aws-cdk-lib 2.171.1__py3-none-any.whl → 2.173.0__py3-none-any.whl

aws_cdk/aws_route53resolver/__init__.py

@@ -713,17 +713,17 @@ class CfnFirewallRuleGroup(
         ) -> None:
             '''A single firewall rule in a rule group.
 
-            :param action: The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list: - ``ALLOW`` - Permit the request to go through. - ``ALERT`` - Permit the request to go through but send an alert to the logs. - ``BLOCK`` - Disallow the request. If this is specified,then ``BlockResponse`` must also be specified. if ``BlockResponse`` is ``OVERRIDE`` , then all of the following ``OVERRIDE`` attributes must be specified: - ``BlockOverrideDnsType`` - ``BlockOverrideDomain`` - ``BlockOverrideTtl``
+            :param action: The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advvanced rule: - ``ALLOW`` - Permit the request to go through. Not available for DNS Firewall Advanced rules. - ``ALERT`` - Permit the request to go through but send an alert to the logs. - ``BLOCK`` - Disallow the request. If this is specified,then ``BlockResponse`` must also be specified. if ``BlockResponse`` is ``OVERRIDE`` , then all of the following ``OVERRIDE`` attributes must be specified: - ``BlockOverrideDnsType`` - ``BlockOverrideDomain`` - ``BlockOverrideTtl``
             :param priority: The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
             :param block_override_dns_type: The DNS record's type. This determines the format of the record value that you provided in ``BlockOverrideDomain`` . Used for the rule action ``BLOCK`` with a ``BlockResponse`` setting of ``OVERRIDE`` .
             :param block_override_domain: The custom DNS record to send back in response to the query. Used for the rule action ``BLOCK`` with a ``BlockResponse`` setting of ``OVERRIDE`` .
             :param block_override_ttl: The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action ``BLOCK`` with a ``BlockResponse`` setting of ``OVERRIDE`` .
             :param block_response: The way that you want DNS Firewall to block the request. Used for the rule action setting ``BLOCK`` . - ``NODATA`` - Respond indicating that the query was successful, but no response is available for it. - ``NXDOMAIN`` - Respond indicating that the domain name that's in the query doesn't exist. - ``OVERRIDE`` - Provide a custom override in the response. This option requires custom handling details in the rule's ``BlockOverride*`` settings.
-            :param confidence_threshold: FirewallDomainRedirectionAction.
-            :param dns_threat_protection: FirewallDomainRedirectionAction.
+            :param confidence_threshold: The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean: - ``LOW`` : Provides the highest detection rate for threats, but also increases false positives. - ``MEDIUM`` : Provides a balance between detecting threats and false positives. - ``HIGH`` : Detects only the most well corroborated threats with a low rate of false positives.
+            :param dns_threat_protection: The type of the DNS Firewall Advanced rule. Valid values are:. - ``DGA`` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks. - ``DNS_TUNNELING`` : DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
             :param firewall_domain_list_id: The ID of the domain list that's used in the rule.
             :param firewall_domain_redirection_action: How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME, or DNAME. ``Inspect_Redirection_Domain`` (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list. ``Trust_Redirection_Domain`` inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
-            :param firewall_threat_protection_id: ResourceId.
+            :param firewall_threat_protection_id: ID of the DNS Firewall Advanced rule.
             :param qtype: The DNS query type you want the rule to evaluate. Allowed values are; - A: Returns an IPv4 address. - AAAA: Returns an Ipv6 address. - CAA: Restricts CAs that can create SSL/TLS certifications for the domain. - CNAME: Returns another domain name. - DS: Record that identifies the DNSSEC signing key of a delegated zone. - MX: Specifies mail servers. - NAPTR: Regular-expression-based rewriting of domain names. - NS: Authoritative name servers. - PTR: Maps an IP address to a domain name. - SOA: Start of authority record for the zone. - SPF: Lists the servers authorized to send emails from a domain. - SRV: Application specific values that identify servers. - TXT: Verifies email senders and application-specific values. - A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPE NUMBER , where the NUMBER can be 1-65334, for example, TYPE28. For more information, see `List of DNS record types <https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/List_of_DNS_record_types>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53resolver-firewallrulegroup-firewallrule.html
@@ -793,7 +793,9 @@ class CfnFirewallRuleGroup(
 
         @builtins.property
         def action(self) -> builtins.str:
-            '''The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:  - ``ALLOW`` - Permit the request to go through.
+            '''The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advvanced rule:  - ``ALLOW`` - Permit the request to go through.
+
+            Not available for DNS Firewall Advanced rules.
 
