RubyGems - aws-sdk-networkfirewall - Versions diffs - 1.35.0 → 1.37.0 - Mend

aws-sdk-networkfirewall 1.35.0 → 1.37.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/VERSION +1 -1
data/lib/aws-sdk-networkfirewall/client.rb +106 -34
data/lib/aws-sdk-networkfirewall/client_api.rb +26 -0
data/lib/aws-sdk-networkfirewall/endpoint_provider.rb +1 -1
data/lib/aws-sdk-networkfirewall/types.rb +272 -62
data/lib/aws-sdk-networkfirewall.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 93f906c49425708a99fefe392ecc65c744ed614c3731a9449151acf53512963b
-  data.tar.gz: cba122ba325f3fc897c5d8303d76244f9b984114ab4ebdde8c6525a0c78bcc96
+  metadata.gz: 1ead7232a47e4248e5f8e27ffea9f25c2440d542fc0bfa6578c81b9486b7b07b
+  data.tar.gz: c85889a00b03ab03b4b4497d90bc5d43b820a91ed2138c8794e65bd58f5eba3e
 SHA512:
-  metadata.gz: 43149af37997bf292ad1d3da81402f90a52e89f512b437300bd5778529a93413a02716ee61b0523da651d9af9909e402671124ecdc17753dfabe4e82b23a43fb
-  data.tar.gz: 29ff4749347cae6fa3d96730e7aab182271168077a16b8da3e9b4f27a9edaa89ebbc4a13c359f3079da293f1b0f0bae8ac6d2ab35e3f8bc2e6aa7d15f090b9da
+  metadata.gz: 0f9693651148e310a4006394e3381083ef03f7eff5d883e8cf5e9ac9957d55ec79b1cce56c4251feca36e702c1136804a58740568ccd3b7088a321edad22af15
+  data.tar.gz: dfc2ed10eb6ad18b5191eddc9c48ce7d233239c5fe911503882d981891d126e7a0c6ae6e2c189ee1ce8344051a4b8dfc3b44a7396a7cd5c97c878027e8831fbe

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
+1.37.0 (2023-11-02)
+------------------
+* Feature - This release introduces the stateless rule analyzer, which enables you to analyze your stateless rules for asymmetric routing.
+1.36.0 (2023-10-26)
+------------------
+* Feature - Network Firewall now supports inspection of outbound SSL/TLS traffic.
 1.35.0 (2023-09-27)
 ------------------

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 1.35.0
1	+ 1.37.0

data/lib/aws-sdk-networkfirewall/client.rb CHANGED Viewed

@@ -818,7 +818,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy_response.firewall_policy_arn #=> String
     #   resp.firewall_policy_response.firewall_policy_id #=> String
     #   resp.firewall_policy_response.description #=> String
-    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.firewall_policy_response.tags #=> Array
     #   resp.firewall_policy_response.tags[0].key #=> String
     #   resp.firewall_policy_response.tags[0].value #=> String
@@ -955,6 +955,13 @@ module Aws::NetworkFirewall
     #   own rule group is copied from. You can use the metadata to keep track
     #   of updates made to the originating rule group.
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis and then creates
+    #   the rule group for you. To run the stateless rule group analyzer
+    #   without creating the rule group, set `DryRun` to `TRUE`.
+    #
     # @return [Types::CreateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateRuleGroupResponse#update_token #update_token} => String
@@ -1089,6 +1096,7 @@ module Aws::NetworkFirewall
     #       source_arn: "ResourceArn",
     #       source_update_token: "UpdateToken",
     #     },
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -1100,7 +1108,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.description #=> String
     #   resp.rule_group_response.type #=> String, one of "STATELESS", "STATEFUL"
     #   resp.rule_group_response.capacity #=> Integer
-    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.rule_group_response.tags #=> Array
     #   resp.rule_group_response.tags[0].key #=> String
     #   resp.rule_group_response.tags[0].value #=> String
@@ -1112,6 +1120,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroup AWS API Documentation
     #
@@ -1123,12 +1136,13 @@ module Aws::NetworkFirewall
     end
     # Creates an Network Firewall TLS inspection configuration. A TLS
-    # inspection configuration contains the Certificate Manager certificate
-    # references that Network Firewall uses to decrypt and re-encrypt
-    # inbound traffic.
+    # inspection configuration contains Certificate Manager certificate
+    # associations between and the scope configurations that Network
+    # Firewall uses to decrypt and re-encrypt traffic traveling through your
+    # firewall.
     #
-    # After you create a TLS inspection configuration, you associate it with
-    # a new firewall policy.
+    # After you create a TLS inspection configuration, you can associate it
+    # with a new firewall policy.
