InternalServerError = Shapes::StructureShape.new(name: 'InternalServerError')
     InvalidOperationException = Shapes::StructureShape.new(name: 'InvalidOperationException')
@@ -159,6 +163,7 @@ module Aws::NetworkFirewall
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
     ResourceOwnerCheckException = Shapes::StructureShape.new(name: 'ResourceOwnerCheckException')
     ResourceStatus = Shapes::StringShape.new(name: 'ResourceStatus')
+    RevocationCheckAction = Shapes::StringShape.new(name: 'RevocationCheckAction')
     RuleCapacity = Shapes::IntegerShape.new(name: 'RuleCapacity')
     RuleDefinition = Shapes::StructureShape.new(name: 'RuleDefinition')
     RuleGroup = Shapes::StructureShape.new(name: 'RuleGroup')
@@ -166,6 +171,7 @@ module Aws::NetworkFirewall
     RuleGroupResponse = Shapes::StructureShape.new(name: 'RuleGroupResponse')
     RuleGroupType = Shapes::StringShape.new(name: 'RuleGroupType')
     RuleGroups = Shapes::ListShape.new(name: 'RuleGroups')
+    RuleIdList = Shapes::ListShape.new(name: 'RuleIdList')
     RuleOption = Shapes::StructureShape.new(name: 'RuleOption')
     RuleOptions = Shapes::ListShape.new(name: 'RuleOptions')
     RuleOrder = Shapes::StringShape.new(name: 'RuleOrder')
@@ -264,6 +270,13 @@ module Aws::NetworkFirewall
     Addresses.member = Shapes::ShapeRef.new(shape: Address)
+    AnalysisResult.add_member(:identified_rule_ids, Shapes::ShapeRef.new(shape: RuleIdList, location_name: "IdentifiedRuleIds"))
+    AnalysisResult.add_member(:identified_type, Shapes::ShapeRef.new(shape: IdentifiedType, location_name: "IdentifiedType"))
+    AnalysisResult.add_member(:analysis_detail, Shapes::ShapeRef.new(shape: CollectionMember_String, location_name: "AnalysisDetail"))
+    AnalysisResult.struct_class = Types::AnalysisResult
+    AnalysisResultList.member = Shapes::ShapeRef.new(shape: AnalysisResult)
     AssociateFirewallPolicyRequest.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, location_name: "UpdateToken"))
     AssociateFirewallPolicyRequest.add_member(:firewall_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "FirewallArn"))
     AssociateFirewallPolicyRequest.add_member(:firewall_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "FirewallName"))
@@ -306,6 +319,10 @@ module Aws::NetworkFirewall
     Certificates.member = Shapes::ShapeRef.new(shape: TlsCertificateData)
+    CheckCertificateRevocationStatusActions.add_member(:revoked_status_action, Shapes::ShapeRef.new(shape: RevocationCheckAction, location_name: "RevokedStatusAction"))
+    CheckCertificateRevocationStatusActions.add_member(:unknown_status_action, Shapes::ShapeRef.new(shape: RevocationCheckAction, location_name: "UnknownStatusAction"))
+    CheckCertificateRevocationStatusActions.struct_class = Types::CheckCertificateRevocationStatusActions
     CreateFirewallPolicyRequest.add_member(:firewall_policy_name, Shapes::ShapeRef.new(shape: ResourceName, required: true, location_name: "FirewallPolicyName"))
     CreateFirewallPolicyRequest.add_member(:firewall_policy, Shapes::ShapeRef.new(shape: FirewallPolicy, required: true, location_name: "FirewallPolicy"))
     CreateFirewallPolicyRequest.add_member(:description, Shapes::ShapeRef.new(shape: Description, location_name: "Description"))
@@ -344,6 +361,7 @@ module Aws::NetworkFirewall
     CreateRuleGroupRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: Boolean, location_name: "DryRun"))
     CreateRuleGroupRequest.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
     CreateRuleGroupRequest.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
+    CreateRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     CreateRuleGroupRequest.struct_class = Types::CreateRuleGroupRequest
     CreateRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -451,6 +469,7 @@ module Aws::NetworkFirewall
     DescribeRuleGroupRequest.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "RuleGroupName"))
     DescribeRuleGroupRequest.add_member(:rule_group_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "RuleGroupArn"))
     DescribeRuleGroupRequest.add_member(:type, Shapes::ShapeRef.new(shape: RuleGroupType, location_name: "Type"))
+    DescribeRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     DescribeRuleGroupRequest.struct_class = Types::DescribeRuleGroupRequest
     DescribeRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -729,10 +748,13 @@ module Aws::NetworkFirewall