             - ``ALERT`` - Permit the request to go through but send an alert to the logs.
             - ``BLOCK`` - Disallow the request. If this is specified,then ``BlockResponse`` must also be specified.
@@ -870,7 +872,13 @@ class CfnFirewallRuleGroup(
 
         @builtins.property
         def confidence_threshold(self) -> typing.Optional[builtins.str]:
-            '''FirewallDomainRedirectionAction.
+            '''The confidence threshold for DNS Firewall Advanced.
+
+            You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
+
+            - ``LOW`` : Provides the highest detection rate for threats, but also increases false positives.
+            - ``MEDIUM`` : Provides a balance between detecting threats and false positives.
+            - ``HIGH`` : Detects only the most well corroborated threats with a low rate of false positives.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53resolver-firewallrulegroup-firewallrule.html#cfn-route53resolver-firewallrulegroup-firewallrule-confidencethreshold
             '''
@@ -879,7 +887,10 @@ class CfnFirewallRuleGroup(
 
         @builtins.property
         def dns_threat_protection(self) -> typing.Optional[builtins.str]:
-            '''FirewallDomainRedirectionAction.
+            '''The type of the DNS Firewall Advanced rule. Valid values are:.
+
+            - ``DGA`` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks.
+            - ``DNS_TUNNELING`` : DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53resolver-firewallrulegroup-firewallrule.html#cfn-route53resolver-firewallrulegroup-firewallrule-dnsthreatprotection
             '''
@@ -910,7 +921,7 @@ class CfnFirewallRuleGroup(
 
         @builtins.property
         def firewall_threat_protection_id(self) -> typing.Optional[builtins.str]:
-            '''ResourceId.
+            '''ID of the DNS Firewall Advanced rule.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53resolver-firewallrulegroup-firewallrule.html#cfn-route53resolver-firewallrulegroup-firewallrule-firewallthreatprotectionid
             '''

aws_cdk/aws_s3/__init__.py

@@ -4244,7 +4244,7 @@ class CfnBucket(
         :param logging_configuration: Settings that define where logs are stored.
         :param metrics_configurations: Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see `PutBucketMetricsConfiguration <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html>`_ .
         :param notification_configuration: Configuration that defines how Amazon S3 handles bucket notifications.
-        :param object_lock_configuration: .. epigraph:: This operation is not supported by directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ . .. epigraph:: - The ``DefaultRetention`` settings require both a mode and a period. - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ .
+        :param object_lock_configuration: .. epigraph:: This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ . .. epigraph:: - The ``DefaultRetention`` settings require both a mode and a period. - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ .
         :param object_lock_enabled: Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket.
         :param ownership_controls: Configuration that defines how Amazon S3 handles Object Ownership rules.
         :param public_access_block_configuration: Configuration that defines how Amazon S3 handles public access.
@@ -4597,7 +4597,7 @@ class CfnBucket(
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.ObjectLockConfigurationProperty"]]:
         '''.. epigraph::
 
-   This operation is not supported by directory buckets.'''
+   This operation is not supported for directory buckets.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.ObjectLockConfigurationProperty"]], jsii.get(self, "objectLockConfiguration"))
 
     @object_lock_configuration.setter
@@ -10797,7 +10797,7 @@ class CfnBucketProps:
         :param logging_configuration: Settings that define where logs are stored.
         :param metrics_configurations: Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see `PutBucketMetricsConfiguration <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html>`_ .
         :param notification_configuration: Configuration that defines how Amazon S3 handles bucket notifications.
-        :param object_lock_configuration: .. epigraph:: This operation is not supported by directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ . .. epigraph:: - The ``DefaultRetention`` settings require both a mode and a period. - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ .
+        :param object_lock_configuration: .. epigraph:: This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ . .. epigraph:: - The ``DefaultRetention`` settings require both a mode and a period. - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ .
         :param object_lock_enabled: Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket.
         :param ownership_controls: Configuration that defines how Amazon S3 handles Object Ownership rules.
         :param public_access_block_configuration: Configuration that defines how Amazon S3 handles public access.
@@ -11046,7 +11046,7 @@ class CfnBucketProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnBucket.ObjectLockConfigurationProperty]]:
         '''.. epigraph::
 
-   This operation is not supported by directory buckets.
+   This operation is not supported for directory buckets.
 
         Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ .
         .. epigraph::