aws-sdk-networkfirewall 1.68.0 → 1.70.0

data/lib/aws-sdk-networkfirewall/client.rb

@@ -476,6 +476,135 @@ module Aws::NetworkFirewall
 
     # @!group API Operations
 
+    # Accepts a transit gateway attachment request for Network Firewall.
+    # When you accept the attachment request, Network Firewall creates the
+    # necessary routing components to enable traffic flow between the
+    # transit gateway and firewall endpoints.
+    #
+    # You must accept a transit gateway attachment to complete the creation
+    # of a transit gateway-attached firewall, unless auto-accept is enabled
+    # on the transit gateway. After acceptance, use DescribeFirewall to
+    # verify the firewall status.
+    #
+    # To reject an attachment instead of accepting it, use
+    # RejectNetworkFirewallTransitGatewayAttachment.
+    #
+    # <note markdown="1"> It can take several minutes for the attachment acceptance to complete
+    # and the firewall to become available.
+    #
+    #  </note>
+    #
+    # @option params [required, String] :transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   accept. This ID is returned in the response when creating a transit
+    #   gateway-attached firewall.
+    #
+    # @return [Types::AcceptNetworkFirewallTransitGatewayAttachmentResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::AcceptNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_id #transit_gateway_attachment_id} => String
+    #   * {Types::AcceptNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_status #transit_gateway_attachment_status} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.accept_network_firewall_transit_gateway_attachment({
+    #     transit_gateway_attachment_id: "TransitGatewayAttachmentId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.transit_gateway_attachment_id #=> String
+    #   resp.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AcceptNetworkFirewallTransitGatewayAttachment AWS API Documentation
+    #
+    # @overload accept_network_firewall_transit_gateway_attachment(params = {})
+    # @param [Hash] params ({})
+    def accept_network_firewall_transit_gateway_attachment(params = {}, options = {})
+      req = build_request(:accept_network_firewall_transit_gateway_attachment, params)
+      req.send_request(options)
+    end
+
+    # Associates the specified Availability Zones with a transit
+    # gateway-attached firewall. For each Availability Zone, Network
+    # Firewall creates a firewall endpoint to process traffic. You can
+    # specify one or more Availability Zones where you want to deploy the
+    # firewall.
+    #
+    # After adding Availability Zones, you must update your transit gateway
+    # route tables to direct traffic through the new firewall endpoints. Use
+    # DescribeFirewall to monitor the status of the new endpoints.
+    #
+    # @option params [String] :update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of the
+    #   request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs your
+    #   updates regardless of whether the firewall has changed since you last
+    #   retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If this
+    #   happens, retrieve the firewall again to get a current copy of it with
+    #   a new token. Reapply your changes as needed, then try the operation
+    #   again using the new token.
+    #
+    # @option params [String] :firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :firewall_name
+    #   The descriptive name of the firewall. You can't change the name of a
+    #   firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [required, Array<Types::AvailabilityZoneMapping>] :availability_zone_mappings
+    #   Required. The Availability Zones where you want to create firewall
+    #   endpoints. You must specify at least one Availability Zone.
+    #
+    # @return [Types::AssociateAvailabilityZonesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::AssociateAvailabilityZonesResponse#firewall_arn #firewall_arn} => String
+    #   * {Types::AssociateAvailabilityZonesResponse#firewall_name #firewall_name} => String
+    #   * {Types::AssociateAvailabilityZonesResponse#availability_zone_mappings #availability_zone_mappings} => Array&lt;Types::AvailabilityZoneMapping&gt;
+    #   * {Types::AssociateAvailabilityZonesResponse#update_token #update_token} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.associate_availability_zones({
+    #     update_token: "UpdateToken",
+    #     firewall_arn: "ResourceArn",
+    #     firewall_name: "ResourceName",
+    #     availability_zone_mappings: [ # required
+    #       {
+    #         availability_zone: "AvailabilityZoneMappingString", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.firewall_arn #=> String
+    #   resp.firewall_name #=> String
+    #   resp.availability_zone_mappings #=> Array
+    #   resp.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.update_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AssociateAvailabilityZones AWS API Documentation
+    #
+    # @overload associate_availability_zones(params = {})
+    # @param [Hash] params ({})
+    def associate_availability_zones(params = {}, options = {})
+      req = build_request(:associate_availability_zones, params)
+      req.send_request(options)
