npm - @aws-sdk/client-network-firewall - Versions diffs - 3.301.0 → 3.306.0 - Mend

@aws-sdk/client-network-firewall 3.301.0 → 3.306.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/dist-types/models/models_0.d.ts CHANGED Viewed

@@ -214,11 +214,16 @@ export declare class ThrottlingException extends __BaseException {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum IPAddressType {
-    DUALSTACK = "DUALSTACK",
-    IPV4 = "IPV4"
-}
+export declare const IPAddressType: {
+    readonly DUALSTACK: "DUALSTACK";
+    readonly IPV4: "IPV4";
+};
+/**
+ * @public
+ */
+export type IPAddressType = (typeof IPAddressType)[keyof typeof IPAddressType];
 /**
  * @public
  * <p>The ID for a subnet that you want to associate with the firewall. This is used with
@@ -300,13 +305,18 @@ export declare class InsufficientCapacityException extends __BaseException {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum AttachmentStatus {
-    CREATING = "CREATING",
-    DELETING = "DELETING",
-    READY = "READY",
-    SCALING = "SCALING"
-}
+export declare const AttachmentStatus: {
+    readonly CREATING: "CREATING";
+    readonly DELETING: "DELETING";
+    readonly READY: "READY";
+    readonly SCALING: "SCALING";
+};
+/**
+ * @public
+ */
+export type AttachmentStatus = (typeof AttachmentStatus)[keyof typeof AttachmentStatus];
 /**
  * @public
  * <p>The configuration and status for a single subnet that you've specified for use by the
@@ -378,19 +388,51 @@ export interface CapacityUsageSummary {
 }
 /**
  * @public
+ * <p>Contains metadata about an Certificate Manager certificate.</p>
  */
-export declare enum ConfigurationSyncState {
-    CAPACITY_CONSTRAINED = "CAPACITY_CONSTRAINED",
-    IN_SYNC = "IN_SYNC",
-    PENDING = "PENDING"
+export interface TlsCertificateData {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the certificate.</p>
+     */
+    CertificateArn?: string;
+    /**
+     * <p>The serial number of the certificate.</p>
+     */
+    CertificateSerial?: string;
+    /**
+     * <p>The status of the certificate.</p>
+     */
+    Status?: string;
+    /**
+     * <p>Contains details about the certificate status, including information about certificate errors.</p>
+     */
+    StatusMessage?: string;
 }
 /**
  * @public
+ * @enum
  */
-export declare enum EncryptionType {
-    AWS_OWNED_KMS_KEY = "AWS_OWNED_KMS_KEY",
-    CUSTOMER_KMS = "CUSTOMER_KMS"
-}
+export declare const ConfigurationSyncState: {
+    readonly CAPACITY_CONSTRAINED: "CAPACITY_CONSTRAINED";
+    readonly IN_SYNC: "IN_SYNC";
+    readonly PENDING: "PENDING";
+};
+/**
+ * @public
+ */
+export type ConfigurationSyncState = (typeof ConfigurationSyncState)[keyof typeof ConfigurationSyncState];
+/**
+ * @public
+ * @enum
+ */
+export declare const EncryptionType: {
+    readonly AWS_OWNED_KMS_KEY: "AWS_OWNED_KMS_KEY";
+    readonly CUSTOMER_KMS: "CUSTOMER_KMS";
+};
+/**
+ * @public
+ */
+export type EncryptionType = (typeof EncryptionType)[keyof typeof EncryptionType];
 /**
  * @public
  * <p>A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html">Encryption at rest with Amazon Web Services Key Managment Service</a> in the <i>Network Firewall Developer Guide</i>.</p>
@@ -549,20 +591,30 @@ export interface Firewall {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum FirewallStatusValue {
-    DELETING = "DELETING",
-    PROVISIONING = "PROVISIONING",
-    READY = "READY"
-}
+export declare const FirewallStatusValue: {
+    readonly DELETING: "DELETING";
+    readonly PROVISIONING: "PROVISIONING";
+    readonly READY: "READY";
+};
 /**
  * @public
  */
-export declare enum PerObjectSyncStatus {
-    CAPACITY_CONSTRAINED = "CAPACITY_CONSTRAINED",
-    IN_SYNC = "IN_SYNC",
-    PENDING = "PENDING"
-}
+export type FirewallStatusValue = (typeof FirewallStatusValue)[keyof typeof FirewallStatusValue];
+/**
+ * @public
+ * @enum
+ */
+export declare const PerObjectSyncStatus: {
+    readonly CAPACITY_CONSTRAINED: "CAPACITY_CONSTRAINED";
+    readonly IN_SYNC: "IN_SYNC";
+    readonly PENDING: "PENDING";
+};
+/**
+ * @public
+ */
+export type PerObjectSyncStatus = (typeof PerObjectSyncStatus)[keyof typeof PerObjectSyncStatus];
 /**
  * @public
  * <p>Provides configuration status for a single policy or rule group that is used for a firewall endpoint. Network Firewall
