aws-cdk-lib 2.162.0__py3-none-any.whl → 2.163.0__py3-none-any.whl

aws_cdk/aws_fms/__init__.py

@@ -300,7 +300,48 @@ class CfnPolicy(
                 # the properties below are optional
                 managed_service_data="managedServiceData",
                 policy_option=fms.CfnPolicy.PolicyOptionProperty(
-                    network_acl_common_policy=fms.CfnPolicy.NetworkAclCommonPolicyProperty(),
+                    network_acl_common_policy=fms.CfnPolicy.NetworkAclCommonPolicyProperty(
+                        network_acl_entry_set=fms.CfnPolicy.NetworkAclEntrySetProperty(
+                            force_remediate_for_first_entries=False,
+                            force_remediate_for_last_entries=False,
+        
+                            # the properties below are optional
+                            first_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                                egress=False,
+                                protocol="protocol",
+                                rule_action="ruleAction",
+        
+                                # the properties below are optional
+                                cidr_block="cidrBlock",
+                                icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                    code=123,
+                                    type=123
+                                ),
+                                ipv6_cidr_block="ipv6CidrBlock",
+                                port_range=fms.CfnPolicy.PortRangeProperty(
+                                    from=123,
+                                    to=123
+                                )
+                            )],
+                            last_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                                egress=False,
+                                protocol="protocol",
+                                rule_action="ruleAction",
+        
+                                # the properties below are optional
+                                cidr_block="cidrBlock",
+                                icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                    code=123,
+                                    type=123
+                                ),
+                                ipv6_cidr_block="ipv6CidrBlock",
+                                port_range=fms.CfnPolicy.PortRangeProperty(
+                                    from=123,
+                                    to=123
+                                )
+                            )]
+                        )
+                    ),
                     network_firewall_policy=fms.CfnPolicy.NetworkFirewallPolicyProperty(
                         firewall_deployment_model="firewallDeploymentModel"
                     ),
@@ -770,19 +811,91 @@ class CfnPolicy(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_fms.CfnPolicy.IcmpTypeCodeProperty",
+        jsii_struct_bases=[],
+        name_mapping={"code": "code", "type": "type"},
+    )
+    class IcmpTypeCodeProperty:
+        def __init__(self, *, code: jsii.Number, type: jsii.Number) -> None:
+            '''ICMP protocol: The ICMP type and code.
+
+            :param code: ICMP code.
+            :param type: ICMP type.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-icmptypecode.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_fms as fms
+                
+                icmp_type_code_property = fms.CfnPolicy.IcmpTypeCodeProperty(
+                    code=123,
+                    type=123
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__65b9cc6166ca508cd4c5ab4d066ea459564143dea548a99b579d93e51f574165)
+                check_type(argname="argument code", value=code, expected_type=type_hints["code"])
+                check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "code": code,
+                "type": type,
+            }
+
+        @builtins.property
+        def code(self) -> jsii.Number:
+            '''ICMP code.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-icmptypecode.html#cfn-fms-policy-icmptypecode-code
+            '''
+            result = self._values.get("code")
+            assert result is not None, "Required property 'code' is missing"
+            return typing.cast(jsii.Number, result)
+
+        @builtins.property
+        def type(self) -> jsii.Number:
+            '''ICMP type.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-icmptypecode.html#cfn-fms-policy-icmptypecode-type
+            '''
+            result = self._values.get("type")
+            assert result is not None, "Required property 'type' is missing"
+            return typing.cast(jsii.Number, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "IcmpTypeCodeProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_fms.CfnPolicy.NetworkAclCommonPolicyProperty",
         jsii_struct_bases=[],
-        name_mapping={},
+        name_mapping={"network_acl_entry_set": "networkAclEntrySet"},
     )
     class NetworkAclCommonPolicyProperty:
-        def __init__(self) -> None:
+        def __init__(
+            self,
+            *,
+            network_acl_entry_set: typing.Union[_IResolvable_da3f097b, typing.Union["CfnPolicy.NetworkAclEntrySetProperty", typing.Dict[builtins.str, typing.Any]]],
+        ) -> None:
             '''Defines a Firewall Manager network ACL policy.