+    end
+
     # Associates a FirewallPolicy to a Firewall.
     #
     # A firewall policy defines how to monitor and manage your VPC network
@@ -711,6 +840,46 @@ module Aws::NetworkFirewall
     #   An optional setting indicating the specific traffic analysis types to
     #   enable on the firewall.
     #
+    # @option params [String] :transit_gateway_id
+    #   Required when creating a transit gateway-attached firewall. The unique
+    #   identifier of the transit gateway to attach to this firewall. You can
+    #   provide either a transit gateway from your account or one that has
+    #   been shared with you through Resource Access Manager.
+    #
+    #   After creating the firewall, you cannot change the transit gateway
+    #   association. To use a different transit gateway, you must create a new
+    #   firewall.
+    #
+    #   For information about creating firewalls, see CreateFirewall. For
+    #   specific guidance about transit gateway-attached firewalls, see
+    #   [Considerations for transit gateway-attached firewalls][1] in the
+    #   *Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tgw-firewall-considerations.html
+    #
+    # @option params [Array<Types::AvailabilityZoneMapping>] :availability_zone_mappings
+    #   Required. The Availability Zones where you want to create firewall
+    #   endpoints for a transit gateway-attached firewall. You must specify at
+    #   least one Availability Zone. Consider enabling the firewall in every
+    #   Availability Zone where you have workloads to maintain Availability
+    #   Zone independence.
+    #
+    #   You can modify Availability Zones later using
+    #   AssociateAvailabilityZones or DisassociateAvailabilityZones, but this
+    #   may briefly disrupt traffic. The `AvailabilityZoneChangeProtection`
+    #   setting controls whether you can make these modifications.
+    #
+    # @option params [Boolean] :availability_zone_change_protection
+    #   Optional. A setting indicating whether the firewall is protected
+    #   against changes to its Availability Zone configuration. When set to
+    #   `TRUE`, you cannot add or remove Availability Zones without first
+    #   disabling this protection using
+    #   UpdateAvailabilityZoneChangeProtection.
+    #
+    #   Default value: `FALSE`
+    #
     # @return [Types::CreateFirewallResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateFirewallResponse#firewall #firewall} => Types::Firewall
@@ -743,6 +912,13 @@ module Aws::NetworkFirewall
     #       type: "CUSTOMER_KMS", # required, accepts CUSTOMER_KMS, AWS_OWNED_KMS_KEY
     #     },
     #     enabled_analysis_types: ["TLS_SNI"], # accepts TLS_SNI, HTTP_HOST
+    #     transit_gateway_id: "TransitGatewayId",
+    #     availability_zone_mappings: [
+    #       {
+    #         availability_zone: "AvailabilityZoneMappingString", # required
+    #       },
+    #     ],
+    #     availability_zone_change_protection: false,
     #   })
     #
     # @example Response structure
@@ -767,6 +943,11 @@ module Aws::NetworkFirewall
     #   resp.firewall.number_of_associations #=> Integer
     #   resp.firewall.enabled_analysis_types #=> Array
     #   resp.firewall.enabled_analysis_types[0] #=> String, one of "TLS_SNI", "HTTP_HOST"
+    #   resp.firewall.transit_gateway_id #=> String
+    #   resp.firewall.transit_gateway_owner_account_id #=> String
+    #   resp.firewall.availability_zone_mappings #=> Array
+    #   resp.firewall.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.firewall.availability_zone_change_protection #=> Boolean
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
     #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
@@ -781,6 +962,9 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.attachment_id #=> String
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateFirewall AWS API Documentation
     #
@@ -870,6 +1054,7 @@ module Aws::NetworkFirewall
     #           override: {
     #             action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
     #           },
+    #           deep_threat_inspection: false,
     #         },
     #       ],
     #       stateful_default_actions: ["CollectionMember_String"],
@@ -1054,6 +1239,17 @@ module Aws::NetworkFirewall
     #   the rule group for you. To run the stateless rule group analyzer
     #   without creating the rule group, set `DryRun` to `TRUE`.
     #
+    # @option params [Types::SummaryConfiguration] :summary_configuration
+    #   An object that contains a `RuleOptions` array of strings. You use
+    #   `RuleOptions` to determine which of the following RuleSummary values
+    #   are returned in response to `DescribeRuleGroupSummary`.