     #
     # To update the settings for a TLS inspection configuration, use
     # UpdateTLSInspectionConfiguration.
@@ -1142,7 +1156,7 @@ module Aws::NetworkFirewall
     # DescribeTLSInspectionConfiguration.
     #
     # For more information about TLS inspection configurations, see
-    # [Decrypting SSL/TLS traffic with TLS inspection configurations][1] in
+    # [Inspecting SSL/TLS traffic with TLS inspection configurations][1] in
     # the *Network Firewall Developer Guide*.
     #
     #
@@ -1166,12 +1180,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information about
-    #   using TLS inspection configurations, see [Decrypting SSL/TLS traffic
-    #   with TLS inspection configurations][1] in the *Network Firewall
-    #   Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1] in
+    #   the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -1242,6 +1256,11 @@ module Aws::NetworkFirewall
     #               protocols: [1],
     #             },
     #           ],
+    #           certificate_authority_arn: "ResourceArn",
+    #           check_certificate_revocation_status: {
+    #             revoked_status_action: "PASS", # accepts PASS, DROP, REJECT
+    #             unknown_status_action: "PASS", # accepts PASS, DROP, REJECT
+    #           },
     #         },
     #       ],
     #     },
@@ -1264,7 +1283,7 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_arn #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_name #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_id #=> String
-    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.tls_inspection_configuration_response.description #=> String
     #   resp.tls_inspection_configuration_response.tags #=> Array
     #   resp.tls_inspection_configuration_response.tags[0].key #=> String
@@ -1278,6 +1297,10 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.certificates[0].certificate_serial #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status_message #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_arn #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_serial #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateTLSInspectionConfiguration AWS API Documentation
     #
@@ -1400,7 +1423,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy_response.firewall_policy_arn #=> String
     #   resp.firewall_policy_response.firewall_policy_id #=> String
     #   resp.firewall_policy_response.description #=> String
-    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.firewall_policy_response.tags #=> Array
     #   resp.firewall_policy_response.tags[0].key #=> String
     #   resp.firewall_policy_response.tags[0].value #=> String
@@ -1487,7 +1510,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.description #=> String
     #   resp.rule_group_response.type #=> String, one of "STATELESS", "STATEFUL"
     #   resp.rule_group_response.capacity #=> Integer
-    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.rule_group_response.tags #=> Array
     #   resp.rule_group_response.tags[0].key #=> String
     #   resp.rule_group_response.tags[0].value #=> String
@@ -1499,6 +1522,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteRuleGroup AWS API Documentation
     #
@@ -1538,7 +1566,7 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_arn #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_name #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_id #=> String
-    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.tls_inspection_configuration_response.description #=> String
     #   resp.tls_inspection_configuration_response.tags #=> Array
     #   resp.tls_inspection_configuration_response.tags[0].key #=> String
@@ -1552,6 +1580,10 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.certificates[0].certificate_serial #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status_message #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_arn #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_serial #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteTLSInspectionConfiguration AWS API Documentation
     #
@@ -1665,7 +1697,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy_response.firewall_policy_arn #=> String
     #   resp.firewall_policy_response.firewall_policy_id #=> String
     #   resp.firewall_policy_response.description #=> String
-    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.firewall_policy_response.tags #=> Array
     #   resp.firewall_policy_response.tags[0].key #=> String
     #   resp.firewall_policy_response.tags[0].value #=> String
@@ -1804,6 +1836,11 @@ module Aws::NetworkFirewall
     #
     #    </note>
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis.
+    #
     # @return [Types::DescribeRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DescribeRuleGroupResponse#update_token #update_token} => String
@@ -1816,6 +1853,7 @@ module Aws::NetworkFirewall
     #     rule_group_name: "ResourceName",
     #     rule_group_arn: "ResourceArn",
     #     type: "STATELESS", # accepts STATELESS, STATEFUL
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -1879,7 +1917,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.description #=> String
     #   resp.rule_group_response.type #=> String, one of "STATELESS", "STATEFUL"
     #   resp.rule_group_response.capacity #=> Integer
-    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.rule_group_response.tags #=> Array
     #   resp.rule_group_response.tags[0].key #=> String
     #   resp.rule_group_response.tags[0].value #=> String
@@ -1891,6 +1929,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroup AWS API Documentation
     #
@@ -2011,10 +2054,13 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration.server_certificate_configurations[0].scopes[0].destination_ports[0].to_port #=> Integer
     #   resp.tls_inspection_configuration.server_certificate_configurations[0].scopes[0].protocols #=> Array
     #   resp.tls_inspection_configuration.server_certificate_configurations[0].scopes[0].protocols[0] #=> Integer
+    #   resp.tls_inspection_configuration.server_certificate_configurations[0].certificate_authority_arn #=> String
+    #   resp.tls_inspection_configuration.server_certificate_configurations[0].check_certificate_revocation_status.revoked_status_action #=> String, one of "PASS", "DROP", "REJECT"
+    #   resp.tls_inspection_configuration.server_certificate_configurations[0].check_certificate_revocation_status.unknown_status_action #=> String, one of "PASS", "DROP", "REJECT"
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_arn #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_name #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_id #=> String
-    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.tls_inspection_configuration_response.description #=> String
     #   resp.tls_inspection_configuration_response.tags #=> Array
     #   resp.tls_inspection_configuration_response.tags[0].key #=> String
@@ -2028,6 +2074,10 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.certificates[0].certificate_serial #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status_message #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_arn #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_serial #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeTLSInspectionConfiguration AWS API Documentation
     #
@@ -2880,7 +2930,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy_response.firewall_policy_arn #=> String
     #   resp.firewall_policy_response.firewall_policy_id #=> String
     #   resp.firewall_policy_response.description #=> String
-    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.firewall_policy_response.firewall_policy_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.firewall_policy_response.tags #=> Array
     #   resp.firewall_policy_response.tags[0].key #=> String
     #   resp.firewall_policy_response.tags[0].value #=> String
@@ -3149,6 +3199,13 @@ module Aws::NetworkFirewall
     #   own rule group is copied from. You can use the metadata to keep track
     #   of updates made to the originating rule group.
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis and then updates
+    #   the rule group for you. To run the stateless rule group analyzer
+    #   without updating the rule group, set `DryRun` to `TRUE`.