 
             This is used in the ``PolicyOption`` of a ``SecurityServicePolicyData`` for a ``Policy`` , when the ``SecurityServicePolicyData`` type is set to ``NETWORK_ACL_COMMON`` .
 
             For information about network ACLs, see `Control traffic to subnets using network ACLs <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html>`_ in the *Amazon Virtual Private Cloud User Guide* .
 
+            :param network_acl_entry_set: The definition of the first and last rules for the network ACL policy.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclcommonpolicy.html
             :exampleMetadata: fixture=_generated
 
@@ -792,9 +905,67 @@ class CfnPolicy(
                 # The values are placeholders you should change.
                 from aws_cdk import aws_fms as fms
                 
-                network_acl_common_policy_property = fms.CfnPolicy.NetworkAclCommonPolicyProperty()
+                network_acl_common_policy_property = fms.CfnPolicy.NetworkAclCommonPolicyProperty(
+                    network_acl_entry_set=fms.CfnPolicy.NetworkAclEntrySetProperty(
+                        force_remediate_for_first_entries=False,
+                        force_remediate_for_last_entries=False,
+                
+                        # the properties below are optional
+                        first_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                            egress=False,
+                            protocol="protocol",
+                            rule_action="ruleAction",
+                
+                            # the properties below are optional
+                            cidr_block="cidrBlock",
+                            icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                code=123,
+                                type=123
+                            ),
+                            ipv6_cidr_block="ipv6CidrBlock",
+                            port_range=fms.CfnPolicy.PortRangeProperty(
+                                from=123,
+                                to=123
+                            )
+                        )],
+                        last_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                            egress=False,
+                            protocol="protocol",
+                            rule_action="ruleAction",
+                
+                            # the properties below are optional
+                            cidr_block="cidrBlock",
+                            icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                code=123,
+                                type=123
+                            ),
+                            ipv6_cidr_block="ipv6CidrBlock",
+                            port_range=fms.CfnPolicy.PortRangeProperty(
+                                from=123,
+                                to=123
+                            )
+                        )]
+                    )
+                )
             '''
-            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__6dfc57cc41dc1d1b1ebbc44d2e08c4db8913dbb8d25d9bff92c2c760de2fdc82)
+                check_type(argname="argument network_acl_entry_set", value=network_acl_entry_set, expected_type=type_hints["network_acl_entry_set"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "network_acl_entry_set": network_acl_entry_set,
+            }
+
+        @builtins.property
+        def network_acl_entry_set(
+            self,
+        ) -> typing.Union[_IResolvable_da3f097b, "CfnPolicy.NetworkAclEntrySetProperty"]:
+            '''The definition of the first and last rules for the network ACL policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclcommonpolicy.html#cfn-fms-policy-networkaclcommonpolicy-networkaclentryset
+            '''
+            result = self._values.get("network_acl_entry_set")
+            assert result is not None, "Required property 'network_acl_entry_set' is missing"
+            return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnPolicy.NetworkAclEntrySetProperty"], result)
 
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -807,6 +978,349 @@ class CfnPolicy(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_fms.CfnPolicy.NetworkAclEntryProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "egress": "egress",
+            "protocol": "protocol",
+            "rule_action": "ruleAction",
+            "cidr_block": "cidrBlock",
+            "icmp_type_code": "icmpTypeCode",
+            "ipv6_cidr_block": "ipv6CidrBlock",
+            "port_range": "portRange",
+        },
+    )
+    class NetworkAclEntryProperty:
+        def __init__(
+            self,
+            *,
+            egress: typing.Union[builtins.bool, _IResolvable_da3f097b],
+            protocol: builtins.str,
+            rule_action: builtins.str,
+            cidr_block: typing.Optional[builtins.str] = None,
+            icmp_type_code: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnPolicy.IcmpTypeCodeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            ipv6_cidr_block: typing.Optional[builtins.str] = None,
+            port_range: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnPolicy.PortRangeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''Describes a rule in a network ACL.
+
+            Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining
+            whether a packet should be allowed in or out of a subnet associated with the network ACL, AWS processes the entries in the network ACL according to the rule numbers, in ascending order.
+
+            When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.
