aws-sdk-networkfirewall 1.75.0 → 1.77.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-networkfirewall/client.rb +12 -8
- data/lib/aws-sdk-networkfirewall/client_api.rb +2 -0
- data/lib/aws-sdk-networkfirewall/types.rb +18 -4
- data/lib/aws-sdk-networkfirewall.rb +1 -1
- data/sig/client.rbs +6 -4
- data/sig/types.rbs +2 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ede64ef386739ee353b1302c14b192a02b89812a4a8b8259b9a2158ca473001a
|
|
4
|
+
data.tar.gz: 9513247b0b520a6a91543eb03998d3dbaaf58b907f7fabfd196c5f69690b9e26
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 43f5bfe571ffeaa10cbc635fd5debfa40cee2cd42c19004208055fcbf5866bc908dcfbdc6c77e1f2c6a691120231a5c3720680b77c851ddb63f9c2020cd9da56
|
|
7
|
+
data.tar.gz: c24a6fde89ab499fe37f75211426bde470362b23d59280cf9b9c7f903add191e99915168a2c5e02d8c0dea5e54a09d682fb7d9c084811fcefedf0b692506828d
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,16 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
1.77.0 (2025-09-25)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Feature - Network Firewall now introduces Reject and Alert action support for stateful domain list rule groups, providing customers with more granular control over their network traffic.
|
|
8
|
+
|
|
9
|
+
1.76.0 (2025-09-17)
|
|
10
|
+
------------------
|
|
11
|
+
|
|
12
|
+
* Feature - Network Firewall now prevents TLS handshakes with the target server until after the Server Name Indication (SNI) has been seen and verified. The monitoring dashboard now provides deeper insights into PrivateLink endpoint candidates and offers filters based on IP addresses and protocol.
|
|
13
|
+
|
|
4
14
|
1.75.0 (2025-08-28)