+    #
     # @return [Types::UpdateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateRuleGroupResponse#update_token #update_token} => String
@@ -3278,6 +3335,7 @@ module Aws::NetworkFirewall
     #       source_arn: "ResourceArn",
     #       source_update_token: "UpdateToken",
     #     },
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -3289,7 +3347,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.description #=> String
     #   resp.rule_group_response.type #=> String, one of "STATELESS", "STATEFUL"
     #   resp.rule_group_response.capacity #=> Integer
-    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.rule_group_response.rule_group_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.rule_group_response.tags #=> Array
     #   resp.rule_group_response.tags[0].key #=> String
     #   resp.rule_group_response.tags[0].value #=> String
@@ -3301,6 +3359,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroup AWS API Documentation
     #
@@ -3382,9 +3445,9 @@ module Aws::NetworkFirewall
     # Updates the TLS inspection configuration settings for the specified
     # TLS inspection configuration. You use a TLS inspection configuration
-    # by reference in one or more firewall policies. When you modify a TLS
-    # inspection configuration, you modify all firewall policies that use
-    # the TLS inspection configuration.
+    # by referencing it in one or more firewall policies. When you modify a
+    # TLS inspection configuration, you modify all firewall policies that
+    # use the TLS inspection configuration.
     #
     # To update a TLS inspection configuration, first call
     # DescribeTLSInspectionConfiguration to retrieve the current
@@ -3411,12 +3474,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information about
-    #   using TLS inspection configurations, see [Decrypting SSL/TLS traffic
-    #   with TLS inspection configurations][1] in the *Network Firewall
-    #   Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1] in
+    #   the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -3489,6 +3552,11 @@ module Aws::NetworkFirewall
     #               protocols: [1],
     #             },
     #           ],
+    #           certificate_authority_arn: "ResourceArn",
+    #           check_certificate_revocation_status: {
+    #             revoked_status_action: "PASS", # accepts PASS, DROP, REJECT
+    #             unknown_status_action: "PASS", # accepts PASS, DROP, REJECT
+    #           },
     #         },
     #       ],
     #     },
@@ -3506,7 +3574,7 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_arn #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_name #=> String
     #   resp.tls_inspection_configuration_response.tls_inspection_configuration_id #=> String
-    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING"
+    #   resp.tls_inspection_configuration_response.tls_inspection_configuration_status #=> String, one of "ACTIVE", "DELETING", "ERROR"
     #   resp.tls_inspection_configuration_response.description #=> String
     #   resp.tls_inspection_configuration_response.tags #=> Array
     #   resp.tls_inspection_configuration_response.tags[0].key #=> String
@@ -3520,6 +3588,10 @@ module Aws::NetworkFirewall
     #   resp.tls_inspection_configuration_response.certificates[0].certificate_serial #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status #=> String
     #   resp.tls_inspection_configuration_response.certificates[0].status_message #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_arn #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.certificate_serial #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status #=> String
+    #   resp.tls_inspection_configuration_response.certificate_authority.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateTLSInspectionConfiguration AWS API Documentation
     #
@@ -3543,7 +3615,7 @@ module Aws::NetworkFirewall
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.35.0'
+      context[:gem_version] = '1.37.0'
       Seahorse::Client::Request.new(handlers, context)
     end

data/lib/aws-sdk-networkfirewall/client_api.rb CHANGED Viewed

@@ -18,6 +18,8 @@ module Aws::NetworkFirewall
     Address = Shapes::StructureShape.new(name: 'Address')
     AddressDefinition = Shapes::StringShape.new(name: 'AddressDefinition')
     Addresses = Shapes::ListShape.new(name: 'Addresses')
+    AnalysisResult = Shapes::StructureShape.new(name: 'AnalysisResult')
+    AnalysisResultList = Shapes::ListShape.new(name: 'AnalysisResultList')
     AssociateFirewallPolicyRequest = Shapes::StructureShape.new(name: 'AssociateFirewallPolicyRequest')
     AssociateFirewallPolicyResponse = Shapes::StructureShape.new(name: 'AssociateFirewallPolicyResponse')
     AssociateSubnetsRequest = Shapes::StructureShape.new(name: 'AssociateSubnetsRequest')
@@ -32,6 +34,7 @@ module Aws::NetworkFirewall
     CIDRSummary = Shapes::StructureShape.new(name: 'CIDRSummary')
     CapacityUsageSummary = Shapes::StructureShape.new(name: 'CapacityUsageSummary')
     Certificates = Shapes::ListShape.new(name: 'Certificates')
+    CheckCertificateRevocationStatusActions = Shapes::StructureShape.new(name: 'CheckCertificateRevocationStatusActions')
     CollectionMember_String = Shapes::StringShape.new(name: 'CollectionMember_String')
     ConfigurationSyncState = Shapes::StringShape.new(name: 'ConfigurationSyncState')
     CreateFirewallPolicyRequest = Shapes::StructureShape.new(name: 'CreateFirewallPolicyRequest')
@@ -102,6 +105,7 @@ module Aws::NetworkFirewall
     IPSetReferenceMap = Shapes::MapShape.new(name: 'IPSetReferenceMap')
     IPSetReferenceName = Shapes::StringShape.new(name: 'IPSetReferenceName')
     IPSets = Shapes::MapShape.new(name: 'IPSets')
+    IdentifiedType = Shapes::StringShape.new(name: 'IdentifiedType')