+    #
+    #   * `Metadata` - returns
+    #
+    #   * `Msg`
+    #
+    #   * `SID`
+    #
     # @return [Types::CreateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateRuleGroupResponse#update_token #update_token} => String
@@ -1094,7 +1290,7 @@ module Aws::NetworkFirewall
     #           {
     #             action: "PASS", # required, accepts PASS, DROP, ALERT, REJECT
     #             header: { # required
-    #               protocol: "IP", # required, accepts IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP
+    #               protocol: "IP", # required, accepts IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP, HTTP2, QUIC
     #               source: "Source", # required
     #               source_port: "Port", # required
     #               direction: "FORWARD", # required, accepts FORWARD, ANY
@@ -1189,6 +1385,9 @@ module Aws::NetworkFirewall
     #       source_update_token: "UpdateToken",
     #     },
     #     analyze_rule_group: false,
+    #     summary_configuration: {
+    #       rule_options: ["SID"], # accepts SID, MSG, METADATA
+    #     },
     #   })
     #
     # @example Response structure
@@ -1217,6 +1416,8 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
     #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
     #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
+    #   resp.rule_group_response.summary_configuration.rule_options #=> Array
+    #   resp.rule_group_response.summary_configuration.rule_options[0] #=> String, one of "SID", "MSG", "METADATA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroup AWS API Documentation
     #
@@ -1544,6 +1745,11 @@ module Aws::NetworkFirewall
     #   resp.firewall.number_of_associations #=> Integer
     #   resp.firewall.enabled_analysis_types #=> Array
     #   resp.firewall.enabled_analysis_types[0] #=> String, one of "TLS_SNI", "HTTP_HOST"
+    #   resp.firewall.transit_gateway_id #=> String
+    #   resp.firewall.transit_gateway_owner_account_id #=> String
+    #   resp.firewall.availability_zone_mappings #=> Array
+    #   resp.firewall.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.firewall.availability_zone_change_protection #=> Boolean
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
     #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
@@ -1558,6 +1764,9 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.attachment_id #=> String
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteFirewall AWS API Documentation
     #
@@ -1618,6 +1827,45 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Deletes a transit gateway attachment from a Network Firewall. Either
+    # the firewall owner or the transit gateway owner can delete the
+    # attachment.
+    #
+    # After you delete a transit gateway attachment, raffic will no longer
+    # flow through the firewall endpoints.
+    #
+    # After you initiate the delete operation, use DescribeFirewall to
+    # monitor the deletion status.
+    #
+    # @option params [required, String] :transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   delete.
+    #
+    # @return [Types::DeleteNetworkFirewallTransitGatewayAttachmentResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DeleteNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_id #transit_gateway_attachment_id} => String
+    #   * {Types::DeleteNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_status #transit_gateway_attachment_status} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_network_firewall_transit_gateway_attachment({
+    #     transit_gateway_attachment_id: "TransitGatewayAttachmentId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.transit_gateway_attachment_id #=> String
+    #   resp.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteNetworkFirewallTransitGatewayAttachment AWS API Documentation
+    #
+    # @overload delete_network_firewall_transit_gateway_attachment(params = {})
+    # @param [Hash] params ({})
+    def delete_network_firewall_transit_gateway_attachment(params = {}, options = {})
+      req = build_request(:delete_network_firewall_transit_gateway_attachment, params)
+      req.send_request(options)