     RuleGroupResponse.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
     RuleGroupResponse.add_member(:sns_topic, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "SnsTopic"))
     RuleGroupResponse.add_member(:last_modified_time, Shapes::ShapeRef.new(shape: LastUpdateTime, location_name: "LastModifiedTime"))
+    RuleGroupResponse.add_member(:analysis_results, Shapes::ShapeRef.new(shape: AnalysisResultList, location_name: "AnalysisResults"))
     RuleGroupResponse.struct_class = Types::RuleGroupResponse
     RuleGroups.member = Shapes::ShapeRef.new(shape: RuleGroupMetadata)
+    RuleIdList.member = Shapes::ShapeRef.new(shape: CollectionMember_String)
     RuleOption.add_member(:keyword, Shapes::ShapeRef.new(shape: Keyword, required: true, location_name: "Keyword"))
     RuleOption.add_member(:settings, Shapes::ShapeRef.new(shape: Settings, location_name: "Settings"))
     RuleOption.struct_class = Types::RuleOption
@@ -761,6 +783,8 @@ module Aws::NetworkFirewall
     ServerCertificateConfiguration.add_member(:server_certificates, Shapes::ShapeRef.new(shape: ServerCertificates, location_name: "ServerCertificates"))
     ServerCertificateConfiguration.add_member(:scopes, Shapes::ShapeRef.new(shape: ServerCertificateScopes, location_name: "Scopes"))
+    ServerCertificateConfiguration.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "CertificateAuthorityArn"))
+    ServerCertificateConfiguration.add_member(:check_certificate_revocation_status, Shapes::ShapeRef.new(shape: CheckCertificateRevocationStatusActions, location_name: "CheckCertificateRevocationStatus"))
     ServerCertificateConfiguration.struct_class = Types::ServerCertificateConfiguration
     ServerCertificateConfigurations.member = Shapes::ShapeRef.new(shape: ServerCertificateConfiguration)
@@ -865,6 +889,7 @@ module Aws::NetworkFirewall
     TLSInspectionConfigurationResponse.add_member(:number_of_associations, Shapes::ShapeRef.new(shape: NumberOfAssociations, location_name: "NumberOfAssociations"))
     TLSInspectionConfigurationResponse.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
     TLSInspectionConfigurationResponse.add_member(:certificates, Shapes::ShapeRef.new(shape: Certificates, location_name: "Certificates"))
+    TLSInspectionConfigurationResponse.add_member(:certificate_authority, Shapes::ShapeRef.new(shape: TlsCertificateData, location_name: "CertificateAuthority"))
     TLSInspectionConfigurationResponse.struct_class = Types::TLSInspectionConfigurationResponse
     TLSInspectionConfigurations.member = Shapes::ShapeRef.new(shape: TLSInspectionConfigurationMetadata)
@@ -984,6 +1009,7 @@ module Aws::NetworkFirewall
     UpdateRuleGroupRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: Boolean, location_name: "DryRun"))
     UpdateRuleGroupRequest.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
     UpdateRuleGroupRequest.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
+    UpdateRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     UpdateRuleGroupRequest.struct_class = Types::UpdateRuleGroupRequest
     UpdateRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))

data/lib/aws-sdk-networkfirewall/endpoint_provider.rb CHANGED Viewed

@@ -32,7 +32,7 @@ module Aws::NetworkFirewall
             raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
           end
           if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
+            if Aws::Endpoints::Matchers.boolean_equals?(Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"), true)
               return Aws::Endpoints::Endpoint.new(url: "https://network-firewall-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
             end
             raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"

data/lib/aws-sdk-networkfirewall/types.rb CHANGED Viewed

@@ -74,6 +74,70 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
+    # The analysis result for Network Firewall's stateless rule group
+    # analyzer. Every time you call CreateRuleGroup, UpdateRuleGroup, or
+    # DescribeRuleGroup on a stateless rule group, Network Firewall analyzes
+    # the stateless rule groups in your account and identifies the rules
+    # that might adversely effect your firewall's functionality. For
+    # example, if Network Firewall detects a rule that's routing traffic
+    # asymmetrically, which impacts the service's ability to properly
+    # process traffic, the service includes the rule in a list of analysis
+    # results.