     InsufficientCapacityException = Shapes::StructureShape.new(name: 'InsufficientCapacityException')
     InternalServerError = Shapes::StructureShape.new(name: 'InternalServerError')
     InvalidOperationException = Shapes::StructureShape.new(name: 'InvalidOperationException')
@@ -159,6 +163,7 @@ module Aws::NetworkFirewall
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
     ResourceOwnerCheckException = Shapes::StructureShape.new(name: 'ResourceOwnerCheckException')
     ResourceStatus = Shapes::StringShape.new(name: 'ResourceStatus')
+    RevocationCheckAction = Shapes::StringShape.new(name: 'RevocationCheckAction')
     RuleCapacity = Shapes::IntegerShape.new(name: 'RuleCapacity')
     RuleDefinition = Shapes::StructureShape.new(name: 'RuleDefinition')
     RuleGroup = Shapes::StructureShape.new(name: 'RuleGroup')
@@ -166,6 +171,7 @@ module Aws::NetworkFirewall
     RuleGroupResponse = Shapes::StructureShape.new(name: 'RuleGroupResponse')
     RuleGroupType = Shapes::StringShape.new(name: 'RuleGroupType')
     RuleGroups = Shapes::ListShape.new(name: 'RuleGroups')
+    RuleIdList = Shapes::ListShape.new(name: 'RuleIdList')
     RuleOption = Shapes::StructureShape.new(name: 'RuleOption')
     RuleOptions = Shapes::ListShape.new(name: 'RuleOptions')
     RuleOrder = Shapes::StringShape.new(name: 'RuleOrder')
@@ -264,6 +270,13 @@ module Aws::NetworkFirewall
     Addresses.member = Shapes::ShapeRef.new(shape: Address)
+    AnalysisResult.add_member(:identified_rule_ids, Shapes::ShapeRef.new(shape: RuleIdList, location_name: "IdentifiedRuleIds"))
+    AnalysisResult.add_member(:identified_type, Shapes::ShapeRef.new(shape: IdentifiedType, location_name: "IdentifiedType"))
+    AnalysisResult.add_member(:analysis_detail, Shapes::ShapeRef.new(shape: CollectionMember_String, location_name: "AnalysisDetail"))
+    AnalysisResult.struct_class = Types::AnalysisResult
+    AnalysisResultList.member = Shapes::ShapeRef.new(shape: AnalysisResult)
     AssociateFirewallPolicyRequest.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, location_name: "UpdateToken"))
     AssociateFirewallPolicyRequest.add_member(:firewall_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "FirewallArn"))
     AssociateFirewallPolicyRequest.add_member(:firewall_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "FirewallName"))
@@ -306,6 +319,10 @@ module Aws::NetworkFirewall
     Certificates.member = Shapes::ShapeRef.new(shape: TlsCertificateData)
+    CheckCertificateRevocationStatusActions.add_member(:revoked_status_action, Shapes::ShapeRef.new(shape: RevocationCheckAction, location_name: "RevokedStatusAction"))
+    CheckCertificateRevocationStatusActions.add_member(:unknown_status_action, Shapes::ShapeRef.new(shape: RevocationCheckAction, location_name: "UnknownStatusAction"))
+    CheckCertificateRevocationStatusActions.struct_class = Types::CheckCertificateRevocationStatusActions
     CreateFirewallPolicyRequest.add_member(:firewall_policy_name, Shapes::ShapeRef.new(shape: ResourceName, required: true, location_name: "FirewallPolicyName"))
     CreateFirewallPolicyRequest.add_member(:firewall_policy, Shapes::ShapeRef.new(shape: FirewallPolicy, required: true, location_name: "FirewallPolicy"))
     CreateFirewallPolicyRequest.add_member(:description, Shapes::ShapeRef.new(shape: Description, location_name: "Description"))
@@ -344,6 +361,7 @@ module Aws::NetworkFirewall
     CreateRuleGroupRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: Boolean, location_name: "DryRun"))
     CreateRuleGroupRequest.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
     CreateRuleGroupRequest.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
+    CreateRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     CreateRuleGroupRequest.struct_class = Types::CreateRuleGroupRequest
     CreateRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -451,6 +469,7 @@ module Aws::NetworkFirewall
     DescribeRuleGroupRequest.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "RuleGroupName"))
     DescribeRuleGroupRequest.add_member(:rule_group_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "RuleGroupArn"))
     DescribeRuleGroupRequest.add_member(:type, Shapes::ShapeRef.new(shape: RuleGroupType, location_name: "Type"))
+    DescribeRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     DescribeRuleGroupRequest.struct_class = Types::DescribeRuleGroupRequest
     DescribeRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -729,10 +748,13 @@ module Aws::NetworkFirewall
     RuleGroupResponse.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
     RuleGroupResponse.add_member(:sns_topic, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "SnsTopic"))
     RuleGroupResponse.add_member(:last_modified_time, Shapes::ShapeRef.new(shape: LastUpdateTime, location_name: "LastModifiedTime"))
+    RuleGroupResponse.add_member(:analysis_results, Shapes::ShapeRef.new(shape: AnalysisResultList, location_name: "AnalysisResults"))
     RuleGroupResponse.struct_class = Types::RuleGroupResponse
     RuleGroups.member = Shapes::ShapeRef.new(shape: RuleGroupMetadata)
+    RuleIdList.member = Shapes::ShapeRef.new(shape: CollectionMember_String)
     RuleOption.add_member(:keyword, Shapes::ShapeRef.new(shape: Keyword, required: true, location_name: "Keyword"))
     RuleOption.add_member(:settings, Shapes::ShapeRef.new(shape: Settings, location_name: "Settings"))
     RuleOption.struct_class = Types::RuleOption
@@ -761,6 +783,8 @@ module Aws::NetworkFirewall
     ServerCertificateConfiguration.add_member(:server_certificates, Shapes::ShapeRef.new(shape: ServerCertificates, location_name: "ServerCertificates"))
     ServerCertificateConfiguration.add_member(:scopes, Shapes::ShapeRef.new(shape: ServerCertificateScopes, location_name: "Scopes"))
