aws-sdk-route53resolver 1.72.0 → 1.73.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd4e17fff46d9739ec59f74a16f9fa2150f1cfa9e17a57589cf730d5b83d4d24
-  data.tar.gz: 074d36c340a94cd665d2698d466746f2d43f5c7b30b960ec638046387b4c7c0b
+  metadata.gz: 6b52fca6223281d438eb705b809e3df5858a0f90d8de563f60ce8d845d1b435c
+  data.tar.gz: d91066c8dfa0e8789b64499e15b9f23dc47f5c646138ceb4727b78ca88e84111
 SHA512:
-  metadata.gz: 541029bc85dfd56e78b9de050cc185bd41536a8850b6fe786a6b92135438f728878e20003d692315739587a1c4c8d456add16337c4f4418d3fad0e8d7c2d891f
-  data.tar.gz: f176ab577f2763b23cd9e20f60bacb80fecdf4e2b717a9e4eaf1cc986f0ba99f9cac1d6d5452fdf745cd34806eb3b8d61d931a6bf803074aac5572544eddfa85
+  metadata.gz: 69db2cd9346f1c06b7da716f1a272c11255013f09bb5d11e01c98c090c08a40f042c596688ba460e1f085eef640fbc330870823c0034605eb1ba0b4f8cf36565
+  data.tar.gz: a0fdf4df9ad3695094a00566f082d6d0ff73ebe00dffebcd5f24b7767526e2bbb0332b1aeee0d285cfb0af4111f25f379b572ff72637366ae157f06cc25f4a3f

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.73.0 (2024-11-15)
+------------------
+
+* Feature - Route 53 Resolver DNS Firewall Advanced Rules allows you to monitor and block suspicious DNS traffic based on anomalies detected in the queries, such as DNS tunneling and Domain Generation Algorithms (DGAs).
+
 1.72.0 (2024-10-18)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.72.0
+1.73.0