@@ -682,18 +734,28 @@ export declare class LimitExceededException extends __BaseException {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum RuleOrder {
-    DEFAULT_ACTION_ORDER = "DEFAULT_ACTION_ORDER",
-    STRICT_ORDER = "STRICT_ORDER"
-}
+export declare const RuleOrder: {
+    readonly DEFAULT_ACTION_ORDER: "DEFAULT_ACTION_ORDER";
+    readonly STRICT_ORDER: "STRICT_ORDER";
+};
 /**
  * @public
  */
-export declare enum StreamExceptionPolicy {
-    CONTINUE = "CONTINUE",
-    DROP = "DROP"
-}
+export type RuleOrder = (typeof RuleOrder)[keyof typeof RuleOrder];
+/**
+ * @public
+ * @enum
+ */
+export declare const StreamExceptionPolicy: {
+    readonly CONTINUE: "CONTINUE";
+    readonly DROP: "DROP";
+};
+/**
+ * @public
+ */
+export type StreamExceptionPolicy = (typeof StreamExceptionPolicy)[keyof typeof StreamExceptionPolicy];
 /**
  * @public
  * <p>Configuration settings for the handling of the stateful rule groups in a firewall policy. </p>
@@ -724,10 +786,15 @@ export interface StatefulEngineOptions {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum OverrideAction {
-    DROP_TO_ALERT = "DROP_TO_ALERT"
-}
+export declare const OverrideAction: {
+    readonly DROP_TO_ALERT: "DROP_TO_ALERT";
+};
+/**
+ * @public
+ */
+export type OverrideAction = (typeof OverrideAction)[keyof typeof OverrideAction];
 /**
  * @public
  * <p>The setting that allows the policy owner to change the behavior of the rule group within a policy. </p>
@@ -896,6 +963,10 @@ export interface FirewallPolicy {
      *        rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.</p>
      */
     StatefulEngineOptions?: StatefulEngineOptions;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the TLS inspection configuration.</p>
+     */
+    TLSInspectionConfigurationArn?: string;
 }
 /**
  * @public
@@ -933,11 +1004,16 @@ export interface CreateFirewallPolicyRequest {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum ResourceStatus {
-    ACTIVE = "ACTIVE",
-    DELETING = "DELETING"
-}
+export declare const ResourceStatus: {
+    readonly ACTIVE: "ACTIVE";
+    readonly DELETING: "DELETING";
+};
+/**
+ * @public
+ */
+export type ResourceStatus = (typeof ResourceStatus)[keyof typeof ResourceStatus];
 /**
  * @public
  * <p>The high-level properties of a firewall policy. This, along with the <a>FirewallPolicy</a>, define the policy. You can retrieve all objects for a firewall policy by calling <a>DescribeFirewallPolicy</a>. </p>
@@ -1011,9 +1087,9 @@ export interface CreateFirewallPolicyResponse {
 }
 /**
  * @public
- * <p>Configures one or more IP set references for a Suricata-compatible rule group. This is used in <a>CreateRuleGroup</a> or <a>UpdateRuleGroup</a>. An IP set reference is a rule variable that references a resource that you create and manage in another Amazon Web Services service, such as an Amazon VPC prefix list. Network Firewall IP set references enable you to dynamically update the contents of your rules. When you create, update, or delete the IP set you are referencing in your rule, Network Firewall automatically updates the rule's content with the changes. For more information about IP set references in Network Firewall, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references">Using IP set references</a> in the <i>Network Firewall Developer Guide</i>.</p>
+ * <p>Configures one or more IP set references for a Suricata-compatible rule group. This is used in <a>CreateRuleGroup</a> or <a>UpdateRuleGroup</a>. An IP set reference is a rule variable that references resources that you create and manage in another Amazon Web Services service, such as an Amazon VPC prefix list. Network Firewall IP set references enable you to dynamically update the contents of your rules. When you create, update, or delete the resource you are referencing in your rule, Network Firewall automatically updates the rule's content with the changes. For more information about IP set references in Network Firewall, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references">Using IP set references</a> in the <i>Network Firewall Developer Guide</i>.</p>
  *          <p>
- *         Network Firewall currently supports only <a href="https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html">Amazon VPC prefix lists</a> as IP set references.