+
+            :param egress: Indicates whether the rule is an egress, or outbound, rule (applied to traffic leaving the subnet). If it's not an egress rule, then it's an ingress, or inbound, rule.
+            :param protocol: The protocol number. A value of "-1" means all protocols.
+            :param rule_action: Indicates whether to allow or deny the traffic that matches the rule.
+            :param cidr_block: The IPv4 network range to allow or deny, in CIDR notation.
+            :param icmp_type_code: ICMP protocol: The ICMP type and code.
+            :param ipv6_cidr_block: The IPv6 network range to allow or deny, in CIDR notation.
+            :param port_range: TCP or UDP protocols: The range of ports the rule applies to.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentry.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_fms as fms
+                
+                network_acl_entry_property = fms.CfnPolicy.NetworkAclEntryProperty(
+                    egress=False,
+                    protocol="protocol",
+                    rule_action="ruleAction",
+                
+                    # the properties below are optional
+                    cidr_block="cidrBlock",
+                    icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                        code=123,
+                        type=123
+                    ),
+                    ipv6_cidr_block="ipv6CidrBlock",
+                    port_range=fms.CfnPolicy.PortRangeProperty(
+                        from=123,
+                        to=123
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__7a315c8565b94dd4f1c73bc5bb6afd0ade3bc8461a7c74c1098d0d7f66076bf4)
+                check_type(argname="argument egress", value=egress, expected_type=type_hints["egress"])
+                check_type(argname="argument protocol", value=protocol, expected_type=type_hints["protocol"])
+                check_type(argname="argument rule_action", value=rule_action, expected_type=type_hints["rule_action"])
+                check_type(argname="argument cidr_block", value=cidr_block, expected_type=type_hints["cidr_block"])
+                check_type(argname="argument icmp_type_code", value=icmp_type_code, expected_type=type_hints["icmp_type_code"])
+                check_type(argname="argument ipv6_cidr_block", value=ipv6_cidr_block, expected_type=type_hints["ipv6_cidr_block"])
+                check_type(argname="argument port_range", value=port_range, expected_type=type_hints["port_range"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "egress": egress,
+                "protocol": protocol,
+                "rule_action": rule_action,
+            }
+            if cidr_block is not None:
+                self._values["cidr_block"] = cidr_block
+            if icmp_type_code is not None:
+                self._values["icmp_type_code"] = icmp_type_code
+            if ipv6_cidr_block is not None:
+                self._values["ipv6_cidr_block"] = ipv6_cidr_block
+            if port_range is not None:
+                self._values["port_range"] = port_range
+
+        @builtins.property
+        def egress(self) -> typing.Union[builtins.bool, _IResolvable_da3f097b]:
+            '''Indicates whether the rule is an egress, or outbound, rule (applied to traffic leaving the subnet).
+
+            If it's not an egress rule, then it's an ingress, or inbound, rule.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentry.html#cfn-fms-policy-networkaclentry-egress
+            '''
+            result = self._values.get("egress")
+            assert result is not None, "Required property 'egress' is missing"
+            return typing.cast(typing.Union[builtins.bool, _IResolvable_da3f097b], result)
+
+        @builtins.property
+        def protocol(self) -> builtins.str:
+            '''The protocol number.