data/lib/aws-sdk-route53resolver/client.rb

@@ -805,8 +805,9 @@ module Aws::Route53Resolver
     #   The unique identifier of the firewall rule group where you want to
     #   create the rule.
     #
-    # @option params [required, String] :firewall_domain_list_id
-    #   The ID of the domain list that you want to use in the rule.
+    # @option params [String] :firewall_domain_list_id
+    #   The ID of the domain list that you want to use in the rule. Can't be
+    #   used together with `DnsThreatProtecton`.
     #
     # @option params [required, Integer] :priority
     #   The setting that determines the processing order of the rule in the
@@ -820,9 +821,11 @@ module Aws::Route53Resolver
     #
     # @option params [required, String] :action
     #   The action that DNS Firewall should take on a DNS query when it
-    #   matches one of the domains in the rule's domain list:
+    #   matches one of the domains in the rule's domain list, or a threat in
+    #   a DNS Firewall Advanced rule:
     #
-    #   * `ALLOW` - Permit the request to go through.
+    #   * `ALLOW` - Permit the request to go through. Not available for DNS
+    #     Firewall Advanced rules.
     #
     #   * `ALERT` - Permit the request and send metrics and logs to Cloud
     #     Watch.
@@ -873,11 +876,11 @@ module Aws::Route53Resolver
     #   How you want the the rule to evaluate DNS redirection in the DNS
     #   redirection chain, such as CNAME or DNAME.
     #
-    #   `Inspect_Redirection_Domain `(Default) inspects all domains in the
+    #   `INSPECT_REDIRECTION_DOMAIN`: (Default) inspects all domains in the
     #   redirection chain. The individual domains in the redirection chain
     #   must be added to the domain list.
     #
-    #   `Trust_Redirection_Domain ` inspects only the first domain in the
+    #   `TRUST_REDIRECTION_DOMAIN`: Inspects only the first domain in the
     #   redirection chain. You don't need to add the subsequent domains in
     #   the domain in the redirection list to the domain list.
     #
@@ -921,6 +924,23 @@ module Aws::Route53Resolver
     #
     #   [1]: https://en.wikipedia.org/wiki/List_of_DNS_record_types
     #
+    # @option params [String] :dns_threat_protection
+    #   Use to create a DNS Firewall Advanced rule.
+    #
+    # @option params [String] :confidence_threshold
+    #   The confidence threshold for DNS Firewall Advanced. You must provide
+    #   this value when you create a DNS Firewall Advanced rule. The
+    #   confidence level values mean:
+    #
+    #   * `LOW`: Provides the highest detection rate for threats, but also
+    #     increases false positives.
+    #
+    #   * `MEDIUM`: Provides a balance between detecting threats and false
+    #     positives.
+    #
+    #   * `HIGH`: Detects only the most well corroborated threats with a low
+    #     rate of false positives.
+    #
     # @return [Types::CreateFirewallRuleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateFirewallRuleResponse#firewall_rule #firewall_rule} => Types::FirewallRule
@@ -930,7 +950,7 @@ module Aws::Route53Resolver
     #   resp = client.create_firewall_rule({
     #     creator_request_id: "CreatorRequestId", # required
     #     firewall_rule_group_id: "ResourceId", # required
-    #     firewall_domain_list_id: "ResourceId", # required
+    #     firewall_domain_list_id: "ResourceId",
     #     priority: 1, # required
     #     action: "ALLOW", # required, accepts ALLOW, BLOCK, ALERT
     #     block_response: "NODATA", # accepts NODATA, NXDOMAIN, OVERRIDE
@@ -940,12 +960,15 @@ module Aws::Route53Resolver
     #     name: "Name", # required
     #     firewall_domain_redirection_action: "INSPECT_REDIRECTION_DOMAIN", # accepts INSPECT_REDIRECTION_DOMAIN, TRUST_REDIRECTION_DOMAIN
     #     qtype: "Qtype",
+    #     dns_threat_protection: "DGA", # accepts DGA, DNS_TUNNELING
+    #     confidence_threshold: "LOW", # accepts LOW, MEDIUM, HIGH
     #   })
     #
     # @example Response structure
     #
     #   resp.firewall_rule.firewall_rule_group_id #=> String
     #   resp.firewall_rule.firewall_domain_list_id #=> String
+    #   resp.firewall_rule.firewall_threat_protection_id #=> String
     #   resp.firewall_rule.name #=> String
     #   resp.firewall_rule.priority #=> Integer
     #   resp.firewall_rule.action #=> String, one of "ALLOW", "BLOCK", "ALERT"
@@ -958,6 +981,8 @@ module Aws::Route53Resolver
     #   resp.firewall_rule.modification_time #=> String
     #   resp.firewall_rule.firewall_domain_redirection_action #=> String, one of "INSPECT_REDIRECTION_DOMAIN", "TRUST_REDIRECTION_DOMAIN"
     #   resp.firewall_rule.qtype #=> String
+    #   resp.firewall_rule.dns_threat_protection #=> String, one of "DGA", "DNS_TUNNELING"
+    #   resp.firewall_rule.confidence_threshold #=> String, one of "LOW", "MEDIUM", "HIGH"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/CreateFirewallRule AWS API Documentation
     #
@@ -1518,9 +1543,12 @@ module Aws::Route53Resolver
     #   The unique identifier of the firewall rule group that you want to
     #   delete the rule from.
     #
-    # @option params [required, String] :firewall_domain_list_id
+    # @option params [String] :firewall_domain_list_id
     #   The ID of the domain list that's used in the rule.
     #
+    # @option params [String] :firewall_threat_protection_id
+    #   The ID that is created for a DNS Firewall Advanced rule.
+    #
     # @option params [String] :qtype
     #   The DNS query type that the rule you are deleting evaluates. Allowed
     #   values are;
@@ -1570,7 +1598,8 @@ module Aws::Route53Resolver
     #
     #   resp = client.delete_firewall_rule({
     #     firewall_rule_group_id: "ResourceId", # required
-    #     firewall_domain_list_id: "ResourceId", # required
+    #     firewall_domain_list_id: "ResourceId",
+    #     firewall_threat_protection_id: "ResourceId",
     #     qtype: "Qtype",
     #   })
     #
@@ -1578,6 +1607,7 @@ module Aws::Route53Resolver
     #
     #   resp.firewall_rule.firewall_rule_group_id #=> String
     #   resp.firewall_rule.firewall_domain_list_id #=> String
+    #   resp.firewall_rule.firewall_threat_protection_id #=> String
     #   resp.firewall_rule.name #=> String
     #   resp.firewall_rule.priority #=> Integer
     #   resp.firewall_rule.action #=> String, one of "ALLOW", "BLOCK", "ALERT"
@@ -1590,6 +1620,8 @@ module Aws::Route53Resolver
     #   resp.firewall_rule.modification_time #=> String
     #   resp.firewall_rule.firewall_domain_redirection_action #=> String, one of "INSPECT_REDIRECTION_DOMAIN", "TRUST_REDIRECTION_DOMAIN"
     #   resp.firewall_rule.qtype #=> String
+    #   resp.firewall_rule.dns_threat_protection #=> String, one of "DGA", "DNS_TUNNELING"
+    #   resp.firewall_rule.confidence_threshold #=> String, one of "LOW", "MEDIUM", "HIGH"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/DeleteFirewallRule AWS API Documentation
     #
@@ -3009,9 +3041,11 @@ module Aws::Route53Resolver
     #   Optional additional filter for the rules to retrieve.
     #
     #   The action that DNS Firewall should take on a DNS query when it