+    #
+    # @!attribute [rw] identified_rule_ids
+    #   The priority number of the stateless rules identified in the
+    #   analysis.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] identified_type
+    #   The types of rule configurations that Network Firewall analyzes your
+    #   rule groups for. Network Firewall analyzes stateless rule groups for
+    #   the following types of rule configurations:
+    #
+    #   * `STATELESS_RULE_FORWARDING_ASYMMETRICALLY`
+    #
+    #     Cause: One or more stateless rules with the action `pass` or
+    #     `forward` are forwarding traffic asymmetrically. Specifically, the
+    #     rule's set of source IP addresses or their associated port
+    #     numbers, don't match the set of destination IP addresses or their
+    #     associated port numbers.
+    #
+    #     To mitigate: Make sure that there's an existing return path. For
+    #     example, if the rule allows traffic from source 10.1.0.0/24 to
+    #     destination 20.1.0.0/24, you should allow return traffic from
+    #     source 20.1.0.0/24 to destination 10.1.0.0/24.
+    #
+    #   * `STATELESS_RULE_CONTAINS_TCP_FLAGS`
+    #
+    #     Cause: At least one stateless rule with the action `pass`
+    #     or`forward` contains TCP flags that are inconsistent in the
+    #     forward and return directions.
+    #
+    #     To mitigate: Prevent asymmetric routing issues caused by TCP flags
+    #     by following these actions:
+    #
+    #     * Remove unnecessary TCP flag inspections from the rules.
+    #
+    #     * If you need to inspect TCP flags, check that the rules correctly
+    #       account for changes in TCP flags throughout the TCP connection
+    #       cycle, for example `SYN` and `ACK` flags used in a 3-way TCP
+    #       handshake.
+    #   @return [String]
+    #
+    # @!attribute [rw] analysis_detail
+    #   Provides analysis details for the identified rule.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AnalysisResult AWS API Documentation
+    #
+    class AnalysisResult < Struct.new(
+      :identified_rule_ids,
+      :identified_type,
+      :analysis_detail)
+      SENSITIVE = []
+      include Aws::Structure
+    end
     # @!attribute [rw] update_token
     #   An optional token that you can use for optimistic locking. Network
     #   Firewall returns a token to your requests that access the firewall.
@@ -355,6 +419,55 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
+    # Defines the actions to take on the SSL/TLS connection if the
+    # certificate presented by the server in the connection has a revoked or
+    # unknown status.
+    #
+    # @!attribute [rw] revoked_status_action
+    #   Configures how Network Firewall processes traffic when it determines
+    #   that the certificate presented by the server in the SSL/TLS
+    #   connection has a revoked status.
+    #
+    #   * **PASS** - Allow the connection to continue, and pass subsequent
+    #     packets to the stateful engine for inspection.
+    #
+    #   * **DROP** - Network Firewall closes the connection and drops
+    #     subsequent packets for that connection.
+    #
+    #   * **REJECT** - Network Firewall sends a TCP reject packet back to
+    #     your client. The service closes the connection and drops
+    #     subsequent packets for that connection. `REJECT` is available only
+    #     for TCP traffic.
+    #   @return [String]
+    #
+    # @!attribute [rw] unknown_status_action
+    #   Configures how Network Firewall processes traffic when it determines
+    #   that the certificate presented by the server in the SSL/TLS
+    #   connection has an unknown status, or a status that cannot be
+    #   determined for any other reason, including when the service is
+    #   unable to connect to the OCSP and CRL endpoints for the certificate.
+    #
+    #   * **PASS** - Allow the connection to continue, and pass subsequent
+    #     packets to the stateful engine for inspection.
+    #
+    #   * **DROP** - Network Firewall closes the connection and drops
+    #     subsequent packets for that connection.
+    #
+    #   * **REJECT** - Network Firewall sends a TCP reject packet back to
+    #     your client. The service closes the connection and drops
+    #     subsequent packets for that connection. `REJECT` is available only
+    #     for TCP traffic.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CheckCertificateRevocationStatusActions AWS API Documentation
+    #
+    class CheckCertificateRevocationStatusActions < Struct.new(
+      :revoked_status_action,
+      :unknown_status_action)
+      SENSITIVE = []