+ *         Network Firewall currently supports <a href="https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html">Amazon VPC prefix lists</a> and <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references.html#rule-groups-referencing-resource-groups">resource groups</a> in IP set references.
  *       </p>
  */
 export interface IPSetReference {
@@ -1034,18 +1110,28 @@ export interface ReferenceSets {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum GeneratedRulesType {
-    ALLOWLIST = "ALLOWLIST",
-    DENYLIST = "DENYLIST"
-}
+export declare const GeneratedRulesType: {
+    readonly ALLOWLIST: "ALLOWLIST";
+    readonly DENYLIST: "DENYLIST";
+};
 /**
  * @public
  */
-export declare enum TargetType {
-    HTTP_HOST = "HTTP_HOST",
-    TLS_SNI = "TLS_SNI"
-}
+export type GeneratedRulesType = (typeof GeneratedRulesType)[keyof typeof GeneratedRulesType];
+/**
+ * @public
+ * @enum
+ */
+export declare const TargetType: {
+    readonly HTTP_HOST: "HTTP_HOST";
+    readonly TLS_SNI: "TLS_SNI";
+};
+/**
+ * @public
+ */
+export type TargetType = (typeof TargetType)[keyof typeof TargetType];
 /**
  * @public
  * <p>Stateful inspection criteria for a domain list rule group. </p>
@@ -1076,44 +1162,59 @@ export interface RulesSourceList {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum StatefulAction {
-    ALERT = "ALERT",
-    DROP = "DROP",
-    PASS = "PASS",
-    REJECT = "REJECT"
-}
+export declare const StatefulAction: {
+    readonly ALERT: "ALERT";
+    readonly DROP: "DROP";
+    readonly PASS: "PASS";
+    readonly REJECT: "REJECT";
+};
 /**
  * @public
  */
-export declare enum StatefulRuleDirection {
-    ANY = "ANY",
-    FORWARD = "FORWARD"
-}
+export type StatefulAction = (typeof StatefulAction)[keyof typeof StatefulAction];
 /**
  * @public
+ * @enum
  */
-export declare enum StatefulRuleProtocol {
-    ANY = "IP",
-    DCERPC = "DCERPC",
-    DHCP = "DHCP",
-    DNS = "DNS",
-    FTP = "FTP",
-    HTTP = "HTTP",
-    ICMP = "ICMP",
-    IKEV2 = "IKEV2",
-    IMAP = "IMAP",
-    KRB5 = "KRB5",
-    MSN = "MSN",
-    NTP = "NTP",
-    SMB = "SMB",
-    SMTP = "SMTP",
-    SSH = "SSH",
-    TCP = "TCP",
-    TFTP = "TFTP",
-    TLS = "TLS",
-    UDP = "UDP"
-}
+export declare const StatefulRuleDirection: {
+    readonly ANY: "ANY";
+    readonly FORWARD: "FORWARD";
+};
+/**
+ * @public
+ */
+export type StatefulRuleDirection = (typeof StatefulRuleDirection)[keyof typeof StatefulRuleDirection];
+/**
+ * @public
+ * @enum
+ */
+export declare const StatefulRuleProtocol: {
+    readonly ANY: "IP";
+    readonly DCERPC: "DCERPC";
+    readonly DHCP: "DHCP";
+    readonly DNS: "DNS";
+    readonly FTP: "FTP";
+    readonly HTTP: "HTTP";
+    readonly ICMP: "ICMP";
+    readonly IKEV2: "IKEV2";
+    readonly IMAP: "IMAP";
+    readonly KRB5: "KRB5";
+    readonly MSN: "MSN";
+    readonly NTP: "NTP";
+    readonly SMB: "SMB";
+    readonly SMTP: "SMTP";
+    readonly SSH: "SSH";
+    readonly TCP: "TCP";
+    readonly TFTP: "TFTP";
+    readonly TLS: "TLS";
+    readonly UDP: "UDP";
+};
+/**
+ * @public
+ */
+export type StatefulRuleProtocol = (typeof StatefulRuleProtocol)[keyof typeof StatefulRuleProtocol];
 /**
  * @public
  * <p>The basic rule criteria for Network Firewall to use to inspect packet headers in stateful
@@ -1281,17 +1382,22 @@ export interface PortRange {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum TCPFlag {
-    ACK = "ACK",
-    CWR = "CWR",
-    ECE = "ECE",
-    FIN = "FIN",
-    PSH = "PSH",
-    RST = "RST",
-    SYN = "SYN",
-    URG = "URG"
-}
+export declare const TCPFlag: {
+    readonly ACK: "ACK";
+    readonly CWR: "CWR";
+    readonly ECE: "ECE";
+    readonly FIN: "FIN";
+    readonly PSH: "PSH";
+    readonly RST: "RST";
+    readonly SYN: "SYN";
+    readonly URG: "URG";
+};
+/**
+ * @public
+ */
+export type TCPFlag = (typeof TCPFlag)[keyof typeof TCPFlag];
 /**
  * @public
  * <p>TCP flags and masks to inspect packets for, used in stateless rules <a>MatchAttributes</a> settings.</p>
@@ -1581,11 +1687,16 @@ export interface SourceMetadata {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum RuleGroupType {
-    STATEFUL = "STATEFUL",
-    STATELESS = "STATELESS"
-}
+export declare const RuleGroupType: {
+    readonly STATEFUL: "STATEFUL";
+    readonly STATELESS: "STATELESS";
+};
+/**
+ * @public
+ */
+export type RuleGroupType = (typeof RuleGroupType)[keyof typeof RuleGroupType];
 /**
  * @public
  */
@@ -1775,6 +1886,165 @@ export interface CreateRuleGroupResponse {
      */
     RuleGroupResponse: RuleGroupResponse | undefined;
 }
+/**
+ * @public