-    #   matches one of the domains in the rule's domain list:
+    #   matches one of the domains in the rule's domain list, or a threat in
+    #   a DNS Firewall Advanced rule:
     #
-    #   * `ALLOW` - Permit the request to go through.
+    #   * `ALLOW` - Permit the request to go through. Not availabe for DNS
+    #     Firewall Advanced rules.
     #
     #   * `ALERT` - Permit the request to go through but send an alert to the
     #     logs.
@@ -3061,6 +3095,7 @@ module Aws::Route53Resolver
     #   resp.firewall_rules #=> Array
     #   resp.firewall_rules[0].firewall_rule_group_id #=> String
     #   resp.firewall_rules[0].firewall_domain_list_id #=> String
+    #   resp.firewall_rules[0].firewall_threat_protection_id #=> String
     #   resp.firewall_rules[0].name #=> String
     #   resp.firewall_rules[0].priority #=> Integer
     #   resp.firewall_rules[0].action #=> String, one of "ALLOW", "BLOCK", "ALERT"
@@ -3073,6 +3108,8 @@ module Aws::Route53Resolver
     #   resp.firewall_rules[0].modification_time #=> String
     #   resp.firewall_rules[0].firewall_domain_redirection_action #=> String, one of "INSPECT_REDIRECTION_DOMAIN", "TRUST_REDIRECTION_DOMAIN"
     #   resp.firewall_rules[0].qtype #=> String
+    #   resp.firewall_rules[0].dns_threat_protection #=> String, one of "DGA", "DNS_TUNNELING"
+    #   resp.firewall_rules[0].confidence_threshold #=> String, one of "LOW", "MEDIUM", "HIGH"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/ListFirewallRules AWS API Documentation
     #
@@ -4243,9 +4280,12 @@ module Aws::Route53Resolver
     # @option params [required, String] :firewall_rule_group_id
     #   The unique identifier of the firewall rule group for the rule.
     #
-    # @option params [required, String] :firewall_domain_list_id
+    # @option params [String] :firewall_domain_list_id
     #   The ID of the domain list to use in the rule.
     #
+    # @option params [String] :firewall_threat_protection_id
+    #   The DNS Firewall Advanced rule ID.
+    #
     # @option params [Integer] :priority
     #   The setting that determines the processing order of the rule in the
     #   rule group. DNS Firewall processes the rules in a rule group by order
@@ -4258,9 +4298,11 @@ module Aws::Route53Resolver
     #
     # @option params [String] :action
     #   The action that DNS Firewall should take on a DNS query when it
-    #   matches one of the domains in the rule's domain list:
+    #   matches one of the domains in the rule's domain list, or a threat in
+    #   a DNS Firewall Advanced rule:
     #
-    #   * `ALLOW` - Permit the request to go through.
+    #   * `ALLOW` - Permit the request to go through. Not available for DNS
+    #     Firewall Advanced rules.
     #
     #   * `ALERT` - Permit the request to go through but send an alert to the
     #     logs.
@@ -4303,11 +4345,11 @@ module Aws::Route53Resolver
     #   How you want the the rule to evaluate DNS redirection in the DNS
     #   redirection chain, such as CNAME or DNAME.
     #
-    #   `Inspect_Redirection_Domain `(Default) inspects all domains in the
+    #   `INSPECT_REDIRECTION_DOMAIN`: (Default) inspects all domains in the
     #   redirection chain. The individual domains in the redirection chain
     #   must be added to the domain list.
     #
-    #   `Trust_Redirection_Domain ` inspects only the first domain in the
+    #   `TRUST_REDIRECTION_DOMAIN`: Inspects only the first domain in the
     #   redirection chain. You don't need to add the subsequent domains in
     #   the domain in the redirection list to the domain list.
     #
@@ -4357,6 +4399,31 @@ module Aws::Route53Resolver
     #
     #   [1]: https://en.wikipedia.org/wiki/List_of_DNS_record_types
     #
+    # @option params [String] :dns_threat_protection
+    #   The type of the DNS Firewall Advanced rule. Valid values are:
+    #
+    #   * `DGA`: Domain generation algorithms detection. DGAs are used by
+    #     attackers to generate a large number of domains to to launch malware
+    #     attacks.
+    #
+    #   * `DNS_TUNNELING`: DNS tunneling detection. DNS tunneling is used by
+    #     attackers to exfiltrate data from the client by using the DNS tunnel
+    #     without making a network connection to the client.
+    #
+    # @option params [String] :confidence_threshold
+    #   The confidence threshold for DNS Firewall Advanced. You must provide
+    #   this value when you create a DNS Firewall Advanced rule. The
+    #   confidence level values mean:
+    #
+    #   * `LOW`: Provides the highest detection rate for threats, but also
+    #     increases false positives.
+    #
+    #   * `MEDIUM`: Provides a balance between detecting threats and false
+    #     positives.
+    #
+    #   * `HIGH`: Detects only the most well corroborated threats with a low
+    #     rate of false positives.
+    #
     # @return [Types::UpdateFirewallRuleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateFirewallRuleResponse#firewall_rule #firewall_rule} => Types::FirewallRule
@@ -4365,7 +4432,8 @@ module Aws::Route53Resolver
     #
     #   resp = client.update_firewall_rule({
     #     firewall_rule_group_id: "ResourceId", # required
-    #     firewall_domain_list_id: "ResourceId", # required
+    #     firewall_domain_list_id: "ResourceId",
+    #     firewall_threat_protection_id: "ResourceId",
     #     priority: 1,
     #     action: "ALLOW", # accepts ALLOW, BLOCK, ALERT
     #     block_response: "NODATA", # accepts NODATA, NXDOMAIN, OVERRIDE
@@ -4375,12 +4443,15 @@ module Aws::Route53Resolver
     #     name: "Name",
     #     firewall_domain_redirection_action: "INSPECT_REDIRECTION_DOMAIN", # accepts INSPECT_REDIRECTION_DOMAIN, TRUST_REDIRECTION_DOMAIN
     #     qtype: "Qtype",
+    #     dns_threat_protection: "DGA", # accepts DGA, DNS_TUNNELING
+    #     confidence_threshold: "LOW", # accepts LOW, MEDIUM, HIGH
     #   })
     #
     # @example Response structure
     #
     #   resp.firewall_rule.firewall_rule_group_id #=> String
     #   resp.firewall_rule.firewall_domain_list_id #=> String
+    #   resp.firewall_rule.firewall_threat_protection_id #=> String
     #   resp.firewall_rule.name #=> String
     #   resp.firewall_rule.priority #=> Integer
     #   resp.firewall_rule.action #=> String, one of "ALLOW", "BLOCK", "ALERT"
@@ -4393,6 +4464,8 @@ module Aws::Route53Resolver
     #   resp.firewall_rule.modification_time #=> String
     #   resp.firewall_rule.firewall_domain_redirection_action #=> String, one of "INSPECT_REDIRECTION_DOMAIN", "TRUST_REDIRECTION_DOMAIN"
     #   resp.firewall_rule.qtype #=> String
+    #   resp.firewall_rule.dns_threat_protection #=> String, one of "DGA", "DNS_TUNNELING"
+    #   resp.firewall_rule.confidence_threshold #=> String, one of "LOW", "MEDIUM", "HIGH"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallRule AWS API Documentation
     #
@@ -4802,7 +4875,7 @@ module Aws::Route53Resolver
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-route53resolver'
-      context[:gem_version] = '1.72.0'
+      context[:gem_version] = '1.73.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-route53resolver/client_api.rb