+    end
+
     # Deletes a resource policy that you created in a PutResourcePolicy
     # request.
     #
@@ -1702,6 +1950,8 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
     #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
     #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
+    #   resp.rule_group_response.summary_configuration.rule_options #=> Array
+    #   resp.rule_group_response.summary_configuration.rule_options[0] #=> String, one of "SID", "MSG", "METADATA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteRuleGroup AWS API Documentation
     #
@@ -1871,6 +2121,11 @@ module Aws::NetworkFirewall
     #   resp.firewall.number_of_associations #=> Integer
     #   resp.firewall.enabled_analysis_types #=> Array
     #   resp.firewall.enabled_analysis_types[0] #=> String, one of "TLS_SNI", "HTTP_HOST"
+    #   resp.firewall.transit_gateway_id #=> String
+    #   resp.firewall.transit_gateway_owner_account_id #=> String
+    #   resp.firewall.availability_zone_mappings #=> Array
+    #   resp.firewall.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.firewall.availability_zone_change_protection #=> Boolean
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
     #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
@@ -1885,6 +2140,9 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.attachment_id #=> String
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewall AWS API Documentation
     #
@@ -1908,6 +2166,7 @@ module Aws::NetworkFirewall
     #   * {Types::DescribeFirewallMetadataResponse#description #description} => String
     #   * {Types::DescribeFirewallMetadataResponse#status #status} => String
     #   * {Types::DescribeFirewallMetadataResponse#supported_availability_zones #supported_availability_zones} => Hash&lt;String,Types::AvailabilityZoneMetadata&gt;
+    #   * {Types::DescribeFirewallMetadataResponse#transit_gateway_attachment_id #transit_gateway_attachment_id} => String
     #
     # @example Request syntax with placeholder values
     #
@@ -1923,6 +2182,7 @@ module Aws::NetworkFirewall
     #   resp.status #=> String, one of "PROVISIONING", "DELETING", "READY"
     #   resp.supported_availability_zones #=> Hash
     #   resp.supported_availability_zones["AvailabilityZone"].ip_address_type #=> String, one of "DUALSTACK", "IPV4", "IPV6"
+    #   resp.transit_gateway_attachment_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallMetadata AWS API Documentation
     #
@@ -1991,6 +2251,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy.stateful_rule_group_references[0].resource_arn #=> String
     #   resp.firewall_policy.stateful_rule_group_references[0].priority #=> Integer
     #   resp.firewall_policy.stateful_rule_group_references[0].override.action #=> String, one of "DROP_TO_ALERT"
+    #   resp.firewall_policy.stateful_rule_group_references[0].deep_threat_inspection #=> Boolean
     #   resp.firewall_policy.stateful_default_actions #=> Array
     #   resp.firewall_policy.stateful_default_actions[0] #=> String
     #   resp.firewall_policy.stateful_engine_options.rule_order #=> String, one of "DEFAULT_ACTION_ORDER", "STRICT_ORDER"
@@ -2223,7 +2484,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group.rules_source.rules_source_list.generated_rules_type #=> String, one of "ALLOWLIST", "DENYLIST"
     #   resp.rule_group.rules_source.stateful_rules #=> Array
     #   resp.rule_group.rules_source.stateful_rules[0].action #=> String, one of "PASS", "DROP", "ALERT", "REJECT"
-    #   resp.rule_group.rules_source.stateful_rules[0].header.protocol #=> String, one of "IP", "TCP", "UDP", "ICMP", "HTTP", "FTP", "TLS", "SMB", "DNS", "DCERPC", "SSH", "SMTP", "IMAP", "MSN", "KRB5", "IKEV2", "TFTP", "NTP", "DHCP"
+    #   resp.rule_group.rules_source.stateful_rules[0].header.protocol #=> String, one of "IP", "TCP", "UDP", "ICMP", "HTTP", "FTP", "TLS", "SMB", "DNS", "DCERPC", "SSH", "SMTP", "IMAP", "MSN", "KRB5", "IKEV2", "TFTP", "NTP", "DHCP", "HTTP2", "QUIC"
     #   resp.rule_group.rules_source.stateful_rules[0].header.source #=> String
     #   resp.rule_group.rules_source.stateful_rules[0].header.source_port #=> String
     #   resp.rule_group.rules_source.stateful_rules[0].header.direction #=> String, one of "FORWARD", "ANY"
@@ -2282,6 +2543,8 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
     #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
     #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
+    #   resp.rule_group_response.summary_configuration.rule_options #=> Array
+    #   resp.rule_group_response.summary_configuration.rule_options[0] #=> String, one of "SID", "MSG", "METADATA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroup AWS API Documentation
     #
@@ -2356,6 +2619,69 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Returns detailed information for a stateful rule group.