+ * <p>Settings that define the Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic that Network Firewall should decrypt for inspection by the stateful rule engine.</p>
+ */
+export interface ServerCertificateScope {
+    /**
+     * <p>The source IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this
+     * matches with any source address.</p>
+     */
+    Sources?: Address[];
+    /**
+     * <p>The destination IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this
+     * matches with any destination address.</p>
+     */
+    Destinations?: Address[];
+    /**
+     * <p>The source ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any source port.</p>
+     *          <p>You can specify individual ports, for example <code>1994</code>, and you can specify port ranges, such as <code>1990:1994</code>.</p>
+     */
+    SourcePorts?: PortRange[];
+    /**
+     * <p>The destination ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any destination port.</p>
+     *          <p>You can specify individual ports, for example <code>1994</code>, and you can specify port ranges, such as <code>1990:1994</code>.</p>
+     */
+    DestinationPorts?: PortRange[];
+    /**
+     * <p>The protocols to decrypt for inspection, specified using each protocol's assigned internet protocol number
+     * (IANA). Network Firewall currently supports only TCP.</p>
+     */
+    Protocols?: number[];
+}
+/**
+ * @public
+ * <p>Any Certificate Manager Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a <a>ServerCertificateConfiguration</a> used in a <a>TLSInspectionConfiguration</a>. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in Certificate Manager, see <a href="https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html">Request a public certificate </a> or <a href="https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html">Importing certificates</a> in the <i>Certificate Manager User Guide</i>.</p>
+ */
+export interface ServerCertificate {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the Certificate Manager SSL/TLS server certificate.</p>
+     */
+    ResourceArn?: string;
+}
+/**
+ * @public
+ * <p>Configures the associated Certificate Manager Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificates and scope settings Network Firewall uses to decrypt traffic in a <a>TLSInspectionConfiguration</a>. For information about working with SSL/TLS certificates for TLS inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html"> Requirements for using SSL/TLS server certficiates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>.</p>
+ *          <note>
+ *             <p>If a server certificate that's associated with your <a>TLSInspectionConfiguration</a> is revoked, deleted, or expired it can result in client-side TLS errors.</p>
+ *          </note>
+ */
+export interface ServerCertificateConfiguration {
+    /**
+     * <p>The list of a server certificate configuration's Certificate Manager SSL/TLS certificates.</p>
+     */
+    ServerCertificates?: ServerCertificate[];
+    /**
+     * <p>A list of a server certificate configuration's scopes.</p>
+     */
+    Scopes?: ServerCertificateScope[];
+}
+/**
+ * @public
+ * <p>The object that defines a TLS inspection configuration. This, along with <a>TLSInspectionConfigurationResponse</a>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a>. </p>
+ *          <p>Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.</p>
+ *          <p>To use a TLS inspection configuration, you add it to a Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect inbound traffic. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html">Decrypting SSL/TLS traffic with TLS
+ * inspection configurations</a> in the <i>Network Firewall Developer Guide</i>.</p>
+ */
+export interface TLSInspectionConfiguration {
+    /**
+     * <p>Lists the server certificate configurations that are associated with the TLS configuration.</p>
+     */
+    ServerCertificateConfigurations?: ServerCertificateConfiguration[];
+}
+/**
+ * @public
+ */
+export interface CreateTLSInspectionConfigurationRequest {
+    /**
+     * <p>The descriptive name of the TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.</p>
+     */
+    TLSInspectionConfigurationName: string | undefined;
+    /**
+     * <p>The object that defines a TLS inspection configuration. This, along with <a>TLSInspectionConfigurationResponse</a>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a>. </p>
+     *          <p>Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.</p>
+     *          <p>To use a TLS inspection configuration, you add it to a Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect inbound traffic. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html">Decrypting SSL/TLS traffic with TLS