@@ -32,6 +32,7 @@ module Aws::Route53Resolver
     BlockOverrideTtl = Shapes::IntegerShape.new(name: 'BlockOverrideTtl')
     BlockResponse = Shapes::StringShape.new(name: 'BlockResponse')
     Boolean = Shapes::BooleanShape.new(name: 'Boolean')
+    ConfidenceThreshold = Shapes::StringShape.new(name: 'ConfidenceThreshold')
     ConflictException = Shapes::StructureShape.new(name: 'ConflictException')
     Count = Shapes::IntegerShape.new(name: 'Count')
     CreateFirewallDomainListRequest = Shapes::StructureShape.new(name: 'CreateFirewallDomainListRequest')
@@ -72,6 +73,7 @@ module Aws::Route53Resolver
     DisassociateResolverQueryLogConfigResponse = Shapes::StructureShape.new(name: 'DisassociateResolverQueryLogConfigResponse')
     DisassociateResolverRuleRequest = Shapes::StructureShape.new(name: 'DisassociateResolverRuleRequest')
     DisassociateResolverRuleResponse = Shapes::StructureShape.new(name: 'DisassociateResolverRuleResponse')
+    DnsThreatProtection = Shapes::StringShape.new(name: 'DnsThreatProtection')
     DomainListFileUrl = Shapes::StringShape.new(name: 'DomainListFileUrl')
     DomainName = Shapes::StringShape.new(name: 'DomainName')
     ExceptionMessage = Shapes::StringShape.new(name: 'ExceptionMessage')
@@ -349,7 +351,7 @@ module Aws::Route53Resolver
 