|
|
5
15
|
------------------
|
|
6
16
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.77.0
|
|
@@ -871,7 +871,7 @@ module Aws::NetworkFirewall
|
|
|
871
871
|
# endpoints for a transit gateway-attached firewall. You must specify at
|
|
872
872
|
# least one Availability Zone. Consider enabling the firewall in every
|
|
873
873
|
# Availability Zone where you have workloads to maintain Availability
|
|
874
|
-
# Zone
|
|
874
|
+
# Zone isolation.
|
|
875
875
|
#
|
|
876
876
|
# You can modify Availability Zones later using
|
|
877
877
|
# AssociateAvailabilityZones or DisassociateAvailabilityZones, but this
|
|
@@ -1080,6 +1080,7 @@ module Aws::NetworkFirewall
|
|
|
1080
1080
|
# },
|
|
1081
1081
|
# },
|
|
1082
1082
|
# },
|
|
1083
|
+
# enable_tls_session_holding: false,
|
|
1083
1084
|
# },
|
|
1084
1085
|
# description: "Description",
|
|
1085
1086
|
# tags: [
|
|
@@ -1291,7 +1292,7 @@ module Aws::NetworkFirewall
|
|
|
1291
1292
|
# rules_source_list: {
|
|
1292
1293
|
# targets: ["CollectionMember_String"], # required
|
|
1293
1294
|
# target_types: ["TLS_SNI"], # required, accepts TLS_SNI, HTTP_HOST
|
|
1294
|
-
# generated_rules_type: "ALLOWLIST", # required, accepts ALLOWLIST, DENYLIST
|
|
1295
|
+
# generated_rules_type: "ALLOWLIST", # required, accepts ALLOWLIST, DENYLIST, REJECTLIST, ALERTLIST
|
|
1295
1296
|
# },
|
|
1296
1297
|
# stateful_rules: [
|
|
1297
1298
|
# {
|
|
@@ -1838,7 +1839,7 @@ module Aws::NetworkFirewall
|
|
|
1838
1839
|
# the firewall owner or the transit gateway owner can delete the
|
|
1839
1840
|
# attachment.
|
|
1840
1841
|
#
|
|
1841
|
-
# After you delete a transit gateway attachment,
|
|
1842
|
+
# After you delete a transit gateway attachment, traffic will no longer
|
|
1842
1843
|
# flow through the firewall endpoints.
|
|
1843
1844
|
#
|
|
1844
1845
|
# After you initiate the delete operation, use DescribeFirewall to
|
|
@@ -2268,6 +2269,7 @@ module Aws::NetworkFirewall
|
|
|
2268
2269
|
# resp.firewall_policy.policy_variables.rule_variables #=> Hash
|
|
2269
2270
|
# resp.firewall_policy.policy_variables.rule_variables["RuleVariableName"].definition #=> Array
|
|
2270
2271
|
# resp.firewall_policy.policy_variables.rule_variables["RuleVariableName"].definition[0] #=> String
|
|
2272
|
+
# resp.firewall_policy.enable_tls_session_holding #=> Boolean
|
|
2271
2273
|
#
|
|
2272
2274
|
# @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallPolicy AWS API Documentation
|
|
2273
2275
|
#
|
|
@@ -2488,7 +2490,7 @@ module Aws::NetworkFirewall
|
|
|
2488
2490
|
# resp.rule_group.rules_source.rules_source_list.targets[0] #=> String
|
|
2489
2491
|
# resp.rule_group.rules_source.rules_source_list.target_types #=> Array
|
|
2490
2492
|
# resp.rule_group.rules_source.rules_source_list.target_types[0] #=> String, one of "TLS_SNI", "HTTP_HOST"
|
|
2491
|
-
# resp.rule_group.rules_source.rules_source_list.generated_rules_type #=> String, one of "ALLOWLIST", "DENYLIST"
|
|
2493
|
+
# resp.rule_group.rules_source.rules_source_list.generated_rules_type #=> String, one of "ALLOWLIST", "DENYLIST", "REJECTLIST", "ALERTLIST"
|
|
2492
2494
|
# resp.rule_group.rules_source.stateful_rules #=> Array
|
|
2493
2495
|
# resp.rule_group.rules_source.stateful_rules[0].action #=> String, one of "PASS", "DROP", "ALERT", "REJECT"
|
|
2494
2496
|
# resp.rule_group.rules_source.stateful_rules[0].header.protocol #=> String, one of "IP", "TCP", "UDP", "ICMP", "HTTP", "FTP", "TLS", "SMB", "DNS", "DCERPC", "SSH", "SMTP", "IMAP", "MSN", "KRB5", "IKEV2", "TFTP", "NTP", "DHCP", "HTTP2", "QUIC"
|
|
@@ -3722,8 +3724,9 @@ module Aws::NetworkFirewall
|
|
|
3722
3724
|
# creation of routing components between the transit gateway and
|
|
3723
3725
|
# firewall endpoints.
|
|
3724
3726
|
#
|
|
3725
|
-
# Only the
|
|
3726
|
-
# traffic will flow through the firewall endpoints for
|
|
3727
|
+
# Only the transit gateway owner can reject the attachment. After
|
|
3728
|
+
# rejection, no traffic will flow through the firewall endpoints for
|
|
3729
|
+
# this attachment.
|
|
3727
3730
|
#
|
|
3728
3731
|
# Use DescribeFirewall to monitor the rejection status. To accept the
|
|
3729
3732
|
# attachment instead of rejecting it, use
|
|
@@ -4541,6 +4544,7 @@ module Aws::NetworkFirewall
|
|
|
4541
4544
|
# },
|
|
4542
4545
|
# },
|
|
4543
4546
|
# },
|
|
4547
|
+
# enable_tls_session_holding: false,
|
|
4544
4548
|
# },
|
|
4545
4549
|
# description: "Description",
|
|
4546
4550
|
# dry_run: false,
|
|
@@ -4890,7 +4894,7 @@ module Aws::NetworkFirewall
|
|
|
4890
4894
|
# rules_source_list: {
|
|
4891
4895
|
# targets: ["CollectionMember_String"], # required
|
|
4892
4896
|
# target_types: ["TLS_SNI"], # required, accepts TLS_SNI, HTTP_HOST
|
|
4893
|
-
# generated_rules_type: "ALLOWLIST", # required, accepts ALLOWLIST, DENYLIST
|
|
4897
|
+
# generated_rules_type: "ALLOWLIST", # required, accepts ALLOWLIST, DENYLIST, REJECTLIST, ALERTLIST
|
|
4894
4898
|
# },
|
|
4895
4899
|
# stateful_rules: [
|
|
4896
4900
|
# {
|
|
@@ -5273,7 +5277,7 @@ module Aws::NetworkFirewall
|
|
|
5273
5277
|
tracer: tracer
|
|
5274
5278
|
)
|
|
5275
5279
|
context[:gem_name] = 'aws-sdk-networkfirewall'
|
|
5276
|
-
context[:gem_version] = '1.