+    ServerCertificateConfiguration.add_member(:certificate_authority_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "CertificateAuthorityArn"))
+    ServerCertificateConfiguration.add_member(:check_certificate_revocation_status, Shapes::ShapeRef.new(shape: CheckCertificateRevocationStatusActions, location_name: "CheckCertificateRevocationStatus"))
     ServerCertificateConfiguration.struct_class = Types::ServerCertificateConfiguration
     ServerCertificateConfigurations.member = Shapes::ShapeRef.new(shape: ServerCertificateConfiguration)
@@ -865,6 +889,7 @@ module Aws::NetworkFirewall
     TLSInspectionConfigurationResponse.add_member(:number_of_associations, Shapes::ShapeRef.new(shape: NumberOfAssociations, location_name: "NumberOfAssociations"))
     TLSInspectionConfigurationResponse.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
     TLSInspectionConfigurationResponse.add_member(:certificates, Shapes::ShapeRef.new(shape: Certificates, location_name: "Certificates"))
+    TLSInspectionConfigurationResponse.add_member(:certificate_authority, Shapes::ShapeRef.new(shape: TlsCertificateData, location_name: "CertificateAuthority"))
     TLSInspectionConfigurationResponse.struct_class = Types::TLSInspectionConfigurationResponse
     TLSInspectionConfigurations.member = Shapes::ShapeRef.new(shape: TLSInspectionConfigurationMetadata)
@@ -984,6 +1009,7 @@ module Aws::NetworkFirewall
     UpdateRuleGroupRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: Boolean, location_name: "DryRun"))
     UpdateRuleGroupRequest.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
     UpdateRuleGroupRequest.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
+    UpdateRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     UpdateRuleGroupRequest.struct_class = Types::UpdateRuleGroupRequest
     UpdateRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))

data/lib/aws-sdk-networkfirewall/endpoint_provider.rb CHANGED Viewed

@@ -32,7 +32,7 @@ module Aws::NetworkFirewall
             raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
           end
           if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
+            if Aws::Endpoints::Matchers.boolean_equals?(Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"), true)
               return Aws::Endpoints::Endpoint.new(url: "https://network-firewall-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
             end
             raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"

data/lib/aws-sdk-networkfirewall/types.rb CHANGED Viewed

@@ -74,6 +74,70 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
+    # The analysis result for Network Firewall's stateless rule group
+    # analyzer. Every time you call CreateRuleGroup, UpdateRuleGroup, or
+    # DescribeRuleGroup on a stateless rule group, Network Firewall analyzes
+    # the stateless rule groups in your account and identifies the rules
+    # that might adversely effect your firewall's functionality. For
+    # example, if Network Firewall detects a rule that's routing traffic
+    # asymmetrically, which impacts the service's ability to properly
+    # process traffic, the service includes the rule in a list of analysis
+    # results.
+    #
+    # @!attribute [rw] identified_rule_ids
+    #   The priority number of the stateless rules identified in the
+    #   analysis.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] identified_type
+    #   The types of rule configurations that Network Firewall analyzes your
+    #   rule groups for. Network Firewall analyzes stateless rule groups for
+    #   the following types of rule configurations:
+    #
+    #   * `STATELESS_RULE_FORWARDING_ASYMMETRICALLY`
+    #
+    #     Cause: One or more stateless rules with the action `pass` or
+    #     `forward` are forwarding traffic asymmetrically. Specifically, the
+    #     rule's set of source IP addresses or their associated port
+    #     numbers, don't match the set of destination IP addresses or their
+    #     associated port numbers.
+    #
+    #     To mitigate: Make sure that there's an existing return path. For
+    #     example, if the rule allows traffic from source 10.1.0.0/24 to
+    #     destination 20.1.0.0/24, you should allow return traffic from
+    #     source 20.1.0.0/24 to destination 10.1.0.0/24.
+    #
+    #   * `STATELESS_RULE_CONTAINS_TCP_FLAGS`
+    #
+    #     Cause: At least one stateless rule with the action `pass`
+    #     or`forward` contains TCP flags that are inconsistent in the
+    #     forward and return directions.
+    #
+    #     To mitigate: Prevent asymmetric routing issues caused by TCP flags
+    #     by following these actions:
+    #
+    #     * Remove unnecessary TCP flag inspections from the rules.
+    #
+    #     * If you need to inspect TCP flags, check that the rules correctly
+    #       account for changes in TCP flags throughout the TCP connection
+    #       cycle, for example `SYN` and `ACK` flags used in a 3-way TCP
+    #       handshake.
+    #   @return [String]
+    #
+    # @!attribute [rw] analysis_detail
+    #   Provides analysis details for the identified rule.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AnalysisResult AWS API Documentation
+    #
+    class AnalysisResult < Struct.new(
+      :identified_rule_ids,
+      :identified_type,
+      :analysis_detail)
+      SENSITIVE = []
+      include Aws::Structure
+    end
     # @!attribute [rw] update_token
     #   An optional token that you can use for optimistic locking. Network
     #   Firewall returns a token to your requests that access the firewall.
@@ -355,6 +419,55 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
+    # Defines the actions to take on the SSL/TLS connection if the
+    # certificate presented by the server in the connection has a revoked or
+    # unknown status.