     CreateFirewallRuleRequest.add_member(:creator_request_id, Shapes::ShapeRef.new(shape: CreatorRequestId, required: true, location_name: "CreatorRequestId", metadata: {"idempotencyToken"=>true}))
     CreateFirewallRuleRequest.add_member(:firewall_rule_group_id, Shapes::ShapeRef.new(shape: ResourceId, required: true, location_name: "FirewallRuleGroupId"))
-    CreateFirewallRuleRequest.add_member(:firewall_domain_list_id, Shapes::ShapeRef.new(shape: ResourceId, required: true, location_name: "FirewallDomainListId"))
+    CreateFirewallRuleRequest.add_member(:firewall_domain_list_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallDomainListId", metadata: {"box"=>true}))
     CreateFirewallRuleRequest.add_member(:priority, Shapes::ShapeRef.new(shape: Priority, required: true, location_name: "Priority"))
     CreateFirewallRuleRequest.add_member(:action, Shapes::ShapeRef.new(shape: Action, required: true, location_name: "Action"))
     CreateFirewallRuleRequest.add_member(:block_response, Shapes::ShapeRef.new(shape: BlockResponse, location_name: "BlockResponse", metadata: {"box"=>true}))
@@ -359,6 +361,8 @@ module Aws::Route53Resolver
     CreateFirewallRuleRequest.add_member(:name, Shapes::ShapeRef.new(shape: Name, required: true, location_name: "Name"))
     CreateFirewallRuleRequest.add_member(:firewall_domain_redirection_action, Shapes::ShapeRef.new(shape: FirewallDomainRedirectionAction, location_name: "FirewallDomainRedirectionAction", metadata: {"box"=>true}))
     CreateFirewallRuleRequest.add_member(:qtype, Shapes::ShapeRef.new(shape: Qtype, location_name: "Qtype", metadata: {"box"=>true}))
+    CreateFirewallRuleRequest.add_member(:dns_threat_protection, Shapes::ShapeRef.new(shape: DnsThreatProtection, location_name: "DnsThreatProtection", metadata: {"box"=>true}))
+    CreateFirewallRuleRequest.add_member(:confidence_threshold, Shapes::ShapeRef.new(shape: ConfidenceThreshold, location_name: "ConfidenceThreshold", metadata: {"box"=>true}))
     CreateFirewallRuleRequest.struct_class = Types::CreateFirewallRuleRequest
 
     CreateFirewallRuleResponse.add_member(:firewall_rule, Shapes::ShapeRef.new(shape: FirewallRule, location_name: "FirewallRule"))
@@ -424,7 +428,8 @@ module Aws::Route53Resolver
     DeleteFirewallRuleGroupResponse.struct_class = Types::DeleteFirewallRuleGroupResponse
 
     DeleteFirewallRuleRequest.add_member(:firewall_rule_group_id, Shapes::ShapeRef.new(shape: ResourceId, required: true, location_name: "FirewallRuleGroupId"))
-    DeleteFirewallRuleRequest.add_member(:firewall_domain_list_id, Shapes::ShapeRef.new(shape: ResourceId, required: true, location_name: "FirewallDomainListId"))
+    DeleteFirewallRuleRequest.add_member(:firewall_domain_list_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallDomainListId", metadata: {"box"=>true}))
+    DeleteFirewallRuleRequest.add_member(:firewall_threat_protection_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallThreatProtectionId", metadata: {"box"=>true}))
     DeleteFirewallRuleRequest.add_member(:qtype, Shapes::ShapeRef.new(shape: Qtype, location_name: "Qtype"))
     DeleteFirewallRuleRequest.struct_class = Types::DeleteFirewallRuleRequest
 
@@ -523,6 +528,7 @@ module Aws::Route53Resolver
 
     FirewallRule.add_member(:firewall_rule_group_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallRuleGroupId"))
     FirewallRule.add_member(:firewall_domain_list_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallDomainListId"))
+    FirewallRule.add_member(:firewall_threat_protection_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallThreatProtectionId"))
     FirewallRule.add_member(:name, Shapes::ShapeRef.new(shape: Name, location_name: "Name"))
     FirewallRule.add_member(:priority, Shapes::ShapeRef.new(shape: Priority, location_name: "Priority"))
     FirewallRule.add_member(:action, Shapes::ShapeRef.new(shape: Action, location_name: "Action"))
@@ -535,6 +541,8 @@ module Aws::Route53Resolver
     FirewallRule.add_member(:modification_time, Shapes::ShapeRef.new(shape: Rfc3339TimeString, location_name: "ModificationTime"))
     FirewallRule.add_member(:firewall_domain_redirection_action, Shapes::ShapeRef.new(shape: FirewallDomainRedirectionAction, location_name: "FirewallDomainRedirectionAction"))
     FirewallRule.add_member(:qtype, Shapes::ShapeRef.new(shape: Qtype, location_name: "Qtype"))
+    FirewallRule.add_member(:dns_threat_protection, Shapes::ShapeRef.new(shape: DnsThreatProtection, location_name: "DnsThreatProtection"))
+    FirewallRule.add_member(:confidence_threshold, Shapes::ShapeRef.new(shape: ConfidenceThreshold, location_name: "ConfidenceThreshold"))
     FirewallRule.struct_class = Types::FirewallRule
 