+     * inspection configurations</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     */
+    TLSInspectionConfiguration: TLSInspectionConfiguration | undefined;
+    /**
+     * <p>A description of the TLS inspection configuration. </p>
+     */
+    Description?: string;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     */
+    Tags?: Tag[];
+    /**
+     * <p>A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html">Encryption at rest with Amazon Web Services Key Managment Service</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     */
+    EncryptionConfiguration?: EncryptionConfiguration;
+}
+/**
+ * @public
+ * <p>The high-level properties of a TLS inspection configuration. This, along with the <code>TLSInspectionConfiguration</code>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <code>DescribeTLSInspectionConfiguration</code>.</p>
+ */
+export interface TLSInspectionConfigurationResponse {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the TLS inspection configuration.</p>
+     */
+    TLSInspectionConfigurationArn: string | undefined;
+    /**
+     * <p>The descriptive name of the TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.</p>
+     */
+    TLSInspectionConfigurationName: string | undefined;
+    /**
+     * <p>A unique identifier for the TLS inspection configuration. This ID is returned in the responses to create and list commands. You provide it to operations such as update and delete.</p>
+     */
+    TLSInspectionConfigurationId: string | undefined;
+    /**
+     * <p>Detailed information about the current status of a <a>TLSInspectionConfiguration</a>. You can retrieve this for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a> and providing the TLS inspection configuration name and ARN.</p>
+     */
+    TLSInspectionConfigurationStatus?: ResourceStatus | string;
+    /**
+     * <p>A description of the TLS inspection configuration. </p>
+     */
+    Description?: string;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     */
+    Tags?: Tag[];
+    /**
+     * <p>The last time that the TLS inspection configuration was changed.</p>
+     */
+    LastModifiedTime?: Date;
+    /**
+     * <p>The number of firewall policies that use this TLS inspection configuration.</p>
+     */
+    NumberOfAssociations?: number;
+    /**
+     * <p>A complex type that contains the Amazon Web Services KMS encryption configuration settings for your TLS inspection configuration.</p>
+     */
+    EncryptionConfiguration?: EncryptionConfiguration;
+    /**
+     * <p>A list of the certificates associated with the TLS inspection configuration.</p>
+     */
+    Certificates?: TlsCertificateData[];
+}
+/**
+ * @public
+ */
+export interface CreateTLSInspectionConfigurationResponse {
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the TLS inspection configuration. The token marks the state of the TLS inspection configuration resource at the time of the request. </p>
+     *          <p>To make changes to the TLS inspection configuration, you provide the token in your request. Network Firewall uses the token to ensure that the TLS inspection configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the TLS inspection configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     */
+    UpdateToken: string | undefined;
+    /**
+     * <p>The high-level properties of a TLS inspection configuration. This, along with the <a>TLSInspectionConfiguration</a>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a>. </p>
+     */
+    TLSInspectionConfigurationResponse: TLSInspectionConfigurationResponse | undefined;
+}
 /**
  * @public
  */
@@ -1903,6 +2173,30 @@ export interface DeleteRuleGroupResponse {
      */
     RuleGroupResponse: RuleGroupResponse | undefined;
 }
+/**
+ * @public
+ */
+export interface DeleteTLSInspectionConfigurationRequest {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the TLS inspection configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     */
+    TLSInspectionConfigurationArn?: string;
+    /**
+     * <p>The descriptive name of the TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     */
+    TLSInspectionConfigurationName?: string;
+}
+/**
+ * @public
+ */
+export interface DeleteTLSInspectionConfigurationResponse {
+    /**
+     * <p>The high-level properties of a TLS inspection configuration. This, along with the <a>TLSInspectionConfiguration</a>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a>. </p>
+     */
+    TLSInspectionConfigurationResponse: TLSInspectionConfigurationResponse | undefined;