+
+            A value of "-1" means all protocols.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentry.html#cfn-fms-policy-networkaclentry-protocol
+            '''
+            result = self._values.get("protocol")
+            assert result is not None, "Required property 'protocol' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def rule_action(self) -> builtins.str:
+            '''Indicates whether to allow or deny the traffic that matches the rule.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentry.html#cfn-fms-policy-networkaclentry-ruleaction
+            '''
+            result = self._values.get("rule_action")
+            assert result is not None, "Required property 'rule_action' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def cidr_block(self) -> typing.Optional[builtins.str]:
+            '''The IPv4 network range to allow or deny, in CIDR notation.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentry.html#cfn-fms-policy-networkaclentry-cidrblock
+            '''
+            result = self._values.get("cidr_block")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def icmp_type_code(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnPolicy.IcmpTypeCodeProperty"]]:
+            '''ICMP protocol: The ICMP type and code.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentry.html#cfn-fms-policy-networkaclentry-icmptypecode
+            '''
+            result = self._values.get("icmp_type_code")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnPolicy.IcmpTypeCodeProperty"]], result)
+
+        @builtins.property
+        def ipv6_cidr_block(self) -> typing.Optional[builtins.str]:
+            '''The IPv6 network range to allow or deny, in CIDR notation.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentry.html#cfn-fms-policy-networkaclentry-ipv6cidrblock
+            '''
+            result = self._values.get("ipv6_cidr_block")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def port_range(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnPolicy.PortRangeProperty"]]:
+            '''TCP or UDP protocols: The range of ports the rule applies to.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentry.html#cfn-fms-policy-networkaclentry-portrange
+            '''
+            result = self._values.get("port_range")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnPolicy.PortRangeProperty"]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "NetworkAclEntryProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_fms.CfnPolicy.NetworkAclEntrySetProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "force_remediate_for_first_entries": "forceRemediateForFirstEntries",
+            "force_remediate_for_last_entries": "forceRemediateForLastEntries",
+            "first_entries": "firstEntries",
+            "last_entries": "lastEntries",
+        },
+    )
+    class NetworkAclEntrySetProperty:
+        def __init__(
+            self,
+            *,
+            force_remediate_for_first_entries: typing.Union[builtins.bool, _IResolvable_da3f097b],
+            force_remediate_for_last_entries: typing.Union[builtins.bool, _IResolvable_da3f097b],
+            first_entries: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnPolicy.NetworkAclEntryProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            last_entries: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnPolicy.NetworkAclEntryProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        ) -> None:
+            '''The configuration of the first and last rules for the network ACL policy, and the remediation settings for each.
+
+            :param force_remediate_for_first_entries: Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see `Remediation for managed network ACLs <https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation>`_ in the *AWS Firewall Manager Developer Guide* .
+            :param force_remediate_for_last_entries: Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see `Remediation for managed network ACLs <https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation>`_ in the *AWS Firewall Manager Developer Guide* .
+            :param first_entries: The rules that you want to run first in the Firewall Manager managed network ACLs. .. epigraph:: Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates. You must specify at least one first entry or one last entry in any network ACL policy.
+            :param last_entries: The rules that you want to run last in the Firewall Manager managed network ACLs. .. epigraph:: Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates. You must specify at least one first entry or one last entry in any network ACL policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentryset.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_fms as fms
+                
+                network_acl_entry_set_property = fms.CfnPolicy.NetworkAclEntrySetProperty(
+                    force_remediate_for_first_entries=False,
+                    force_remediate_for_last_entries=False,
+                
+                    # the properties below are optional
+                    first_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                        egress=False,
+                        protocol="protocol",
+                        rule_action="ruleAction",
+                
+                        # the properties below are optional
+                        cidr_block="cidrBlock",
+                        icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                            code=123,
+                            type=123
+                        ),
+                        ipv6_cidr_block="ipv6CidrBlock",
+                        port_range=fms.CfnPolicy.PortRangeProperty(
+                            from=123,
+                            to=123
+                        )
+                    )],
+                    last_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                        egress=False,
+                        protocol="protocol",
+                        rule_action="ruleAction",
+                
+                        # the properties below are optional
+                        cidr_block="cidrBlock",
+                        icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                            code=123,
+                            type=123
+                        ),
+                        ipv6_cidr_block="ipv6CidrBlock",
+                        port_range=fms.CfnPolicy.PortRangeProperty(
+                            from=123,
+                            to=123
+                        )
+                    )]
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__b2907f7090b00fafcfa0eb4f641b098a7fa37436ba6c4ffff2dafc1595c81a6e)
+                check_type(argname="argument force_remediate_for_first_entries", value=force_remediate_for_first_entries, expected_type=type_hints["force_remediate_for_first_entries"])
+                check_type(argname="argument force_remediate_for_last_entries", value=force_remediate_for_last_entries, expected_type=type_hints["force_remediate_for_last_entries"])
+                check_type(argname="argument first_entries", value=first_entries, expected_type=type_hints["first_entries"])
+                check_type(argname="argument last_entries", value=last_entries, expected_type=type_hints["last_entries"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "force_remediate_for_first_entries": force_remediate_for_first_entries,
+                "force_remediate_for_last_entries": force_remediate_for_last_entries,
+            }
+            if first_entries is not None:
+                self._values["first_entries"] = first_entries
+            if last_entries is not None:
+                self._values["last_entries"] = last_entries
+
+        @builtins.property
+        def force_remediate_for_first_entries(
+            self,
+        ) -> typing.Union[builtins.bool, _IResolvable_da3f097b]:
+            '''Applies only when remediation is enabled for the policy as a whole.