     FirewallRuleGroup.add_member(:id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "Id"))
@@ -1101,7 +1109,8 @@ module Aws::Route53Resolver
     UpdateFirewallRuleGroupAssociationResponse.struct_class = Types::UpdateFirewallRuleGroupAssociationResponse
 
     UpdateFirewallRuleRequest.add_member(:firewall_rule_group_id, Shapes::ShapeRef.new(shape: ResourceId, required: true, location_name: "FirewallRuleGroupId"))
-    UpdateFirewallRuleRequest.add_member(:firewall_domain_list_id, Shapes::ShapeRef.new(shape: ResourceId, required: true, location_name: "FirewallDomainListId"))
+    UpdateFirewallRuleRequest.add_member(:firewall_domain_list_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallDomainListId", metadata: {"box"=>true}))
+    UpdateFirewallRuleRequest.add_member(:firewall_threat_protection_id, Shapes::ShapeRef.new(shape: ResourceId, location_name: "FirewallThreatProtectionId", metadata: {"box"=>true}))
     UpdateFirewallRuleRequest.add_member(:priority, Shapes::ShapeRef.new(shape: Priority, location_name: "Priority", metadata: {"box"=>true}))
     UpdateFirewallRuleRequest.add_member(:action, Shapes::ShapeRef.new(shape: Action, location_name: "Action", metadata: {"box"=>true}))
     UpdateFirewallRuleRequest.add_member(:block_response, Shapes::ShapeRef.new(shape: BlockResponse, location_name: "BlockResponse", metadata: {"box"=>true}))
@@ -1111,6 +1120,8 @@ module Aws::Route53Resolver
     UpdateFirewallRuleRequest.add_member(:name, Shapes::ShapeRef.new(shape: Name, location_name: "Name", metadata: {"box"=>true}))
     UpdateFirewallRuleRequest.add_member(:firewall_domain_redirection_action, Shapes::ShapeRef.new(shape: FirewallDomainRedirectionAction, location_name: "FirewallDomainRedirectionAction", metadata: {"box"=>true}))
     UpdateFirewallRuleRequest.add_member(:qtype, Shapes::ShapeRef.new(shape: Qtype, location_name: "Qtype"))
+    UpdateFirewallRuleRequest.add_member(:dns_threat_protection, Shapes::ShapeRef.new(shape: DnsThreatProtection, location_name: "DnsThreatProtection", metadata: {"box"=>true}))
+    UpdateFirewallRuleRequest.add_member(:confidence_threshold, Shapes::ShapeRef.new(shape: ConfidenceThreshold, location_name: "ConfidenceThreshold", metadata: {"box"=>true}))
     UpdateFirewallRuleRequest.struct_class = Types::UpdateFirewallRuleRequest
 
     UpdateFirewallRuleResponse.add_member(:firewall_rule, Shapes::ShapeRef.new(shape: FirewallRule, location_name: "FirewallRule"))
@@ -1373,6 +1384,7 @@ module Aws::Route53Resolver
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
         o.errors << Shapes::ShapeRef.new(shape: InternalServiceErrorException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
         o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
       end)
 