|
|
5280
|
+
context[:gem_version] = '1.77.0'
|
|
5277
5281
|
Seahorse::Client::Request.new(handlers, context)
|
|
5278
5282
|
end
|
|
5279
5283
|
|
|
@@ -119,6 +119,7 @@ module Aws::NetworkFirewall
|
|
|
119
119
|
DisassociateSubnetsResponse = Shapes::StructureShape.new(name: 'DisassociateSubnetsResponse')
|
|
120
120
|
Domain = Shapes::StringShape.new(name: 'Domain')
|
|
121
121
|
EnableMonitoringDashboard = Shapes::BooleanShape.new(name: 'EnableMonitoringDashboard')
|
|
122
|
+
EnableTLSSessionHolding = Shapes::BooleanShape.new(name: 'EnableTLSSessionHolding')
|
|
122
123
|
EnabledAnalysisType = Shapes::StringShape.new(name: 'EnabledAnalysisType')
|
|
123
124
|
EnabledAnalysisTypes = Shapes::ListShape.new(name: 'EnabledAnalysisTypes')
|
|
124
125
|
EncryptionConfiguration = Shapes::StructureShape.new(name: 'EncryptionConfiguration')
|
|
@@ -792,6 +793,7 @@ module Aws::NetworkFirewall
|
|
|
792
793
|
FirewallPolicy.add_member(:stateful_engine_options, Shapes::ShapeRef.new(shape: StatefulEngineOptions, location_name: "StatefulEngineOptions"))
|
|
793
794
|
FirewallPolicy.add_member(:tls_inspection_configuration_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "TLSInspectionConfigurationArn"))
|
|
794
795
|
FirewallPolicy.add_member(:policy_variables, Shapes::ShapeRef.new(shape: PolicyVariables, location_name: "PolicyVariables"))
|
|
796
|
+
FirewallPolicy.add_member(:enable_tls_session_holding, Shapes::ShapeRef.new(shape: EnableTLSSessionHolding, location_name: "EnableTLSSessionHolding"))
|
|
795
797
|
FirewallPolicy.struct_class = Types::FirewallPolicy
|
|
796
798
|
|
|
797
799
|
FirewallPolicyMetadata.add_member(:name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "Name"))
|
|
@@ -949,7 +949,7 @@ module Aws::NetworkFirewall
|
|
|
949
949
|
# endpoints for a transit gateway-attached firewall. You must specify
|
|
950
950
|
# at least one Availability Zone. Consider enabling the firewall in
|
|
951
951
|
# every Availability Zone where you have workloads to maintain
|
|
952
|
-
# Availability Zone
|
|
952
|
+
# Availability Zone isolation.
|
|
953
953
|
#
|
|
954
954
|
# You can modify Availability Zones later using
|
|
955
955
|
# AssociateAvailabilityZones or DisassociateAvailabilityZones, but
|
|
@@ -2969,6 +2969,12 @@ module Aws::NetworkFirewall
|
|
|
2969
2969
|
# settings in your firewall policy.
|
|
2970
2970
|
# @return [Types::PolicyVariables]
|
|
2971
2971
|
#
|
|
2972
|
+
# @!attribute [rw] enable_tls_session_holding
|
|
2973
|
+
# When true, prevents TCP and TLS packets from reaching destination
|
|
2974
|
+
# servers until TLS Inspection has evaluated Server Name Indication
|
|
2975
|
+
# (SNI) rules. Requires an associated TLS Inspection configuration.
|
|
2976
|
+
# @return [Boolean]
|
|
2977
|
+
#
|
|
2972
2978
|
# @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/FirewallPolicy AWS API Documentation
|
|
2973
2979
|
#
|
|
2974
2980
|
class FirewallPolicy < Struct.new(
|
|
@@ -2980,7 +2986,8 @@ module Aws::NetworkFirewall
|
|
|
2980
2986
|
:stateful_default_actions,
|
|
2981
2987
|
:stateful_engine_options,
|
|
2982
2988
|
:tls_inspection_configuration_arn,
|
|
2983
|
-
:policy_variables
|
|
2989
|
+
:policy_variables,
|
|
2990
|
+
:enable_tls_session_holding)
|
|
2984
2991
|
SENSITIVE = []