+
+            Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
+
+            If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see `Remediation for managed network ACLs <https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation>`_ in the *AWS Firewall Manager Developer Guide* .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentryset.html#cfn-fms-policy-networkaclentryset-forceremediateforfirstentries
+            '''
+            result = self._values.get("force_remediate_for_first_entries")
+            assert result is not None, "Required property 'force_remediate_for_first_entries' is missing"
+            return typing.cast(typing.Union[builtins.bool, _IResolvable_da3f097b], result)
+
+        @builtins.property
+        def force_remediate_for_last_entries(
+            self,
+        ) -> typing.Union[builtins.bool, _IResolvable_da3f097b]:
+            '''Applies only when remediation is enabled for the policy as a whole.
+
+            Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
+
+            If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see `Remediation for managed network ACLs <https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation>`_ in the *AWS Firewall Manager Developer Guide* .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentryset.html#cfn-fms-policy-networkaclentryset-forceremediateforlastentries
+            '''
+            result = self._values.get("force_remediate_for_last_entries")
+            assert result is not None, "Required property 'force_remediate_for_last_entries' is missing"
+            return typing.cast(typing.Union[builtins.bool, _IResolvable_da3f097b], result)
+
+        @builtins.property
+        def first_entries(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnPolicy.NetworkAclEntryProperty"]]]]:
+            '''The rules that you want to run first in the Firewall Manager managed network ACLs.
+
+            .. epigraph::
+
+               Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
+
+            You must specify at least one first entry or one last entry in any network ACL policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentryset.html#cfn-fms-policy-networkaclentryset-firstentries
+            '''
+            result = self._values.get("first_entries")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnPolicy.NetworkAclEntryProperty"]]]], result)
+
+        @builtins.property
+        def last_entries(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnPolicy.NetworkAclEntryProperty"]]]]:
+            '''The rules that you want to run last in the Firewall Manager managed network ACLs.
+
+            .. epigraph::
+
+               Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
+
+            You must specify at least one first entry or one last entry in any network ACL policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkaclentryset.html#cfn-fms-policy-networkaclentryset-lastentries
+            '''
+            result = self._values.get("last_entries")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnPolicy.NetworkAclEntryProperty"]]]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "NetworkAclEntrySetProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_fms.CfnPolicy.NetworkFirewallPolicyProperty",
         jsii_struct_bases=[],
@@ -896,7 +1410,48 @@ class CfnPolicy(
                 from aws_cdk import aws_fms as fms
                 
                 policy_option_property = fms.CfnPolicy.PolicyOptionProperty(
-                    network_acl_common_policy=fms.CfnPolicy.NetworkAclCommonPolicyProperty(),
+                    network_acl_common_policy=fms.CfnPolicy.NetworkAclCommonPolicyProperty(
+                        network_acl_entry_set=fms.CfnPolicy.NetworkAclEntrySetProperty(
+                            force_remediate_for_first_entries=False,
+                            force_remediate_for_last_entries=False,
+                
+                            # the properties below are optional
+                            first_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                                egress=False,
+                                protocol="protocol",
+                                rule_action="ruleAction",
+                
+                                # the properties below are optional
+                                cidr_block="cidrBlock",
+                                icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                    code=123,
+                                    type=123
+                                ),
+                                ipv6_cidr_block="ipv6CidrBlock",
+                                port_range=fms.CfnPolicy.PortRangeProperty(
+                                    from=123,
+                                    to=123
+                                )
+                            )],
+                            last_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                                egress=False,
+                                protocol="protocol",
+                                rule_action="ruleAction",
+                
+                                # the properties below are optional
+                                cidr_block="cidrBlock",
+                                icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                    code=123,
+                                    type=123
+                                ),
+                                ipv6_cidr_block="ipv6CidrBlock",
+                                port_range=fms.CfnPolicy.PortRangeProperty(
+                                    from=123,
+                                    to=123
+                                )
+                            )]
+                        )
+                    ),
                     network_firewall_policy=fms.CfnPolicy.NetworkFirewallPolicyProperty(
                         firewall_deployment_model="firewallDeploymentModel"
                     ),
@@ -1034,6 +1589,72 @@ class CfnPolicy(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_fms.CfnPolicy.PortRangeProperty",
+        jsii_struct_bases=[],
+        name_mapping={"from_": "from", "to": "to"},
+    )
+    class PortRangeProperty:
+        def __init__(self, *, from_: jsii.Number, to: jsii.Number) -> None:
+            '''TCP or UDP protocols: The range of ports the rule applies to.