+      include Aws::Structure
+    end
     # @!attribute [rw] firewall_policy_name
     #   The descriptive name of the firewall policy. You can't change the
     #   name of a firewall policy after you create it.
@@ -655,6 +768,14 @@ module Aws::NetworkFirewall
     #   track of updates made to the originating rule group.
     #   @return [Types::SourceMetadata]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis and
+    #   then creates the rule group for you. To run the stateless rule group
+    #   analyzer without creating the rule group, set `DryRun` to `TRUE`.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroupRequest AWS API Documentation
     #
     class CreateRuleGroupRequest < Struct.new(
@@ -667,7 +788,8 @@ module Aws::NetworkFirewall
       :tags,
       :dry_run,
       :encryption_configuration,
-      :source_metadata)
+      :source_metadata,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -720,12 +842,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information
-    #   about using TLS inspection configurations, see [Decrypting SSL/TLS
-    #   traffic with TLS inspection configurations][1] in the *Network
-    #   Firewall Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1]
+    #   in the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -1333,12 +1455,19 @@ module Aws::NetworkFirewall
     #    </note>
     #   @return [String]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupRequest AWS API Documentation
     #
     class DescribeRuleGroupRequest < Struct.new(
       :rule_group_name,
       :rule_group_arn,
-      :type)
+      :type,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1441,12 +1570,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information
-    #   about using TLS inspection configurations, see [Decrypting SSL/TLS
-    #   traffic with TLS inspection configurations][1] in the *Network
-    #   Firewall Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1]
+    #   in the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -2210,7 +2339,7 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
-    # Your request is valid, but Network Firewall couldn’t perform the
+    # Your request is valid, but Network Firewall couldn't perform the
     # operation because of a system problem. Retry your request.
     #
     # @!attribute [rw] message
@@ -2984,7 +3113,12 @@ module Aws::NetworkFirewall
     #   Additional options governing how Network Firewall handles stateful
     #   rules. The policies where you use your stateful rule group must have
     #   stateful rule options settings that are compatible with these
-    #   settings.
+    #   settings. Some limitations apply; for more information, see [Strict
+    #   evaluation order][1] in the *Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html
     #   @return [Types::StatefulRuleOptions]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleGroup AWS API Documentation
@@ -3110,6 +3244,17 @@ module Aws::NetworkFirewall
     #   The last time that the rule group was changed.
     #   @return [Time]
     #
+    # @!attribute [rw] analysis_results
+    #   The list of analysis results for `AnalyzeRuleGroup`. If you set
+    #   `AnalyzeRuleGroup` to `TRUE` in CreateRuleGroup, UpdateRuleGroup, or
+    #   DescribeRuleGroup, Network Firewall analyzes the rule group and
+    #   identifies the rules that might adversely effect your firewall's
+    #   functionality. For example, if Network Firewall detects a rule
+    #   that's routing traffic asymmetrically, which impacts the service's
+    #   ability to properly process traffic, the service includes the rule
+    #   in the list of analysis results.
+    #   @return [Array<Types::AnalysisResult>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleGroupResponse AWS API Documentation
     #
     class RuleGroupResponse < Struct.new(
@@ -3126,7 +3271,8 @@ module Aws::NetworkFirewall
       :encryption_configuration,
       :source_metadata,
       :sns_topic,
-      :last_modified_time)
+      :last_modified_time,
+      :analysis_results)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3190,14 +3336,18 @@ module Aws::NetworkFirewall
     # instance of this for either stateless rules or stateful rules.
     #
     # @!attribute [rw] rules_string
-    #   Stateful inspection criteria, provided in Suricata compatible
-    #   intrusion prevention system (IPS) rules. Suricata is an open-source
-    #   network IPS that includes a standard rule-based language for network
-    #   traffic inspection.
+    #   Stateful inspection criteria, provided in Suricata compatible rules.
+    #   Suricata is an open-source threat detection framework that includes
+    #   a standard rule-based language for network traffic inspection.
     #
     #   These rules contain the inspection criteria and the action to take
     #   for traffic that matches the criteria, so this type of rule group
     #   doesn't have a separate action setting.
+    #
+    #   <note markdown="1"> You can't use the `priority` keyword if the `RuleOrder` option in
+    #   StatefulRuleOptions is set to `STRICT_ORDER`.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] rules_source_list
@@ -3281,13 +3431,14 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
-    # Any Certificate Manager Secure Sockets Layer/Transport Layer Security
-    # (SSL/TLS) server certificate that's associated with a
-    # ServerCertificateConfiguration used in a TLSInspectionConfiguration.