+    #
+    # For active threat defense Amazon Web Services managed rule groups,
+    # this operation provides insight into the protections enabled by the
+    # rule group, based on Suricata rule metadata fields. Summaries are
+    # available for rule groups you manage and for active threat defense
+    # Amazon Web Services managed rule groups.
+    #
+    # To modify how threat information appears in summaries, use the
+    # `SummaryConfiguration` parameter in UpdateRuleGroup.
+    #
+    # @option params [String] :rule_group_name
+    #   The descriptive name of the rule group. You can't change the name of
+    #   a rule group after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :rule_group_arn
+    #   Required. The Amazon Resource Name (ARN) of the rule group.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :type
+    #   The type of rule group you want a summary for. This is a required
+    #   field.
+    #
+    #   Valid value: `STATEFUL`
+    #
+    #   Note that `STATELESS` exists but is not currently supported. If you
+    #   provide `STATELESS`, an exception is returned.
+    #
+    # @return [Types::DescribeRuleGroupSummaryResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DescribeRuleGroupSummaryResponse#rule_group_name #rule_group_name} => String
+    #   * {Types::DescribeRuleGroupSummaryResponse#description #description} => String
+    #   * {Types::DescribeRuleGroupSummaryResponse#summary #summary} => Types::Summary
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.describe_rule_group_summary({
+    #     rule_group_name: "ResourceName",
+    #     rule_group_arn: "ResourceArn",
+    #     type: "STATELESS", # accepts STATELESS, STATEFUL
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.rule_group_name #=> String
+    #   resp.description #=> String
+    #   resp.summary.rule_summaries #=> Array
+    #   resp.summary.rule_summaries[0].sid #=> String
+    #   resp.summary.rule_summaries[0].msg #=> String
+    #   resp.summary.rule_summaries[0].metadata #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupSummary AWS API Documentation
+    #
+    # @overload describe_rule_group_summary(params = {})
+    # @param [Hash] params ({})
+    def describe_rule_group_summary(params = {}, options = {})
+      req = build_request(:describe_rule_group_summary, params)
+      req.send_request(options)
+    end
+
     # Returns the data objects for the specified TLS inspection
     # configuration.
     #
@@ -2480,6 +2806,91 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Removes the specified Availability Zone associations from a transit
+    # gateway-attached firewall. This removes the firewall endpoints from
+    # these Availability Zones and stops traffic filtering in those zones.
+    # Before removing an Availability Zone, ensure you've updated your
+    # transit gateway route tables to redirect traffic appropriately.
+    #
+    # <note markdown="1"> If `AvailabilityZoneChangeProtection` is enabled, you must first
+    # disable it using UpdateAvailabilityZoneChangeProtection.
+    #
+    #  </note>
+    #
+    # To verify the status of your Availability Zone changes, use
+    # DescribeFirewall.
+    #
+    # @option params [String] :update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of the
+    #   request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs your
+    #   updates regardless of whether the firewall has changed since you last
+    #   retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If this
+    #   happens, retrieve the firewall again to get a current copy of it with
+    #   a new token. Reapply your changes as needed, then try the operation
+    #   again using the new token.
+    #
+    # @option params [String] :firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :firewall_name
+    #   The descriptive name of the firewall. You can't change the name of a
+    #   firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [required, Array<Types::AvailabilityZoneMapping>] :availability_zone_mappings
+    #   Required. The Availability Zones to remove from the firewall's
+    #   configuration.
+    #
+    # @return [Types::DisassociateAvailabilityZonesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DisassociateAvailabilityZonesResponse#firewall_arn #firewall_arn} => String
+    #   * {Types::DisassociateAvailabilityZonesResponse#firewall_name #firewall_name} => String
+    #   * {Types::DisassociateAvailabilityZonesResponse#availability_zone_mappings #availability_zone_mappings} => Array&lt;Types::AvailabilityZoneMapping&gt;
+    #   * {Types::DisassociateAvailabilityZonesResponse#update_token #update_token} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.disassociate_availability_zones({
+    #     update_token: "UpdateToken",
+    #     firewall_arn: "ResourceArn",
+    #     firewall_name: "ResourceName",
+    #     availability_zone_mappings: [ # required
+    #       {
+    #         availability_zone: "AvailabilityZoneMappingString", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.firewall_arn #=> String
+    #   resp.firewall_name #=> String
+    #   resp.availability_zone_mappings #=> Array
+    #   resp.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.update_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DisassociateAvailabilityZones AWS API Documentation
+    #
+    # @overload disassociate_availability_zones(params = {})
+    # @param [Hash] params ({})
+    def disassociate_availability_zones(params = {}, options = {})
+      req = build_request(:disassociate_availability_zones, params)
+      req.send_request(options)