+
+            :param from_: The beginning port number of the range.
+            :param to: The ending port number of the range.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-portrange.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_fms as fms
+                
+                port_range_property = fms.CfnPolicy.PortRangeProperty(
+                    from=123,
+                    to=123
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__fbc1cd0112a3be4230fd0e2a96f8a5e7799f9f8c3925aad80c6eef4a1172da43)
+                check_type(argname="argument from_", value=from_, expected_type=type_hints["from_"])
+                check_type(argname="argument to", value=to, expected_type=type_hints["to"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "from_": from_,
+                "to": to,
+            }
+
+        @builtins.property
+        def from_(self) -> jsii.Number:
+            '''The beginning port number of the range.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-portrange.html#cfn-fms-policy-portrange-from
+            '''
+            result = self._values.get("from_")
+            assert result is not None, "Required property 'from_' is missing"
+            return typing.cast(jsii.Number, result)
+
+        @builtins.property
+        def to(self) -> jsii.Number:
+            '''The ending port number of the range.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-portrange.html#cfn-fms-policy-portrange-to
+            '''
+            result = self._values.get("to")
+            assert result is not None, "Required property 'to' is missing"
+            return typing.cast(jsii.Number, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "PortRangeProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_fms.CfnPolicy.ResourceTagProperty",
         jsii_struct_bases=[],
@@ -1147,7 +1768,48 @@ class CfnPolicy(
                     # the properties below are optional
                     managed_service_data="managedServiceData",
                     policy_option=fms.CfnPolicy.PolicyOptionProperty(
-                        network_acl_common_policy=fms.CfnPolicy.NetworkAclCommonPolicyProperty(),
+                        network_acl_common_policy=fms.CfnPolicy.NetworkAclCommonPolicyProperty(
+                            network_acl_entry_set=fms.CfnPolicy.NetworkAclEntrySetProperty(
+                                force_remediate_for_first_entries=False,
+                                force_remediate_for_last_entries=False,
+                
+                                # the properties below are optional
+                                first_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                                    egress=False,
+                                    protocol="protocol",
+                                    rule_action="ruleAction",
+                
+                                    # the properties below are optional
+                                    cidr_block="cidrBlock",
+                                    icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                        code=123,
+                                        type=123
+                                    ),
+                                    ipv6_cidr_block="ipv6CidrBlock",
+                                    port_range=fms.CfnPolicy.PortRangeProperty(
+                                        from=123,
+                                        to=123
+                                    )
+                                )],
+                                last_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                                    egress=False,
+                                    protocol="protocol",
+                                    rule_action="ruleAction",
+                
+                                    # the properties below are optional
+                                    cidr_block="cidrBlock",
+                                    icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                        code=123,
+                                        type=123
+                                    ),
+                                    ipv6_cidr_block="ipv6CidrBlock",
+                                    port_range=fms.CfnPolicy.PortRangeProperty(
+                                        from=123,
+                                        to=123
+                                    )
+                                )]
+                            )
+                        ),
                         network_firewall_policy=fms.CfnPolicy.NetworkFirewallPolicyProperty(
                             firewall_deployment_model="firewallDeploymentModel"
                         ),
@@ -1436,7 +2098,48 @@ class CfnPolicyProps:
                     # the properties below are optional
                     managed_service_data="managedServiceData",
                     policy_option=fms.CfnPolicy.PolicyOptionProperty(