-    # You must request or import a SSL/TLS certificate into ACM for each
-    # domain Network Firewall needs to decrypt and inspect. Network Firewall
-    # uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS
-    # traffic going to your firewall. For information about working with
+    # Any Certificate Manager (ACM) Secure Sockets Layer/Transport Layer
+    # Security (SSL/TLS) server certificate that's associated with a
+    # ServerCertificateConfiguration. Used in a TLSInspectionConfiguration
+    # for inspection of inbound traffic to your firewall. You must request
+    # or import a SSL/TLS certificate into ACM for each domain Network
+    # Firewall needs to decrypt and inspect. Network Firewall uses the
+    # SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic
+    # going to your firewall. For information about working with
     # certificates in Certificate Manager, see [Request a public certificate
     # ][1] or [Importing certificates][2] in the *Certificate Manager User
     # Guide*.
@@ -3299,7 +3450,7 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] resource_arn
     #   The Amazon Resource Name (ARN) of the Certificate Manager SSL/TLS
-    #   server certificate.
+    #   server certificate that's used for inbound SSL/TLS inspection.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ServerCertificate AWS API Documentation
@@ -3310,13 +3461,14 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
-    # Configures the associated Certificate Manager Secure Sockets
-    # Layer/Transport Layer Security (SSL/TLS) server certificates and scope
-    # settings Network Firewall uses to decrypt traffic in a
-    # TLSInspectionConfiguration. For information about working with SSL/TLS
-    # certificates for TLS inspection, see [ Requirements for using SSL/TLS
-    # server certficiates with TLS inspection configurations][1] in the
-    # *Network Firewall Developer Guide*.
+    # Configures the Certificate Manager certificates and scope that Network
+    # Firewall uses to decrypt and re-encrypt traffic using a
+    # TLSInspectionConfiguration. You can configure `ServerCertificates` for
+    # inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound
+    # SSL/TLS inspection, or both. For information about working with
+    # certificates for TLS inspection, see [ Using SSL/TLS server
+    # certficiates with TLS inspection configurations][1] in the *Network
+    # Firewall Developer Guide*.
     #
     # <note markdown="1"> If a server certificate that's associated with your
     # TLSInspectionConfiguration is revoked, deleted, or expired it can
@@ -3329,19 +3481,58 @@ module Aws::NetworkFirewall
     # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html
     #
     # @!attribute [rw] server_certificates
-    #   The list of a server certificate configuration's Certificate
-    #   Manager SSL/TLS certificates.
+    #   The list of server certificates to use for inbound SSL/TLS
+    #   inspection.
     #   @return [Array<Types::ServerCertificate>]
     #
     # @!attribute [rw] scopes
-    #   A list of a server certificate configuration's scopes.
+    #   A list of scopes.
     #   @return [Array<Types::ServerCertificateScope>]
     #
+    # @!attribute [rw] certificate_authority_arn
+    #   The Amazon Resource Name (ARN) of the imported certificate authority
+    #   (CA) certificate within Certificate Manager (ACM) to use for
+    #   outbound SSL/TLS inspection.
+    #
+    #   The following limitations apply:
+    #
+    #   * You can use CA certificates that you imported into ACM, but you
+    #     can't generate CA certificates with ACM.
+    #
+    #   * You can't use certificates issued by Private Certificate
+    #     Authority.
+    #
+    #   For more information about configuring certificates for outbound
+    #   inspection, see [Using SSL/TLS certificates with certificates with
+    #   TLS inspection configurations][1] in the *Network Firewall Developer
+    #   Guide*.
+    #
+    #   For information about working with certificates in ACM, see
+    #   [Importing certificates][2] in the *Certificate Manager User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html
+    #   [2]: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html
+    #   @return [String]
+    #
+    # @!attribute [rw] check_certificate_revocation_status
+    #   When enabled, Network Firewall checks if the server certificate
+    #   presented by the server in the SSL/TLS connection has a revoked or
+    #   unkown status. If the certificate has an unknown or revoked status,
+    #   you must specify the actions that Network Firewall takes on outbound
+    #   traffic. To check the certificate revocation status, you must also
+    #   specify a `CertificateAuthorityArn` in
+    #   ServerCertificateConfiguration.
+    #   @return [Types::CheckCertificateRevocationStatusActions]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ServerCertificateConfiguration AWS API Documentation
     #
     class ServerCertificateConfiguration < Struct.new(
       :server_certificates,
-      :scopes)
+      :scopes,
+      :certificate_authority_arn,
+      :check_certificate_revocation_status)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3436,11 +3627,17 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] rule_order
     #   Indicates how to manage the order of stateful rule evaluation for
-    #   the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful
-    #   rules are provided to the rule engine as Suricata compatible
-    #   strings, and Suricata evaluates them based on certain settings. For
-    #   more information, see [Evaluation order for stateful rules][1] in
-    #   the *Network Firewall Developer Guide*.