|
|
2985
2992
|
include Aws::Structure
|
|
2986
2993
|
end
|
|
@@ -5198,8 +5205,15 @@ module Aws::NetworkFirewall
|
|
|
5198
5205
|
# @return [Array<String>]
|
|
5199
5206
|
#
|
|
5200
5207
|
# @!attribute [rw] generated_rules_type
|
|
5201
|
-
# Whether you want to allow or
|
|
5202
|
-
# target list.
|
|
5208
|
+
# Whether you want to apply allow, reject, alert, or drop behavior to
|
|
5209
|
+
# the domains in your target list.
|
|
5210
|
+
#
|
|
5211
|
+
# <note markdown="1"> When logging is enabled and you choose Alert, traffic that matches
|
|
5212
|
+
# the domain specifications generates an alert in the firewall's
|
|
5213
|
+
# logs. Then, traffic either passes, is rejected, or drops based on
|
|
5214
|
+
# other rules in the firewall policy.
|
|
5215
|
+
#
|
|
5216
|
+
# </note>
|
|
5203
5217
|
# @return [String]
|
|
5204
5218
|
#
|
|
5205
5219
|
# @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RulesSourceList AWS API Documentation
|
data/sig/client.rbs
CHANGED
|
@@ -242,7 +242,8 @@ module Aws
|
|
|
242
242
|
rule_variables: Hash[::String, {
|
|
243
243
|
definition: Array[::String]
|
|
244
244
|
}]?
|
|
245
|
-
}
|
|
245
|
+
}?,
|
|
246
|
+
enable_tls_session_holding: bool?
|
|
246
247
|
},
|
|
247
248
|
?description: ::String,
|
|
248
249
|
?tags: Array[
|
|
@@ -286,7 +287,7 @@ module Aws
|
|
|
286
287
|
rules_source_list: {
|
|
287
288
|
targets: Array[::String],
|
|
288
289
|
target_types: Array[("TLS_SNI" | "HTTP_HOST")],
|
|
289
|
-
generated_rules_type: ("ALLOWLIST" | "DENYLIST")
|
|
290
|
+
generated_rules_type: ("ALLOWLIST" | "DENYLIST" | "REJECTLIST" | "ALERTLIST")
|
|
290
291
|
}?,
|
|
291
292
|
stateful_rules: Array[
|
|
292
293
|
{
|
|
@@ -1161,7 +1162,8 @@ module Aws
|
|
|
1161
1162
|
rule_variables: Hash[::String, {
|
|
1162
1163
|
definition: Array[::String]
|
|
1163
1164
|
}]?
|
|
1164
|
-
}
|
|
1165
|
+
}?,
|
|
1166
|
+
enable_tls_session_holding: bool?
|
|
1165
1167
|
},
|
|
1166
1168
|
?description: ::String,
|
|
1167
1169
|
?dry_run: bool,
|
|
@@ -1241,7 +1243,7 @@ module Aws
|
|
|
1241
1243
|
rules_source_list: {
|
|
1242
1244
|
targets: Array[::String],
|
|
1243
1245
|
target_types: Array[("TLS_SNI" | "HTTP_HOST")],
|
|
1244
|
-
generated_rules_type: ("ALLOWLIST" | "DENYLIST")
|
|
1246
|
+
generated_rules_type: ("ALLOWLIST" | "DENYLIST" | "REJECTLIST" | "ALERTLIST")
|
|
1245
1247
|
}?,
|
|
1246
1248
|
stateful_rules: Array[
|
|
1247
1249
|
{
|
data/sig/types.rbs
CHANGED
|
@@ -557,6 +557,7 @@ module Aws::NetworkFirewall
|
|
|
557
557
|
attr_accessor stateful_engine_options: Types::StatefulEngineOptions
|
|
558
558
|
attr_accessor tls_inspection_configuration_arn: ::String
|
|
559
559
|
attr_accessor policy_variables: Types::PolicyVariables
|
|
560
|
+
attr_accessor enable_tls_session_holding: bool
|
|
560
561
|
SENSITIVE: []
|
|
561
562
|
end
|
|
562
563
|
|
|
@@ -1008,7 +1009,7 @@ module Aws::NetworkFirewall
|
|
|
1008
1009
|
class RulesSourceList
|
|
1009
1010
|
attr_accessor targets: ::Array[::String]
|
|
1010
1011
|
attr_accessor target_types: ::Array[("TLS_SNI" | "HTTP_HOST")]
|
|
1011
|
-
attr_accessor generated_rules_type: ("ALLOWLIST" | "DENYLIST")
|
|
1012
|
+
attr_accessor generated_rules_type: ("ALLOWLIST" | "DENYLIST" | "REJECTLIST" | "ALERTLIST")
|
|
1012
1013
|
SENSITIVE: []
|
|
1013
1014
|
end
|
|
1014
1015
|
|