+}
 /**
  * @public
  */
@@ -1987,19 +2281,29 @@ export interface DescribeLoggingConfigurationRequest {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum LogDestinationType {
-    CLOUDWATCH_LOGS = "CloudWatchLogs",
-    KINESIS_DATA_FIREHOSE = "KinesisDataFirehose",
-    S3 = "S3"
-}
+export declare const LogDestinationType: {
+    readonly CLOUDWATCH_LOGS: "CloudWatchLogs";
+    readonly KINESIS_DATA_FIREHOSE: "KinesisDataFirehose";
+    readonly S3: "S3";
+};
 /**
  * @public
  */
-export declare enum LogType {
-    ALERT = "ALERT",
-    FLOW = "FLOW"
-}
+export type LogDestinationType = (typeof LogDestinationType)[keyof typeof LogDestinationType];
+/**
+ * @public
+ * @enum
+ */
+export declare const LogType: {
+    readonly ALERT: "ALERT";
+    readonly FLOW: "FLOW";
+};
+/**
+ * @public
+ */
+export type LogType = (typeof LogType)[keyof typeof LogType];
 /**
  * @public
  * <p>Defines where Network Firewall sends logs for the firewall for one log type. This is used
@@ -2210,6 +2514,42 @@ export interface DescribeRuleGroupMetadataResponse {
      */
     LastModifiedTime?: Date;
 }
+/**
+ * @public
+ */
+export interface DescribeTLSInspectionConfigurationRequest {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the TLS inspection configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     */
+    TLSInspectionConfigurationArn?: string;
+    /**
+     * <p>The descriptive name of the TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     */
+    TLSInspectionConfigurationName?: string;
+}
+/**
+ * @public
+ */
+export interface DescribeTLSInspectionConfigurationResponse {
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the TLS inspection configuration. The token marks the state of the TLS inspection configuration resource at the time of the request. </p>
+     *          <p>To make changes to the TLS inspection configuration, you provide the token in your request. Network Firewall uses the token to ensure that the TLS inspection configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the TLS inspection configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     */
+    UpdateToken: string | undefined;
+    /**
+     * <p>The object that defines a TLS inspection configuration. This, along with <a>TLSInspectionConfigurationResponse</a>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a>. </p>
+     *          <p>Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.</p>
+     *          <p>To use a TLS inspection configuration, you add it to a Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect inbound traffic. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html">Decrypting SSL/TLS traffic with TLS
+     * inspection configurations</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     */
+    TLSInspectionConfiguration?: TLSInspectionConfiguration;
+    /**
+     * <p>The high-level properties of a TLS inspection configuration. This, along with the <a>TLSInspectionConfiguration</a>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a>. </p>
+     */
+    TLSInspectionConfigurationResponse: TLSInspectionConfigurationResponse | undefined;
+}
 /**
  * @public
  */
@@ -2364,18 +2704,28 @@ export interface ListFirewallsResponse {
 }
 /**
  * @public
+ * @enum
  */
-export declare enum ResourceManagedType {
-    AWS_MANAGED_DOMAIN_LISTS = "AWS_MANAGED_DOMAIN_LISTS",
-    AWS_MANAGED_THREAT_SIGNATURES = "AWS_MANAGED_THREAT_SIGNATURES"
-}
+export declare const ResourceManagedType: {
+    readonly AWS_MANAGED_DOMAIN_LISTS: "AWS_MANAGED_DOMAIN_LISTS";
+    readonly AWS_MANAGED_THREAT_SIGNATURES: "AWS_MANAGED_THREAT_SIGNATURES";
+};
 /**
  * @public
  */
-export declare enum ResourceManagedStatus {
-    ACCOUNT = "ACCOUNT",
-    MANAGED = "MANAGED"
-}
+export type ResourceManagedType = (typeof ResourceManagedType)[keyof typeof ResourceManagedType];
+/**
+ * @public
+ * @enum
+ */
+export declare const ResourceManagedStatus: {
+    readonly ACCOUNT: "ACCOUNT";
+    readonly MANAGED: "MANAGED";
+};
+/**
+ * @public
+ */
+export type ResourceManagedStatus = (typeof ResourceManagedStatus)[keyof typeof ResourceManagedStatus];
 /**
  * @public
  */
@@ -2475,6 +2825,52 @@ export interface ListTagsForResourceResponse {
      */
     Tags?: Tag[];
 }
+/**
+ * @public
+ */
+export interface ListTLSInspectionConfigurationsRequest {
+    /**
+     * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
+     *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
+     *          value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.</p>
+     */
+    NextToken?: string;
+    /**