+    end
+
     # Removes the specified subnet associations from the firewall. This
     # removes the firewall endpoints from the subnets and removes any
     # network filtering protections that the endpoints were providing.
@@ -2785,6 +3196,7 @@ module Aws::NetworkFirewall
     #   resp.firewalls #=> Array
     #   resp.firewalls[0].firewall_name #=> String
     #   resp.firewalls[0].firewall_arn #=> String
+    #   resp.firewalls[0].transit_gateway_attachment_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ListFirewalls AWS API Documentation
     #
@@ -3025,7 +3437,7 @@ module Aws::NetworkFirewall
     #     next_token: "PaginationToken",
     #     max_results: 1,
     #     scope: "MANAGED", # accepts MANAGED, ACCOUNT
-    #     managed_type: "AWS_MANAGED_THREAT_SIGNATURES", # accepts AWS_MANAGED_THREAT_SIGNATURES, AWS_MANAGED_DOMAIN_LISTS
+    #     managed_type: "AWS_MANAGED_THREAT_SIGNATURES", # accepts AWS_MANAGED_THREAT_SIGNATURES, AWS_MANAGED_DOMAIN_LISTS, ACTIVE_THREAT_DEFENSE
     #     type: "STATELESS", # accepts STATELESS, STATEFUL
     #   })
     #
@@ -3298,6 +3710,53 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Rejects a transit gateway attachment request for Network Firewall.
+    # When you reject the attachment request, Network Firewall cancels the
+    # creation of routing components between the transit gateway and
+    # firewall endpoints.
+    #
+    # Only the firewall owner can reject the attachment. After rejection, no
+    # traffic will flow through the firewall endpoints for this attachment.
+    #
+    # Use DescribeFirewall to monitor the rejection status. To accept the
+    # attachment instead of rejecting it, use
+    # AcceptNetworkFirewallTransitGatewayAttachment.
+    #
+    # <note markdown="1"> Once rejected, you cannot reverse this action. To establish
+    # connectivity, you must create a new transit gateway-attached firewall.
+    #
+    #  </note>
+    #
+    # @option params [required, String] :transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   reject. This ID is returned in the response when creating a transit
+    #   gateway-attached firewall.
+    #
+    # @return [Types::RejectNetworkFirewallTransitGatewayAttachmentResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::RejectNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_id #transit_gateway_attachment_id} => String
+    #   * {Types::RejectNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_status #transit_gateway_attachment_status} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.reject_network_firewall_transit_gateway_attachment({
+    #     transit_gateway_attachment_id: "TransitGatewayAttachmentId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.transit_gateway_attachment_id #=> String
+    #   resp.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RejectNetworkFirewallTransitGatewayAttachment AWS API Documentation
+    #
+    # @overload reject_network_firewall_transit_gateway_attachment(params = {})
+    # @param [Hash] params ({})
+    def reject_network_firewall_transit_gateway_attachment(params = {}, options = {})
+      req = build_request(:reject_network_firewall_transit_gateway_attachment, params)
+      req.send_request(options)
+    end
+
     # Generates a traffic analysis report for the timeframe and traffic type
     # you specify.
     #
@@ -3588,6 +4047,85 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Modifies the `AvailabilityZoneChangeProtection` setting for a transit
+    # gateway-attached firewall. When enabled, this setting prevents
+    # accidental changes to the firewall's Availability Zone configuration.
+    # This helps protect against disrupting traffic flow in production
+    # environments.
+    #
+    # When enabled, you must disable this protection before using
+    # AssociateAvailabilityZones or DisassociateAvailabilityZones to modify
+    # the firewall's Availability Zone configuration.