+    #   the policy. `STRICT_ORDER` is the default and recommended option.
+    #   With `STRICT_ORDER`, provide your rules in the order that you want
+    #   them to be evaluated. You can then choose one or more default
+    #   actions for packets that don't match any rules. Choose
+    #   `STRICT_ORDER` to have the stateful rules engine determine the
+    #   evaluation order of your rules. The default action for this rule
+    #   order is `PASS`, followed by `DROP`, `REJECT`, and `ALERT` actions.
+    #   Stateful rules are provided to the rule engine as Suricata
+    #   compatible strings, and Suricata evaluates them based on your
+    #   settings. For more information, see [Evaluation order for stateful
+    #   rules][1] in the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -3507,9 +3704,8 @@ module Aws::NetworkFirewall
     #     destination and sends an alert log message, if alert logging is
     #     configured in the Firewall LoggingConfiguration.
     #
-    #   * **ALERT** - Permits the packets to go to the intended destination
-    #     and sends an alert log message, if alert logging is configured in
-    #     the Firewall LoggingConfiguration.
+    #   * **ALERT** - Sends an alert log message, if alert logging is
+    #     configured in the Firewall LoggingConfiguration.
     #
     #     You can use this action to test a rule that you intend to use to
     #     drop traffic. You can enable the rule with `ALERT` action, verify
@@ -3812,12 +4008,12 @@ module Aws::NetworkFirewall
     # To use a TLS inspection configuration, you add it to a new Network
     # Firewall firewall policy, then you apply the firewall policy to a
     # firewall. Network Firewall acts as a proxy service to decrypt and
-    # inspect inbound traffic. You can reference a TLS inspection
-    # configuration from more than one firewall policy, and you can use a
-    # firewall policy in more than one firewall. For more information about
-    # using TLS inspection configurations, see [Decrypting SSL/TLS traffic
-    # with TLS inspection configurations][1] in the *Network Firewall
-    # Developer Guide*.
+    # inspect the traffic traveling through your firewalls. You can
+    # reference a TLS inspection configuration from more than one firewall
+    # policy, and you can use a firewall policy in more than one firewall.
+    # For more information about using TLS inspection configurations, see
+    # [Inspecting SSL/TLS traffic with TLS inspection configurations][1] in
+    # the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -3915,6 +4111,10 @@ module Aws::NetworkFirewall
     #   configuration.
     #   @return [Array<Types::TlsCertificateData>]
     #
+    # @!attribute [rw] certificate_authority
+    #   Contains metadata about an Certificate Manager certificate.
+    #   @return [Types::TlsCertificateData]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/TLSInspectionConfigurationResponse AWS API Documentation
     #
     class TLSInspectionConfigurationResponse < Struct.new(
@@ -3927,7 +4127,8 @@ module Aws::NetworkFirewall
       :last_modified_time,
       :number_of_associations,
       :encryption_configuration,
-      :certificates)
+      :certificates,
+      :certificate_authority)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4709,6 +4910,14 @@ module Aws::NetworkFirewall
     #   track of updates made to the originating rule group.
     #   @return [Types::SourceMetadata]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis and
+    #   then updates the rule group for you. To run the stateless rule group
+    #   analyzer without updating the rule group, set `DryRun` to `TRUE`.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroupRequest AWS API Documentation
     #
     class UpdateRuleGroupRequest < Struct.new(
@@ -4721,7 +4930,8 @@ module Aws::NetworkFirewall
       :description,
       :dry_run,
       :encryption_configuration,
-      :source_metadata)
+      :source_metadata,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4878,12 +5088,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information
-    #   about using TLS inspection configurations, see [Decrypting SSL/TLS
-    #   traffic with TLS inspection configurations][1] in the *Network
-    #   Firewall Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1]
+    #   in the *Network Firewall Developer Guide*.
     #
     #
     #

data/lib/aws-sdk-networkfirewall.rb CHANGED Viewed

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-networkfirewall/customizations'
 # @!group service
 module Aws::NetworkFirewall
-  GEM_VERSION = '1.35.0'
+  GEM_VERSION = '1.37.0'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-networkfirewall
 version: !ruby/object:Gem::Version
-  version: 1.35.0
+  version: 1.37.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-27 00:00:00.000000000 Z
+date: 2023-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core