+     * <p>The maximum number of objects that you want Network Firewall to return for this request. If more
+     *           objects are available, in the response, Network Firewall provides a
+     *          <code>NextToken</code> value that you can use in a subsequent call to get the next batch of objects.</p>
+     */
+    MaxResults?: number;
+}
+/**
+ * @public
+ * <p>High-level information about a TLS inspection configuration, returned by <code>ListTLSInspectionConfigurations</code>. You can use the information provided in the metadata to retrieve and manage a TLS configuration.</p>
+ */
+export interface TLSInspectionConfigurationMetadata {
+    /**
+     * <p>The descriptive name of the TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.</p>
+     */
+    Name?: string;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the TLS inspection configuration.</p>
+     */
+    Arn?: string;
+}
+/**
+ * @public
+ */
+export interface ListTLSInspectionConfigurationsResponse {
+    /**
+     * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
+     *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
+     *          value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.</p>
+     */
+    NextToken?: string;
+    /**
+     * <p>The TLS inspection configuration metadata objects that you've defined. Depending on your setting for max results and the number of TLS inspection configurations, this might not be the full list.</p>
+     */
+    TLSInspectionConfigurations?: TLSInspectionConfigurationMetadata[];
+}
 /**
  * @public
  * <p>Unable to send logs to a configured logging destination. </p>
@@ -3007,3 +3403,50 @@ export interface UpdateSubnetChangeProtectionResponse {
      */
     SubnetChangeProtection?: boolean;
 }
+/**
+ * @public
+ */
+export interface UpdateTLSInspectionConfigurationRequest {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the TLS inspection configuration.</p>
+     */
+    TLSInspectionConfigurationArn?: string;
+    /**
+     * <p>The descriptive name of the TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.</p>
+     */
+    TLSInspectionConfigurationName?: string;
+    /**
+     * <p>The object that defines a TLS inspection configuration. This, along with <a>TLSInspectionConfigurationResponse</a>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a>. </p>
+     *          <p>Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.</p>
+     *          <p>To use a TLS inspection configuration, you add it to a Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect inbound traffic. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html">Decrypting SSL/TLS traffic with TLS
+     * inspection configurations</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     */
+    TLSInspectionConfiguration: TLSInspectionConfiguration | undefined;
+    /**
+     * <p>A description of the TLS inspection configuration. </p>
+     */
+    Description?: string;
+    /**
+     * <p>A complex type that contains the Amazon Web Services KMS encryption configuration settings for your TLS inspection configuration.</p>
+     */
+    EncryptionConfiguration?: EncryptionConfiguration;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the TLS inspection configuration. The token marks the state of the TLS inspection configuration resource at the time of the request. </p>
+     *          <p>To make changes to the TLS inspection configuration, you provide the token in your request. Network Firewall uses the token to ensure that the TLS inspection configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the TLS inspection configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     */
+    UpdateToken: string | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateTLSInspectionConfigurationResponse {
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the TLS inspection configuration. The token marks the state of the TLS inspection configuration resource at the time of the request. </p>
+     *          <p>To make changes to the TLS inspection configuration, you provide the token in your request. Network Firewall uses the token to ensure that the TLS inspection configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the TLS inspection configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     */
+    UpdateToken: string | undefined;
+    /**
+     * <p>The high-level properties of a TLS inspection configuration. This, along with the <a>TLSInspectionConfiguration</a>, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling <a>DescribeTLSInspectionConfiguration</a>. </p>
+     */
+    TLSInspectionConfigurationResponse: TLSInspectionConfigurationResponse | undefined;
+}