data/lib/aws-sdk-route53resolver/types.rb

@@ -329,7 +329,8 @@ module Aws::Route53Resolver
     #   @return [String]
     #
     # @!attribute [rw] firewall_domain_list_id
-    #   The ID of the domain list that you want to use in the rule.
+    #   The ID of the domain list that you want to use in the rule. Can't
+    #   be used together with `DnsThreatProtecton`.
     #   @return [String]
     #
     # @!attribute [rw] priority
@@ -345,9 +346,11 @@ module Aws::Route53Resolver
     #
     # @!attribute [rw] action
     #   The action that DNS Firewall should take on a DNS query when it
-    #   matches one of the domains in the rule's domain list:
+    #   matches one of the domains in the rule's domain list, or a threat
+    #   in a DNS Firewall Advanced rule:
     #
-    #   * `ALLOW` - Permit the request to go through.
+    #   * `ALLOW` - Permit the request to go through. Not available for DNS
+    #     Firewall Advanced rules.
     #
     #   * `ALERT` - Permit the request and send metrics and logs to Cloud
     #     Watch.
@@ -408,11 +411,11 @@ module Aws::Route53Resolver
     #   How you want the the rule to evaluate DNS redirection in the DNS
     #   redirection chain, such as CNAME or DNAME.
     #
-    #   `Inspect_Redirection_Domain `(Default) inspects all domains in the
+    #   `INSPECT_REDIRECTION_DOMAIN`: (Default) inspects all domains in the
     #   redirection chain. The individual domains in the redirection chain
     #   must be added to the domain list.
     #
-    #   `Trust_Redirection_Domain ` inspects only the first domain in the
+    #   `TRUST_REDIRECTION_DOMAIN`: Inspects only the first domain in the
     #   redirection chain. You don't need to add the subsequent domains in
     #   the domain in the redirection list to the domain list.
     #   @return [String]
@@ -459,6 +462,25 @@ module Aws::Route53Resolver
     #   [1]: https://en.wikipedia.org/wiki/List_of_DNS_record_types
     #   @return [String]
     #
+    # @!attribute [rw] dns_threat_protection
+    #   Use to create a DNS Firewall Advanced rule.
+    #   @return [String]
+    #
+    # @!attribute [rw] confidence_threshold
+    #   The confidence threshold for DNS Firewall Advanced. You must provide
+    #   this value when you create a DNS Firewall Advanced rule. The
+    #   confidence level values mean:
+    #
+    #   * `LOW`: Provides the highest detection rate for threats, but also
+    #     increases false positives.
+    #
+    #   * `MEDIUM`: Provides a balance between detecting threats and false
+    #     positives.
+    #
+    #   * `HIGH`: Detects only the most well corroborated threats with a low
+    #     rate of false positives.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/CreateFirewallRuleRequest AWS API Documentation
     #
     class CreateFirewallRuleRequest < Struct.new(
@@ -473,7 +495,9 @@ module Aws::Route53Resolver
       :block_override_ttl,
       :name,
       :firewall_domain_redirection_action,
-      :qtype)
+      :qtype,
+      :dns_threat_protection,
+      :confidence_threshold)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -894,6 +918,10 @@ module Aws::Route53Resolver
     #   The ID of the domain list that's used in the rule.
     #   @return [String]
     #
+    # @!attribute [rw] firewall_threat_protection_id
+    #   The ID that is created for a DNS Firewall Advanced rule.
+    #   @return [String]
+    #
     # @!attribute [rw] qtype
     #   The DNS query type that the rule you are deleting evaluates. Allowed
     #   values are;
@@ -941,6 +969,7 @@ module Aws::Route53Resolver
     class DeleteFirewallRuleRequest < Struct.new(
       :firewall_rule_group_id,
       :firewall_domain_list_id,
+      :firewall_threat_protection_id,
       :qtype)
       SENSITIVE = []
       include Aws::Structure
@@ -1561,13 +1590,17 @@ module Aws::Route53Resolver
     # A single firewall rule in a rule group.
     #
     # @!attribute [rw] firewall_rule_group_id
-    #   The unique identifier of the firewall rule group of the rule.
+    #   The unique identifier of the Firewall rule group of the rule.
     #   @return [String]
     #
     # @!attribute [rw] firewall_domain_list_id
     #   The ID of the domain list that's used in the rule.
     #   @return [String]
     #
+    # @!attribute [rw] firewall_threat_protection_id
+    #   ID of the DNS Firewall Advanced rule.
+    #   @return [String]
+    #
     # @!attribute [rw] name
     #   The name of the rule.
     #   @return [String]
@@ -1580,9 +1613,11 @@ module Aws::Route53Resolver
     #
     # @!attribute [rw] action
     #   The action that DNS Firewall should take on a DNS query when it
-    #   matches one of the domains in the rule's domain list:
+    #   matches one of the domains in the rule's domain list, or a threat
+    #   in a DNS Firewall Advanced rule:
     #
-    #   * `ALLOW` - Permit the request to go through.
+    #   * `ALLOW` - Permit the request to go through. Not available for DNS
+    #     Firewall Advanced rules.
     #
     #   * `ALERT` - Permit the request to go through but send an alert to
     #     the logs.
@@ -1646,11 +1681,11 @@ module Aws::Route53Resolver
     #   How you want the the rule to evaluate DNS redirection in the DNS
     #   redirection chain, such as CNAME or DNAME.
     #
-    #   `Inspect_Redirection_Domain `(Default) inspects all domains in the
+    #   `INSPECT_REDIRECTION_DOMAIN`: (Default) inspects all domains in the
     #   redirection chain. The individual domains in the redirection chain
     #   must be added to the domain list.
     #
-    #   `Trust_Redirection_Domain ` inspects only the first domain in the
+    #   `TRUST_REDIRECTION_DOMAIN`: Inspects only the first domain in the
     #   redirection chain. You don't need to add the subsequent domains in
     #   the domain in the redirection list to the domain list.
     #   @return [String]
@@ -1697,11 +1732,39 @@ module Aws::Route53Resolver
     #   [1]: https://en.wikipedia.org/wiki/List_of_DNS_record_types
     #   @return [String]
     #
+    # @!attribute [rw] dns_threat_protection
+    #   The type of the DNS Firewall Advanced rule. Valid values are:
+    #
+    #   * `DGA`: Domain generation algorithms detection. DGAs are used by
+    #     attackers to generate a large number of domains to to launch
+    #     malware attacks.
+    #
+    #   * `DNS_TUNNELING`: DNS tunneling detection. DNS tunneling is used by
+    #     attackers to exfiltrate data from the client by using the DNS
+    #     tunnel without making a network connection to the client.
+    #   @return [String]
+    #
+    # @!attribute [rw] confidence_threshold
+    #   The confidence threshold for DNS Firewall Advanced. You must provide
+    #   this value when you create a DNS Firewall Advanced rule. The
+    #   confidence level values mean:
+    #
+    #   * `LOW`: Provides the highest detection rate for threats, but also
+    #     increases false positives.
+    #
+    #   * `MEDIUM`: Provides a balance between detecting threats and false
+    #     positives.
+    #
+    #   * `HIGH`: Detects only the most well corroborated threats with a low
+    #     rate of false positives.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/FirewallRule AWS API Documentation
     #
     class FirewallRule < Struct.new(
       :firewall_rule_group_id,
       :firewall_domain_list_id,
+      :firewall_threat_protection_id,
       :name,
       :priority,
       :action,
@@ -1713,7 +1776,9 @@ module Aws::Route53Resolver
       :creation_time,
       :modification_time,
       :firewall_domain_redirection_action,
-      :qtype)
+      :qtype,
+      :dns_threat_protection,
+      :confidence_threshold)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2920,9 +2985,11 @@ module Aws::Route53Resolver
     #   Optional additional filter for the rules to retrieve.
     #
     #   The action that DNS Firewall should take on a DNS query when it
-    #   matches one of the domains in the rule's domain list:
+    #   matches one of the domains in the rule's domain list, or a threat
+    #   in a DNS Firewall Advanced rule:
     #
-    #   * `ALLOW` - Permit the request to go through.
+    #   * `ALLOW` - Permit the request to go through. Not availabe for DNS
+    #     Firewall Advanced rules.
     #
     #   * `ALERT` - Permit the request to go through but send an alert to
     #     the logs.
@@ -4361,7 +4428,7 @@ module Aws::Route53Resolver
     #   * `CREATING`: Resolver is creating an association between an Amazon
     #     VPC and a query logging configuration.
     #
-    #   * `CREATED`: The association between an Amazon VPC and a query
+    #   * `ACTIVE`: The association between an Amazon VPC and a query
     #     logging configuration was successfully created. Resolver is
     #     logging queries that originate in the specified VPC.
     #
@@ -4801,32 +4868,8 @@ module Aws::Route53Resolver
     #   @return [String]
     #
     # @!attribute [rw] protocol
-    #   The protocols for the Resolver endpoints. DoH-FIPS is applicable for
-    #   inbound endpoints only.
-    #
-    #   For an inbound endpoint you can apply the protocols as follows:
-    #
-    #   * Do53 and DoH in combination.
-    #
-    #   * Do53 and DoH-FIPS in combination.
-    #
-    #   * Do53 alone.
-    #
-    #   * DoH alone.
-    #
-    #   * DoH-FIPS alone.
-    #
-    #   * None, which is treated as Do53.
-    #
-    #   For an outbound endpoint you can apply the protocols as follows:
-    #
-    #   * Do53 and DoH in combination.
-    #
-    #   * Do53 alone.
-    #
-    #   * DoH alone.
-    #
-    #   * None, which is treated as Do53.
+    #   The protocols for the target address. The protocol you choose needs
+    #   to be supported by the outbound endpoint of the Resolver rule.
     #   @return [String]
     #
     # @!attribute [rw] server_name_indication
@@ -5090,6 +5133,10 @@ module Aws::Route53Resolver
     #   The ID of the domain list to use in the rule.
     #   @return [String]
     #
+    # @!attribute [rw] firewall_threat_protection_id
+    #   The DNS Firewall Advanced rule ID.
+    #   @return [String]
+    #
     # @!attribute [rw] priority
     #   The setting that determines the processing order of the rule in the
     #   rule group. DNS Firewall processes the rules in a rule group by
@@ -5103,9 +5150,11 @@ module Aws::Route53Resolver
     #
     # @!attribute [rw] action
     #   The action that DNS Firewall should take on a DNS query when it
-    #   matches one of the domains in the rule's domain list:
+    #   matches one of the domains in the rule's domain list, or a threat
+    #   in a DNS Firewall Advanced rule:
     #
-    #   * `ALLOW` - Permit the request to go through.
+    #   * `ALLOW` - Permit the request to go through. Not available for DNS
+    #     Firewall Advanced rules.
     #
     #   * `ALERT` - Permit the request to go through but send an alert to
     #     the logs.
@@ -5155,11 +5204,11 @@ module Aws::Route53Resolver
     #   How you want the the rule to evaluate DNS redirection in the DNS
     #   redirection chain, such as CNAME or DNAME.
     #
-    #   `Inspect_Redirection_Domain `(Default) inspects all domains in the
+    #   `INSPECT_REDIRECTION_DOMAIN`: (Default) inspects all domains in the
     #   redirection chain. The individual domains in the redirection chain
     #   must be added to the domain list.
     #
-    #   `Trust_Redirection_Domain ` inspects only the first domain in the
+    #   `TRUST_REDIRECTION_DOMAIN`: Inspects only the first domain in the
     #   redirection chain. You don't need to add the subsequent domains in
     #   the domain in the redirection list to the domain list.
     #   @return [String]
@@ -5212,11 +5261,39 @@ module Aws::Route53Resolver
     #   [1]: https://en.wikipedia.org/wiki/List_of_DNS_record_types
     #   @return [String]
     #
+    # @!attribute [rw] dns_threat_protection
+    #   The type of the DNS Firewall Advanced rule. Valid values are:
+    #
+    #   * `DGA`: Domain generation algorithms detection. DGAs are used by
+    #     attackers to generate a large number of domains to to launch
+    #     malware attacks.
+    #
+    #   * `DNS_TUNNELING`: DNS tunneling detection. DNS tunneling is used by
+    #     attackers to exfiltrate data from the client by using the DNS
+    #     tunnel without making a network connection to the client.
+    #   @return [String]
+    #
+    # @!attribute [rw] confidence_threshold
+    #   The confidence threshold for DNS Firewall Advanced. You must provide
+    #   this value when you create a DNS Firewall Advanced rule. The
+    #   confidence level values mean:
+    #
+    #   * `LOW`: Provides the highest detection rate for threats, but also
+    #     increases false positives.
+    #
+    #   * `MEDIUM`: Provides a balance between detecting threats and false
+    #     positives.
+    #
+    #   * `HIGH`: Detects only the most well corroborated threats with a low
+    #     rate of false positives.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/route53resolver-2018-04-01/UpdateFirewallRuleRequest AWS API Documentation
     #
     class UpdateFirewallRuleRequest < Struct.new(
       :firewall_rule_group_id,
       :firewall_domain_list_id,
+      :firewall_threat_protection_id,
       :priority,
       :action,
       :block_response,
@@ -5225,7 +5302,9 @@ module Aws::Route53Resolver
       :block_override_ttl,
       :name,
       :firewall_domain_redirection_action,
-      :qtype)
+      :qtype,
+      :dns_threat_protection,
+      :confidence_threshold)
       SENSITIVE = []
       include Aws::Structure
     end