+    #
+    # @!attribute [rw] revoked_status_action
+    #   Configures how Network Firewall processes traffic when it determines
+    #   that the certificate presented by the server in the SSL/TLS
+    #   connection has a revoked status.
+    #
+    #   * **PASS** - Allow the connection to continue, and pass subsequent
+    #     packets to the stateful engine for inspection.
+    #
+    #   * **DROP** - Network Firewall closes the connection and drops
+    #     subsequent packets for that connection.
+    #
+    #   * **REJECT** - Network Firewall sends a TCP reject packet back to
+    #     your client. The service closes the connection and drops
+    #     subsequent packets for that connection. `REJECT` is available only
+    #     for TCP traffic.
+    #   @return [String]
+    #
+    # @!attribute [rw] unknown_status_action
+    #   Configures how Network Firewall processes traffic when it determines
+    #   that the certificate presented by the server in the SSL/TLS
+    #   connection has an unknown status, or a status that cannot be
+    #   determined for any other reason, including when the service is
+    #   unable to connect to the OCSP and CRL endpoints for the certificate.
+    #
+    #   * **PASS** - Allow the connection to continue, and pass subsequent
+    #     packets to the stateful engine for inspection.
+    #
+    #   * **DROP** - Network Firewall closes the connection and drops
+    #     subsequent packets for that connection.
+    #
+    #   * **REJECT** - Network Firewall sends a TCP reject packet back to
+    #     your client. The service closes the connection and drops
+    #     subsequent packets for that connection. `REJECT` is available only
+    #     for TCP traffic.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CheckCertificateRevocationStatusActions AWS API Documentation
+    #
+    class CheckCertificateRevocationStatusActions < Struct.new(
+      :revoked_status_action,
+      :unknown_status_action)
+      SENSITIVE = []
+      include Aws::Structure
+    end
     # @!attribute [rw] firewall_policy_name
     #   The descriptive name of the firewall policy. You can't change the
     #   name of a firewall policy after you create it.
@@ -655,6 +768,14 @@ module Aws::NetworkFirewall
     #   track of updates made to the originating rule group.
     #   @return [Types::SourceMetadata]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis and
+    #   then creates the rule group for you. To run the stateless rule group
+    #   analyzer without creating the rule group, set `DryRun` to `TRUE`.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroupRequest AWS API Documentation
     #
     class CreateRuleGroupRequest < Struct.new(
@@ -667,7 +788,8 @@ module Aws::NetworkFirewall
       :tags,
       :dry_run,
       :encryption_configuration,
-      :source_metadata)
+      :source_metadata,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -720,12 +842,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information
-    #   about using TLS inspection configurations, see [Decrypting SSL/TLS
-    #   traffic with TLS inspection configurations][1] in the *Network
-    #   Firewall Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1]
+    #   in the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -1333,12 +1455,19 @@ module Aws::NetworkFirewall
     #    </note>
     #   @return [String]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupRequest AWS API Documentation
     #
     class DescribeRuleGroupRequest < Struct.new(
       :rule_group_name,
       :rule_group_arn,
-      :type)
+      :type,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1441,12 +1570,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information
-    #   about using TLS inspection configurations, see [Decrypting SSL/TLS
-    #   traffic with TLS inspection configurations][1] in the *Network
-    #   Firewall Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1]
+    #   in the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -2210,7 +2339,7 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
-    # Your request is valid, but Network Firewall couldn’t perform the
+    # Your request is valid, but Network Firewall couldn't perform the
     # operation because of a system problem. Retry your request.
     #
     # @!attribute [rw] message
@@ -2984,7 +3113,12 @@ module Aws::NetworkFirewall
     #   Additional options governing how Network Firewall handles stateful
     #   rules. The policies where you use your stateful rule group must have
     #   stateful rule options settings that are compatible with these
-    #   settings.
+    #   settings. Some limitations apply; for more information, see [Strict
+    #   evaluation order][1] in the *Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html
     #   @return [Types::StatefulRuleOptions]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleGroup AWS API Documentation
@@ -3110,6 +3244,17 @@ module Aws::NetworkFirewall
     #   The last time that the rule group was changed.
     #   @return [Time]
     #
+    # @!attribute [rw] analysis_results
+    #   The list of analysis results for `AnalyzeRuleGroup`. If you set
+    #   `AnalyzeRuleGroup` to `TRUE` in CreateRuleGroup, UpdateRuleGroup, or
+    #   DescribeRuleGroup, Network Firewall analyzes the rule group and
+    #   identifies the rules that might adversely effect your firewall's
+    #   functionality. For example, if Network Firewall detects a rule
+    #   that's routing traffic asymmetrically, which impacts the service's
+    #   ability to properly process traffic, the service includes the rule
+    #   in the list of analysis results.
+    #   @return [Array<Types::AnalysisResult>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleGroupResponse AWS API Documentation
     #
     class RuleGroupResponse < Struct.new(
@@ -3126,7 +3271,8 @@ module Aws::NetworkFirewall
       :encryption_configuration,
       :source_metadata,
       :sns_topic,
-      :last_modified_time)
+      :last_modified_time,
+      :analysis_results)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3190,14 +3336,18 @@ module Aws::NetworkFirewall
     # instance of this for either stateless rules or stateful rules.
     #
     # @!attribute [rw] rules_string
-    #   Stateful inspection criteria, provided in Suricata compatible
-    #   intrusion prevention system (IPS) rules. Suricata is an open-source
-    #   network IPS that includes a standard rule-based language for network
-    #   traffic inspection.