+    #
+    # @option params [String] :update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of the
+    #   request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs your
+    #   updates regardless of whether the firewall has changed since you last
+    #   retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If this
+    #   happens, retrieve the firewall again to get a current copy of it with
+    #   a new token. Reapply your changes as needed, then try the operation
+    #   again using the new token.
+    #
+    # @option params [String] :firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :firewall_name
+    #   The descriptive name of the firewall. You can't change the name of a
+    #   firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [required, Boolean] :availability_zone_change_protection
+    #   A setting indicating whether the firewall is protected against changes
+    #   to the subnet associations. Use this setting to protect against
+    #   accidentally modifying the subnet associations for a firewall that is
+    #   in use. When you create a firewall, the operation initializes this
+    #   setting to `TRUE`.
+    #
+    # @return [Types::UpdateAvailabilityZoneChangeProtectionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::UpdateAvailabilityZoneChangeProtectionResponse#update_token #update_token} => String
+    #   * {Types::UpdateAvailabilityZoneChangeProtectionResponse#firewall_arn #firewall_arn} => String
+    #   * {Types::UpdateAvailabilityZoneChangeProtectionResponse#firewall_name #firewall_name} => String
+    #   * {Types::UpdateAvailabilityZoneChangeProtectionResponse#availability_zone_change_protection #availability_zone_change_protection} => Boolean
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.update_availability_zone_change_protection({
+    #     update_token: "UpdateToken",
+    #     firewall_arn: "ResourceArn",
+    #     firewall_name: "ResourceName",
+    #     availability_zone_change_protection: false, # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.update_token #=> String
+    #   resp.firewall_arn #=> String
+    #   resp.firewall_name #=> String
+    #   resp.availability_zone_change_protection #=> Boolean
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateAvailabilityZoneChangeProtection AWS API Documentation
+    #
+    # @overload update_availability_zone_change_protection(params = {})
+    # @param [Hash] params ({})
+    def update_availability_zone_change_protection(params = {}, options = {})
+      req = build_request(:update_availability_zone_change_protection, params)
+      req.send_request(options)
+    end
+
     # Enables specific types of firewall analysis on a specific firewall you
     # define.
     #
@@ -3977,6 +4515,7 @@ module Aws::NetworkFirewall
     #           override: {
     #             action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
     #           },
+    #           deep_threat_inspection: false,
     #         },
     #       ],
     #       stateful_default_actions: ["CollectionMember_String"],
@@ -4303,6 +4842,11 @@ module Aws::NetworkFirewall
     #   the rule group for you. To run the stateless rule group analyzer
     #   without updating the rule group, set `DryRun` to `TRUE`.
     #
+    # @option params [Types::SummaryConfiguration] :summary_configuration
+    #   Updates the selected summary configuration for a rule group.
+    #
+    #   Changes affect subsequent responses from DescribeRuleGroupSummary.
+    #
     # @return [Types::UpdateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateRuleGroupResponse#update_token #update_token} => String
@@ -4345,7 +4889,7 @@ module Aws::NetworkFirewall
     #           {
     #             action: "PASS", # required, accepts PASS, DROP, ALERT, REJECT
     #             header: { # required
-    #               protocol: "IP", # required, accepts IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP
+    #               protocol: "IP", # required, accepts IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP, HTTP2, QUIC
     #               source: "Source", # required
     #               source_port: "Port", # required
     #               direction: "FORWARD", # required, accepts FORWARD, ANY
@@ -4433,6 +4977,9 @@ module Aws::NetworkFirewall
     #       source_update_token: "UpdateToken",
     #     },
     #     analyze_rule_group: false,
+    #     summary_configuration: {
+    #       rule_options: ["SID"], # accepts SID, MSG, METADATA
+    #     },
     #   })
     #
     # @example Response structure
@@ -4461,6 +5008,8 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
     #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
     #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
+    #   resp.rule_group_response.summary_configuration.rule_options #=> Array
+    #   resp.rule_group_response.summary_configuration.rule_options[0] #=> String, one of "SID", "MSG", "METADATA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroup AWS API Documentation
     #
@@ -4717,7 +5266,7 @@ module Aws::NetworkFirewall
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.68.0'
+      context[:gem_version] = '1.70.0'
       Seahorse::Client::Request.new(handlers, context)
     end