data/lib/aws-sdk-route53resolver.rb

@@ -54,7 +54,7 @@ module Aws::Route53Resolver
   autoload :EndpointProvider, 'aws-sdk-route53resolver/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-route53resolver/endpoints'
 
-  GEM_VERSION = '1.72.0'
+  GEM_VERSION = '1.73.0'
 
 end
 

data/sig/client.rbs

@@ -161,7 +161,7 @@ module Aws
       def create_firewall_rule: (
                                   creator_request_id: ::String,
                                   firewall_rule_group_id: ::String,
-                                  firewall_domain_list_id: ::String,
+                                  ?firewall_domain_list_id: ::String,
                                   priority: ::Integer,
                                   action: ("ALLOW" | "BLOCK" | "ALERT"),
                                   ?block_response: ("NODATA" | "NXDOMAIN" | "OVERRIDE"),
@@ -170,7 +170,9 @@ module Aws
                                   ?block_override_ttl: ::Integer,
                                   name: ::String,
                                   ?firewall_domain_redirection_action: ("INSPECT_REDIRECTION_DOMAIN" | "TRUST_REDIRECTION_DOMAIN"),
-                                  ?qtype: ::String
+                                  ?qtype: ::String,
+                                  ?dns_threat_protection: ("DGA" | "DNS_TUNNELING"),
+                                  ?confidence_threshold: ("LOW" | "MEDIUM" | "HIGH")
                                 ) -> _CreateFirewallRuleResponseSuccess
                               | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _CreateFirewallRuleResponseSuccess
 
@@ -305,7 +307,8 @@ module Aws
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Route53Resolver/Client.html#delete_firewall_rule-instance_method
       def delete_firewall_rule: (
                                   firewall_rule_group_id: ::String,
-                                  firewall_domain_list_id: ::String,
+                                  ?firewall_domain_list_id: ::String,
+                                  ?firewall_threat_protection_id: ::String,
                                   ?qtype: ::String
                                 ) -> _DeleteFirewallRuleResponseSuccess
                               | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _DeleteFirewallRuleResponseSuccess
@@ -915,7 +918,8 @@ module Aws
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Route53Resolver/Client.html#update_firewall_rule-instance_method
       def update_firewall_rule: (
                                   firewall_rule_group_id: ::String,
-                                  firewall_domain_list_id: ::String,
+                                  ?firewall_domain_list_id: ::String,
+                                  ?firewall_threat_protection_id: ::String,
                                   ?priority: ::Integer,
                                   ?action: ("ALLOW" | "BLOCK" | "ALERT"),
                                   ?block_response: ("NODATA" | "NXDOMAIN" | "OVERRIDE"),
@@ -924,7 +928,9 @@ module Aws
                                   ?block_override_ttl: ::Integer,
                                   ?name: ::String,
                                   ?firewall_domain_redirection_action: ("INSPECT_REDIRECTION_DOMAIN" | "TRUST_REDIRECTION_DOMAIN"),
-                                  ?qtype: ::String
+                                  ?qtype: ::String,
+                                  ?dns_threat_protection: ("DGA" | "DNS_TUNNELING"),
+                                  ?confidence_threshold: ("LOW" | "MEDIUM" | "HIGH")
                                 ) -> _UpdateFirewallRuleResponseSuccess
                               | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _UpdateFirewallRuleResponseSuccess
 

data/sig/types.rbs

@@ -105,6 +105,8 @@ module Aws::Route53Resolver
       attr_accessor name: ::String
       attr_accessor firewall_domain_redirection_action: ("INSPECT_REDIRECTION_DOMAIN" | "TRUST_REDIRECTION_DOMAIN")
       attr_accessor qtype: ::String
+      attr_accessor dns_threat_protection: ("DGA" | "DNS_TUNNELING")
+      attr_accessor confidence_threshold: ("LOW" | "MEDIUM" | "HIGH")
       SENSITIVE: []
     end
 
@@ -199,6 +201,7 @@ module Aws::Route53Resolver
     class DeleteFirewallRuleRequest
       attr_accessor firewall_rule_group_id: ::String
       attr_accessor firewall_domain_list_id: ::String
+      attr_accessor firewall_threat_protection_id: ::String
       attr_accessor qtype: ::String
       SENSITIVE: []
     end
@@ -331,6 +334,7 @@ module Aws::Route53Resolver
     class FirewallRule
       attr_accessor firewall_rule_group_id: ::String
       attr_accessor firewall_domain_list_id: ::String
+      attr_accessor firewall_threat_protection_id: ::String
       attr_accessor name: ::String
       attr_accessor priority: ::Integer
       attr_accessor action: ("ALLOW" | "BLOCK" | "ALERT")
@@ -343,6 +347,8 @@ module Aws::Route53Resolver
       attr_accessor modification_time: ::String
       attr_accessor firewall_domain_redirection_action: ("INSPECT_REDIRECTION_DOMAIN" | "TRUST_REDIRECTION_DOMAIN")
       attr_accessor qtype: ::String
+      attr_accessor dns_threat_protection: ("DGA" | "DNS_TUNNELING")
+      attr_accessor confidence_threshold: ("LOW" | "MEDIUM" | "HIGH")
       SENSITIVE: []
     end
 
@@ -1096,6 +1102,7 @@ module Aws::Route53Resolver
     class UpdateFirewallRuleRequest
       attr_accessor firewall_rule_group_id: ::String
       attr_accessor firewall_domain_list_id: ::String
+      attr_accessor firewall_threat_protection_id: ::String
       attr_accessor priority: ::Integer
       attr_accessor action: ("ALLOW" | "BLOCK" | "ALERT")
       attr_accessor block_response: ("NODATA" | "NXDOMAIN" | "OVERRIDE")
@@ -1105,6 +1112,8 @@ module Aws::Route53Resolver
       attr_accessor name: ::String
       attr_accessor firewall_domain_redirection_action: ("INSPECT_REDIRECTION_DOMAIN" | "TRUST_REDIRECTION_DOMAIN")
       attr_accessor qtype: ::String
+      attr_accessor dns_threat_protection: ("DGA" | "DNS_TUNNELING")
+      attr_accessor confidence_threshold: ("LOW" | "MEDIUM" | "HIGH")
       SENSITIVE: []
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-route53resolver
 version: !ruby/object:Gem::Version
-  version: 1.72.0
+  version: 1.73.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-18 00:00:00.000000000 Z
+date: 2024-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core