+    #   Stateful inspection criteria, provided in Suricata compatible rules.
+    #   Suricata is an open-source threat detection framework that includes
+    #   a standard rule-based language for network traffic inspection.
     #
     #   These rules contain the inspection criteria and the action to take
     #   for traffic that matches the criteria, so this type of rule group
     #   doesn't have a separate action setting.
+    #
+    #   <note markdown="1"> You can't use the `priority` keyword if the `RuleOrder` option in
+    #   StatefulRuleOptions is set to `STRICT_ORDER`.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] rules_source_list
@@ -3281,13 +3431,14 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
-    # Any Certificate Manager Secure Sockets Layer/Transport Layer Security
-    # (SSL/TLS) server certificate that's associated with a
-    # ServerCertificateConfiguration used in a TLSInspectionConfiguration.
-    # You must request or import a SSL/TLS certificate into ACM for each
-    # domain Network Firewall needs to decrypt and inspect. Network Firewall
-    # uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS
-    # traffic going to your firewall. For information about working with
+    # Any Certificate Manager (ACM) Secure Sockets Layer/Transport Layer
+    # Security (SSL/TLS) server certificate that's associated with a
+    # ServerCertificateConfiguration. Used in a TLSInspectionConfiguration
+    # for inspection of inbound traffic to your firewall. You must request
+    # or import a SSL/TLS certificate into ACM for each domain Network
+    # Firewall needs to decrypt and inspect. Network Firewall uses the
+    # SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic
+    # going to your firewall. For information about working with
     # certificates in Certificate Manager, see [Request a public certificate
     # ][1] or [Importing certificates][2] in the *Certificate Manager User
     # Guide*.
@@ -3299,7 +3450,7 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] resource_arn
     #   The Amazon Resource Name (ARN) of the Certificate Manager SSL/TLS
-    #   server certificate.
+    #   server certificate that's used for inbound SSL/TLS inspection.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ServerCertificate AWS API Documentation
@@ -3310,13 +3461,14 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
-    # Configures the associated Certificate Manager Secure Sockets
-    # Layer/Transport Layer Security (SSL/TLS) server certificates and scope
-    # settings Network Firewall uses to decrypt traffic in a
-    # TLSInspectionConfiguration. For information about working with SSL/TLS
-    # certificates for TLS inspection, see [ Requirements for using SSL/TLS
-    # server certficiates with TLS inspection configurations][1] in the
-    # *Network Firewall Developer Guide*.
+    # Configures the Certificate Manager certificates and scope that Network
+    # Firewall uses to decrypt and re-encrypt traffic using a
+    # TLSInspectionConfiguration. You can configure `ServerCertificates` for
+    # inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound
+    # SSL/TLS inspection, or both. For information about working with
+    # certificates for TLS inspection, see [ Using SSL/TLS server
+    # certficiates with TLS inspection configurations][1] in the *Network
+    # Firewall Developer Guide*.
     #
     # <note markdown="1"> If a server certificate that's associated with your
     # TLSInspectionConfiguration is revoked, deleted, or expired it can
@@ -3329,19 +3481,58 @@ module Aws::NetworkFirewall
     # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html
     #
     # @!attribute [rw] server_certificates
-    #   The list of a server certificate configuration's Certificate
-    #   Manager SSL/TLS certificates.
+    #   The list of server certificates to use for inbound SSL/TLS
+    #   inspection.
     #   @return [Array<Types::ServerCertificate>]
     #
     # @!attribute [rw] scopes
-    #   A list of a server certificate configuration's scopes.
+    #   A list of scopes.
     #   @return [Array<Types::ServerCertificateScope>]
     #
+    # @!attribute [rw] certificate_authority_arn
+    #   The Amazon Resource Name (ARN) of the imported certificate authority
+    #   (CA) certificate within Certificate Manager (ACM) to use for
+    #   outbound SSL/TLS inspection.
+    #
+    #   The following limitations apply:
+    #
+    #   * You can use CA certificates that you imported into ACM, but you
+    #     can't generate CA certificates with ACM.
+    #
+    #   * You can't use certificates issued by Private Certificate
+    #     Authority.
+    #
+    #   For more information about configuring certificates for outbound
+    #   inspection, see [Using SSL/TLS certificates with certificates with
+    #   TLS inspection configurations][1] in the *Network Firewall Developer
+    #   Guide*.
+    #
+    #   For information about working with certificates in ACM, see
+    #   [Importing certificates][2] in the *Certificate Manager User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html
+    #   [2]: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html
+    #   @return [String]
+    #
+    # @!attribute [rw] check_certificate_revocation_status
+    #   When enabled, Network Firewall checks if the server certificate
+    #   presented by the server in the SSL/TLS connection has a revoked or
+    #   unkown status. If the certificate has an unknown or revoked status,
+    #   you must specify the actions that Network Firewall takes on outbound
+    #   traffic. To check the certificate revocation status, you must also
+    #   specify a `CertificateAuthorityArn` in
+    #   ServerCertificateConfiguration.
