diff --git a/codegen/sdk-codegen/aws-models/appsync.json b/codegen/sdk-codegen/aws-models/appsync.json
index 925e9273fe0..2ad99c15cad 100644
--- a/codegen/sdk-codegen/aws-models/appsync.json
+++ b/codegen/sdk-codegen/aws-models/appsync.json
@@ -7332,7 +7332,7 @@
 "min": 20,
 "max": 2048
 },
- "smithy.api#pattern": "^arn:[a-z-]*:secretsmanager:[a-z0-9-]*:\\d{12}:secret:[0-9A-Za-z_/-]*$"
+ "smithy.api#pattern": "^arn:[a-z-]*:secretsmanager:[a-z0-9-]*:\\d{12}:secret:[0-9A-Za-z_/+=.@!-]*$"
 }
 },
 "com.amazonaws.appsync#RdsHttpEndpointConfig": {
@@ -8936,7 +8936,8 @@
 "authenticationType": {
 "target": "com.amazonaws.appsync#AuthenticationType",
 "traits": {
- "smithy.api#documentation": "
The new authentication type for the GraphqlApi
object.
The new authentication type for the GraphqlApi
object.
The current status of the request to onboard a member account as an Firewall Manager administator.
\n\n ONBOARDING
- The account is onboarding to Firewall Manager as an administrator.
\n ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
\n OFFBOARDING
- The account is being removed as an Firewall Manager administrator.
\n OFFBOARDING_COMPLETE
- The account has been removed as an Firewall Manager administrator.
The current status of the request to onboard a member account as an Firewall Manager administrator.
\n\n ONBOARDING
- The account is onboarding to Firewall Manager as an administrator.
\n ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
\n OFFBOARDING
- The account is being removed as an Firewall Manager administrator.
\n OFFBOARDING_COMPLETE
- The account has been removed as an Firewall Manager administrator.
Brief description of this remediation action.
" + } + }, + "Vpc": { + "target": "com.amazonaws.fms#ActionTarget", + "traits": { + "smithy.api#documentation": "The VPC that's associated with the remediation action.
" + } + }, + "FMSCanRemediate": { + "target": "com.amazonaws.fms#Boolean", + "traits": { + "smithy.api#default": false, + "smithy.api#documentation": "Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Information about the CreateNetworkAcl
action in Amazon EC2. This is a remediation option in RemediationAction
.
Brief description of this remediation action.
" + } + }, + "NetworkAclId": { + "target": "com.amazonaws.fms#ActionTarget", + "traits": { + "smithy.api#documentation": "The network ACL that's associated with the remediation action.
" + } + }, + "NetworkAclEntriesToBeCreated": { + "target": "com.amazonaws.fms#EntriesDescription", + "traits": { + "smithy.api#documentation": "Lists the entries that the remediation action would create.
" + } + }, + "FMSCanRemediate": { + "target": "com.amazonaws.fms#Boolean", + "traits": { + "smithy.api#default": false, + "smithy.api#documentation": "Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Information about the CreateNetworkAclEntries
action in Amazon EC2. This is a remediation option in RemediationAction
.
Brief description of this remediation action.
" + } + }, + "NetworkAclId": { + "target": "com.amazonaws.fms#ActionTarget", + "traits": { + "smithy.api#documentation": "The network ACL that's associated with the remediation action.
" + } + }, + "NetworkAclEntriesToBeDeleted": { + "target": "com.amazonaws.fms#EntriesDescription", + "traits": { + "smithy.api#documentation": "Lists the entries that the remediation action would delete.
" + } + }, + "FMSCanRemediate": { + "target": "com.amazonaws.fms#Boolean", + "traits": { + "smithy.api#default": false, + "smithy.api#documentation": "Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Information about the DeleteNetworkAclEntries
action in Amazon EC2. This is a remediation option in RemediationAction
.
Information about the ReplaceRouteTableAssociation action in Amazon EC2.
" } }, + "com.amazonaws.fms#EntriesDescription": { + "type": "list", + "member": { + "target": "com.amazonaws.fms#EntryDescription" + } + }, + "com.amazonaws.fms#EntriesWithConflicts": { + "type": "list", + "member": { + "target": "com.amazonaws.fms#EntryDescription" + } + }, + "com.amazonaws.fms#EntryDescription": { + "type": "structure", + "members": { + "EntryDetail": { + "target": "com.amazonaws.fms#NetworkAclEntry", + "traits": { + "smithy.api#documentation": "Describes a rule in a network ACL.
\nEach network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining\nwhether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the\n entries in the network ACL according to the rule numbers, in ascending order.
\nWhen you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, \n you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order \n that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.
" + } + }, + "EntryRuleNumber": { + "target": "com.amazonaws.fms#IntegerObjectMinimum0", + "traits": { + "smithy.api#default": 0, + "smithy.api#documentation": "The rule number for the entry. ACL entries are processed in ascending order by rule number. In a Firewall Manager network ACL policy, Firewall Manager \n assigns rule numbers.
" + } + }, + "EntryType": { + "target": "com.amazonaws.fms#EntryType", + "traits": { + "smithy.api#documentation": "Specifies whether the entry is managed by Firewall Manager or by a user, and, for Firewall Manager-managed entries, specifies whether the entry \n is among those that run first in the network ACL or those that run last.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Describes a single rule in a network ACL.
" + } + }, + "com.amazonaws.fms#EntryType": { + "type": "enum", + "members": { + "FMSManagedFirstEntry": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "FMS_MANAGED_FIRST_ENTRY" + } + }, + "FMSManagedLastEntry": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "FMS_MANAGED_LAST_ENTRY" + } + }, + "CustomEntry": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "CUSTOM_ENTRY" + } + } + } + }, + "com.amazonaws.fms#EntryViolation": { + "type": "structure", + "members": { + "ExpectedEntry": { + "target": "com.amazonaws.fms#EntryDescription", + "traits": { + "smithy.api#documentation": "The Firewall Manager-managed network ACL entry that is involved in the entry violation.
" + } + }, + "ExpectedEvaluationOrder": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "The evaluation location within the ordered list of entries where the ExpectedEntry
should be, according to the network ACL policy specifications.
The evaluation location within the ordered list of entries where the ExpectedEntry
is currently located.
The entry that's currently in the ExpectedEvaluationOrder
location, in place of the expected entry.
The list of entries that are in conflict with ExpectedEntry
.
Descriptions of the violations that Firewall Manager found for these entries.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Detailed information about an entry violation in a network ACL. The violation is against the network ACL specification inside the\n Firewall Manager network ACL policy. This data object is part of InvalidNetworkAclEntriesViolation
.
Returns information about the specified account's administrative scope. The admistrative scope defines the resources that an Firewall Manager administrator can manage.
" + "smithy.api#documentation": "Returns information about the specified account's administrative scope. The administrative scope defines the resources that an Firewall Manager administrator can manage.
" } }, "com.amazonaws.fms#GetAdminScopeRequest": { @@ -3222,7 +3459,7 @@ "AdminAccount": { "target": "com.amazonaws.fms#AWSAccountId", "traits": { - "smithy.api#documentation": "The administator account that you want to get the details for.
", + "smithy.api#documentation": "The administrator account that you want to get the details for.
", "smithy.api#required": {} } } @@ -3243,7 +3480,7 @@ "Status": { "target": "com.amazonaws.fms#OrganizationStatus", "traits": { - "smithy.api#documentation": "The current status of the request to onboard a member account as an Firewall Manager administator.
\n\n ONBOARDING
- The account is onboarding to Firewall Manager as an administrator.
\n ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
\n OFFBOARDING
- The account is being removed as an Firewall Manager administrator.
\n OFFBOARDING_COMPLETE
- The account has been removed as an Firewall Manager administrator.
The current status of the request to onboard a member account as an Firewall Manager administrator.
\n\n ONBOARDING
- The account is onboarding to Firewall Manager as an administrator.
\n ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
\n OFFBOARDING
- The account is being removed as an Firewall Manager administrator.
\n OFFBOARDING_COMPLETE
- The account has been removed as an Firewall Manager administrator.
Returns detailed compliance information about the specified member account. Details\n include resources that are in and out of compliance with the specified policy.
\nResources are\n considered noncompliant for WAF and Shield Advanced policies if the specified policy has\n not been applied to them.
\nResources are considered noncompliant for security group policies if\n they are in scope of the policy, they violate one or more of the policy rules, and remediation\n is disabled or not possible.
\nResources are considered noncompliant for Network Firewall policies\n if a firewall is missing in the VPC, if the firewall endpoint isn't set up in an expected Availability Zone and subnet,\n if a subnet created by the Firewall Manager doesn't have the expected route table,\n and for modifications to a firewall policy that violate the Firewall Manager policy's rules.
\nResources are considered noncompliant for DNS Firewall policies\n if a DNS Firewall rule group is missing from the rule group associations for the VPC.
\nReturns detailed compliance information about the specified member account. Details\n include resources that are in and out of compliance with the specified policy.
\nThe reasons for resources being considered compliant depend on the Firewall Manager policy type.
" } }, "com.amazonaws.fms#GetComplianceDetailRequest": { @@ -3807,7 +4044,7 @@ "PolicyId": { "target": "com.amazonaws.fms#PolicyId", "traits": { - "smithy.api#documentation": "The ID of the Firewall Manager policy that you want the details for. You can get violation details for the following policy types:
\nDNS Firewall
\nImported Network Firewall
\nNetwork Firewall
\nSecurity group content audit
\nThird-party firewall
\nThe ID of the Firewall Manager policy that you want the details for. You can get violation details for the following policy types:
\nDNS Firewall
\nImported Network Firewall
\nNetwork Firewall
\nSecurity group content audit
\nNetwork ACL
\nThird-party firewall
\nThe VPC where the violation was found.
" + } + }, + "Subnet": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The subnet that's associated with the network ACL.
" + } + }, + "SubnetAvailabilityZone": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "The Availability Zone where the network ACL is in use.
" + } + }, + "CurrentAssociatedNetworkAcl": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The network ACL containing the entry violations.
" + } + }, + "EntryViolations": { + "target": "com.amazonaws.fms#EntryViolations", + "traits": { + "smithy.api#documentation": "Detailed information about the entry violations in the network ACL.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Violation detail for the entries in a network ACL resource.
" + } + }, "com.amazonaws.fms#InvalidOperationException": { "type": "structure", "members": { @@ -3933,6 +4236,15 @@ "target": "com.amazonaws.fms#DetailedInfo" } }, + "com.amazonaws.fms#LengthBoundedNonEmptyString": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 1024 + } + } + }, "com.amazonaws.fms#LengthBoundedString": { "type": "string", "traits": { @@ -4877,6 +5189,171 @@ "smithy.api#pattern": "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$" } }, + "com.amazonaws.fms#NetworkAclCommonPolicy": { + "type": "structure", + "members": { + "NetworkAclEntrySet": { + "target": "com.amazonaws.fms#NetworkAclEntrySet", + "traits": { + "smithy.api#documentation": "The definition of the first and last rules for the network ACL policy.
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "Defines a Firewall Manager network ACL policy. This is used in the PolicyOption
of a SecurityServicePolicyData
for a Policy
, when \n the SecurityServicePolicyData
type is set to NETWORK_ACL_COMMON
.
For information about network ACLs, see \n Control traffic to subnets using network ACLs \n in the Amazon Virtual Private Cloud User Guide.
" + } + }, + "com.amazonaws.fms#NetworkAclEntries": { + "type": "list", + "member": { + "target": "com.amazonaws.fms#NetworkAclEntry" + } + }, + "com.amazonaws.fms#NetworkAclEntry": { + "type": "structure", + "members": { + "IcmpTypeCode": { + "target": "com.amazonaws.fms#NetworkAclIcmpTypeCode", + "traits": { + "smithy.api#documentation": "ICMP protocol: The ICMP type and code.
" + } + }, + "Protocol": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "The protocol number. A value of \"-1\" means all protocols.
", + "smithy.api#required": {} + } + }, + "PortRange": { + "target": "com.amazonaws.fms#NetworkAclPortRange", + "traits": { + "smithy.api#documentation": "TCP or UDP protocols: The range of ports the rule applies to.
" + } + }, + "CidrBlock": { + "target": "com.amazonaws.fms#LengthBoundedNonEmptyString", + "traits": { + "smithy.api#documentation": "The IPv4 network range to allow or deny, in CIDR notation.
" + } + }, + "Ipv6CidrBlock": { + "target": "com.amazonaws.fms#LengthBoundedNonEmptyString", + "traits": { + "smithy.api#documentation": "The IPv6 network range to allow or deny, in CIDR notation.
" + } + }, + "RuleAction": { + "target": "com.amazonaws.fms#NetworkAclRuleAction", + "traits": { + "smithy.api#documentation": "Indicates whether to allow or deny the traffic that matches the rule.
", + "smithy.api#required": {} + } + }, + "Egress": { + "target": "com.amazonaws.fms#BooleanObject", + "traits": { + "smithy.api#documentation": "Indicates whether the rule is an egress, or outbound, rule (applied to traffic leaving the subnet). If it's not\n an egress rule, then it's an ingress, or inbound, rule.
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "Describes a rule in a network ACL.
\nEach network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining\nwhether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the\n entries in the network ACL according to the rule numbers, in ascending order.
\nWhen you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, \n you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order \n that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.
" + } + }, + "com.amazonaws.fms#NetworkAclEntrySet": { + "type": "structure", + "members": { + "FirstEntries": { + "target": "com.amazonaws.fms#NetworkAclEntries", + "traits": { + "smithy.api#documentation": "The rules that you want to run first in the Firewall Manager managed network ACLs.
\nProvide these in the order in which you want them to run. Firewall Manager will assign\n the specific rule numbers for you, in the network ACLs that it creates.
\nApplies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy \n violations that involve conflicts between the custom entries and the policy entries.
\nIf forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to \n remediate. For more information about the remediation behavior, see \n Network access control list (ACL) policies \n in the Firewall Manager Developer Guide.
", + "smithy.api#required": {} + } + }, + "LastEntries": { + "target": "com.amazonaws.fms#NetworkAclEntries", + "traits": { + "smithy.api#documentation": "The rules that you want to run last in the Firewall Manager managed network ACLs.
\nProvide these in the order in which you want them to run. Firewall Manager will assign\n the specific rule numbers for you, in the network ACLs that it creates.
\nApplies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy \n violations that involve conflicts between the custom entries and the policy entries.
\nIf forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to \n remediate. For more information about the remediation behavior, see \n Network access control list (ACL) policies \n in the Firewall Manager Developer Guide.
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "The configuration of the first and last rules for the network ACL policy, and the remediation settings for each.
" + } + }, + "com.amazonaws.fms#NetworkAclIcmpTypeCode": { + "type": "structure", + "members": { + "Code": { + "target": "com.amazonaws.fms#IntegerObject", + "traits": { + "smithy.api#documentation": "ICMP code.
" + } + }, + "Type": { + "target": "com.amazonaws.fms#IntegerObject", + "traits": { + "smithy.api#documentation": "ICMP type.
" + } + } + }, + "traits": { + "smithy.api#documentation": "ICMP protocol: The ICMP type and code.
" + } + }, + "com.amazonaws.fms#NetworkAclPortRange": { + "type": "structure", + "members": { + "From": { + "target": "com.amazonaws.fms#IPPortNumberInteger", + "traits": { + "smithy.api#documentation": "The beginning port number of the range.
" + } + }, + "To": { + "target": "com.amazonaws.fms#IPPortNumberInteger", + "traits": { + "smithy.api#documentation": "The ending port number of the range.
" + } + } + }, + "traits": { + "smithy.api#documentation": "TCP or UDP protocols: The range of ports the rule applies to.
" + } + }, + "com.amazonaws.fms#NetworkAclRuleAction": { + "type": "enum", + "members": { + "ALLOW": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "allow" + } + }, + "DENY": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "deny" + } + } + } + }, "com.amazonaws.fms#NetworkFirewallAction": { "type": "string", "traits": { @@ -5608,7 +6085,7 @@ "ResourceType": { "target": "com.amazonaws.fms#ResourceType", "traits": { - "smithy.api#documentation": "The type of resource protected by or in scope of the policy. This is in the format shown\n in the Amazon Web Services Resource Types Reference.\n To apply this policy to multiple resource types, specify a resource type of ResourceTypeList
and then specify the resource types in a ResourceTypeList
.
The following are valid resource types for each Firewall Manager policy type:
\nAmazon Web Services WAF Classic - AWS::ApiGateway::Stage
, AWS::CloudFront::Distribution
, and AWS::ElasticLoadBalancingV2::LoadBalancer
.
WAF - AWS::ApiGateway::Stage
, AWS::ElasticLoadBalancingV2::LoadBalancer
, and AWS::CloudFront::Distribution
.
DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer
, AWS::ElasticLoadBalancing::LoadBalancer
, AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit - AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
Security group usage audit - AWS::EC2::SecurityGroup
.
The type of resource protected by or in scope of the policy. This is in the format shown\n in the Amazon Web Services Resource Types Reference.\n To apply this policy to multiple resource types, specify a resource type of ResourceTypeList
and then specify the resource types in a ResourceTypeList
.
The following are valid resource types for each Firewall Manager policy type:
\nAmazon Web Services WAF Classic - AWS::ApiGateway::Stage
, AWS::CloudFront::Distribution
, and AWS::ElasticLoadBalancingV2::LoadBalancer
.
WAF - AWS::ApiGateway::Stage
, AWS::ElasticLoadBalancingV2::LoadBalancer
, and AWS::CloudFront::Distribution
.
Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer
, AWS::ElasticLoadBalancing::LoadBalancer
, AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Defines the policy options for a third-party firewall policy.
" } + }, + "NetworkAclCommonPolicy": { + "target": "com.amazonaws.fms#NetworkAclCommonPolicy", + "traits": { + "smithy.api#documentation": "Defines a Firewall Manager network ACL policy.
" + } } }, "traits": { - "smithy.api#documentation": "Contains the Network Firewall firewall policy options to configure the policy's deployment model and third-party firewall policy settings.
" + "smithy.api#documentation": "Contains the settings to configure a network ACL policy, a Network Firewall firewall policy deployment model, or a third-party firewall policy.
" } }, "com.amazonaws.fms#PolicySummary": { @@ -5860,7 +6343,7 @@ "ResourceType": { "target": "com.amazonaws.fms#ResourceType", "traits": { - "smithy.api#documentation": "The type of resource protected by or in scope of the policy. This is in the format shown\n in the Amazon Web Services Resource Types Reference.\n For WAF and Shield Advanced, examples include\n AWS::ElasticLoadBalancingV2::LoadBalancer
and\n AWS::CloudFront::Distribution
. For a security group common policy, valid values\n are AWS::EC2::NetworkInterface
and AWS::EC2::Instance
. For a\n security group content audit policy, valid values are AWS::EC2::SecurityGroup
,\n AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
. For a security\n group usage audit policy, the value is AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS Firewall policy,\n the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the format shown\n in the Amazon Web Services Resource Types Reference.
" } }, "SecurityServiceType": { @@ -6316,7 +6799,7 @@ } ], "traits": { - "smithy.api#documentation": "Creates an Firewall Manager policy.
\nA Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple\n\t\tpolicy types across accounts, you can create multiple policies. You can create more than one\n\t\tpolicy for each type.
\nIf you add a new account to an organization that you created with Organizations, Firewall Manager\n\t\tautomatically applies the policy to the resources in that account that are within scope of\n\t\tthe policy.
\nFirewall Manager provides the following types of policies:
\n\n Shield Advanced policy - This policy applies Shield Advanced\n\t\t\t\tprotection to specified accounts and resources.
\n\n Security Groups policy - This type of policy gives you\n\t\t\t\tcontrol over security groups that are in use throughout your organization in\n\t\t\t\tOrganizations and lets you enforce a baseline set of rules across your organization.
\n\n Network Firewall policy - This policy applies\n\t\t\t\tNetwork Firewall protection to your organization's VPCs.
\n\n DNS Firewall policy - This policy applies\n\t\t\t\tAmazon Route 53 Resolver DNS Firewall protections to your organization's VPCs.
\n\n Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the Amazon Web Services Marketplace console at Amazon Web Services Marketplace.
\n\n Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
\n\n Fortigate CNF policy - This policy applies\n\t\t\t\t\t\tFortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.
\nCreates an Firewall Manager policy.
\nA Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple\n\t\tpolicy types across accounts, you can create multiple policies. You can create more than one\n\t\tpolicy for each type.
\nIf you add a new account to an organization that you created with Organizations, Firewall Manager\n\t\tautomatically applies the policy to the resources in that account that are within scope of\n\t\tthe policy.
\nFirewall Manager provides the following types of policies:
\n\n WAF policy - This policy applies WAF web ACL\n\t\t\t\tprotections to specified accounts and resources.
\n\n Shield Advanced policy - This policy applies Shield Advanced\n\t\t\t\tprotection to specified accounts and resources.
\n\n Security Groups policy - This type of policy gives you\n\t\t\t\tcontrol over security groups that are in use throughout your organization in\n\t\t\t\tOrganizations and lets you enforce a baseline set of rules across your organization.
\n\n Network ACL policy - This type of policy gives you\n\t\t\t\tcontrol over the network ACLs that are in use throughout your organization in\n\t\t\t\tOrganizations and lets you enforce a baseline set of first and last network ACL rules across your organization.
\n\n Network Firewall policy - This policy applies\n\t\t\t\tNetwork Firewall protection to your organization's VPCs.
\n\n DNS Firewall policy - This policy applies\n\t\t\t\tAmazon Route 53 Resolver DNS Firewall protections to your organization's VPCs.
\n\n Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the Amazon Web Services Marketplace console at Amazon Web Services Marketplace.
\n\n Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
\n\n Fortigate CNF policy - This policy applies\n\t\t\t\t\t\tFortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.
\nThe remedial action to take when updating a firewall configuration.
" } + }, + "CreateNetworkAclAction": { + "target": "com.amazonaws.fms#CreateNetworkAclAction", + "traits": { + "smithy.api#documentation": "Information about the CreateNetworkAcl
action in Amazon EC2.
Information about the ReplaceNetworkAclAssociation
action in Amazon EC2.
Information about the CreateNetworkAclEntries
action in Amazon EC2.
Information about the DeleteNetworkAclEntries
action in Amazon EC2.
An ordered list of actions you can take to remediate a violation.
" } }, + "com.amazonaws.fms#ReplaceNetworkAclAssociationAction": { + "type": "structure", + "members": { + "Description": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "Brief description of this remediation action.
" + } + }, + "AssociationId": { + "target": "com.amazonaws.fms#ActionTarget" + }, + "NetworkAclId": { + "target": "com.amazonaws.fms#ActionTarget", + "traits": { + "smithy.api#documentation": "The network ACL that's associated with the remediation action.
" + } + }, + "FMSCanRemediate": { + "target": "com.amazonaws.fms#Boolean", + "traits": { + "smithy.api#default": false, + "smithy.api#documentation": "Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Information about the ReplaceNetworkAclAssociation
action in Amazon EC2. This is a remediation option in RemediationAction
.
Violation detail for a DNS Firewall policy that indicates that the VPC reached the limit for associated DNS Firewall rule groups. Firewall Manager tried to associate another rule group with the VPC and failed.
" } }, - "PossibleRemediationActions": { - "target": "com.amazonaws.fms#PossibleRemediationActions", - "traits": { - "smithy.api#documentation": "A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.
" - } - }, "FirewallSubnetIsOutOfScopeViolation": { "target": "com.amazonaws.fms#FirewallSubnetIsOutOfScopeViolation", "traits": { @@ -7052,6 +7583,18 @@ "traits": { "smithy.api#documentation": "The violation details for a third-party firewall's VPC endpoint subnet that was deleted.
" } + }, + "InvalidNetworkAclEntriesViolation": { + "target": "com.amazonaws.fms#InvalidNetworkAclEntriesViolation", + "traits": { + "smithy.api#documentation": "Violation detail for the entries in a network ACL resource.
" + } + }, + "PossibleRemediationActions": { + "target": "com.amazonaws.fms#PossibleRemediationActions", + "traits": { + "smithy.api#documentation": "A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.
" + } } }, "traits": { @@ -7295,13 +7838,13 @@ "ManagedServiceData": { "target": "com.amazonaws.fms#ManagedServiceData", "traits": { - "smithy.api#documentation": "Details about the service that are specific to the service type, in JSON format.
\nExample: DNS_FIREWALL
\n
\n \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
\n
Valid values for preProcessRuleGroups
are between 1 and 99. Valid\n values for postProcessRuleGroups
are between 9901 and 10000.
Example: IMPORT_NETWORK_FIREWALL
\n
\n \"{\\\"type\\\":\\\"IMPORT_NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\\/rg1\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:drop\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\\/ThreatSignaturesEmergingEventsStrictOrder\\\",\\\"priority\\\":8}],\\\"networkFirewallStatefulEngineOptions\\\":{\\\"ruleOrder\\\":\\\"STRICT_ORDER\\\"},\\\"networkFirewallStatefulDefaultActions\\\":[\\\"aws:drop_strict\\\"]}}\"
\n
\n \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
\n
Valid values for preProcessRuleGroups
are between 1 and 99. Valid\n values for postProcessRuleGroups
are between 9901 and 10000.
Example: NETWORK_FIREWALL
- Centralized deployment\n model
\n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"
\n
To use the centralized deployment model, you must set PolicyOption to\n CENTRALIZED
.
Example: NETWORK_FIREWALL
- Distributed deployment model with\n automatic Availability Zone configuration
\n \n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"\n
\n
With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to\n NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with\n automatic Availability Zone configuration and route management
\n \n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"\n
\n
To use the distributed deployment model, you must set PolicyOption to\n NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with\n custom Availability Zone configuration
\n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"\n
\n
\n With custom Availability Zone configuration,\n you define which specific Availability Zones to create endpoints in by configuring\n firewallCreationConfig
. To configure the Availability Zones in firewallCreationConfig
, specify either the availabilityZoneName
or availabilityZoneId
parameter, not both parameters.\n
To use the distributed deployment model, you must set PolicyOption to\n NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with\n custom Availability Zone configuration and route management
\n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"\n
\n
To use the distributed deployment model, you must set PolicyOption to\n NULL
.
Example: SECURITY_GROUPS_COMMON
\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\n \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\"\n sg-000e55995d61a06bd\\\"}]}\"
\n
Example: SECURITY_GROUPS_COMMON
- Security group tag distribution\n
\n \"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"
\n
\n Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges
to true
, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges
, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.\n
\n Firewall Manager won't distrubute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws:
prefix.\n
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as\n well as to those in VPCs that the account owns
\n\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\n \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\"\n sg-000e55995d61a06bd\\\"}]}\"
\n
Example: SECURITY_GROUPS_CONTENT_AUDIT
\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"
\n
The security group action for content audit can be ALLOW
or\n DENY
. For ALLOW
, all in-scope security group rules must\n be within the allowed range of the policy's security group rules. For\n DENY
, all in-scope security group rules must not contain a value or a\n range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT
\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"
\n
Example: SHIELD_ADVANCED
with web ACL management
\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"optimizeUnassociatedWebACL\\\":true}\"
\n
If you set optimizeUnassociatedWebACL
to true
, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.
\nIf you set optimizeUnassociatedWebACL
to false
, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Specification for SHIELD_ADVANCED
for Amazon CloudFront distributions
\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"
\n
For example:\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\":\n {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\",\n \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"
\n
The default value for automaticResponseStatus
is\n IGNORED
. The value for automaticResponseAction
is only\n required when automaticResponseStatus
is set to ENABLED
.\n The default value for overrideCustomerWebaclClassic
is\n false
.
For other resource types that you can protect with a Shield Advanced policy, this\n ManagedServiceData
configuration is an empty string.
Example: THIRD_PARTY_FIREWALL
\n
Replace THIRD_PARTY_FIREWALL_NAME
with the name of the third-party firewall.
\n \"{\n \"type\":\"THIRD_PARTY_FIREWALL\",\n \"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\",\n \"thirdPartyFirewallConfig\":{\n \"thirdPartyFirewallPolicyList\":[\"global-1\"]\n },\n\t \"firewallDeploymentModel\":{\n \"distributedFirewallDeploymentModel\":{\n \"distributedFirewallOrchestrationConfig\":{\n \"firewallCreationConfig\":{\n \"endpointLocation\":{\n \"availabilityZoneConfigList\":[\n {\n \"availabilityZoneName\":\"${AvailabilityZone}\"\n }\n ]\n }\n },\n \"allowedIPV4CidrList\":[\n ]\n }\n }\n }\n }\"
\n
Example: WAFV2
- Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesATPRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesATPRuleSet\\\":{\\\"loginPath\\\":\\\"/loginpath\\\",\\\"requestInspection\\\":{\\\"payloadType\\\":\\\"FORM_ENCODED|JSON\\\",\\\"usernameField\\\":{\\\"identifier\\\":\\\"/form/username\\\"},\\\"passwordField\\\":{\\\"identifier\\\":\\\"/form/password\\\"}}}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true},{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesBotControlRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesBotControlRuleSet\\\":{\\\"inspectionLevel\\\":\\\"TARGETED|COMMON\\\"}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true,\\\"ruleActionOverrides\\\":[{\\\"name\\\":\\\"Rule1\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}},{\\\"name\\\":\\\"Rule2\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true}\"
\n
Bot Control - For information about AWSManagedRulesBotControlRuleSet
managed rule groups, see AWSManagedRulesBotControlRuleSet in the WAF API Reference.
Fraud Control account takeover prevention (ATP) - For information about the properties available for AWSManagedRulesATPRuleSet
managed rule groups, see AWSManagedRulesATPRuleSet in the WAF API Reference.
Optimize unassociated web ACL - If you set optimizeUnassociatedWebACL
to true
, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.
\nIf you set optimizeUnassociatedWebACL
to false
Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure a RuleActionOverrides
add the Name
of the rule to override, and ActionToUse
, which is the new action to use for the rule. For information about using rule action override, see RuleActionOverride in the WAF API Reference.
Example: WAFV2
- CAPTCHA
and Challenge
configs\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"captchaConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":500}},\\\"challengeConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":800}},\\\"tokenDomains\\\":[\\\"google.com\\\",\\\"amazon.com\\\"],\\\"associationConfig\\\":{\\\"requestBody\\\":{\\\"CLOUDFRONT\\\":{\\\"defaultSizeInspectionLimit\\\":\\\"KB_16\\\"}}}}\"
\n
\n CAPTCHA
and Challenge
configs - If you update the policy's values for associationConfig
, captchaConfig
, challengeConfig
, or tokenDomains
, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's associationConfig
, captchaConfig
, challengeConfig
, or tokenDomains
values, the values in your local web ACLs will remain unchanged. For information about association configs, see AssociationConfig. For information about CAPTCHA and Challenge configs, see CaptchaConfig and ChallengeConfig in the WAF API Reference.
\n defaultSizeInspectionLimit
- Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to WAF for inspection. For more information, see DefaultSizeInspectionLimit in the WAF API Reference.
Example: WAFV2
- Firewall Manager support for WAF managed rule group versioning\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
\n
\n To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled
to true
, and set version
to the version you'd like to use. If you don't set versionEnabled
to true
, or if you omit versionEnabled
, then Firewall Manager uses the default version of the WAF managed rule group.\n
Example: WAFV2
- Logging configurations\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null, \\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\": {\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\", \\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"} ,\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[], \\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[], \\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\" :null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\" :false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\": [\\\"arn:aws:s3:::aws-waf-logs-example-bucket\\\"] ,\\\"redactedFields\\\":[],\\\"loggingFilterConfigs\\\":{\\\"defaultBehavior\\\":\\\"KEEP\\\", \\\"filters\\\":[{\\\"behavior\\\":\\\"KEEP\\\",\\\"requirement\\\":\\\"MEETS_ALL\\\", \\\"conditions\\\":[{\\\"actionCondition\\\":\\\"CAPTCHA\\\"},{\\\"actionCondition\\\": \\\"CHALLENGE\\\"}, {\\\"actionCondition\\\":\\\"EXCLUDED_AS_COUNT\\\"}]}]}},\\\"sampledRequestsEnabledForDefaultActions\\\":true}\"
\n
Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the logDestinationConfigs
in your loggingConfiguration
. For information about WAF logging configurations, see LoggingConfiguration in the WAF API Reference\n
In the loggingConfiguration
, you can specify one\n logDestinationConfigs
. Optionally provide as many as 20\n redactedFields
. The RedactedFieldType
must be one of\n URI
, QUERY_STRING
, HEADER
, or\n METHOD
.
Example: WAF Classic
\n
\n \"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\":\n [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\":\n \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"
\n
Details about the service that are specific to the service type, in JSON format.
\nExample: DNS_FIREWALL
\n
\n \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
\n
Valid values for preProcessRuleGroups
are between 1 and 99. Valid\n values for postProcessRuleGroups
are between 9901 and 10000.
Example: IMPORT_NETWORK_FIREWALL
\n
\n \"{\\\"type\\\":\\\"IMPORT_NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\\/rg1\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:drop\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\\/ThreatSignaturesEmergingEventsStrictOrder\\\",\\\"priority\\\":8}],\\\"networkFirewallStatefulEngineOptions\\\":{\\\"ruleOrder\\\":\\\"STRICT_ORDER\\\"},\\\"networkFirewallStatefulDefaultActions\\\":[\\\"aws:drop_strict\\\"]}}\"
\n
\n \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
\n
Valid values for preProcessRuleGroups
are between 1 and 99. Valid\n values for postProcessRuleGroups
are between 9901 and 10000.
Example: NETWORK_FIREWALL
- Centralized deployment\n model
\n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"
\n
To use the centralized deployment model, you must set PolicyOption to\n CENTRALIZED
.
Example: NETWORK_FIREWALL
- Distributed deployment model with\n automatic Availability Zone configuration
\n \n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"\n
\n
With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to\n NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with\n automatic Availability Zone configuration and route management
\n \n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"\n
\n
To use the distributed deployment model, you must set PolicyOption to\n NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with\n custom Availability Zone configuration
\n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"\n
\n
\n With custom Availability Zone configuration,\n you define which specific Availability Zones to create endpoints in by configuring\n firewallCreationConfig
. To configure the Availability Zones in firewallCreationConfig
, specify either the availabilityZoneName
or availabilityZoneId
parameter, not both parameters.\n
To use the distributed deployment model, you must set PolicyOption to\n NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with\n custom Availability Zone configuration and route management
\n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"\n
\n
To use the distributed deployment model, you must set PolicyOption to\n NULL
.
Example: SECURITY_GROUPS_COMMON
\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\n \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\"\n sg-000e55995d61a06bd\\\"}]}\"
\n
Example: SECURITY_GROUPS_COMMON
- Security group tag distribution\n
\n \"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"
\n
\n Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges
to true
, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges
, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.\n
\n Firewall Manager won't distribute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws:
prefix.\n
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as\n well as to those in VPCs that the account owns
\n\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\n \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\"\n sg-000e55995d61a06bd\\\"}]}\"
\n
Example: SECURITY_GROUPS_CONTENT_AUDIT
\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"
\n
The security group action for content audit can be ALLOW
or\n DENY
. For ALLOW
, all in-scope security group rules must\n be within the allowed range of the policy's security group rules. For\n DENY
, all in-scope security group rules must not contain a value or a\n range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT
\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"
\n
Example: SHIELD_ADVANCED
with web ACL management
\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"optimizeUnassociatedWebACL\\\":true}\"
\n
If you set optimizeUnassociatedWebACL
to true
, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.
\nIf you set optimizeUnassociatedWebACL
to false
, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Specification for SHIELD_ADVANCED
for Amazon CloudFront distributions
\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"
\n
For example:\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\":\n {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\",\n \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"
\n
The default value for automaticResponseStatus
is\n IGNORED
. The value for automaticResponseAction
is only\n required when automaticResponseStatus
is set to ENABLED
.\n The default value for overrideCustomerWebaclClassic
is\n false
.
For other resource types that you can protect with a Shield Advanced policy, this\n ManagedServiceData
configuration is an empty string.
Example: THIRD_PARTY_FIREWALL
\n
Replace THIRD_PARTY_FIREWALL_NAME
with the name of the third-party firewall.
\n \"{\n \"type\":\"THIRD_PARTY_FIREWALL\",\n \"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\",\n \"thirdPartyFirewallConfig\":{\n \"thirdPartyFirewallPolicyList\":[\"global-1\"]\n },\n\t \"firewallDeploymentModel\":{\n \"distributedFirewallDeploymentModel\":{\n \"distributedFirewallOrchestrationConfig\":{\n \"firewallCreationConfig\":{\n \"endpointLocation\":{\n \"availabilityZoneConfigList\":[\n {\n \"availabilityZoneName\":\"${AvailabilityZone}\"\n }\n ]\n }\n },\n \"allowedIPV4CidrList\":[\n ]\n }\n }\n }\n }\"
\n
Example: WAFV2
- Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesATPRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesATPRuleSet\\\":{\\\"loginPath\\\":\\\"/loginpath\\\",\\\"requestInspection\\\":{\\\"payloadType\\\":\\\"FORM_ENCODED|JSON\\\",\\\"usernameField\\\":{\\\"identifier\\\":\\\"/form/username\\\"},\\\"passwordField\\\":{\\\"identifier\\\":\\\"/form/password\\\"}}}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true},{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesBotControlRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesBotControlRuleSet\\\":{\\\"inspectionLevel\\\":\\\"TARGETED|COMMON\\\"}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true,\\\"ruleActionOverrides\\\":[{\\\"name\\\":\\\"Rule1\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}},{\\\"name\\\":\\\"Rule2\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true}\"
\n
Bot Control - For information about AWSManagedRulesBotControlRuleSet
managed rule groups, see AWSManagedRulesBotControlRuleSet in the WAF API Reference.
Fraud Control account takeover prevention (ATP) - For information about the properties available for AWSManagedRulesATPRuleSet
managed rule groups, see AWSManagedRulesATPRuleSet in the WAF API Reference.
Optimize unassociated web ACL - If you set optimizeUnassociatedWebACL
to true
, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.
\nIf you set optimizeUnassociatedWebACL
to false
Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure a RuleActionOverrides
add the Name
of the rule to override, and ActionToUse
, which is the new action to use for the rule. For information about using rule action override, see RuleActionOverride in the WAF API Reference.
Example: WAFV2
- CAPTCHA
and Challenge
configs\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"captchaConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":500}},\\\"challengeConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":800}},\\\"tokenDomains\\\":[\\\"google.com\\\",\\\"amazon.com\\\"],\\\"associationConfig\\\":{\\\"requestBody\\\":{\\\"CLOUDFRONT\\\":{\\\"defaultSizeInspectionLimit\\\":\\\"KB_16\\\"}}}}\"
\n
\n CAPTCHA
and Challenge
configs - If you update the policy's values for associationConfig
, captchaConfig
, challengeConfig
, or tokenDomains
, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's associationConfig
, captchaConfig
, challengeConfig
, or tokenDomains
values, the values in your local web ACLs will remain unchanged. For information about association configs, see AssociationConfig. For information about CAPTCHA and Challenge configs, see CaptchaConfig and ChallengeConfig in the WAF API Reference.
\n defaultSizeInspectionLimit
- Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to WAF for inspection. For more information, see DefaultSizeInspectionLimit in the WAF API Reference.
Example: WAFV2
- Firewall Manager support for WAF managed rule group versioning\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
\n
\n To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled
to true
, and set version
to the version you'd like to use. If you don't set versionEnabled
to true
, or if you omit versionEnabled
, then Firewall Manager uses the default version of the WAF managed rule group.\n
Example: WAFV2
- Logging configurations\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null, \\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\": {\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\", \\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"} ,\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[], \\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[], \\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\" :null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\" :false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\": [\\\"arn:aws:s3:::aws-waf-logs-example-bucket\\\"] ,\\\"redactedFields\\\":[],\\\"loggingFilterConfigs\\\":{\\\"defaultBehavior\\\":\\\"KEEP\\\", \\\"filters\\\":[{\\\"behavior\\\":\\\"KEEP\\\",\\\"requirement\\\":\\\"MEETS_ALL\\\", \\\"conditions\\\":[{\\\"actionCondition\\\":\\\"CAPTCHA\\\"},{\\\"actionCondition\\\": \\\"CHALLENGE\\\"}, {\\\"actionCondition\\\":\\\"EXCLUDED_AS_COUNT\\\"}]}]}},\\\"sampledRequestsEnabledForDefaultActions\\\":true}\"
\n
Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the logDestinationConfigs
in your loggingConfiguration
. For information about WAF logging configurations, see LoggingConfiguration in the WAF API Reference\n
In the loggingConfiguration
, you can specify one\n logDestinationConfigs
. Optionally provide as many as 20\n redactedFields
. The RedactedFieldType
must be one of\n URI
, QUERY_STRING
, HEADER
, or\n METHOD
.
Example: WAF Classic
\n
\n \"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\":\n [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\":\n \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"
\n
Contains the Network Firewall firewall policy options to configure a centralized deployment\n model.
" + "smithy.api#documentation": "Contains the settings to configure a network ACL policy, a Network Firewall firewall policy deployment model, or a third-party firewall policy.
" } } }, @@ -7371,6 +7914,12 @@ "traits": { "smithy.api#enumValue": "IMPORT_NETWORK_FIREWALL" } + }, + "NETWORK_ACL_COMMON": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "NETWORK_ACL_COMMON" + } } } }, @@ -8171,6 +8720,12 @@ "traits": { "smithy.api#enumValue": "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT" } + }, + "InvalidNetworkAclEntry": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "INVALID_NETWORK_ACL_ENTRY" + } } } }, diff --git a/codegen/sdk-codegen/aws-models/ivs-realtime.json b/codegen/sdk-codegen/aws-models/ivs-realtime.json index 48f09f35dce..8f144a2e2c1 100644 --- a/codegen/sdk-codegen/aws-models/ivs-realtime.json +++ b/codegen/sdk-codegen/aws-models/ivs-realtime.json @@ -828,7 +828,7 @@ "min": 1, "max": 128 }, - "smithy.api#pattern": "^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" + "smithy.api#pattern": "^arn:aws:ivs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" } }, "com.amazonaws.ivsrealtime#ChannelDestinationConfiguration": { @@ -3731,7 +3731,7 @@ "min": 1, "max": 128 }, - "smithy.api#pattern": "^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" + "smithy.api#pattern": "^arn:aws:ivs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" } }, "com.amazonaws.ivsrealtime#ResourceNotFoundException": { @@ -4407,6 +4407,9 @@ { "target": "com.amazonaws.ivsrealtime#AccessDeniedException" }, + { + "target": "com.amazonaws.ivsrealtime#ConflictException" + }, { "target": "com.amazonaws.ivsrealtime#PendingVerification" }, diff --git a/codegen/sdk-codegen/aws-models/ivs.json b/codegen/sdk-codegen/aws-models/ivs.json index 94571f6d477..3f00894941e 100644 --- a/codegen/sdk-codegen/aws-models/ivs.json +++ b/codegen/sdk-codegen/aws-models/ivs.json @@ -908,7 +908,7 @@ "arn": { "target": "com.amazonaws.ivs#ResourceArn", "traits": { - "smithy.api#documentation": "Channel ARN.
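Review bot: The `com.amazonaws.ivsrealtime#ResourceArn` pattern in the @@ -3731 hunk keeps `[a-z-]/` for the resource-type segment on the new side, so after the `[is]vs` → `ivs` tightening it still admits only a one-character type before the slash (`…:c/…`) and, read literally, not `channel/…` or `stream-key/…`, which the neighbouring ChannelArn and StreamKeyArn patterns in this same commit spell out in full. The missing quantifier looks like the real defect; the line should presumably read `"smithy.api#pattern": "^arn:aws:ivs:[a-z0-9-]+:[0-9]+:[a-z-]+/[a-zA-Z0-9-]+$"`. The identical `[a-z-]/` class is carried unchanged into the ivs.json hunk at @@ -3755 (`com.amazonaws.ivs#ResourceArn`) below, so the fix applies there too. Whether a generated SDK enforces `smithy.api#pattern` cannot be told from the model alone; if it is only documentary the mismatch is cosmetic, but if it gates input validation every ARN with a multi-letter resource type would be rejected while a malformed one-letter type passes.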
" + "smithy.api#documentation": "ARN of an IVS resource; e.g., channel.
" } }, "code": { @@ -1262,7 +1262,7 @@ "min": 1, "max": 128 }, - "smithy.api#pattern": "^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" + "smithy.api#pattern": "^arn:aws:ivs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" } }, "com.amazonaws.ivs#ChannelArnList": { @@ -3249,7 +3249,7 @@ "min": 1, "max": 128 }, - "smithy.api#pattern": "^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:playback-key/[a-zA-Z0-9-]+$" + "smithy.api#pattern": "^arn:aws:ivs:[a-z0-9-]+:[0-9]+:playback-key/[a-zA-Z0-9-]+$" } }, "com.amazonaws.ivs#PlaybackKeyPairFingerprint": { @@ -3755,7 +3755,7 @@ "min": 1, "max": 128 }, - "smithy.api#pattern": "^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" + "smithy.api#pattern": "^arn:aws:ivs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" } }, "com.amazonaws.ivs#ResourceNotFoundException": { @@ -4130,7 +4130,7 @@ "min": 1, "max": 128 }, - "smithy.api#pattern": "^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:stream-key/[a-zA-Z0-9-]+$" + "smithy.api#pattern": "^arn:aws:ivs:[a-z0-9-]+:[0-9]+:stream-key/[a-zA-Z0-9-]+$" } }, "com.amazonaws.ivs#StreamKeyArnList": { diff --git a/codegen/sdk-codegen/aws-models/rds.json b/codegen/sdk-codegen/aws-models/rds.json index 589480531c8..4d7bd459e53 100644 --- a/codegen/sdk-codegen/aws-models/rds.json +++ b/codegen/sdk-codegen/aws-models/rds.json @@ -5155,7 +5155,7 @@ "Timezone": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "The time zone of the DB instance. \n The time zone parameter is currently supported only by\n Microsoft SQL Server.
" + "smithy.api#documentation": "The time zone of the DB instance. \n The time zone parameter is currently supported only by RDS for Db2 and\n RDS for SQL Server.
" } }, "EnableIAMDatabaseAuthentication": { @@ -9222,7 +9222,7 @@ "Timezone": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "The time zone of the DB instance.\n In most cases, the Timezone
element is empty.\n Timezone
content appears only for\n Microsoft SQL Server DB instances \n that were created with a time zone specified.
The time zone of the DB instance.\n In most cases, the Timezone
element is empty.\n Timezone
content appears only for\n RDS for Db2 and RDS for SQL Server DB instances \n that were created with a time zone specified.
The new DB subnet group for the DB instance.\n You can use this parameter to move your DB instance to a different VPC.\n \n \n If your DB instance isn't in a VPC, you can also use this parameter to move your DB instance into a VPC.\n For more information, see \n Working with a DB instance in a VPC \n in the Amazon RDS User Guide.
\nChanging the subnet group causes an outage during the change. \n The change is applied during the next maintenance window,\n unless you enable ApplyImmediately
.
This parameter doesn't apply to RDS Custom DB instances.
\nConstraints:
\nIf supplied, must match existing DB subnet group.
\nExample: mydbsubnetgroup
\n
The new DB subnet group for the DB instance.\n You can use this parameter to move your DB instance to a different VPC.\n \n \n If your DB instance isn't in a VPC, you can also use this parameter to move your DB instance into a VPC.\n For more information, see \n Working with a DB instance in a VPC \n in the Amazon RDS User Guide.
\nChanging the subnet group causes an outage during the change. \n The change is applied during the next maintenance window,\n unless you enable ApplyImmediately
.
This setting doesn't apply to RDS Custom DB instances.
\nConstraints:
\nIf supplied, must match existing DB subnet group.
\nExample: mydbsubnetgroup
\n
Specifies whether the DB instance has deletion protection enabled. \n The database can't be deleted when deletion protection is enabled. By default, \n deletion protection isn't enabled. For more information, see \n \n Deleting a DB Instance.
" + "smithy.api#documentation": "Specifies whether the DB instance has deletion protection enabled. \n The database can't be deleted when deletion protection is enabled. By default, \n deletion protection isn't enabled. For more information, see \n \n Deleting a DB Instance.
\nThis setting doesn't apply to Amazon Aurora DB instances. You can enable or disable deletion protection for the DB cluster. \n For more information, see ModifyDBCluster
. DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster.
Validates the syntax of a state machine definition.
\nYou can validate that a state machine definition is correct without \n creating a state machine resource. Step Functions will implicitly perform the same\n syntax check when you invoke CreateStateMachine
and\n UpdateStateMachine
. State machine definitions are specified using a\n JSON-based, structured language. For more information on Amazon States Language see Amazon States Language (ASL).
Suggested uses for ValidateStateMachineDefinition
:
Integrate automated checks into your code review or Continuous Integration\n (CI) process to validate state machine definitions before starting\n deployments.
\nRun the validation from a Git pre-commit hook to check your state machine\n definitions before committing them to your source repository.
\nErrors found in the state machine definition will be returned in the response as a list of diagnostic elements, rather than raise an exception.
\nA value of ERROR
means that you cannot create or update a state machine with this definition.
Identifying code for the diagnostic.
", + "smithy.api#required": {} + } + }, + "message": { + "target": "com.amazonaws.sfn#ValidateStateMachineDefinitionMessage", + "traits": { + "smithy.api#documentation": "Message describing the diagnostic condition.
", + "smithy.api#required": {} + } + }, + "location": { + "target": "com.amazonaws.sfn#ValidateStateMachineDefinitionLocation", + "traits": { + "smithy.api#documentation": "Location of the issue in the state machine, if available.
\nFor errors specific to a field, the location could be in the format: /States/
, for example: /States/FailState/ErrorPath
.
Describes an error found during validation. Validation errors found in the definition\n return in the response as diagnostic elements, rather\n than raise an exception.
" + } + }, + "com.amazonaws.sfn#ValidateStateMachineDefinitionDiagnosticList": { + "type": "list", + "member": { + "target": "com.amazonaws.sfn#ValidateStateMachineDefinitionDiagnostic" + } + }, + "com.amazonaws.sfn#ValidateStateMachineDefinitionInput": { + "type": "structure", + "members": { + "definition": { + "target": "com.amazonaws.sfn#Definition", + "traits": { + "smithy.api#documentation": "The Amazon States Language definition of the state machine. For more information, see\n Amazon States Language (ASL).
", + "smithy.api#required": {} + } + }, + "type": { + "target": "com.amazonaws.sfn#StateMachineType", + "traits": { + "smithy.api#documentation": "The target type of state machine for this definition. The default is STANDARD
.
The result value will be OK
when no syntax errors are found, or\n FAIL
if the workflow definition does not pass verification.
If the result is OK
, this field will be empty. When there are errors,\n this field will contain an array of Diagnostic objects\n to help you troubleshoot.