-                        network_acl_common_policy=fms.CfnPolicy.NetworkAclCommonPolicyProperty(),
+                        network_acl_common_policy=fms.CfnPolicy.NetworkAclCommonPolicyProperty(
+                            network_acl_entry_set=fms.CfnPolicy.NetworkAclEntrySetProperty(
+                                force_remediate_for_first_entries=False,
+                                force_remediate_for_last_entries=False,
+            
+                                # the properties below are optional
+                                first_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                                    egress=False,
+                                    protocol="protocol",
+                                    rule_action="ruleAction",
+            
+                                    # the properties below are optional
+                                    cidr_block="cidrBlock",
+                                    icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                        code=123,
+                                        type=123
+                                    ),
+                                    ipv6_cidr_block="ipv6CidrBlock",
+                                    port_range=fms.CfnPolicy.PortRangeProperty(
+                                        from=123,
+                                        to=123
+                                    )
+                                )],
+                                last_entries=[fms.CfnPolicy.NetworkAclEntryProperty(
+                                    egress=False,
+                                    protocol="protocol",
+                                    rule_action="ruleAction",
+            
+                                    # the properties below are optional
+                                    cidr_block="cidrBlock",
+                                    icmp_type_code=fms.CfnPolicy.IcmpTypeCodeProperty(
+                                        code=123,
+                                        type=123
+                                    ),
+                                    ipv6_cidr_block="ipv6CidrBlock",
+                                    port_range=fms.CfnPolicy.PortRangeProperty(
+                                        from=123,
+                                        to=123
+                                    )
+                                )]
+                            )
+                        ),
                         network_firewall_policy=fms.CfnPolicy.NetworkFirewallPolicyProperty(
                             firewall_deployment_model="firewallDeploymentModel"
                         ),
@@ -2324,6 +3027,44 @@ def _typecheckingstub__6bcb551e43b08ef4828de279b99e59a3954c4cdc19c8adfe6bf93e810
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__65b9cc6166ca508cd4c5ab4d066ea459564143dea548a99b579d93e51f574165(
+    *,
+    code: jsii.Number,
+    type: jsii.Number,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__6dfc57cc41dc1d1b1ebbc44d2e08c4db8913dbb8d25d9bff92c2c760de2fdc82(
+    *,
+    network_acl_entry_set: typing.Union[_IResolvable_da3f097b, typing.Union[CfnPolicy.NetworkAclEntrySetProperty, typing.Dict[builtins.str, typing.Any]]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__7a315c8565b94dd4f1c73bc5bb6afd0ade3bc8461a7c74c1098d0d7f66076bf4(
+    *,
+    egress: typing.Union[builtins.bool, _IResolvable_da3f097b],
+    protocol: builtins.str,
+    rule_action: builtins.str,
+    cidr_block: typing.Optional[builtins.str] = None,
+    icmp_type_code: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPolicy.IcmpTypeCodeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ipv6_cidr_block: typing.Optional[builtins.str] = None,
+    port_range: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPolicy.PortRangeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__b2907f7090b00fafcfa0eb4f641b098a7fa37436ba6c4ffff2dafc1595c81a6e(
+    *,
+    force_remediate_for_first_entries: typing.Union[builtins.bool, _IResolvable_da3f097b],
+    force_remediate_for_last_entries: typing.Union[builtins.bool, _IResolvable_da3f097b],
+    first_entries: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPolicy.NetworkAclEntryProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    last_entries: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPolicy.NetworkAclEntryProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__1dee79c6872a0421399375d5fc2757431881011031a81ccd6674040de21bac13(
     *,
     firewall_deployment_model: builtins.str,
@@ -2348,6 +3089,14 @@ def _typecheckingstub__4d5ee16e00771d59c6939cbdec3cdf3c57cdb9a09a7e914e3faf7baaa
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__fbc1cd0112a3be4230fd0e2a96f8a5e7799f9f8c3925aad80c6eef4a1172da43(
+    *,
+    from_: jsii.Number,
+    to: jsii.Number,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__1533af324aea7be8b3e806a7d4a851c48bea2139cd3bb0ce1cc81ff86e976487(
     *,
     key: builtins.str,