+    #   @return [Types::CheckCertificateRevocationStatusActions]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ServerCertificateConfiguration AWS API Documentation
     #
     class ServerCertificateConfiguration < Struct.new(
       :server_certificates,
-      :scopes)
+      :scopes,
+      :certificate_authority_arn,
+      :check_certificate_revocation_status)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3436,11 +3627,17 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] rule_order
     #   Indicates how to manage the order of stateful rule evaluation for
-    #   the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful
-    #   rules are provided to the rule engine as Suricata compatible
-    #   strings, and Suricata evaluates them based on certain settings. For
-    #   more information, see [Evaluation order for stateful rules][1] in
-    #   the *Network Firewall Developer Guide*.
+    #   the policy. `STRICT_ORDER` is the default and recommended option.
+    #   With `STRICT_ORDER`, provide your rules in the order that you want
+    #   them to be evaluated. You can then choose one or more default
+    #   actions for packets that don't match any rules. Choose
+    #   `STRICT_ORDER` to have the stateful rules engine determine the
+    #   evaluation order of your rules. The default action for this rule
+    #   order is `PASS`, followed by `DROP`, `REJECT`, and `ALERT` actions.
+    #   Stateful rules are provided to the rule engine as Suricata
+    #   compatible strings, and Suricata evaluates them based on your
+    #   settings. For more information, see [Evaluation order for stateful
+    #   rules][1] in the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -3507,9 +3704,8 @@ module Aws::NetworkFirewall
     #     destination and sends an alert log message, if alert logging is
     #     configured in the Firewall LoggingConfiguration.
     #
-    #   * **ALERT** - Permits the packets to go to the intended destination
-    #     and sends an alert log message, if alert logging is configured in
-    #     the Firewall LoggingConfiguration.
+    #   * **ALERT** - Sends an alert log message, if alert logging is
+    #     configured in the Firewall LoggingConfiguration.
     #
     #     You can use this action to test a rule that you intend to use to
     #     drop traffic. You can enable the rule with `ALERT` action, verify
@@ -3812,12 +4008,12 @@ module Aws::NetworkFirewall
     # To use a TLS inspection configuration, you add it to a new Network
     # Firewall firewall policy, then you apply the firewall policy to a
     # firewall. Network Firewall acts as a proxy service to decrypt and
-    # inspect inbound traffic. You can reference a TLS inspection
-    # configuration from more than one firewall policy, and you can use a
-    # firewall policy in more than one firewall. For more information about
-    # using TLS inspection configurations, see [Decrypting SSL/TLS traffic
-    # with TLS inspection configurations][1] in the *Network Firewall
-    # Developer Guide*.
+    # inspect the traffic traveling through your firewalls. You can
+    # reference a TLS inspection configuration from more than one firewall
+    # policy, and you can use a firewall policy in more than one firewall.
+    # For more information about using TLS inspection configurations, see
+    # [Inspecting SSL/TLS traffic with TLS inspection configurations][1] in
+    # the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -3915,6 +4111,10 @@ module Aws::NetworkFirewall
     #   configuration.
     #   @return [Array<Types::TlsCertificateData>]
     #
+    # @!attribute [rw] certificate_authority
+    #   Contains metadata about an Certificate Manager certificate.
+    #   @return [Types::TlsCertificateData]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/TLSInspectionConfigurationResponse AWS API Documentation
     #
     class TLSInspectionConfigurationResponse < Struct.new(
@@ -3927,7 +4127,8 @@ module Aws::NetworkFirewall
       :last_modified_time,
       :number_of_associations,
       :encryption_configuration,
-      :certificates)
+      :certificates,
+      :certificate_authority)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4709,6 +4910,14 @@ module Aws::NetworkFirewall
     #   track of updates made to the originating rule group.
     #   @return [Types::SourceMetadata]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis and
+    #   then updates the rule group for you. To run the stateless rule group
+    #   analyzer without updating the rule group, set `DryRun` to `TRUE`.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroupRequest AWS API Documentation
     #
     class UpdateRuleGroupRequest < Struct.new(
@@ -4721,7 +4930,8 @@ module Aws::NetworkFirewall
       :description,
       :dry_run,
       :encryption_configuration,
-      :source_metadata)
+      :source_metadata,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4878,12 +5088,12 @@ module Aws::NetworkFirewall
     #   To use a TLS inspection configuration, you add it to a new Network
     #   Firewall firewall policy, then you apply the firewall policy to a
     #   firewall. Network Firewall acts as a proxy service to decrypt and
-    #   inspect inbound traffic. You can reference a TLS inspection
-    #   configuration from more than one firewall policy, and you can use a
-    #   firewall policy in more than one firewall. For more information
-    #   about using TLS inspection configurations, see [Decrypting SSL/TLS
-    #   traffic with TLS inspection configurations][1] in the *Network
-    #   Firewall Developer Guide*.
+    #   inspect the traffic traveling through your firewalls. You can
+    #   reference a TLS inspection configuration from more than one firewall
+    #   policy, and you can use a firewall policy in more than one firewall.
+    #   For more information about using TLS inspection configurations, see
+    #   [Inspecting SSL/TLS traffic with TLS inspection configurations][1]
+    #   in the *Network Firewall Developer Guide*.
     #
     #
     #

data/lib/aws-sdk-networkfirewall.rb CHANGED Viewed

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-networkfirewall/customizations'
 # @!group service
 module Aws::NetworkFirewall
-  GEM_VERSION = '1.35.0'
+  GEM_VERSION = '1.37.0'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-networkfirewall
 version: !ruby/object:Gem::Version
-  version: 1.35.0
+  version: 1.37.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-27 00:00:00.000000000 Z
+date: 2023-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core