diff --git a/VERSION b/VERSION index 66e6456ae0a..ca433734a4c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.11.314 \ No newline at end of file +1.11.315 \ No newline at end of file diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/FMSClient.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/FMSClient.h index 26d99e889af..b6a52a86fcc 100644 --- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/FMSClient.h +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/FMSClient.h @@ -414,8 +414,8 @@ namespace FMS /** *
Returns information about the specified account's administrative scope. The - * admistrative scope defines the resources that an Firewall Manager administrator - * can manage.
Returns detailed compliance information about the specified member account. * Details include resources that are in and out of compliance with the specified - * policy.
Resources are considered noncompliant for WAF and - * Shield Advanced policies if the specified policy has not been applied to - * them.
Resources are considered noncompliant for security group - * policies if they are in scope of the policy, they violate one or more of the - * policy rules, and remediation is disabled or not possible.
Resources are considered noncompliant for Network Firewall policies if a - * firewall is missing in the VPC, if the firewall endpoint isn't set up in an - * expected Availability Zone and subnet, if a subnet created by the Firewall - * Manager doesn't have the expected route table, and for modifications to a - * firewall policy that violate the Firewall Manager policy's rules.
Resources are considered noncompliant for DNS Firewall policies if a DNS - * Firewall rule group is missing from the rule group associations for the VPC. - *
The reasons for resources being considered compliant depend on + * the Firewall Manager policy type.
Firewall Manager provides the following types of policies:
- *Shield Advanced policy - This policy applies Shield - * Advanced protection to specified accounts and resources.
- * Security Groups policy - This type of policy gives you control over - * security groups that are in use throughout your organization in Organizations - * and lets you enforce a baseline set of rules across your organization.
- *Network Firewall policy - This policy applies Network - * Firewall protection to your organization's VPCs.
DNS - * Firewall policy - This policy applies Amazon Route 53 Resolver DNS Firewall + *
WAF policy - This policy applies WAF web ACL protections to + * specified accounts and resources.
Shield Advanced + * policy - This policy applies Shield Advanced protection to specified + * accounts and resources.
Security Groups policy - This + * type of policy gives you control over security groups that are in use throughout + * your organization in Organizations and lets you enforce a baseline set of rules + * across your organization.
Network ACL policy - This + * type of policy gives you control over the network ACLs that are in use + * throughout your organization in Organizations and lets you enforce a baseline + * set of first and last network ACL rules across your organization.
Network Firewall policy - This policy applies Network Firewall + * protection to your organization's VPCs.
DNS Firewall + * policy - This policy applies Amazon Route 53 Resolver DNS Firewall * protections to your organization's VPCs.
Third-party * firewall policy - This policy applies third-party firewall protections. * Third-party firewalls are available by subscription through the Amazon Web diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/AdminAccountSummary.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/AdminAccountSummary.h index c4bc1f0f2c3..8e0892c51e6 100644 --- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/AdminAccountSummary.h +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/AdminAccountSummary.h @@ -143,8 +143,8 @@ namespace Model /** *
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
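Review bot: in the Status comment of AdminAccountSummary.h, the unchanged ONBOARDING_COMPLETE line still reads "Firewall Manager The account is onboarded to Firewall Manager as an administrator", with a stray leading "Firewall Manager". This hunk already edits the two lines above it to fix "administator", so the stray words could be dropped in the same pass. The identical text is repeated in the comment on every Status accessor in this file, and the path is under generated/src, so the correction belongs in the source the header is generated from.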
@@ -156,8 +156,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
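Review bot: the first line of this comment still says "as an Firewall Manager administrator", where the article should be "a". The hunk corrects "administator" on the following line but leaves that context line untouched, here and in the other Status accessor comments of this file.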
@@ -169,8 +169,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
@@ -182,8 +182,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
@@ -195,8 +195,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
@@ -208,8 +208,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
Information about the OFFBOARDING
diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/CreateNetworkAclAction.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/CreateNetworkAclAction.h
new file mode 100644
index 00000000000..1be17381bb1
--- /dev/null
+++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/CreateNetworkAclAction.h
@@ -0,0 +1,161 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+#pragma once
+#include CreateNetworkAcl
action in Amazon EC2.
+ * This is a remediation option in RemediationAction
.See
+ * Also:
AWS
+ * API Reference
Brief description of this remediation action.
+ */ + inline const Aws::String& GetDescription() const{ return m_description; } + + /** + *Brief description of this remediation action.
+ */ + inline bool DescriptionHasBeenSet() const { return m_descriptionHasBeenSet; } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(const Aws::String& value) { m_descriptionHasBeenSet = true; m_description = value; } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(Aws::String&& value) { m_descriptionHasBeenSet = true; m_description = std::move(value); } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(const char* value) { m_descriptionHasBeenSet = true; m_description.assign(value); } + + /** + *Brief description of this remediation action.
+ */ + inline CreateNetworkAclAction& WithDescription(const Aws::String& value) { SetDescription(value); return *this;} + + /** + *Brief description of this remediation action.
+ */ + inline CreateNetworkAclAction& WithDescription(Aws::String&& value) { SetDescription(std::move(value)); return *this;} + + /** + *Brief description of this remediation action.
+ */ + inline CreateNetworkAclAction& WithDescription(const char* value) { SetDescription(value); return *this;} + + + /** + *The VPC that's associated with the remediation action.
+ */ + inline const ActionTarget& GetVpc() const{ return m_vpc; } + + /** + *The VPC that's associated with the remediation action.
+ */ + inline bool VpcHasBeenSet() const { return m_vpcHasBeenSet; } + + /** + *The VPC that's associated with the remediation action.
+ */ + inline void SetVpc(const ActionTarget& value) { m_vpcHasBeenSet = true; m_vpc = value; } + + /** + *The VPC that's associated with the remediation action.
+ */ + inline void SetVpc(ActionTarget&& value) { m_vpcHasBeenSet = true; m_vpc = std::move(value); } + + /** + *The VPC that's associated with the remediation action.
+ */ + inline CreateNetworkAclAction& WithVpc(const ActionTarget& value) { SetVpc(value); return *this;} + + /** + *The VPC that's associated with the remediation action.
+ */ + inline CreateNetworkAclAction& WithVpc(ActionTarget&& value) { SetVpc(std::move(value)); return *this;} + + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline bool GetFMSCanRemediate() const{ return m_fMSCanRemediate; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline bool FMSCanRemediateHasBeenSet() const { return m_fMSCanRemediateHasBeenSet; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline void SetFMSCanRemediate(bool value) { m_fMSCanRemediateHasBeenSet = true; m_fMSCanRemediate = value; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline CreateNetworkAclAction& WithFMSCanRemediate(bool value) { SetFMSCanRemediate(value); return *this;} + + private: + + Aws::String m_description; + bool m_descriptionHasBeenSet = false; + + ActionTarget m_vpc; + bool m_vpcHasBeenSet = false; + + bool m_fMSCanRemediate; + bool m_fMSCanRemediateHasBeenSet = false; + }; + +} // namespace Model +} // namespace FMS +} // namespace Aws diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/CreateNetworkAclEntriesAction.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/CreateNetworkAclEntriesAction.h new file mode 100644 index 00000000000..838ce6c233a --- /dev/null +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/CreateNetworkAclEntriesAction.h @@ -0,0 +1,207 @@ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +#pragma once +#includeInformation about the CreateNetworkAclEntries
action in Amazon
+ * EC2. This is a remediation option in
+ * RemediationAction
.
Brief description of this remediation action.
+ */ + inline const Aws::String& GetDescription() const{ return m_description; } + + /** + *Brief description of this remediation action.
+ */ + inline bool DescriptionHasBeenSet() const { return m_descriptionHasBeenSet; } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(const Aws::String& value) { m_descriptionHasBeenSet = true; m_description = value; } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(Aws::String&& value) { m_descriptionHasBeenSet = true; m_description = std::move(value); } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(const char* value) { m_descriptionHasBeenSet = true; m_description.assign(value); } + + /** + *Brief description of this remediation action.
+ */ + inline CreateNetworkAclEntriesAction& WithDescription(const Aws::String& value) { SetDescription(value); return *this;} + + /** + *Brief description of this remediation action.
+ */ + inline CreateNetworkAclEntriesAction& WithDescription(Aws::String&& value) { SetDescription(std::move(value)); return *this;} + + /** + *Brief description of this remediation action.
+ */ + inline CreateNetworkAclEntriesAction& WithDescription(const char* value) { SetDescription(value); return *this;} + + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline const ActionTarget& GetNetworkAclId() const{ return m_networkAclId; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline bool NetworkAclIdHasBeenSet() const { return m_networkAclIdHasBeenSet; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline void SetNetworkAclId(const ActionTarget& value) { m_networkAclIdHasBeenSet = true; m_networkAclId = value; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline void SetNetworkAclId(ActionTarget&& value) { m_networkAclIdHasBeenSet = true; m_networkAclId = std::move(value); } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline CreateNetworkAclEntriesAction& WithNetworkAclId(const ActionTarget& value) { SetNetworkAclId(value); return *this;} + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline CreateNetworkAclEntriesAction& WithNetworkAclId(ActionTarget&& value) { SetNetworkAclId(std::move(value)); return *this;} + + + /** + *Lists the entries that the remediation action would create.
+ */ + inline const Aws::VectorLists the entries that the remediation action would create.
+ */ + inline bool NetworkAclEntriesToBeCreatedHasBeenSet() const { return m_networkAclEntriesToBeCreatedHasBeenSet; } + + /** + *Lists the entries that the remediation action would create.
+ */ + inline void SetNetworkAclEntriesToBeCreated(const Aws::VectorLists the entries that the remediation action would create.
+ */ + inline void SetNetworkAclEntriesToBeCreated(Aws::VectorLists the entries that the remediation action would create.
+ */ + inline CreateNetworkAclEntriesAction& WithNetworkAclEntriesToBeCreated(const Aws::VectorLists the entries that the remediation action would create.
+ */ + inline CreateNetworkAclEntriesAction& WithNetworkAclEntriesToBeCreated(Aws::VectorLists the entries that the remediation action would create.
+ */ + inline CreateNetworkAclEntriesAction& AddNetworkAclEntriesToBeCreated(const EntryDescription& value) { m_networkAclEntriesToBeCreatedHasBeenSet = true; m_networkAclEntriesToBeCreated.push_back(value); return *this; } + + /** + *Lists the entries that the remediation action would create.
+ */ + inline CreateNetworkAclEntriesAction& AddNetworkAclEntriesToBeCreated(EntryDescription&& value) { m_networkAclEntriesToBeCreatedHasBeenSet = true; m_networkAclEntriesToBeCreated.push_back(std::move(value)); return *this; } + + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline bool GetFMSCanRemediate() const{ return m_fMSCanRemediate; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline bool FMSCanRemediateHasBeenSet() const { return m_fMSCanRemediateHasBeenSet; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline void SetFMSCanRemediate(bool value) { m_fMSCanRemediateHasBeenSet = true; m_fMSCanRemediate = value; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline CreateNetworkAclEntriesAction& WithFMSCanRemediate(bool value) { SetFMSCanRemediate(value); return *this;} + + private: + + Aws::String m_description; + bool m_descriptionHasBeenSet = false; + + ActionTarget m_networkAclId; + bool m_networkAclIdHasBeenSet = false; + + Aws::VectorInformation about the DeleteNetworkAclEntries
action in Amazon
+ * EC2. This is a remediation option in RemediationAction
.
+ *
Brief description of this remediation action.
+ */ + inline const Aws::String& GetDescription() const{ return m_description; } + + /** + *Brief description of this remediation action.
+ */ + inline bool DescriptionHasBeenSet() const { return m_descriptionHasBeenSet; } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(const Aws::String& value) { m_descriptionHasBeenSet = true; m_description = value; } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(Aws::String&& value) { m_descriptionHasBeenSet = true; m_description = std::move(value); } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(const char* value) { m_descriptionHasBeenSet = true; m_description.assign(value); } + + /** + *Brief description of this remediation action.
+ */ + inline DeleteNetworkAclEntriesAction& WithDescription(const Aws::String& value) { SetDescription(value); return *this;} + + /** + *Brief description of this remediation action.
+ */ + inline DeleteNetworkAclEntriesAction& WithDescription(Aws::String&& value) { SetDescription(std::move(value)); return *this;} + + /** + *Brief description of this remediation action.
+ */ + inline DeleteNetworkAclEntriesAction& WithDescription(const char* value) { SetDescription(value); return *this;} + + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline const ActionTarget& GetNetworkAclId() const{ return m_networkAclId; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline bool NetworkAclIdHasBeenSet() const { return m_networkAclIdHasBeenSet; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline void SetNetworkAclId(const ActionTarget& value) { m_networkAclIdHasBeenSet = true; m_networkAclId = value; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline void SetNetworkAclId(ActionTarget&& value) { m_networkAclIdHasBeenSet = true; m_networkAclId = std::move(value); } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline DeleteNetworkAclEntriesAction& WithNetworkAclId(const ActionTarget& value) { SetNetworkAclId(value); return *this;} + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline DeleteNetworkAclEntriesAction& WithNetworkAclId(ActionTarget&& value) { SetNetworkAclId(std::move(value)); return *this;} + + + /** + *Lists the entries that the remediation action would delete.
+ */ + inline const Aws::VectorLists the entries that the remediation action would delete.
+ */ + inline bool NetworkAclEntriesToBeDeletedHasBeenSet() const { return m_networkAclEntriesToBeDeletedHasBeenSet; } + + /** + *Lists the entries that the remediation action would delete.
+ */ + inline void SetNetworkAclEntriesToBeDeleted(const Aws::VectorLists the entries that the remediation action would delete.
+ */ + inline void SetNetworkAclEntriesToBeDeleted(Aws::VectorLists the entries that the remediation action would delete.
+ */ + inline DeleteNetworkAclEntriesAction& WithNetworkAclEntriesToBeDeleted(const Aws::VectorLists the entries that the remediation action would delete.
+ */ + inline DeleteNetworkAclEntriesAction& WithNetworkAclEntriesToBeDeleted(Aws::VectorLists the entries that the remediation action would delete.
+ */ + inline DeleteNetworkAclEntriesAction& AddNetworkAclEntriesToBeDeleted(const EntryDescription& value) { m_networkAclEntriesToBeDeletedHasBeenSet = true; m_networkAclEntriesToBeDeleted.push_back(value); return *this; } + + /** + *Lists the entries that the remediation action would delete.
+ */ + inline DeleteNetworkAclEntriesAction& AddNetworkAclEntriesToBeDeleted(EntryDescription&& value) { m_networkAclEntriesToBeDeletedHasBeenSet = true; m_networkAclEntriesToBeDeleted.push_back(std::move(value)); return *this; } + + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline bool GetFMSCanRemediate() const{ return m_fMSCanRemediate; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline bool FMSCanRemediateHasBeenSet() const { return m_fMSCanRemediateHasBeenSet; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline void SetFMSCanRemediate(bool value) { m_fMSCanRemediateHasBeenSet = true; m_fMSCanRemediate = value; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline DeleteNetworkAclEntriesAction& WithFMSCanRemediate(bool value) { SetFMSCanRemediate(value); return *this;} + + private: + + Aws::String m_description; + bool m_descriptionHasBeenSet = false; + + ActionTarget m_networkAclId; + bool m_networkAclIdHasBeenSet = false; + + Aws::VectorDescribes a single rule in a network ACL.
Describes a rule in a network ACL.
Each network ACL has a set of + * numbered ingress rules and a separate set of numbered egress rules. When + * determining whether a packet should be allowed in or out of a subnet associated + * with the network ACL, Amazon Web Services processes the entries in the network + * ACL according to the rule numbers, in ascending order.
When you manage + * an individual network ACL, you explicitly specify the rule numbers. When you + * specify the network ACL rules in a Firewall Manager policy, you provide the + * rules to run first, in the order that you want them to run, and the rules to run + * last, in the order that you want them to run. Firewall Manager assigns the rule + * numbers for you when you save the network ACL policy specification.
+ */ + inline const NetworkAclEntry& GetEntryDetail() const{ return m_entryDetail; } + + /** + *Describes a rule in a network ACL.
Each network ACL has a set of + * numbered ingress rules and a separate set of numbered egress rules. When + * determining whether a packet should be allowed in or out of a subnet associated + * with the network ACL, Amazon Web Services processes the entries in the network + * ACL according to the rule numbers, in ascending order.
When you manage + * an individual network ACL, you explicitly specify the rule numbers. When you + * specify the network ACL rules in a Firewall Manager policy, you provide the + * rules to run first, in the order that you want them to run, and the rules to run + * last, in the order that you want them to run. Firewall Manager assigns the rule + * numbers for you when you save the network ACL policy specification.
+ */ + inline bool EntryDetailHasBeenSet() const { return m_entryDetailHasBeenSet; } + + /** + *Describes a rule in a network ACL.
Each network ACL has a set of + * numbered ingress rules and a separate set of numbered egress rules. When + * determining whether a packet should be allowed in or out of a subnet associated + * with the network ACL, Amazon Web Services processes the entries in the network + * ACL according to the rule numbers, in ascending order.
When you manage + * an individual network ACL, you explicitly specify the rule numbers. When you + * specify the network ACL rules in a Firewall Manager policy, you provide the + * rules to run first, in the order that you want them to run, and the rules to run + * last, in the order that you want them to run. Firewall Manager assigns the rule + * numbers for you when you save the network ACL policy specification.
+ */ + inline void SetEntryDetail(const NetworkAclEntry& value) { m_entryDetailHasBeenSet = true; m_entryDetail = value; } + + /** + *Describes a rule in a network ACL.
Each network ACL has a set of + * numbered ingress rules and a separate set of numbered egress rules. When + * determining whether a packet should be allowed in or out of a subnet associated + * with the network ACL, Amazon Web Services processes the entries in the network + * ACL according to the rule numbers, in ascending order.
When you manage + * an individual network ACL, you explicitly specify the rule numbers. When you + * specify the network ACL rules in a Firewall Manager policy, you provide the + * rules to run first, in the order that you want them to run, and the rules to run + * last, in the order that you want them to run. Firewall Manager assigns the rule + * numbers for you when you save the network ACL policy specification.
+ */ + inline void SetEntryDetail(NetworkAclEntry&& value) { m_entryDetailHasBeenSet = true; m_entryDetail = std::move(value); } + + /** + *Describes a rule in a network ACL.
Each network ACL has a set of + * numbered ingress rules and a separate set of numbered egress rules. When + * determining whether a packet should be allowed in or out of a subnet associated + * with the network ACL, Amazon Web Services processes the entries in the network + * ACL according to the rule numbers, in ascending order.
When you manage + * an individual network ACL, you explicitly specify the rule numbers. When you + * specify the network ACL rules in a Firewall Manager policy, you provide the + * rules to run first, in the order that you want them to run, and the rules to run + * last, in the order that you want them to run. Firewall Manager assigns the rule + * numbers for you when you save the network ACL policy specification.
+ */ + inline EntryDescription& WithEntryDetail(const NetworkAclEntry& value) { SetEntryDetail(value); return *this;} + + /** + *Describes a rule in a network ACL.
Each network ACL has a set of + * numbered ingress rules and a separate set of numbered egress rules. When + * determining whether a packet should be allowed in or out of a subnet associated + * with the network ACL, Amazon Web Services processes the entries in the network + * ACL according to the rule numbers, in ascending order.
When you manage + * an individual network ACL, you explicitly specify the rule numbers. When you + * specify the network ACL rules in a Firewall Manager policy, you provide the + * rules to run first, in the order that you want them to run, and the rules to run + * last, in the order that you want them to run. Firewall Manager assigns the rule + * numbers for you when you save the network ACL policy specification.
+ */ + inline EntryDescription& WithEntryDetail(NetworkAclEntry&& value) { SetEntryDetail(std::move(value)); return *this;} + + + /** + *The rule number for the entry. ACL entries are processed in ascending order + * by rule number. In a Firewall Manager network ACL policy, Firewall Manager + * assigns rule numbers.
+ */ + inline int GetEntryRuleNumber() const{ return m_entryRuleNumber; } + + /** + *The rule number for the entry. ACL entries are processed in ascending order + * by rule number. In a Firewall Manager network ACL policy, Firewall Manager + * assigns rule numbers.
+ */ + inline bool EntryRuleNumberHasBeenSet() const { return m_entryRuleNumberHasBeenSet; } + + /** + *The rule number for the entry. ACL entries are processed in ascending order + * by rule number. In a Firewall Manager network ACL policy, Firewall Manager + * assigns rule numbers.
+ */ + inline void SetEntryRuleNumber(int value) { m_entryRuleNumberHasBeenSet = true; m_entryRuleNumber = value; } + + /** + *The rule number for the entry. ACL entries are processed in ascending order + * by rule number. In a Firewall Manager network ACL policy, Firewall Manager + * assigns rule numbers.
+ */ + inline EntryDescription& WithEntryRuleNumber(int value) { SetEntryRuleNumber(value); return *this;} + + + /** + *Specifies whether the entry is managed by Firewall Manager or by a user, and, + * for Firewall Manager-managed entries, specifies whether the entry is among those + * that run first in the network ACL or those that run last.
+ */ + inline const EntryType& GetEntryType() const{ return m_entryType; } + + /** + *Specifies whether the entry is managed by Firewall Manager or by a user, and, + * for Firewall Manager-managed entries, specifies whether the entry is among those + * that run first in the network ACL or those that run last.
+ */ + inline bool EntryTypeHasBeenSet() const { return m_entryTypeHasBeenSet; } + + /** + *Specifies whether the entry is managed by Firewall Manager or by a user, and, + * for Firewall Manager-managed entries, specifies whether the entry is among those + * that run first in the network ACL or those that run last.
+ */ + inline void SetEntryType(const EntryType& value) { m_entryTypeHasBeenSet = true; m_entryType = value; } + + /** + *Specifies whether the entry is managed by Firewall Manager or by a user, and, + * for Firewall Manager-managed entries, specifies whether the entry is among those + * that run first in the network ACL or those that run last.
+ */ + inline void SetEntryType(EntryType&& value) { m_entryTypeHasBeenSet = true; m_entryType = std::move(value); } + + /** + *Specifies whether the entry is managed by Firewall Manager or by a user, and, + * for Firewall Manager-managed entries, specifies whether the entry is among those + * that run first in the network ACL or those that run last.
+ */ + inline EntryDescription& WithEntryType(const EntryType& value) { SetEntryType(value); return *this;} + + /** + *Specifies whether the entry is managed by Firewall Manager or by a user, and, + * for Firewall Manager-managed entries, specifies whether the entry is among those + * that run first in the network ACL or those that run last.
+ */ + inline EntryDescription& WithEntryType(EntryType&& value) { SetEntryType(std::move(value)); return *this;} + + private: + + NetworkAclEntry m_entryDetail; + bool m_entryDetailHasBeenSet = false; + + int m_entryRuleNumber; + bool m_entryRuleNumberHasBeenSet = false; + + EntryType m_entryType; + bool m_entryTypeHasBeenSet = false; + }; + +} // namespace Model +} // namespace FMS +} // namespace Aws diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/EntryType.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/EntryType.h new file mode 100644 index 00000000000..3b347ec476b --- /dev/null +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/EntryType.h @@ -0,0 +1,32 @@ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +#pragma once +#includeDetailed information about an entry violation in a network ACL. The violation
+ * is against the network ACL specification inside the Firewall Manager network ACL
+ * policy. This data object is part of
+ * InvalidNetworkAclEntriesViolation
.
The Firewall Manager-managed network ACL entry that is involved in the entry + * violation.
+ */ + inline const EntryDescription& GetExpectedEntry() const{ return m_expectedEntry; } + + /** + *The Firewall Manager-managed network ACL entry that is involved in the entry + * violation.
+ */ + inline bool ExpectedEntryHasBeenSet() const { return m_expectedEntryHasBeenSet; } + + /** + *The Firewall Manager-managed network ACL entry that is involved in the entry + * violation.
+ */ + inline void SetExpectedEntry(const EntryDescription& value) { m_expectedEntryHasBeenSet = true; m_expectedEntry = value; } + + /** + *The Firewall Manager-managed network ACL entry that is involved in the entry + * violation.
+ */ + inline void SetExpectedEntry(EntryDescription&& value) { m_expectedEntryHasBeenSet = true; m_expectedEntry = std::move(value); } + + /** + *The Firewall Manager-managed network ACL entry that is involved in the entry + * violation.
+ */ + inline EntryViolation& WithExpectedEntry(const EntryDescription& value) { SetExpectedEntry(value); return *this;} + + /** + *The Firewall Manager-managed network ACL entry that is involved in the entry + * violation.
+ */ + inline EntryViolation& WithExpectedEntry(EntryDescription&& value) { SetExpectedEntry(std::move(value)); return *this;} + + + /** + *The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
should be, according to the network ACL policy
+ * specifications.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
should be, according to the network ACL policy
+ * specifications.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
should be, according to the network ACL policy
+ * specifications.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
should be, according to the network ACL policy
+ * specifications.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
should be, according to the network ACL policy
+ * specifications.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
should be, according to the network ACL policy
+ * specifications.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
should be, according to the network ACL policy
+ * specifications.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
should be, according to the network ACL policy
+ * specifications.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
is currently located.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
is currently located.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
is currently located.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
is currently located.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
is currently located.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
is currently located.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
is currently located.
The evaluation location within the ordered list of entries where the
+ * ExpectedEntry
is currently located.
The entry that's currently in the ExpectedEvaluationOrder
+ * location, in place of the expected entry.
The entry that's currently in the ExpectedEvaluationOrder
+ * location, in place of the expected entry.
The entry that's currently in the ExpectedEvaluationOrder
+ * location, in place of the expected entry.
The entry that's currently in the ExpectedEvaluationOrder
+ * location, in place of the expected entry.
The entry that's currently in the ExpectedEvaluationOrder
+ * location, in place of the expected entry.
The entry that's currently in the ExpectedEvaluationOrder
+ * location, in place of the expected entry.
The list of entries that are in conflict with ExpectedEntry
.
+ *
The list of entries that are in conflict with ExpectedEntry
.
+ *
The list of entries that are in conflict with ExpectedEntry
.
+ *
The list of entries that are in conflict with ExpectedEntry
.
+ *
The list of entries that are in conflict with ExpectedEntry
.
+ *
The list of entries that are in conflict with ExpectedEntry
.
+ *
The list of entries that are in conflict with ExpectedEntry
.
+ *
The list of entries that are in conflict with ExpectedEntry
.
+ *
Descriptions of the violations that Firewall Manager found for these entries. + *
+ */ + inline const Aws::VectorDescriptions of the violations that Firewall Manager found for these entries. + *
+ */ + inline bool EntryViolationReasonsHasBeenSet() const { return m_entryViolationReasonsHasBeenSet; } + + /** + *Descriptions of the violations that Firewall Manager found for these entries. + *
+ */ + inline void SetEntryViolationReasons(const Aws::VectorDescriptions of the violations that Firewall Manager found for these entries. + *
+ */ + inline void SetEntryViolationReasons(Aws::VectorDescriptions of the violations that Firewall Manager found for these entries. + *
+ */ + inline EntryViolation& WithEntryViolationReasons(const Aws::VectorDescriptions of the violations that Firewall Manager found for these entries. + *
+ */ + inline EntryViolation& WithEntryViolationReasons(Aws::VectorDescriptions of the violations that Firewall Manager found for these entries. + *
+ */ + inline EntryViolation& AddEntryViolationReasons(const EntryViolationReason& value) { m_entryViolationReasonsHasBeenSet = true; m_entryViolationReasons.push_back(value); return *this; } + + /** + *Descriptions of the violations that Firewall Manager found for these entries. + *
+ */ + inline EntryViolation& AddEntryViolationReasons(EntryViolationReason&& value) { m_entryViolationReasonsHasBeenSet = true; m_entryViolationReasons.push_back(std::move(value)); return *this; } + + private: + + EntryDescription m_expectedEntry; + bool m_expectedEntryHasBeenSet = false; + + Aws::String m_expectedEvaluationOrder; + bool m_expectedEvaluationOrderHasBeenSet = false; + + Aws::String m_actualEvaluationOrder; + bool m_actualEvaluationOrderHasBeenSet = false; + + EntryDescription m_entryAtExpectedEvaluationOrder; + bool m_entryAtExpectedEvaluationOrderHasBeenSet = false; + + Aws::VectorThe administator account that you want to get the details for.
+ *The administrator account that you want to get the details for.
*/ inline const Aws::String& GetAdminAccount() const{ return m_adminAccount; } /** - *The administator account that you want to get the details for.
+ *The administrator account that you want to get the details for.
*/ inline bool AdminAccountHasBeenSet() const { return m_adminAccountHasBeenSet; } /** - *The administator account that you want to get the details for.
+ *The administrator account that you want to get the details for.
*/ inline void SetAdminAccount(const Aws::String& value) { m_adminAccountHasBeenSet = true; m_adminAccount = value; } /** - *The administator account that you want to get the details for.
+ *The administrator account that you want to get the details for.
*/ inline void SetAdminAccount(Aws::String&& value) { m_adminAccountHasBeenSet = true; m_adminAccount = std::move(value); } /** - *The administator account that you want to get the details for.
+ *The administrator account that you want to get the details for.
*/ inline void SetAdminAccount(const char* value) { m_adminAccountHasBeenSet = true; m_adminAccount.assign(value); } /** - *The administator account that you want to get the details for.
+ *The administrator account that you want to get the details for.
*/ inline GetAdminScopeRequest& WithAdminAccount(const Aws::String& value) { SetAdminAccount(value); return *this;} /** - *The administator account that you want to get the details for.
+ *The administrator account that you want to get the details for.
*/ inline GetAdminScopeRequest& WithAdminAccount(Aws::String&& value) { SetAdminAccount(std::move(value)); return *this;} /** - *The administator account that you want to get the details for.
+ *The administrator account that you want to get the details for.
*/ inline GetAdminScopeRequest& WithAdminAccount(const char* value) { SetAdminAccount(value); return *this;} diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/GetAdminScopeResult.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/GetAdminScopeResult.h index 38e6a527c60..d6aebc1a7bc 100644 --- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/GetAdminScopeResult.h +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/GetAdminScopeResult.h @@ -62,8 +62,8 @@ namespace Model /** *The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
@@ -75,8 +75,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
@@ -88,8 +88,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
@@ -101,8 +101,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
@@ -114,8 +114,8 @@ namespace Model
/**
*
The current status of the request to onboard a member account as an Firewall - * Manager administator.
ONBOARDING
- The account is
- * onboarding to Firewall Manager as an administrator.
+ * Manager administrator.
ONBOARDING
- The account
+ * is onboarding to Firewall Manager as an administrator.
* ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to
* Firewall Manager as an administrator, and can perform actions on the resources
* defined in their AdminScope.
OFFBOARDING
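Review bot: the doc comment in these five GetAdminScopeResult.h hunks still reads "an Firewall Manager administrator" on the changed line, and the unchanged context reads "ONBOARDING_COMPLETE - Firewall Manager The account is onboarded to", where the leading "Firewall Manager" looks like a stray fragment. The typo fix already touches this comment, so correct both in the same pass: "a Firewall Manager administrator" and "ONBOARDING_COMPLETE - The account is onboarded to Firewall Manager as an administrator". The file path is under generated/src, so the wording probably has to change in the input the header is generated from, otherwise the next regeneration restores it.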
diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/GetViolationDetailsRequest.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/GetViolationDetailsRequest.h
index d9f380c6082..83d3d6eeb96 100644
--- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/GetViolationDetailsRequest.h
+++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/GetViolationDetailsRequest.h
@@ -39,7 +39,7 @@ namespace Model
* get violation details for the following policy types:
DNS * Firewall
Imported Network Firewall
Network * Firewall
Security group content audit
Third-party firewall
Network ACL
Third-party firewall
DNS * Firewall
Imported Network Firewall
Network * Firewall
Security group content audit
Third-party firewall
Network ACL
Third-party firewall
DNS * Firewall
Imported Network Firewall
Network * Firewall
Security group content audit
Third-party firewall
Network ACL
Third-party firewall
DNS * Firewall
Imported Network Firewall
Network * Firewall
Security group content audit
Third-party firewall
Network ACL
Third-party firewall
DNS * Firewall
Imported Network Firewall
Network * Firewall
Security group content audit
Third-party firewall
Network ACL
Third-party firewall
DNS * Firewall
Imported Network Firewall
Network * Firewall
Security group content audit
Third-party firewall
Network ACL
Third-party firewall
DNS * Firewall
Imported Network Firewall
Network * Firewall
Security group content audit
Third-party firewall
Network ACL
Third-party firewall
DNS * Firewall
Imported Network Firewall
Network * Firewall
Security group content audit
Third-party firewall
Network ACL
Third-party firewall
Violation detail for the entries in a network ACL resource.
The VPC where the violation was found.
+ */ + inline const Aws::String& GetVpc() const{ return m_vpc; } + + /** + *The VPC where the violation was found.
+ */ + inline bool VpcHasBeenSet() const { return m_vpcHasBeenSet; } + + /** + *The VPC where the violation was found.
+ */ + inline void SetVpc(const Aws::String& value) { m_vpcHasBeenSet = true; m_vpc = value; } + + /** + *The VPC where the violation was found.
+ */ + inline void SetVpc(Aws::String&& value) { m_vpcHasBeenSet = true; m_vpc = std::move(value); } + + /** + *The VPC where the violation was found.
+ */ + inline void SetVpc(const char* value) { m_vpcHasBeenSet = true; m_vpc.assign(value); } + + /** + *The VPC where the violation was found.
+ */ + inline InvalidNetworkAclEntriesViolation& WithVpc(const Aws::String& value) { SetVpc(value); return *this;} + + /** + *The VPC where the violation was found.
+ */ + inline InvalidNetworkAclEntriesViolation& WithVpc(Aws::String&& value) { SetVpc(std::move(value)); return *this;} + + /** + *The VPC where the violation was found.
+ */ + inline InvalidNetworkAclEntriesViolation& WithVpc(const char* value) { SetVpc(value); return *this;} + + + /** + *The subnet that's associated with the network ACL.
+ */ + inline const Aws::String& GetSubnet() const{ return m_subnet; } + + /** + *The subnet that's associated with the network ACL.
+ */ + inline bool SubnetHasBeenSet() const { return m_subnetHasBeenSet; } + + /** + *The subnet that's associated with the network ACL.
+ */ + inline void SetSubnet(const Aws::String& value) { m_subnetHasBeenSet = true; m_subnet = value; } + + /** + *The subnet that's associated with the network ACL.
+ */ + inline void SetSubnet(Aws::String&& value) { m_subnetHasBeenSet = true; m_subnet = std::move(value); } + + /** + *The subnet that's associated with the network ACL.
+ */ + inline void SetSubnet(const char* value) { m_subnetHasBeenSet = true; m_subnet.assign(value); } + + /** + *The subnet that's associated with the network ACL.
+ */ + inline InvalidNetworkAclEntriesViolation& WithSubnet(const Aws::String& value) { SetSubnet(value); return *this;} + + /** + *The subnet that's associated with the network ACL.
+ */ + inline InvalidNetworkAclEntriesViolation& WithSubnet(Aws::String&& value) { SetSubnet(std::move(value)); return *this;} + + /** + *The subnet that's associated with the network ACL.
+ */ + inline InvalidNetworkAclEntriesViolation& WithSubnet(const char* value) { SetSubnet(value); return *this;} + + + /** + *The Availability Zone where the network ACL is in use.
+ */ + inline const Aws::String& GetSubnetAvailabilityZone() const{ return m_subnetAvailabilityZone; } + + /** + *The Availability Zone where the network ACL is in use.
+ */ + inline bool SubnetAvailabilityZoneHasBeenSet() const { return m_subnetAvailabilityZoneHasBeenSet; } + + /** + *The Availability Zone where the network ACL is in use.
+ */ + inline void SetSubnetAvailabilityZone(const Aws::String& value) { m_subnetAvailabilityZoneHasBeenSet = true; m_subnetAvailabilityZone = value; } + + /** + *The Availability Zone where the network ACL is in use.
+ */ + inline void SetSubnetAvailabilityZone(Aws::String&& value) { m_subnetAvailabilityZoneHasBeenSet = true; m_subnetAvailabilityZone = std::move(value); } + + /** + *The Availability Zone where the network ACL is in use.
+ */ + inline void SetSubnetAvailabilityZone(const char* value) { m_subnetAvailabilityZoneHasBeenSet = true; m_subnetAvailabilityZone.assign(value); } + + /** + *The Availability Zone where the network ACL is in use.
+ */ + inline InvalidNetworkAclEntriesViolation& WithSubnetAvailabilityZone(const Aws::String& value) { SetSubnetAvailabilityZone(value); return *this;} + + /** + *The Availability Zone where the network ACL is in use.
+ */ + inline InvalidNetworkAclEntriesViolation& WithSubnetAvailabilityZone(Aws::String&& value) { SetSubnetAvailabilityZone(std::move(value)); return *this;} + + /** + *The Availability Zone where the network ACL is in use.
+ */ + inline InvalidNetworkAclEntriesViolation& WithSubnetAvailabilityZone(const char* value) { SetSubnetAvailabilityZone(value); return *this;} + + + /** + *The network ACL containing the entry violations.
+ */ + inline const Aws::String& GetCurrentAssociatedNetworkAcl() const{ return m_currentAssociatedNetworkAcl; } + + /** + *The network ACL containing the entry violations.
+ */ + inline bool CurrentAssociatedNetworkAclHasBeenSet() const { return m_currentAssociatedNetworkAclHasBeenSet; } + + /** + *The network ACL containing the entry violations.
+ */ + inline void SetCurrentAssociatedNetworkAcl(const Aws::String& value) { m_currentAssociatedNetworkAclHasBeenSet = true; m_currentAssociatedNetworkAcl = value; } + + /** + *The network ACL containing the entry violations.
+ */ + inline void SetCurrentAssociatedNetworkAcl(Aws::String&& value) { m_currentAssociatedNetworkAclHasBeenSet = true; m_currentAssociatedNetworkAcl = std::move(value); } + + /** + *The network ACL containing the entry violations.
+ */ + inline void SetCurrentAssociatedNetworkAcl(const char* value) { m_currentAssociatedNetworkAclHasBeenSet = true; m_currentAssociatedNetworkAcl.assign(value); } + + /** + *The network ACL containing the entry violations.
+ */ + inline InvalidNetworkAclEntriesViolation& WithCurrentAssociatedNetworkAcl(const Aws::String& value) { SetCurrentAssociatedNetworkAcl(value); return *this;} + + /** + *The network ACL containing the entry violations.
+ */ + inline InvalidNetworkAclEntriesViolation& WithCurrentAssociatedNetworkAcl(Aws::String&& value) { SetCurrentAssociatedNetworkAcl(std::move(value)); return *this;} + + /** + *The network ACL containing the entry violations.
+ */ + inline InvalidNetworkAclEntriesViolation& WithCurrentAssociatedNetworkAcl(const char* value) { SetCurrentAssociatedNetworkAcl(value); return *this;} + + + /** + *Detailed information about the entry violations in the network ACL.
+ */ + inline const Aws::VectorDetailed information about the entry violations in the network ACL.
+ */ + inline bool EntryViolationsHasBeenSet() const { return m_entryViolationsHasBeenSet; } + + /** + *Detailed information about the entry violations in the network ACL.
+ */ + inline void SetEntryViolations(const Aws::VectorDetailed information about the entry violations in the network ACL.
+ */ + inline void SetEntryViolations(Aws::VectorDetailed information about the entry violations in the network ACL.
+ */ + inline InvalidNetworkAclEntriesViolation& WithEntryViolations(const Aws::VectorDetailed information about the entry violations in the network ACL.
+ */ + inline InvalidNetworkAclEntriesViolation& WithEntryViolations(Aws::VectorDetailed information about the entry violations in the network ACL.
+ */ + inline InvalidNetworkAclEntriesViolation& AddEntryViolations(const EntryViolation& value) { m_entryViolationsHasBeenSet = true; m_entryViolations.push_back(value); return *this; } + + /** + *Detailed information about the entry violations in the network ACL.
+ */ + inline InvalidNetworkAclEntriesViolation& AddEntryViolations(EntryViolation&& value) { m_entryViolationsHasBeenSet = true; m_entryViolations.push_back(std::move(value)); return *this; } + + private: + + Aws::String m_vpc; + bool m_vpcHasBeenSet = false; + + Aws::String m_subnet; + bool m_subnetHasBeenSet = false; + + Aws::String m_subnetAvailabilityZone; + bool m_subnetAvailabilityZoneHasBeenSet = false; + + Aws::String m_currentAssociatedNetworkAcl; + bool m_currentAssociatedNetworkAclHasBeenSet = false; + + Aws::VectorDefines a Firewall Manager network ACL policy. This is used in the
+ * PolicyOption
of a SecurityServicePolicyData
for a
+ * Policy
, when the SecurityServicePolicyData
type is set
+ * to NETWORK_ACL_COMMON
.
For information about network ACLs, + * see Control + * traffic to subnets using network ACLs in the Amazon Virtual Private Cloud + * User Guide.
The definition of the first and last rules for the network ACL policy.
+ */ + inline const NetworkAclEntrySet& GetNetworkAclEntrySet() const{ return m_networkAclEntrySet; } + + /** + *The definition of the first and last rules for the network ACL policy.
+ */ + inline bool NetworkAclEntrySetHasBeenSet() const { return m_networkAclEntrySetHasBeenSet; } + + /** + *The definition of the first and last rules for the network ACL policy.
+ */ + inline void SetNetworkAclEntrySet(const NetworkAclEntrySet& value) { m_networkAclEntrySetHasBeenSet = true; m_networkAclEntrySet = value; } + + /** + *The definition of the first and last rules for the network ACL policy.
+ */ + inline void SetNetworkAclEntrySet(NetworkAclEntrySet&& value) { m_networkAclEntrySetHasBeenSet = true; m_networkAclEntrySet = std::move(value); } + + /** + *The definition of the first and last rules for the network ACL policy.
+ */ + inline NetworkAclCommonPolicy& WithNetworkAclEntrySet(const NetworkAclEntrySet& value) { SetNetworkAclEntrySet(value); return *this;} + + /** + *The definition of the first and last rules for the network ACL policy.
+ */ + inline NetworkAclCommonPolicy& WithNetworkAclEntrySet(NetworkAclEntrySet&& value) { SetNetworkAclEntrySet(std::move(value)); return *this;} + + private: + + NetworkAclEntrySet m_networkAclEntrySet; + bool m_networkAclEntrySetHasBeenSet = false; + }; + +} // namespace Model +} // namespace FMS +} // namespace Aws diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclEntry.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclEntry.h new file mode 100644 index 00000000000..93c37362225 --- /dev/null +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclEntry.h @@ -0,0 +1,323 @@ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +#pragma once +#includeDescribes a rule in a network ACL.
Each network ACL has a set of + * numbered ingress rules and a separate set of numbered egress rules. When + * determining whether a packet should be allowed in or out of a subnet associated + * with the network ACL, Amazon Web Services processes the entries in the network + * ACL according to the rule numbers, in ascending order.
When you manage + * an individual network ACL, you explicitly specify the rule numbers. When you + * specify the network ACL rules in a Firewall Manager policy, you provide the + * rules to run first, in the order that you want them to run, and the rules to run + * last, in the order that you want them to run. Firewall Manager assigns the rule + * numbers for you when you save the network ACL policy + * specification.
ICMP protocol: The ICMP type and code.
+ */ + inline const NetworkAclIcmpTypeCode& GetIcmpTypeCode() const{ return m_icmpTypeCode; } + + /** + *ICMP protocol: The ICMP type and code.
+ */ + inline bool IcmpTypeCodeHasBeenSet() const { return m_icmpTypeCodeHasBeenSet; } + + /** + *ICMP protocol: The ICMP type and code.
+ */ + inline void SetIcmpTypeCode(const NetworkAclIcmpTypeCode& value) { m_icmpTypeCodeHasBeenSet = true; m_icmpTypeCode = value; } + + /** + *ICMP protocol: The ICMP type and code.
+ */ + inline void SetIcmpTypeCode(NetworkAclIcmpTypeCode&& value) { m_icmpTypeCodeHasBeenSet = true; m_icmpTypeCode = std::move(value); } + + /** + *ICMP protocol: The ICMP type and code.
+ */ + inline NetworkAclEntry& WithIcmpTypeCode(const NetworkAclIcmpTypeCode& value) { SetIcmpTypeCode(value); return *this;} + + /** + *ICMP protocol: The ICMP type and code.
+ */ + inline NetworkAclEntry& WithIcmpTypeCode(NetworkAclIcmpTypeCode&& value) { SetIcmpTypeCode(std::move(value)); return *this;} + + + /** + *The protocol number. A value of "-1" means all protocols.
+ */ + inline const Aws::String& GetProtocol() const{ return m_protocol; } + + /** + *The protocol number. A value of "-1" means all protocols.
+ */ + inline bool ProtocolHasBeenSet() const { return m_protocolHasBeenSet; } + + /** + *The protocol number. A value of "-1" means all protocols.
+ */ + inline void SetProtocol(const Aws::String& value) { m_protocolHasBeenSet = true; m_protocol = value; } + + /** + *The protocol number. A value of "-1" means all protocols.
+ */ + inline void SetProtocol(Aws::String&& value) { m_protocolHasBeenSet = true; m_protocol = std::move(value); } + + /** + *The protocol number. A value of "-1" means all protocols.
+ */ + inline void SetProtocol(const char* value) { m_protocolHasBeenSet = true; m_protocol.assign(value); } + + /** + *The protocol number. A value of "-1" means all protocols.
+ */ + inline NetworkAclEntry& WithProtocol(const Aws::String& value) { SetProtocol(value); return *this;} + + /** + *The protocol number. A value of "-1" means all protocols.
+ */ + inline NetworkAclEntry& WithProtocol(Aws::String&& value) { SetProtocol(std::move(value)); return *this;} + + /** + *The protocol number. A value of "-1" means all protocols.
+ */ + inline NetworkAclEntry& WithProtocol(const char* value) { SetProtocol(value); return *this;} + + + /** + *TCP or UDP protocols: The range of ports the rule applies to.
+ */ + inline const NetworkAclPortRange& GetPortRange() const{ return m_portRange; } + + /** + *TCP or UDP protocols: The range of ports the rule applies to.
+ */ + inline bool PortRangeHasBeenSet() const { return m_portRangeHasBeenSet; } + + /** + *TCP or UDP protocols: The range of ports the rule applies to.
+ */ + inline void SetPortRange(const NetworkAclPortRange& value) { m_portRangeHasBeenSet = true; m_portRange = value; } + + /** + *TCP or UDP protocols: The range of ports the rule applies to.
+ */ + inline void SetPortRange(NetworkAclPortRange&& value) { m_portRangeHasBeenSet = true; m_portRange = std::move(value); } + + /** + *TCP or UDP protocols: The range of ports the rule applies to.
+ */ + inline NetworkAclEntry& WithPortRange(const NetworkAclPortRange& value) { SetPortRange(value); return *this;} + + /** + *TCP or UDP protocols: The range of ports the rule applies to.
+ */ + inline NetworkAclEntry& WithPortRange(NetworkAclPortRange&& value) { SetPortRange(std::move(value)); return *this;} + + + /** + *The IPv4 network range to allow or deny, in CIDR notation.
+ */ + inline const Aws::String& GetCidrBlock() const{ return m_cidrBlock; } + + /** + *The IPv4 network range to allow or deny, in CIDR notation.
+ */ + inline bool CidrBlockHasBeenSet() const { return m_cidrBlockHasBeenSet; } + + /** + *The IPv4 network range to allow or deny, in CIDR notation.
+ */ + inline void SetCidrBlock(const Aws::String& value) { m_cidrBlockHasBeenSet = true; m_cidrBlock = value; } + + /** + *The IPv4 network range to allow or deny, in CIDR notation.
+ */ + inline void SetCidrBlock(Aws::String&& value) { m_cidrBlockHasBeenSet = true; m_cidrBlock = std::move(value); } + + /** + *The IPv4 network range to allow or deny, in CIDR notation.
+ */ + inline void SetCidrBlock(const char* value) { m_cidrBlockHasBeenSet = true; m_cidrBlock.assign(value); } + + /** + *The IPv4 network range to allow or deny, in CIDR notation.
+ */ + inline NetworkAclEntry& WithCidrBlock(const Aws::String& value) { SetCidrBlock(value); return *this;} + + /** + *The IPv4 network range to allow or deny, in CIDR notation.
+ */ + inline NetworkAclEntry& WithCidrBlock(Aws::String&& value) { SetCidrBlock(std::move(value)); return *this;} + + /** + *The IPv4 network range to allow or deny, in CIDR notation.
+ */ + inline NetworkAclEntry& WithCidrBlock(const char* value) { SetCidrBlock(value); return *this;} + + + /** + *The IPv6 network range to allow or deny, in CIDR notation.
+ */ + inline const Aws::String& GetIpv6CidrBlock() const{ return m_ipv6CidrBlock; } + + /** + *The IPv6 network range to allow or deny, in CIDR notation.
+ */ + inline bool Ipv6CidrBlockHasBeenSet() const { return m_ipv6CidrBlockHasBeenSet; } + + /** + *The IPv6 network range to allow or deny, in CIDR notation.
+ */ + inline void SetIpv6CidrBlock(const Aws::String& value) { m_ipv6CidrBlockHasBeenSet = true; m_ipv6CidrBlock = value; } + + /** + *The IPv6 network range to allow or deny, in CIDR notation.
+ */ + inline void SetIpv6CidrBlock(Aws::String&& value) { m_ipv6CidrBlockHasBeenSet = true; m_ipv6CidrBlock = std::move(value); } + + /** + *The IPv6 network range to allow or deny, in CIDR notation.
+ */ + inline void SetIpv6CidrBlock(const char* value) { m_ipv6CidrBlockHasBeenSet = true; m_ipv6CidrBlock.assign(value); } + + /** + *The IPv6 network range to allow or deny, in CIDR notation.
+ */ + inline NetworkAclEntry& WithIpv6CidrBlock(const Aws::String& value) { SetIpv6CidrBlock(value); return *this;} + + /** + *The IPv6 network range to allow or deny, in CIDR notation.
+ */ + inline NetworkAclEntry& WithIpv6CidrBlock(Aws::String&& value) { SetIpv6CidrBlock(std::move(value)); return *this;} + + /** + *The IPv6 network range to allow or deny, in CIDR notation.
+ */ + inline NetworkAclEntry& WithIpv6CidrBlock(const char* value) { SetIpv6CidrBlock(value); return *this;} + + + /** + *Indicates whether to allow or deny the traffic that matches the rule.
+ */ + inline const NetworkAclRuleAction& GetRuleAction() const{ return m_ruleAction; } + + /** + *Indicates whether to allow or deny the traffic that matches the rule.
+ */ + inline bool RuleActionHasBeenSet() const { return m_ruleActionHasBeenSet; } + + /** + *Indicates whether to allow or deny the traffic that matches the rule.
+ */ + inline void SetRuleAction(const NetworkAclRuleAction& value) { m_ruleActionHasBeenSet = true; m_ruleAction = value; } + + /** + *Indicates whether to allow or deny the traffic that matches the rule.
+ */ + inline void SetRuleAction(NetworkAclRuleAction&& value) { m_ruleActionHasBeenSet = true; m_ruleAction = std::move(value); } + + /** + *Indicates whether to allow or deny the traffic that matches the rule.
+ */ + inline NetworkAclEntry& WithRuleAction(const NetworkAclRuleAction& value) { SetRuleAction(value); return *this;} + + /** + *Indicates whether to allow or deny the traffic that matches the rule.
+ */ + inline NetworkAclEntry& WithRuleAction(NetworkAclRuleAction&& value) { SetRuleAction(std::move(value)); return *this;} + + + /** + *Indicates whether the rule is an egress, or outbound, rule (applied to + * traffic leaving the subnet). If it's not an egress rule, then it's an ingress, + * or inbound, rule.
+ */ + inline bool GetEgress() const{ return m_egress; } + + /** + *Indicates whether the rule is an egress, or outbound, rule (applied to + * traffic leaving the subnet). If it's not an egress rule, then it's an ingress, + * or inbound, rule.
+ */ + inline bool EgressHasBeenSet() const { return m_egressHasBeenSet; } + + /** + *Indicates whether the rule is an egress, or outbound, rule (applied to + * traffic leaving the subnet). If it's not an egress rule, then it's an ingress, + * or inbound, rule.
+ */ + inline void SetEgress(bool value) { m_egressHasBeenSet = true; m_egress = value; } + + /** + *Indicates whether the rule is an egress, or outbound, rule (applied to + * traffic leaving the subnet). If it's not an egress rule, then it's an ingress, + * or inbound, rule.
+ */ + inline NetworkAclEntry& WithEgress(bool value) { SetEgress(value); return *this;} + + private: + + NetworkAclIcmpTypeCode m_icmpTypeCode; + bool m_icmpTypeCodeHasBeenSet = false; + + Aws::String m_protocol; + bool m_protocolHasBeenSet = false; + + NetworkAclPortRange m_portRange; + bool m_portRangeHasBeenSet = false; + + Aws::String m_cidrBlock; + bool m_cidrBlockHasBeenSet = false; + + Aws::String m_ipv6CidrBlock; + bool m_ipv6CidrBlockHasBeenSet = false; + + NetworkAclRuleAction m_ruleAction; + bool m_ruleActionHasBeenSet = false; + + bool m_egress; + bool m_egressHasBeenSet = false; + }; + +} // namespace Model +} // namespace FMS +} // namespace Aws diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclEntrySet.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclEntrySet.h new file mode 100644 index 00000000000..98c6e2f1bd6 --- /dev/null +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclEntrySet.h @@ -0,0 +1,286 @@ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +#pragma once +#includeThe configuration of the first and last rules for the network ACL policy, and + * the remediation settings for each.
The rules that you want to run first in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline const Aws::VectorThe rules that you want to run first in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline bool FirstEntriesHasBeenSet() const { return m_firstEntriesHasBeenSet; } + + /** + *The rules that you want to run first in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline void SetFirstEntries(const Aws::VectorThe rules that you want to run first in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline void SetFirstEntries(Aws::VectorThe rules that you want to run first in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline NetworkAclEntrySet& WithFirstEntries(const Aws::VectorThe rules that you want to run first in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline NetworkAclEntrySet& WithFirstEntries(Aws::VectorThe rules that you want to run first in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline NetworkAclEntrySet& AddFirstEntries(const NetworkAclEntry& value) { m_firstEntriesHasBeenSet = true; m_firstEntries.push_back(value); return *this; } + + /** + *The rules that you want to run first in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline NetworkAclEntrySet& AddFirstEntries(NetworkAclEntry&& value) { m_firstEntriesHasBeenSet = true; m_firstEntries.push_back(std::move(value)); return *this; } + + + /** + *Applies only when remediation is enabled for the policy as a whole. Firewall + * Manager uses this setting when it finds policy violations that involve conflicts + * between the custom entries and the policy entries.
If forced remediation + * is disabled, Firewall Manager marks the network ACL as noncompliant and does not + * try to remediate. For more information about the remediation behavior, see Network + * access control list (ACL) policies in the Firewall Manager Developer + * Guide.
+ */ + inline bool GetForceRemediateForFirstEntries() const{ return m_forceRemediateForFirstEntries; } + + /** + *Applies only when remediation is enabled for the policy as a whole. Firewall + * Manager uses this setting when it finds policy violations that involve conflicts + * between the custom entries and the policy entries.
If forced remediation + * is disabled, Firewall Manager marks the network ACL as noncompliant and does not + * try to remediate. For more information about the remediation behavior, see Network + * access control list (ACL) policies in the Firewall Manager Developer + * Guide.
+ */ + inline bool ForceRemediateForFirstEntriesHasBeenSet() const { return m_forceRemediateForFirstEntriesHasBeenSet; } + + /** + *Applies only when remediation is enabled for the policy as a whole. Firewall + * Manager uses this setting when it finds policy violations that involve conflicts + * between the custom entries and the policy entries.
If forced remediation + * is disabled, Firewall Manager marks the network ACL as noncompliant and does not + * try to remediate. For more information about the remediation behavior, see Network + * access control list (ACL) policies in the Firewall Manager Developer + * Guide.
+ */ + inline void SetForceRemediateForFirstEntries(bool value) { m_forceRemediateForFirstEntriesHasBeenSet = true; m_forceRemediateForFirstEntries = value; } + + /** + *Applies only when remediation is enabled for the policy as a whole. Firewall + * Manager uses this setting when it finds policy violations that involve conflicts + * between the custom entries and the policy entries.
If forced remediation + * is disabled, Firewall Manager marks the network ACL as noncompliant and does not + * try to remediate. For more information about the remediation behavior, see Network + * access control list (ACL) policies in the Firewall Manager Developer + * Guide.
+ */ + inline NetworkAclEntrySet& WithForceRemediateForFirstEntries(bool value) { SetForceRemediateForFirstEntries(value); return *this;} + + + /** + *The rules that you want to run last in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline const Aws::VectorThe rules that you want to run last in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline bool LastEntriesHasBeenSet() const { return m_lastEntriesHasBeenSet; } + + /** + *The rules that you want to run last in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline void SetLastEntries(const Aws::VectorThe rules that you want to run last in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline void SetLastEntries(Aws::VectorThe rules that you want to run last in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline NetworkAclEntrySet& WithLastEntries(const Aws::VectorThe rules that you want to run last in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline NetworkAclEntrySet& WithLastEntries(Aws::VectorThe rules that you want to run last in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline NetworkAclEntrySet& AddLastEntries(const NetworkAclEntry& value) { m_lastEntriesHasBeenSet = true; m_lastEntries.push_back(value); return *this; } + + /** + *The rules that you want to run last in the Firewall Manager managed network + * ACLs.
Provide these in the order in which you want them to run. + * Firewall Manager will assign the specific rule numbers for you, in the network + * ACLs that it creates.
+ */ + inline NetworkAclEntrySet& AddLastEntries(NetworkAclEntry&& value) { m_lastEntriesHasBeenSet = true; m_lastEntries.push_back(std::move(value)); return *this; } + + + /** + *Applies only when remediation is enabled for the policy as a whole. Firewall + * Manager uses this setting when it finds policy violations that involve conflicts + * between the custom entries and the policy entries.
If forced remediation + * is disabled, Firewall Manager marks the network ACL as noncompliant and does not + * try to remediate. For more information about the remediation behavior, see Network + * access control list (ACL) policies in the Firewall Manager Developer + * Guide.
+ */ + inline bool GetForceRemediateForLastEntries() const{ return m_forceRemediateForLastEntries; } + + /** + *Applies only when remediation is enabled for the policy as a whole. Firewall + * Manager uses this setting when it finds policy violations that involve conflicts + * between the custom entries and the policy entries.
If forced remediation + * is disabled, Firewall Manager marks the network ACL as noncompliant and does not + * try to remediate. For more information about the remediation behavior, see Network + * access control list (ACL) policies in the Firewall Manager Developer + * Guide.
+ */ + inline bool ForceRemediateForLastEntriesHasBeenSet() const { return m_forceRemediateForLastEntriesHasBeenSet; } + + /** + *Applies only when remediation is enabled for the policy as a whole. Firewall + * Manager uses this setting when it finds policy violations that involve conflicts + * between the custom entries and the policy entries.
If forced remediation + * is disabled, Firewall Manager marks the network ACL as noncompliant and does not + * try to remediate. For more information about the remediation behavior, see Network + * access control list (ACL) policies in the Firewall Manager Developer + * Guide.
+ */ + inline void SetForceRemediateForLastEntries(bool value) { m_forceRemediateForLastEntriesHasBeenSet = true; m_forceRemediateForLastEntries = value; } + + /** + *Applies only when remediation is enabled for the policy as a whole. Firewall + * Manager uses this setting when it finds policy violations that involve conflicts + * between the custom entries and the policy entries.
If forced remediation + * is disabled, Firewall Manager marks the network ACL as noncompliant and does not + * try to remediate. For more information about the remediation behavior, see Network + * access control list (ACL) policies in the Firewall Manager Developer + * Guide.
+ */ + inline NetworkAclEntrySet& WithForceRemediateForLastEntries(bool value) { SetForceRemediateForLastEntries(value); return *this;} + + private: + + Aws::VectorICMP protocol: The ICMP type and code.
ICMP code.
+ */ + inline int GetCode() const{ return m_code; } + + /** + *ICMP code.
+ */ + inline bool CodeHasBeenSet() const { return m_codeHasBeenSet; } + + /** + *ICMP code.
+ */ + inline void SetCode(int value) { m_codeHasBeenSet = true; m_code = value; } + + /** + *ICMP code.
+ */ + inline NetworkAclIcmpTypeCode& WithCode(int value) { SetCode(value); return *this;} + + + /** + *ICMP type.
+ */ + inline int GetType() const{ return m_type; } + + /** + *ICMP type.
+ */ + inline bool TypeHasBeenSet() const { return m_typeHasBeenSet; } + + /** + *ICMP type.
+ */ + inline void SetType(int value) { m_typeHasBeenSet = true; m_type = value; } + + /** + *ICMP type.
+ */ + inline NetworkAclIcmpTypeCode& WithType(int value) { SetType(value); return *this;} + + private: + + int m_code; + bool m_codeHasBeenSet = false; + + int m_type; + bool m_typeHasBeenSet = false; + }; + +} // namespace Model +} // namespace FMS +} // namespace Aws diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclPortRange.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclPortRange.h new file mode 100644 index 00000000000..8932ea4396d --- /dev/null +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclPortRange.h @@ -0,0 +1,91 @@ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +#pragma once +#includeTCP or UDP protocols: The range of ports the rule applies to.
The beginning port number of the range.
+ */ + inline int GetFrom() const{ return m_from; } + + /** + *The beginning port number of the range.
+ */ + inline bool FromHasBeenSet() const { return m_fromHasBeenSet; } + + /** + *The beginning port number of the range.
+ */ + inline void SetFrom(int value) { m_fromHasBeenSet = true; m_from = value; } + + /** + *The beginning port number of the range.
+ */ + inline NetworkAclPortRange& WithFrom(int value) { SetFrom(value); return *this;} + + + /** + *The ending port number of the range.
+ */ + inline int GetTo() const{ return m_to; } + + /** + *The ending port number of the range.
+ */ + inline bool ToHasBeenSet() const { return m_toHasBeenSet; } + + /** + *The ending port number of the range.
+ */ + inline void SetTo(int value) { m_toHasBeenSet = true; m_to = value; } + + /** + *The ending port number of the range.
+ */ + inline NetworkAclPortRange& WithTo(int value) { SetTo(value); return *this;} + + private: + + int m_from; + bool m_fromHasBeenSet = false; + + int m_to; + bool m_toHasBeenSet = false; + }; + +} // namespace Model +} // namespace FMS +} // namespace Aws diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclRuleAction.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclRuleAction.h new file mode 100644 index 00000000000..f5a90ee5dbf --- /dev/null +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/NetworkAclRuleAction.h @@ -0,0 +1,31 @@ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +#pragma once +#includeAWS::ElasticLoadBalancingV2::LoadBalancer
. WAF - AWS::ApiGateway::Stage
,
* AWS::ElasticLoadBalancingV2::LoadBalancer
, and
- * AWS::CloudFront::Distribution
.
DNS Firewall,
- * Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced -
+ * AWS::CloudFront::Distribution
.
Shield Advanced -
* AWS::ElasticLoadBalancingV2::LoadBalancer
,
* AWS::ElasticLoadBalancing::LoadBalancer
,
* AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit -
- * AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
,
- * and AWS::EC2::Instance
.
Security group usage
- * audit - AWS::EC2::SecurityGroup
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
,
+ * AWS::EC2::NetworkInterface
, and
+ * AWS::EC2::Instance
.
DNS Firewall, Network
+ * Firewall, and third-party firewall - AWS::EC2::VPC
.
AWS::ElasticLoadBalancingV2::LoadBalancer
. WAF - AWS::ApiGateway::Stage
,
* AWS::ElasticLoadBalancingV2::LoadBalancer
, and
- * AWS::CloudFront::Distribution
.
DNS Firewall,
- * Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced -
+ * AWS::CloudFront::Distribution
.
Shield Advanced -
* AWS::ElasticLoadBalancingV2::LoadBalancer
,
* AWS::ElasticLoadBalancing::LoadBalancer
,
* AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit -
- * AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
,
- * and AWS::EC2::Instance
.
Security group usage
- * audit - AWS::EC2::SecurityGroup
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
,
+ * AWS::EC2::NetworkInterface
, and
+ * AWS::EC2::Instance
.
DNS Firewall, Network
+ * Firewall, and third-party firewall - AWS::EC2::VPC
.
AWS::ElasticLoadBalancingV2::LoadBalancer
. WAF - AWS::ApiGateway::Stage
,
* AWS::ElasticLoadBalancingV2::LoadBalancer
, and
- * AWS::CloudFront::Distribution
.
DNS Firewall,
- * Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced -
+ * AWS::CloudFront::Distribution
.
Shield Advanced -
* AWS::ElasticLoadBalancingV2::LoadBalancer
,
* AWS::ElasticLoadBalancing::LoadBalancer
,
* AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit -
- * AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
,
- * and AWS::EC2::Instance
.
Security group usage
- * audit - AWS::EC2::SecurityGroup
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
,
+ * AWS::EC2::NetworkInterface
, and
+ * AWS::EC2::Instance
.
DNS Firewall, Network
+ * Firewall, and third-party firewall - AWS::EC2::VPC
.
AWS::ElasticLoadBalancingV2::LoadBalancer
. WAF - AWS::ApiGateway::Stage
,
* AWS::ElasticLoadBalancingV2::LoadBalancer
, and
- * AWS::CloudFront::Distribution
.
DNS Firewall,
- * Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced -
+ * AWS::CloudFront::Distribution
.
Shield Advanced -
* AWS::ElasticLoadBalancingV2::LoadBalancer
,
* AWS::ElasticLoadBalancing::LoadBalancer
,
* AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit -
- * AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
,
- * and AWS::EC2::Instance
.
Security group usage
- * audit - AWS::EC2::SecurityGroup
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
,
+ * AWS::EC2::NetworkInterface
, and
+ * AWS::EC2::Instance
.
DNS Firewall, Network
+ * Firewall, and third-party firewall - AWS::EC2::VPC
.
AWS::ElasticLoadBalancingV2::LoadBalancer
. WAF - AWS::ApiGateway::Stage
,
* AWS::ElasticLoadBalancingV2::LoadBalancer
, and
- * AWS::CloudFront::Distribution
.
DNS Firewall,
- * Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced -
+ * AWS::CloudFront::Distribution
.
Shield Advanced -
* AWS::ElasticLoadBalancingV2::LoadBalancer
,
* AWS::ElasticLoadBalancing::LoadBalancer
,
* AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit -
- * AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
,
- * and AWS::EC2::Instance
.
Security group usage
- * audit - AWS::EC2::SecurityGroup
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
,
+ * AWS::EC2::NetworkInterface
, and
+ * AWS::EC2::Instance
.
DNS Firewall, Network
+ * Firewall, and third-party firewall - AWS::EC2::VPC
.
AWS::ElasticLoadBalancingV2::LoadBalancer
. WAF - AWS::ApiGateway::Stage
,
* AWS::ElasticLoadBalancingV2::LoadBalancer
, and
- * AWS::CloudFront::Distribution
.
DNS Firewall,
- * Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced -
+ * AWS::CloudFront::Distribution
.
Shield Advanced -
* AWS::ElasticLoadBalancingV2::LoadBalancer
,
* AWS::ElasticLoadBalancing::LoadBalancer
,
* AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit -
- * AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
,
- * and AWS::EC2::Instance
.
Security group usage
- * audit - AWS::EC2::SecurityGroup
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
,
+ * AWS::EC2::NetworkInterface
, and
+ * AWS::EC2::Instance
.
DNS Firewall, Network
+ * Firewall, and third-party firewall - AWS::EC2::VPC
.
AWS::ElasticLoadBalancingV2::LoadBalancer
. WAF - AWS::ApiGateway::Stage
,
* AWS::ElasticLoadBalancingV2::LoadBalancer
, and
- * AWS::CloudFront::Distribution
.
DNS Firewall,
- * Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced -
+ * AWS::CloudFront::Distribution
.
Shield Advanced -
* AWS::ElasticLoadBalancingV2::LoadBalancer
,
* AWS::ElasticLoadBalancing::LoadBalancer
,
* AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit -
- * AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
,
- * and AWS::EC2::Instance
.
Security group usage
- * audit - AWS::EC2::SecurityGroup
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
,
+ * AWS::EC2::NetworkInterface
, and
+ * AWS::EC2::Instance
.
DNS Firewall, Network
+ * Firewall, and third-party firewall - AWS::EC2::VPC
.
AWS::ElasticLoadBalancingV2::LoadBalancer
. WAF - AWS::ApiGateway::Stage
,
* AWS::ElasticLoadBalancingV2::LoadBalancer
, and
- * AWS::CloudFront::Distribution
.
DNS Firewall,
- * Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced -
+ * AWS::CloudFront::Distribution
.
Shield Advanced -
* AWS::ElasticLoadBalancingV2::LoadBalancer
,
* AWS::ElasticLoadBalancing::LoadBalancer
,
* AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit -
- * AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
,
- * and AWS::EC2::Instance
.
Security group usage
- * audit - AWS::EC2::SecurityGroup
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
,
+ * AWS::EC2::NetworkInterface
, and
+ * AWS::EC2::Instance
.
DNS Firewall, Network
+ * Firewall, and third-party firewall - AWS::EC2::VPC
.
Contains the Network Firewall firewall policy options to configure the - * policy's deployment model and third-party firewall policy - * settings.
Defines a Firewall Manager network ACL policy.
+ */ + inline const NetworkAclCommonPolicy& GetNetworkAclCommonPolicy() const{ return m_networkAclCommonPolicy; } + + /** + *Defines a Firewall Manager network ACL policy.
+ */ + inline bool NetworkAclCommonPolicyHasBeenSet() const { return m_networkAclCommonPolicyHasBeenSet; } + + /** + *Defines a Firewall Manager network ACL policy.
+ */ + inline void SetNetworkAclCommonPolicy(const NetworkAclCommonPolicy& value) { m_networkAclCommonPolicyHasBeenSet = true; m_networkAclCommonPolicy = value; } + + /** + *Defines a Firewall Manager network ACL policy.
+ */ + inline void SetNetworkAclCommonPolicy(NetworkAclCommonPolicy&& value) { m_networkAclCommonPolicyHasBeenSet = true; m_networkAclCommonPolicy = std::move(value); } + + /** + *Defines a Firewall Manager network ACL policy.
+ */ + inline PolicyOption& WithNetworkAclCommonPolicy(const NetworkAclCommonPolicy& value) { SetNetworkAclCommonPolicy(value); return *this;} + + /** + *Defines a Firewall Manager network ACL policy.
+ */ + inline PolicyOption& WithNetworkAclCommonPolicy(NetworkAclCommonPolicy&& value) { SetNetworkAclCommonPolicy(std::move(value)); return *this;} + private: NetworkFirewallPolicy m_networkFirewallPolicy; @@ -108,6 +140,9 @@ namespace Model ThirdPartyFirewallPolicy m_thirdPartyFirewallPolicy; bool m_thirdPartyFirewallPolicyHasBeenSet = false; + + NetworkAclCommonPolicy m_networkAclCommonPolicy; + bool m_networkAclCommonPolicyHasBeenSet = false; }; } // namespace Model diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/PolicySummary.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/PolicySummary.h index f165e78b96a..0ae77dea71e 100644 --- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/PolicySummary.h +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/PolicySummary.h @@ -166,16 +166,7 @@ namespace Model *The type of resource protected by or in scope of the policy. This is in the
* format shown in the Amazon
- * Web Services Resource Types Reference. For WAF and Shield Advanced, examples
- * include AWS::ElasticLoadBalancingV2::LoadBalancer
and
- * AWS::CloudFront::Distribution
. For a security group common policy,
- * valid values are AWS::EC2::NetworkInterface
and
- * AWS::EC2::Instance
. For a security group content audit policy,
- * valid values are AWS::EC2::SecurityGroup
,
- * AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
- * For a security group usage audit policy, the value is
- * AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS
- * Firewall policy, the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the
* format shown in the Amazon
- * Web Services Resource Types Reference. For WAF and Shield Advanced, examples
- * include AWS::ElasticLoadBalancingV2::LoadBalancer
and
- * AWS::CloudFront::Distribution
. For a security group common policy,
- * valid values are AWS::EC2::NetworkInterface
and
- * AWS::EC2::Instance
. For a security group content audit policy,
- * valid values are AWS::EC2::SecurityGroup
,
- * AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
- * For a security group usage audit policy, the value is
- * AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS
- * Firewall policy, the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the
* format shown in the Amazon
- * Web Services Resource Types Reference. For WAF and Shield Advanced, examples
- * include AWS::ElasticLoadBalancingV2::LoadBalancer
and
- * AWS::CloudFront::Distribution
. For a security group common policy,
- * valid values are AWS::EC2::NetworkInterface
and
- * AWS::EC2::Instance
. For a security group content audit policy,
- * valid values are AWS::EC2::SecurityGroup
,
- * AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
- * For a security group usage audit policy, the value is
- * AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS
- * Firewall policy, the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the
* format shown in the Amazon
- * Web Services Resource Types Reference. For WAF and Shield Advanced, examples
- * include AWS::ElasticLoadBalancingV2::LoadBalancer
and
- * AWS::CloudFront::Distribution
. For a security group common policy,
- * valid values are AWS::EC2::NetworkInterface
and
- * AWS::EC2::Instance
. For a security group content audit policy,
- * valid values are AWS::EC2::SecurityGroup
,
- * AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
- * For a security group usage audit policy, the value is
- * AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS
- * Firewall policy, the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the
* format shown in the Amazon
- * Web Services Resource Types Reference. For WAF and Shield Advanced, examples
- * include AWS::ElasticLoadBalancingV2::LoadBalancer
and
- * AWS::CloudFront::Distribution
. For a security group common policy,
- * valid values are AWS::EC2::NetworkInterface
and
- * AWS::EC2::Instance
. For a security group content audit policy,
- * valid values are AWS::EC2::SecurityGroup
,
- * AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
- * For a security group usage audit policy, the value is
- * AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS
- * Firewall policy, the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the
* format shown in the Amazon
- * Web Services Resource Types Reference. For WAF and Shield Advanced, examples
- * include AWS::ElasticLoadBalancingV2::LoadBalancer
and
- * AWS::CloudFront::Distribution
. For a security group common policy,
- * valid values are AWS::EC2::NetworkInterface
and
- * AWS::EC2::Instance
. For a security group content audit policy,
- * valid values are AWS::EC2::SecurityGroup
,
- * AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
- * For a security group usage audit policy, the value is
- * AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS
- * Firewall policy, the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the
* format shown in the Amazon
- * Web Services Resource Types Reference. For WAF and Shield Advanced, examples
- * include AWS::ElasticLoadBalancingV2::LoadBalancer
and
- * AWS::CloudFront::Distribution
. For a security group common policy,
- * valid values are AWS::EC2::NetworkInterface
and
- * AWS::EC2::Instance
. For a security group content audit policy,
- * valid values are AWS::EC2::SecurityGroup
,
- * AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
- * For a security group usage audit policy, the value is
- * AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS
- * Firewall policy, the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the
* format shown in the Amazon
- * Web Services Resource Types Reference. For WAF and Shield Advanced, examples
- * include AWS::ElasticLoadBalancingV2::LoadBalancer
and
- * AWS::CloudFront::Distribution
. For a security group common policy,
- * valid values are AWS::EC2::NetworkInterface
and
- * AWS::EC2::Instance
. For a security group content audit policy,
- * valid values are AWS::EC2::SecurityGroup
,
- * AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
- * For a security group usage audit policy, the value is
- * AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS
- * Firewall policy, the value is AWS::EC2::VPC
.
Information about the CreateNetworkAcl
action in Amazon EC2.
Information about the CreateNetworkAcl
action in Amazon EC2.
Information about the CreateNetworkAcl
action in Amazon EC2.
Information about the CreateNetworkAcl
action in Amazon EC2.
Information about the CreateNetworkAcl
action in Amazon EC2.
Information about the CreateNetworkAcl
action in Amazon EC2.
Information about the ReplaceNetworkAclAssociation
action in
+ * Amazon EC2.
Information about the ReplaceNetworkAclAssociation
action in
+ * Amazon EC2.
Information about the ReplaceNetworkAclAssociation
action in
+ * Amazon EC2.
Information about the ReplaceNetworkAclAssociation
action in
+ * Amazon EC2.
Information about the ReplaceNetworkAclAssociation
action in
+ * Amazon EC2.
Information about the ReplaceNetworkAclAssociation
action in
+ * Amazon EC2.
Information about the CreateNetworkAclEntries
action in Amazon
+ * EC2.
Information about the CreateNetworkAclEntries
action in Amazon
+ * EC2.
Information about the CreateNetworkAclEntries
action in Amazon
+ * EC2.
Information about the CreateNetworkAclEntries
action in Amazon
+ * EC2.
Information about the CreateNetworkAclEntries
action in Amazon
+ * EC2.
Information about the CreateNetworkAclEntries
action in Amazon
+ * EC2.
Information about the DeleteNetworkAclEntries
action in Amazon
+ * EC2.
Information about the DeleteNetworkAclEntries
action in Amazon
+ * EC2.
Information about the DeleteNetworkAclEntries
action in Amazon
+ * EC2.
Information about the DeleteNetworkAclEntries
action in Amazon
+ * EC2.
Information about the DeleteNetworkAclEntries
action in Amazon
+ * EC2.
Information about the DeleteNetworkAclEntries
action in Amazon
+ * EC2.
Information about the ReplaceNetworkAclAssociation
action in
+ * Amazon EC2. This is a remediation option in
+ * RemediationAction
.
Brief description of this remediation action.
+ */ + inline const Aws::String& GetDescription() const{ return m_description; } + + /** + *Brief description of this remediation action.
+ */ + inline bool DescriptionHasBeenSet() const { return m_descriptionHasBeenSet; } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(const Aws::String& value) { m_descriptionHasBeenSet = true; m_description = value; } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(Aws::String&& value) { m_descriptionHasBeenSet = true; m_description = std::move(value); } + + /** + *Brief description of this remediation action.
+ */ + inline void SetDescription(const char* value) { m_descriptionHasBeenSet = true; m_description.assign(value); } + + /** + *Brief description of this remediation action.
+ */ + inline ReplaceNetworkAclAssociationAction& WithDescription(const Aws::String& value) { SetDescription(value); return *this;} + + /** + *Brief description of this remediation action.
+ */ + inline ReplaceNetworkAclAssociationAction& WithDescription(Aws::String&& value) { SetDescription(std::move(value)); return *this;} + + /** + *Brief description of this remediation action.
+ */ + inline ReplaceNetworkAclAssociationAction& WithDescription(const char* value) { SetDescription(value); return *this;} + + + + inline const ActionTarget& GetAssociationId() const{ return m_associationId; } + + + inline bool AssociationIdHasBeenSet() const { return m_associationIdHasBeenSet; } + + + inline void SetAssociationId(const ActionTarget& value) { m_associationIdHasBeenSet = true; m_associationId = value; } + + + inline void SetAssociationId(ActionTarget&& value) { m_associationIdHasBeenSet = true; m_associationId = std::move(value); } + + + inline ReplaceNetworkAclAssociationAction& WithAssociationId(const ActionTarget& value) { SetAssociationId(value); return *this;} + + + inline ReplaceNetworkAclAssociationAction& WithAssociationId(ActionTarget&& value) { SetAssociationId(std::move(value)); return *this;} + + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline const ActionTarget& GetNetworkAclId() const{ return m_networkAclId; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline bool NetworkAclIdHasBeenSet() const { return m_networkAclIdHasBeenSet; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline void SetNetworkAclId(const ActionTarget& value) { m_networkAclIdHasBeenSet = true; m_networkAclId = value; } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline void SetNetworkAclId(ActionTarget&& value) { m_networkAclIdHasBeenSet = true; m_networkAclId = std::move(value); } + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline ReplaceNetworkAclAssociationAction& WithNetworkAclId(const ActionTarget& value) { SetNetworkAclId(value); return *this;} + + /** + *The network ACL that's associated with the remediation action.
+ */ + inline ReplaceNetworkAclAssociationAction& WithNetworkAclId(ActionTarget&& value) { SetNetworkAclId(std::move(value)); return *this;} + + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline bool GetFMSCanRemediate() const{ return m_fMSCanRemediate; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline bool FMSCanRemediateHasBeenSet() const { return m_fMSCanRemediateHasBeenSet; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline void SetFMSCanRemediate(bool value) { m_fMSCanRemediateHasBeenSet = true; m_fMSCanRemediate = value; } + + /** + *Indicates whether it is possible for Firewall Manager to perform this + * remediation action. A false value indicates that auto remediation is disabled or + * Firewall Manager is unable to perform the action due to a conflict of some + * kind.
+ */ + inline ReplaceNetworkAclAssociationAction& WithFMSCanRemediate(bool value) { SetFMSCanRemediate(value); return *this;} + + private: + + Aws::String m_description; + bool m_descriptionHasBeenSet = false; + + ActionTarget m_associationId; + bool m_associationIdHasBeenSet = false; + + ActionTarget m_networkAclId; + bool m_networkAclIdHasBeenSet = false; + + bool m_fMSCanRemediate; + bool m_fMSCanRemediateHasBeenSet = false; + }; + +} // namespace Model +} // namespace FMS +} // namespace Aws diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/ResourceViolation.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/ResourceViolation.h index b9aa357cdff..55b30392921 100644 --- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/ResourceViolation.h +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/ResourceViolation.h @@ -21,13 +21,14 @@ #includeA list of possible remediation action lists. Each individual possible - * remediation action is a list of individual remediation actions.
- */ - inline const PossibleRemediationActions& GetPossibleRemediationActions() const{ return m_possibleRemediationActions; } - - /** - *A list of possible remediation action lists. Each individual possible - * remediation action is a list of individual remediation actions.
- */ - inline bool PossibleRemediationActionsHasBeenSet() const { return m_possibleRemediationActionsHasBeenSet; } - - /** - *A list of possible remediation action lists. Each individual possible - * remediation action is a list of individual remediation actions.
- */ - inline void SetPossibleRemediationActions(const PossibleRemediationActions& value) { m_possibleRemediationActionsHasBeenSet = true; m_possibleRemediationActions = value; } - - /** - *A list of possible remediation action lists. Each individual possible - * remediation action is a list of individual remediation actions.
- */ - inline void SetPossibleRemediationActions(PossibleRemediationActions&& value) { m_possibleRemediationActionsHasBeenSet = true; m_possibleRemediationActions = std::move(value); } - - /** - *A list of possible remediation action lists. Each individual possible - * remediation action is a list of individual remediation actions.
- */ - inline ResourceViolation& WithPossibleRemediationActions(const PossibleRemediationActions& value) { SetPossibleRemediationActions(value); return *this;} - - /** - *A list of possible remediation action lists. Each individual possible - * remediation action is a list of individual remediation actions.
- */ - inline ResourceViolation& WithPossibleRemediationActions(PossibleRemediationActions&& value) { SetPossibleRemediationActions(std::move(value)); return *this;} - - /** *Contains details about the firewall subnet that violates the policy * scope.
@@ -879,6 +843,74 @@ namespace Model */ inline ResourceViolation& WithFirewallSubnetMissingVPCEndpointViolation(FirewallSubnetMissingVPCEndpointViolation&& value) { SetFirewallSubnetMissingVPCEndpointViolation(std::move(value)); return *this;} + + /** + *Violation detail for the entries in a network ACL resource.
+ */ + inline const InvalidNetworkAclEntriesViolation& GetInvalidNetworkAclEntriesViolation() const{ return m_invalidNetworkAclEntriesViolation; } + + /** + *Violation detail for the entries in a network ACL resource.
+ */ + inline bool InvalidNetworkAclEntriesViolationHasBeenSet() const { return m_invalidNetworkAclEntriesViolationHasBeenSet; } + + /** + *Violation detail for the entries in a network ACL resource.
+ */ + inline void SetInvalidNetworkAclEntriesViolation(const InvalidNetworkAclEntriesViolation& value) { m_invalidNetworkAclEntriesViolationHasBeenSet = true; m_invalidNetworkAclEntriesViolation = value; } + + /** + *Violation detail for the entries in a network ACL resource.
+ */ + inline void SetInvalidNetworkAclEntriesViolation(InvalidNetworkAclEntriesViolation&& value) { m_invalidNetworkAclEntriesViolationHasBeenSet = true; m_invalidNetworkAclEntriesViolation = std::move(value); } + + /** + *Violation detail for the entries in a network ACL resource.
+ */ + inline ResourceViolation& WithInvalidNetworkAclEntriesViolation(const InvalidNetworkAclEntriesViolation& value) { SetInvalidNetworkAclEntriesViolation(value); return *this;} + + /** + *Violation detail for the entries in a network ACL resource.
+ */ + inline ResourceViolation& WithInvalidNetworkAclEntriesViolation(InvalidNetworkAclEntriesViolation&& value) { SetInvalidNetworkAclEntriesViolation(std::move(value)); return *this;} + + + /** + *A list of possible remediation action lists. Each individual possible + * remediation action is a list of individual remediation actions.
+ */ + inline const PossibleRemediationActions& GetPossibleRemediationActions() const{ return m_possibleRemediationActions; } + + /** + *A list of possible remediation action lists. Each individual possible + * remediation action is a list of individual remediation actions.
+ */ + inline bool PossibleRemediationActionsHasBeenSet() const { return m_possibleRemediationActionsHasBeenSet; } + + /** + *A list of possible remediation action lists. Each individual possible + * remediation action is a list of individual remediation actions.
+ */ + inline void SetPossibleRemediationActions(const PossibleRemediationActions& value) { m_possibleRemediationActionsHasBeenSet = true; m_possibleRemediationActions = value; } + + /** + *A list of possible remediation action lists. Each individual possible + * remediation action is a list of individual remediation actions.
+ */ + inline void SetPossibleRemediationActions(PossibleRemediationActions&& value) { m_possibleRemediationActionsHasBeenSet = true; m_possibleRemediationActions = std::move(value); } + + /** + *A list of possible remediation action lists. Each individual possible + * remediation action is a list of individual remediation actions.
+ */ + inline ResourceViolation& WithPossibleRemediationActions(const PossibleRemediationActions& value) { SetPossibleRemediationActions(value); return *this;} + + /** + *A list of possible remediation action lists. Each individual possible + * remediation action is a list of individual remediation actions.
+ */ + inline ResourceViolation& WithPossibleRemediationActions(PossibleRemediationActions&& value) { SetPossibleRemediationActions(std::move(value)); return *this;} + private: AwsVPCSecurityGroupViolation m_awsVPCSecurityGroupViolation; @@ -929,9 +961,6 @@ namespace Model DnsRuleGroupLimitExceededViolation m_dnsRuleGroupLimitExceededViolation; bool m_dnsRuleGroupLimitExceededViolationHasBeenSet = false; - PossibleRemediationActions m_possibleRemediationActions; - bool m_possibleRemediationActionsHasBeenSet = false; - FirewallSubnetIsOutOfScopeViolation m_firewallSubnetIsOutOfScopeViolation; bool m_firewallSubnetIsOutOfScopeViolationHasBeenSet = false; @@ -949,6 +978,12 @@ namespace Model FirewallSubnetMissingVPCEndpointViolation m_firewallSubnetMissingVPCEndpointViolation; bool m_firewallSubnetMissingVPCEndpointViolationHasBeenSet = false; + + InvalidNetworkAclEntriesViolation m_invalidNetworkAclEntriesViolation; + bool m_invalidNetworkAclEntriesViolationHasBeenSet = false; + + PossibleRemediationActions m_possibleRemediationActions; + bool m_possibleRemediationActionsHasBeenSet = false; }; } // namespace Model diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/SecurityServicePolicyData.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/SecurityServicePolicyData.h index dbfed21b6d8..17e1bfc919d 100644 --- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/SecurityServicePolicyData.h +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/SecurityServicePolicyData.h @@ -169,7 +169,7 @@ namespace Model *true
, otherwise Firewall Manager won't be able to create the
* policy. When you enable revertManualSecurityGroupChanges
, Firewall
* Manager identifies and reports when the security groups created by this policy
- * become non-compliant. Firewall Manager won't distrubute system tags + * become non-compliant.
Firewall Manager won't distribute system tags
* added by Amazon Web Services services into the replica security groups. System
* tags begin with the aws:
prefix.
Example: Shared
* VPCs. Apply the preceding policy to resources in shared VPCs as well as to those
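Review bot: the sentence corrected here still reads "added by Amazon Web Services services into the replica security groups" in the unchanged context line directly after the `distrubute` fix, so the doubled "services" survives this change. The identical hunk repeats for every accessor comment of this field (at -397, -625, -853 and onward) and the header sits under generated/src/, so the remaining wording is worth correcting once in the text these comments are generated from rather than in the eight copies.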
@@ -397,7 +397,7 @@ namespace Model
* true
, otherwise Firewall Manager won't be able to create the
* policy. When you enable revertManualSecurityGroupChanges
, Firewall
* Manager identifies and reports when the security groups created by this policy
- * become non-compliant.
Firewall Manager won't distrubute system tags + * become non-compliant.
Firewall Manager won't distribute system tags
* added by Amazon Web Services services into the replica security groups. System
* tags begin with the aws:
prefix.
Example: Shared
* VPCs. Apply the preceding policy to resources in shared VPCs as well as to those
@@ -625,7 +625,7 @@ namespace Model
* true
, otherwise Firewall Manager won't be able to create the
* policy. When you enable revertManualSecurityGroupChanges
, Firewall
* Manager identifies and reports when the security groups created by this policy
- * become non-compliant.
Firewall Manager won't distrubute system tags + * become non-compliant.
Firewall Manager won't distribute system tags
* added by Amazon Web Services services into the replica security groups. System
* tags begin with the aws:
prefix.
Example: Shared
* VPCs. Apply the preceding policy to resources in shared VPCs as well as to those
@@ -853,7 +853,7 @@ namespace Model
* true
, otherwise Firewall Manager won't be able to create the
* policy. When you enable revertManualSecurityGroupChanges
, Firewall
* Manager identifies and reports when the security groups created by this policy
- * become non-compliant.
Firewall Manager won't distrubute system tags + * become non-compliant.
Firewall Manager won't distribute system tags
* added by Amazon Web Services services into the replica security groups. System
* tags begin with the aws:
prefix.
Example: Shared
* VPCs. Apply the preceding policy to resources in shared VPCs as well as to those
@@ -1081,7 +1081,7 @@ namespace Model
* true
, otherwise Firewall Manager won't be able to create the
* policy. When you enable revertManualSecurityGroupChanges
, Firewall
* Manager identifies and reports when the security groups created by this policy
- * become non-compliant.
Firewall Manager won't distrubute system tags + * become non-compliant.
Firewall Manager won't distribute system tags
* added by Amazon Web Services services into the replica security groups. System
* tags begin with the aws:
prefix.
Example: Shared
* VPCs. Apply the preceding policy to resources in shared VPCs as well as to those
@@ -1309,7 +1309,7 @@ namespace Model
* true
, otherwise Firewall Manager won't be able to create the
* policy. When you enable revertManualSecurityGroupChanges
, Firewall
* Manager identifies and reports when the security groups created by this policy
- * become non-compliant.
Firewall Manager won't distrubute system tags + * become non-compliant.
Firewall Manager won't distribute system tags
* added by Amazon Web Services services into the replica security groups. System
* tags begin with the aws:
prefix.
Example: Shared
* VPCs. Apply the preceding policy to resources in shared VPCs as well as to those
@@ -1537,7 +1537,7 @@ namespace Model
* true
, otherwise Firewall Manager won't be able to create the
* policy. When you enable revertManualSecurityGroupChanges
, Firewall
* Manager identifies and reports when the security groups created by this policy
- * become non-compliant.
Firewall Manager won't distrubute system tags + * become non-compliant.
Firewall Manager won't distribute system tags
* added by Amazon Web Services services into the replica security groups. System
* tags begin with the aws:
prefix.
Example: Shared
* VPCs. Apply the preceding policy to resources in shared VPCs as well as to those
@@ -1765,7 +1765,7 @@ namespace Model
* true
, otherwise Firewall Manager won't be able to create the
* policy. When you enable revertManualSecurityGroupChanges
, Firewall
* Manager identifies and reports when the security groups created by this policy
- * become non-compliant.
Firewall Manager won't distrubute system tags + * become non-compliant.
Firewall Manager won't distribute system tags
* added by Amazon Web Services services into the replica security groups. System
* tags begin with the aws:
prefix.
Example: Shared * VPCs. Apply the preceding policy to resources in shared VPCs as well as to those @@ -1927,38 +1927,38 @@ namespace Model /** - *
Contains the Network Firewall firewall policy options to configure a - * centralized deployment model.
+ *Contains the settings to configure a network ACL policy, a Network Firewall + * firewall policy deployment model, or a third-party firewall policy.
*/ inline const PolicyOption& GetPolicyOption() const{ return m_policyOption; } /** - *Contains the Network Firewall firewall policy options to configure a - * centralized deployment model.
+ *Contains the settings to configure a network ACL policy, a Network Firewall + * firewall policy deployment model, or a third-party firewall policy.
*/ inline bool PolicyOptionHasBeenSet() const { return m_policyOptionHasBeenSet; } /** - *Contains the Network Firewall firewall policy options to configure a - * centralized deployment model.
+ *Contains the settings to configure a network ACL policy, a Network Firewall + * firewall policy deployment model, or a third-party firewall policy.
*/ inline void SetPolicyOption(const PolicyOption& value) { m_policyOptionHasBeenSet = true; m_policyOption = value; } /** - *Contains the Network Firewall firewall policy options to configure a - * centralized deployment model.
+ *Contains the settings to configure a network ACL policy, a Network Firewall + * firewall policy deployment model, or a third-party firewall policy.
*/ inline void SetPolicyOption(PolicyOption&& value) { m_policyOptionHasBeenSet = true; m_policyOption = std::move(value); } /** - *Contains the Network Firewall firewall policy options to configure a - * centralized deployment model.
+ *Contains the settings to configure a network ACL policy, a Network Firewall + * firewall policy deployment model, or a third-party firewall policy.
*/ inline SecurityServicePolicyData& WithPolicyOption(const PolicyOption& value) { SetPolicyOption(value); return *this;} /** - *Contains the Network Firewall firewall policy options to configure a - * centralized deployment model.
+ *Contains the settings to configure a network ACL policy, a Network Firewall + * firewall policy deployment model, or a third-party firewall policy.
*/ inline SecurityServicePolicyData& WithPolicyOption(PolicyOption&& value) { SetPolicyOption(std::move(value)); return *this;} diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/SecurityServiceType.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/SecurityServiceType.h index b4e20620b65..c631951b806 100644 --- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/SecurityServiceType.h +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/SecurityServiceType.h @@ -25,7 +25,8 @@ namespace Model NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL, - IMPORT_NETWORK_FIREWALL + IMPORT_NETWORK_FIREWALL, + NETWORK_ACL_COMMON }; namespace SecurityServiceTypeMapper diff --git a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/ViolationReason.h b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/ViolationReason.h index 16058cad370..1b73fab912c 100644 --- a/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/ViolationReason.h +++ b/generated/src/aws-cpp-sdk-fms/include/aws/fms/model/ViolationReason.h @@ -43,7 +43,8 @@ namespace Model BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET, RESOURCE_MISSING_DNS_FIREWALL, ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT, - FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT + FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT, + INVALID_NETWORK_ACL_ENTRY }; namespace ViolationReasonMapper diff --git a/generated/src/aws-cpp-sdk-fms/source/model/CreateNetworkAclAction.cpp b/generated/src/aws-cpp-sdk-fms/source/model/CreateNetworkAclAction.cpp new file mode 100644 index 00000000000..6795f574552 --- /dev/null +++ b/generated/src/aws-cpp-sdk-fms/source/model/CreateNetworkAclAction.cpp @@ -0,0 +1,91 @@ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +#includeChannel ARN.
+ *ARN of an IVS resource; e.g., channel.
*/ inline const Aws::String& GetArn() const{ return m_arn; } /** - *Channel ARN.
+ *ARN of an IVS resource; e.g., channel.
*/ inline bool ArnHasBeenSet() const { return m_arnHasBeenSet; } /** - *Channel ARN.
+ *ARN of an IVS resource; e.g., channel.
*/ inline void SetArn(const Aws::String& value) { m_arnHasBeenSet = true; m_arn = value; } /** - *Channel ARN.
+ *ARN of an IVS resource; e.g., channel.
*/ inline void SetArn(Aws::String&& value) { m_arnHasBeenSet = true; m_arn = std::move(value); } /** - *Channel ARN.
+ *ARN of an IVS resource; e.g., channel.
*/ inline void SetArn(const char* value) { m_arnHasBeenSet = true; m_arn.assign(value); } /** - *Channel ARN.
+ *ARN of an IVS resource; e.g., channel.
*/ inline BatchError& WithArn(const Aws::String& value) { SetArn(value); return *this;} /** - *Channel ARN.
+ *ARN of an IVS resource; e.g., channel.
*/ inline BatchError& WithArn(Aws::String&& value) { SetArn(std::move(value)); return *this;} /** - *Channel ARN.
+ *ARN of an IVS resource; e.g., channel.
*/ inline BatchError& WithArn(const char* value) { SetArn(value); return *this;} diff --git a/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/CreateDBInstanceRequest.h b/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/CreateDBInstanceRequest.h index 72169f4469e..5c74ef8e957 100644 --- a/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/CreateDBInstanceRequest.h +++ b/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/CreateDBInstanceRequest.h @@ -4149,64 +4149,80 @@ namespace Model /** *The time zone of the DB instance. The time zone parameter is currently * supported only by Microsoft - * SQL Server.
+ * href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone">RDS + * for Db2 and RDS + * for SQL Server. */ inline const Aws::String& GetTimezone() const{ return m_timezone; } /** *The time zone of the DB instance. The time zone parameter is currently * supported only by Microsoft - * SQL Server.
+ * href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone">RDS + * for Db2 and RDS + * for SQL Server. */ inline bool TimezoneHasBeenSet() const { return m_timezoneHasBeenSet; } /** *The time zone of the DB instance. The time zone parameter is currently * supported only by Microsoft - * SQL Server.
+ * href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone">RDS + * for Db2 and RDS + * for SQL Server. */ inline void SetTimezone(const Aws::String& value) { m_timezoneHasBeenSet = true; m_timezone = value; } /** *The time zone of the DB instance. The time zone parameter is currently * supported only by Microsoft - * SQL Server.
+ * href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone">RDS + * for Db2 and RDS + * for SQL Server. */ inline void SetTimezone(Aws::String&& value) { m_timezoneHasBeenSet = true; m_timezone = std::move(value); } /** *The time zone of the DB instance. The time zone parameter is currently * supported only by Microsoft - * SQL Server.
+ * href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone">RDS + * for Db2 and RDS + * for SQL Server. */ inline void SetTimezone(const char* value) { m_timezoneHasBeenSet = true; m_timezone.assign(value); } /** *The time zone of the DB instance. The time zone parameter is currently * supported only by Microsoft - * SQL Server.
+ * href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone">RDS + * for Db2 and RDS + * for SQL Server. */ inline CreateDBInstanceRequest& WithTimezone(const Aws::String& value) { SetTimezone(value); return *this;} /** *The time zone of the DB instance. The time zone parameter is currently * supported only by Microsoft - * SQL Server.
+ * href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone">RDS + * for Db2 and RDS + * for SQL Server. */ inline CreateDBInstanceRequest& WithTimezone(Aws::String&& value) { SetTimezone(std::move(value)); return *this;} /** *The time zone of the DB instance. The time zone parameter is currently * supported only by Microsoft - * SQL Server.
+ * href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-time-zone">RDS + * for Db2 and RDS + * for SQL Server. */ inline CreateDBInstanceRequest& WithTimezone(const char* value) { SetTimezone(value); return *this;} diff --git a/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/DBInstance.h b/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/DBInstance.h index 899ee0f31db..6aaf9b5d452 100644 --- a/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/DBInstance.h +++ b/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/DBInstance.h @@ -2322,57 +2322,65 @@ namespace Model /** *The time zone of the DB instance. In most cases, the Timezone
- * element is empty. Timezone
content appears only for Microsoft SQL
- * Server DB instances that were created with a time zone specified.
Timezone
content appears only for RDS for Db2 and
+ * RDS for SQL Server DB instances that were created with a time zone
+ * specified.
*/
inline const Aws::String& GetTimezone() const{ return m_timezone; }
/**
* The time zone of the DB instance. In most cases, the Timezone
- * element is empty. Timezone
content appears only for Microsoft SQL
- * Server DB instances that were created with a time zone specified.
Timezone
content appears only for RDS for Db2 and
+ * RDS for SQL Server DB instances that were created with a time zone
+ * specified.
*/
inline bool TimezoneHasBeenSet() const { return m_timezoneHasBeenSet; }
/**
* The time zone of the DB instance. In most cases, the Timezone
- * element is empty. Timezone
content appears only for Microsoft SQL
- * Server DB instances that were created with a time zone specified.
Timezone
content appears only for RDS for Db2 and
+ * RDS for SQL Server DB instances that were created with a time zone
+ * specified.
*/
inline void SetTimezone(const Aws::String& value) { m_timezoneHasBeenSet = true; m_timezone = value; }
/**
* The time zone of the DB instance. In most cases, the Timezone
- * element is empty. Timezone
content appears only for Microsoft SQL
- * Server DB instances that were created with a time zone specified.
Timezone
content appears only for RDS for Db2 and
+ * RDS for SQL Server DB instances that were created with a time zone
+ * specified.
*/
inline void SetTimezone(Aws::String&& value) { m_timezoneHasBeenSet = true; m_timezone = std::move(value); }
/**
* The time zone of the DB instance. In most cases, the Timezone
- * element is empty. Timezone
content appears only for Microsoft SQL
- * Server DB instances that were created with a time zone specified.
Timezone
content appears only for RDS for Db2 and
+ * RDS for SQL Server DB instances that were created with a time zone
+ * specified.
*/
inline void SetTimezone(const char* value) { m_timezoneHasBeenSet = true; m_timezone.assign(value); }
/**
* The time zone of the DB instance. In most cases, the Timezone
- * element is empty. Timezone
content appears only for Microsoft SQL
- * Server DB instances that were created with a time zone specified.
Timezone
content appears only for RDS for Db2 and
+ * RDS for SQL Server DB instances that were created with a time zone
+ * specified.
*/
inline DBInstance& WithTimezone(const Aws::String& value) { SetTimezone(value); return *this;}
/**
* The time zone of the DB instance. In most cases, the Timezone
- * element is empty. Timezone
content appears only for Microsoft SQL
- * Server DB instances that were created with a time zone specified.
Timezone
content appears only for RDS for Db2 and
+ * RDS for SQL Server DB instances that were created with a time zone
+ * specified.
*/
inline DBInstance& WithTimezone(Aws::String&& value) { SetTimezone(std::move(value)); return *this;}
/**
* The time zone of the DB instance. In most cases, the Timezone
- * element is empty. Timezone
content appears only for Microsoft SQL
- * Server DB instances that were created with a time zone specified.
Timezone
content appears only for RDS for Db2 and
+ * RDS for SQL Server DB instances that were created with a time zone
+ * specified.
*/
inline DBInstance& WithTimezone(const char* value) { SetTimezone(value); return *this;}
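Review bot: the reworded comment on `GetTimezone()` says the element is empty in most cases and is populated only for RDS for Db2 and RDS for SQL Server instances created with a time zone, but it never points the caller at `TimezoneHasBeenSet()`. The getter returns `m_timezone` by reference, so a caller cannot tell an absent field from an empty value through it alone. Suggest adding one sentence to the getter's comment saying to check `TimezoneHasBeenSet()` before relying on the value. The same paragraph is repeated on all eight accessors, so the addition only needs to be made where the comment text is defined.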
diff --git a/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/ModifyDBInstanceRequest.h b/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/ModifyDBInstanceRequest.h
index c2ec1863b54..0c857e8ba78 100644
--- a/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/ModifyDBInstanceRequest.h
+++ b/generated/src/aws-cpp-sdk-rds/include/aws/rds/model/ModifyDBInstanceRequest.h
@@ -380,7 +380,7 @@ namespace Model
* with a DB instance in a VPC in the Amazon RDS User Guide.
* Changing the subnet group causes an outage during the change. The change is
* applied during the next maintenance window, unless you enable
- * ApplyImmediately
.
This parameter doesn't apply to RDS Custom
+ * ApplyImmediately
.
This setting doesn't apply to RDS Custom * DB instances.
Constraints:
If supplied, must match * existing DB subnet group.
Example:
* mydbsubnetgroup
Changing the subnet group causes an outage during the change. The change is
* applied during the next maintenance window, unless you enable
- * ApplyImmediately
.
This parameter doesn't apply to RDS Custom
+ * ApplyImmediately
.
This setting doesn't apply to RDS Custom * DB instances.
Constraints:
If supplied, must match * existing DB subnet group.
Example:
* mydbsubnetgroup
Changing the subnet group causes an outage during the change. The change is
* applied during the next maintenance window, unless you enable
- * ApplyImmediately
.
This parameter doesn't apply to RDS Custom
+ * ApplyImmediately
.
This setting doesn't apply to RDS Custom * DB instances.
Constraints:
If supplied, must match * existing DB subnet group.
Example:
* mydbsubnetgroup
Changing the subnet group causes an outage during the change. The change is
* applied during the next maintenance window, unless you enable
- * ApplyImmediately
.
This parameter doesn't apply to RDS Custom
+ * ApplyImmediately
.
This setting doesn't apply to RDS Custom * DB instances.
Constraints:
If supplied, must match * existing DB subnet group.
Example:
* mydbsubnetgroup
Changing the subnet group causes an outage during the change. The change is
* applied during the next maintenance window, unless you enable
- * ApplyImmediately
.
This parameter doesn't apply to RDS Custom
+ * ApplyImmediately
.
This setting doesn't apply to RDS Custom * DB instances.
Constraints:
If supplied, must match * existing DB subnet group.
Example:
* mydbsubnetgroup
Changing the subnet group causes an outage during the change. The change is
* applied during the next maintenance window, unless you enable
- * ApplyImmediately
.
This parameter doesn't apply to RDS Custom
+ * ApplyImmediately
.
This setting doesn't apply to RDS Custom * DB instances.
Constraints:
If supplied, must match * existing DB subnet group.
Example:
* mydbsubnetgroup
Changing the subnet group causes an outage during the change. The change is
* applied during the next maintenance window, unless you enable
- * ApplyImmediately
.
This parameter doesn't apply to RDS Custom
+ * ApplyImmediately
.
This setting doesn't apply to RDS Custom * DB instances.
Constraints:
If supplied, must match * existing DB subnet group.
Example:
* mydbsubnetgroup
Changing the subnet group causes an outage during the change. The change is
* applied during the next maintenance window, unless you enable
- * ApplyImmediately
.
This parameter doesn't apply to RDS Custom
+ * ApplyImmediately
.
This setting doesn't apply to RDS Custom * DB instances.
Constraints:
If supplied, must match * existing DB subnet group.
Example:
* mydbsubnetgroup
This setting doesn't apply to Amazon Aurora
+ * DB instances. You can enable or disable deletion protection for the DB cluster.
+ * For more information, see ModifyDBCluster
. DB instances in a DB
+ * cluster can be deleted even when deletion protection is enabled for the DB
+ * cluster.
This setting doesn't apply to Amazon Aurora
+ * DB instances. You can enable or disable deletion protection for the DB cluster.
+ * For more information, see ModifyDBCluster
. DB instances in a DB
+ * cluster can be deleted even when deletion protection is enabled for the DB
+ * cluster.
This setting doesn't apply to Amazon Aurora
+ * DB instances. You can enable or disable deletion protection for the DB cluster.
+ * For more information, see ModifyDBCluster
. DB instances in a DB
+ * cluster can be deleted even when deletion protection is enabled for the DB
+ * cluster.
This setting doesn't apply to Amazon Aurora
+ * DB instances. You can enable or disable deletion protection for the DB cluster.
+ * For more information, see ModifyDBCluster
. DB instances in a DB
+ * cluster can be deleted even when deletion protection is enabled for the DB
+ * cluster.
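Review bot: the added deletion protection comment says DB instances in a DB cluster can be deleted even when deletion protection is enabled for the cluster, but it does not say what the request does when this setting is supplied for an Aurora DB instance anyway (rejected, or silently ignored). A caller may be relying on this flag as a guard against accidental deletion, so suggest stating that behaviour next to "This setting doesn't apply to Amazon Aurora DB instances". The same text is repeated four times here, so all four copies need the same wording.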
Validates the syntax of a state machine definition.
You can validate
+ * that a state machine definition is correct without creating a state machine
+ * resource. Step Functions will implicitly perform the same syntax check when you
+ * invoke CreateStateMachine
and UpdateStateMachine
.
+ * State machine definitions are specified using a JSON-based, structured language.
+ * For more information on Amazon States Language see Amazon
+ * States Language (ASL).
Suggested uses for
+ * ValidateStateMachineDefinition
:
Integrate + * automated checks into your code review or Continuous Integration (CI) process to + * validate state machine definitions before starting deployments.
Run the validation from a Git pre-commit hook to check your state machine + * definitions before committing them to your source repository.
Errors found in the state machine definition will be returned in the + * response as a list of diagnostic elements, rather than raise an + * exception.
Describes an error found during validation. Validation errors found in the + * definition return in the response as diagnostic elements, rather than + * raise an exception.
A value of ERROR
means that you cannot create or update a state
+ * machine with this definition.
A value of ERROR
means that you cannot create or update a state
+ * machine with this definition.
A value of ERROR
means that you cannot create or update a state
+ * machine with this definition.
A value of ERROR
means that you cannot create or update a state
+ * machine with this definition.
A value of ERROR
means that you cannot create or update a state
+ * machine with this definition.
A value of ERROR
means that you cannot create or update a state
+ * machine with this definition.
Identifying code for the diagnostic.
+ */ + inline const Aws::String& GetCode() const{ return m_code; } + + /** + *Identifying code for the diagnostic.
+ */ + inline bool CodeHasBeenSet() const { return m_codeHasBeenSet; } + + /** + *Identifying code for the diagnostic.
+ */ + inline void SetCode(const Aws::String& value) { m_codeHasBeenSet = true; m_code = value; } + + /** + *Identifying code for the diagnostic.
+ */ + inline void SetCode(Aws::String&& value) { m_codeHasBeenSet = true; m_code = std::move(value); } + + /** + *Identifying code for the diagnostic.
+ */ + inline void SetCode(const char* value) { m_codeHasBeenSet = true; m_code.assign(value); } + + /** + *Identifying code for the diagnostic.
+ */ + inline ValidateStateMachineDefinitionDiagnostic& WithCode(const Aws::String& value) { SetCode(value); return *this;} + + /** + *Identifying code for the diagnostic.
+ */ + inline ValidateStateMachineDefinitionDiagnostic& WithCode(Aws::String&& value) { SetCode(std::move(value)); return *this;} + + /** + *Identifying code for the diagnostic.
+ */ + inline ValidateStateMachineDefinitionDiagnostic& WithCode(const char* value) { SetCode(value); return *this;} + + + /** + *Message describing the diagnostic condition.
+ */ + inline const Aws::String& GetMessage() const{ return m_message; } + + /** + *Message describing the diagnostic condition.
+ */ + inline bool MessageHasBeenSet() const { return m_messageHasBeenSet; } + + /** + *Message describing the diagnostic condition.
+ */ + inline void SetMessage(const Aws::String& value) { m_messageHasBeenSet = true; m_message = value; } + + /** + *Message describing the diagnostic condition.
+ */ + inline void SetMessage(Aws::String&& value) { m_messageHasBeenSet = true; m_message = std::move(value); } + + /** + *Message describing the diagnostic condition.
+ */ + inline void SetMessage(const char* value) { m_messageHasBeenSet = true; m_message.assign(value); } + + /** + *Message describing the diagnostic condition.
+ */ + inline ValidateStateMachineDefinitionDiagnostic& WithMessage(const Aws::String& value) { SetMessage(value); return *this;} + + /** + *Message describing the diagnostic condition.
+ */ + inline ValidateStateMachineDefinitionDiagnostic& WithMessage(Aws::String&& value) { SetMessage(std::move(value)); return *this;} + + /** + *Message describing the diagnostic condition.
+ */ + inline ValidateStateMachineDefinitionDiagnostic& WithMessage(const char* value) { SetMessage(value); return *this;} + + + /** + *Location of the issue in the state machine, if available.
For errors
+ * specific to a field, the location could be in the format:
+ * /States/<StateName>/<FieldName>
, for example:
+ * /States/FailState/ErrorPath
.
Location of the issue in the state machine, if available.
For errors
+ * specific to a field, the location could be in the format:
+ * /States/<StateName>/<FieldName>
, for example:
+ * /States/FailState/ErrorPath
.
Location of the issue in the state machine, if available.
For errors
+ * specific to a field, the location could be in the format:
+ * /States/<StateName>/<FieldName>
, for example:
+ * /States/FailState/ErrorPath
.
Location of the issue in the state machine, if available.
For errors
+ * specific to a field, the location could be in the format:
+ * /States/<StateName>/<FieldName>
, for example:
+ * /States/FailState/ErrorPath
.
Location of the issue in the state machine, if available.
For errors
+ * specific to a field, the location could be in the format:
+ * /States/<StateName>/<FieldName>
, for example:
+ * /States/FailState/ErrorPath
.
Location of the issue in the state machine, if available.
For errors
+ * specific to a field, the location could be in the format:
+ * /States/<StateName>/<FieldName>
, for example:
+ * /States/FailState/ErrorPath
.
Location of the issue in the state machine, if available.
For errors
+ * specific to a field, the location could be in the format:
+ * /States/<StateName>/<FieldName>
, for example:
+ * /States/FailState/ErrorPath
.
Location of the issue in the state machine, if available.
For errors
+ * specific to a field, the location could be in the format:
+ * /States/<StateName>/<FieldName>
, for example:
+ * /States/FailState/ErrorPath
.
The Amazon States Language definition of the state machine. For more + * information, see Amazon + * States Language (ASL).
+ */ + inline const Aws::String& GetDefinition() const{ return m_definition; } + + /** + *The Amazon States Language definition of the state machine. For more + * information, see Amazon + * States Language (ASL).
+ */ + inline bool DefinitionHasBeenSet() const { return m_definitionHasBeenSet; } + + /** + *The Amazon States Language definition of the state machine. For more + * information, see Amazon + * States Language (ASL).
+ */ + inline void SetDefinition(const Aws::String& value) { m_definitionHasBeenSet = true; m_definition = value; } + + /** + *The Amazon States Language definition of the state machine. For more + * information, see Amazon + * States Language (ASL).
+ */ + inline void SetDefinition(Aws::String&& value) { m_definitionHasBeenSet = true; m_definition = std::move(value); } + + /** + *The Amazon States Language definition of the state machine. For more + * information, see Amazon + * States Language (ASL).
+ */ + inline void SetDefinition(const char* value) { m_definitionHasBeenSet = true; m_definition.assign(value); } + + /** + *The Amazon States Language definition of the state machine. For more + * information, see Amazon + * States Language (ASL).
+ */ + inline ValidateStateMachineDefinitionRequest& WithDefinition(const Aws::String& value) { SetDefinition(value); return *this;} + + /** + *The Amazon States Language definition of the state machine. For more + * information, see Amazon + * States Language (ASL).
+ */ + inline ValidateStateMachineDefinitionRequest& WithDefinition(Aws::String&& value) { SetDefinition(std::move(value)); return *this;} + + /** + *The Amazon States Language definition of the state machine. For more + * information, see Amazon + * States Language (ASL).
+ */ + inline ValidateStateMachineDefinitionRequest& WithDefinition(const char* value) { SetDefinition(value); return *this;} + + + /** + *The target type of state machine for this definition. The default is
+ * STANDARD
.
The target type of state machine for this definition. The default is
+ * STANDARD
.
The target type of state machine for this definition. The default is
+ * STANDARD
.
The target type of state machine for this definition. The default is
+ * STANDARD
.
The target type of state machine for this definition. The default is
+ * STANDARD
.
The target type of state machine for this definition. The default is
+ * STANDARD
.
The result value will be OK
when no syntax errors are found, or
+ * FAIL
if the workflow definition does not pass verification.
The result value will be OK
when no syntax errors are found, or
+ * FAIL
if the workflow definition does not pass verification.
The result value will be OK
when no syntax errors are found, or
+ * FAIL
if the workflow definition does not pass verification.
The result value will be OK
when no syntax errors are found, or
+ * FAIL
if the workflow definition does not pass verification.
The result value will be OK
when no syntax errors are found, or
+ * FAIL
if the workflow definition does not pass verification.
If the result is OK
, this field will be empty. When there are
+ * errors, this field will contain an array of Diagnostic objects to help
+ * you troubleshoot.
If the result is OK
, this field will be empty. When there are
+ * errors, this field will contain an array of Diagnostic objects to help
+ * you troubleshoot.
If the result is OK
, this field will be empty. When there are
+ * errors, this field will contain an array of Diagnostic objects to help
+ * you troubleshoot.
If the result is OK
, this field will be empty. When there are
+ * errors, this field will contain an array of Diagnostic objects to help
+ * you troubleshoot.
If the result is OK
, this field will be empty. When there are
+ * errors, this field will contain an array of Diagnostic objects to help
+ * you troubleshoot.
If the result is OK
, this field will be empty. When there are
+ * errors, this field will contain an array of Diagnostic objects to help
+ * you troubleshoot.
If the result is OK
, this field will be empty. When there are
+ * errors, this field will contain an array of Diagnostic objects to help
+ * you troubleshoot.
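Review bot: the ValidateStateMachineDefinition comment recommends CI and pre-commit use and says errors are returned "as a list of diagnostic elements, rather than raise an exception", but it never tells the caller that a successful call is therefore not a pass. Suggest adding to the operation comment that callers must check the result for FAIL (or a non-empty diagnostics list) before treating a definition as valid, and repeating there that the check covers syntax only. The location comment says "if available" without saying what the getter returns when it is not. Separately, the const char* overloads such as SetCode(const char* value) call m_code.assign(value) with no null check; if a null pointer is a possible input, guard it or document that it is not accepted.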
Returns information about the specified account's administrative scope. The admistrative scope defines the resources that an Firewall Manager administrator can manage.
" + "documentation":"Returns information about the specified account's administrative scope. The administrative scope defines the resources that an Firewall Manager administrator can manage.
" }, "GetAppsList":{ "name":"GetAppsList", @@ -242,7 +243,7 @@ {"shape":"InvalidInputException"}, {"shape":"InvalidOperationException"} ], - "documentation":"Returns detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy.
Resources are considered noncompliant for WAF and Shield Advanced policies if the specified policy has not been applied to them.
Resources are considered noncompliant for security group policies if they are in scope of the policy, they violate one or more of the policy rules, and remediation is disabled or not possible.
Resources are considered noncompliant for Network Firewall policies if a firewall is missing in the VPC, if the firewall endpoint isn't set up in an expected Availability Zone and subnet, if a subnet created by the Firewall Manager doesn't have the expected route table, and for modifications to a firewall policy that violate the Firewall Manager policy's rules.
Resources are considered noncompliant for DNS Firewall policies if a DNS Firewall rule group is missing from the rule group associations for the VPC.
Returns detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy.
The reasons for resources being considered compliant depend on the Firewall Manager policy type.
" }, "GetNotificationChannel":{ "name":"GetNotificationChannel", @@ -598,7 +599,7 @@ {"shape":"InternalErrorException"}, {"shape":"InvalidTypeException"} ], - "documentation":"Creates an Firewall Manager policy.
A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.
If you add a new account to an organization that you created with Organizations, Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.
Firewall Manager provides the following types of policies:
Shield Advanced policy - This policy applies Shield Advanced protection to specified accounts and resources.
Security Groups policy - This type of policy gives you control over security groups that are in use throughout your organization in Organizations and lets you enforce a baseline set of rules across your organization.
Network Firewall policy - This policy applies Network Firewall protection to your organization's VPCs.
DNS Firewall policy - This policy applies Amazon Route 53 Resolver DNS Firewall protections to your organization's VPCs.
Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the Amazon Web Services Marketplace console at Amazon Web Services Marketplace.
Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
Fortigate CNF policy - This policy applies Fortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.
Creates an Firewall Manager policy.
A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.
If you add a new account to an organization that you created with Organizations, Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.
Firewall Manager provides the following types of policies:
WAF policy - This policy applies WAF web ACL protections to specified accounts and resources.
Shield Advanced policy - This policy applies Shield Advanced protection to specified accounts and resources.
Security Groups policy - This type of policy gives you control over security groups that are in use throughout your organization in Organizations and lets you enforce a baseline set of rules across your organization.
Network ACL policy - This type of policy gives you control over the network ACLs that are in use throughout your organization in Organizations and lets you enforce a baseline set of first and last network ACL rules across your organization.
Network Firewall policy - This policy applies Network Firewall protection to your organization's VPCs.
DNS Firewall policy - This policy applies Amazon Route 53 Resolver DNS Firewall protections to your organization's VPCs.
Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the Amazon Web Services Marketplace console at Amazon Web Services Marketplace.
Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
Fortigate CNF policy - This policy applies Fortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.
The current status of the request to onboard a member account as an Firewall Manager administator.
ONBOARDING
- The account is onboarding to Firewall Manager as an administrator.
ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
OFFBOARDING
- The account is being removed as an Firewall Manager administrator.
OFFBOARDING_COMPLETE
- The account has been removed as an Firewall Manager administrator.
The current status of the request to onboard a member account as an Firewall Manager administrator.
ONBOARDING
- The account is onboarding to Firewall Manager as an administrator.
ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
OFFBOARDING
- The account is being removed as an Firewall Manager administrator.
OFFBOARDING_COMPLETE
- The account has been removed as an Firewall Manager administrator.
Contains high level information about the Firewall Manager administrator account.
" @@ -1034,6 +1035,7 @@ } }, "Boolean":{"type":"boolean"}, + "BooleanObject":{"type":"boolean"}, "CIDR":{ "type":"string", "max":256, @@ -1071,6 +1073,46 @@ "type":"list", "member":{"shape":"ComplianceViolator"} }, + "CreateNetworkAclAction":{ + "type":"structure", + "members":{ + "Description":{ + "shape":"LengthBoundedString", + "documentation":"Brief description of this remediation action.
" + }, + "Vpc":{ + "shape":"ActionTarget", + "documentation":"The VPC that's associated with the remediation action.
" + }, + "FMSCanRemediate":{ + "shape":"Boolean", + "documentation":"Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
" + } + }, + "documentation":"Information about the CreateNetworkAcl
action in Amazon EC2. This is a remediation option in RemediationAction
.
Brief description of this remediation action.
" + }, + "NetworkAclId":{ + "shape":"ActionTarget", + "documentation":"The network ACL that's associated with the remediation action.
" + }, + "NetworkAclEntriesToBeCreated":{ + "shape":"EntriesDescription", + "documentation":"Lists the entries that the remediation action would create.
" + }, + "FMSCanRemediate":{ + "shape":"Boolean", + "documentation":"Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
" + } + }, + "documentation":"Information about the CreateNetworkAclEntries
action in Amazon EC2. This is a remediation option in RemediationAction
.
Brief description of this remediation action.
" + }, + "NetworkAclId":{ + "shape":"ActionTarget", + "documentation":"The network ACL that's associated with the remediation action.
" + }, + "NetworkAclEntriesToBeDeleted":{ + "shape":"EntriesDescription", + "documentation":"Lists the entries that the remediation action would delete.
" + }, + "FMSCanRemediate":{ + "shape":"Boolean", + "documentation":"Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
" + } + }, + "documentation":"Information about the DeleteNetworkAclEntries
action in Amazon EC2. This is a remediation option in RemediationAction
.
Information about the ReplaceRouteTableAssociation action in Amazon EC2.
" }, + "EntriesDescription":{ + "type":"list", + "member":{"shape":"EntryDescription"} + }, + "EntriesWithConflicts":{ + "type":"list", + "member":{"shape":"EntryDescription"} + }, + "EntryDescription":{ + "type":"structure", + "members":{ + "EntryDetail":{ + "shape":"NetworkAclEntry", + "documentation":"Describes a rule in a network ACL.
Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the entries in the network ACL according to the rule numbers, in ascending order.
When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.
" + }, + "EntryRuleNumber":{ + "shape":"IntegerObjectMinimum0", + "documentation":"The rule number for the entry. ACL entries are processed in ascending order by rule number. In a Firewall Manager network ACL policy, Firewall Manager assigns rule numbers.
" + }, + "EntryType":{ + "shape":"EntryType", + "documentation":"Specifies whether the entry is managed by Firewall Manager or by a user, and, for Firewall Manager-managed entries, specifies whether the entry is among those that run first in the network ACL or those that run last.
" + } + }, + "documentation":"Describes a single rule in a network ACL.
" + }, + "EntryType":{ + "type":"string", + "enum":[ + "FMS_MANAGED_FIRST_ENTRY", + "FMS_MANAGED_LAST_ENTRY", + "CUSTOM_ENTRY" + ] + }, + "EntryViolation":{ + "type":"structure", + "members":{ + "ExpectedEntry":{ + "shape":"EntryDescription", + "documentation":"The Firewall Manager-managed network ACL entry that is involved in the entry violation.
" + }, + "ExpectedEvaluationOrder":{ + "shape":"LengthBoundedString", + "documentation":"The evaluation location within the ordered list of entries where the ExpectedEntry
should be, according to the network ACL policy specifications.
The evaluation location within the ordered list of entries where the ExpectedEntry
is currently located.
The entry that's currently in the ExpectedEvaluationOrder
location, in place of the expected entry.
The list of entries that are in conflict with ExpectedEntry
.
Descriptions of the violations that Firewall Manager found for these entries.
" + } + }, + "documentation":"Detailed information about an entry violation in a network ACL. The violation is against the network ACL specification inside the Firewall Manager network ACL policy. This data object is part of InvalidNetworkAclEntriesViolation
.
The administator account that you want to get the details for.
" + "documentation":"The administrator account that you want to get the details for.
" } } }, @@ -1673,7 +1817,7 @@ }, "Status":{ "shape":"OrganizationStatus", - "documentation":"The current status of the request to onboard a member account as an Firewall Manager administator.
ONBOARDING
- The account is onboarding to Firewall Manager as an administrator.
ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
OFFBOARDING
- The account is being removed as an Firewall Manager administrator.
OFFBOARDING_COMPLETE
- The account has been removed as an Firewall Manager administrator.
The current status of the request to onboard a member account as an Firewall Manager administrator.
ONBOARDING
- The account is onboarding to Firewall Manager as an administrator.
ONBOARDING_COMPLETE
- Firewall Manager The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their AdminScope.
OFFBOARDING
- The account is being removed as an Firewall Manager administrator.
OFFBOARDING_COMPLETE
- The account has been removed as an Firewall Manager administrator.
The ID of the Firewall Manager policy that you want the details for. You can get violation details for the following policy types:
DNS Firewall
Imported Network Firewall
Network Firewall
Security group content audit
Third-party firewall
The ID of the Firewall Manager policy that you want the details for. You can get violation details for the following policy types:
DNS Firewall
Imported Network Firewall
Network Firewall
Security group content audit
Network ACL
Third-party firewall
The parameters of the request were invalid.
", "exception":true }, + "InvalidNetworkAclEntriesViolation":{ + "type":"structure", + "members":{ + "Vpc":{ + "shape":"ResourceId", + "documentation":"The VPC where the violation was found.
" + }, + "Subnet":{ + "shape":"ResourceId", + "documentation":"The subnet that's associated with the network ACL.
" + }, + "SubnetAvailabilityZone":{ + "shape":"LengthBoundedString", + "documentation":"The Availability Zone where the network ACL is in use.
" + }, + "CurrentAssociatedNetworkAcl":{ + "shape":"ResourceId", + "documentation":"The network ACL containing the entry violations.
" + }, + "EntryViolations":{ + "shape":"EntryViolations", + "documentation":"Detailed information about the entry violations in the network ACL.
" + } + }, + "documentation":"Violation detail for the entries in a network ACL resource.
" + }, "InvalidOperationException":{ "type":"structure", "members":{ @@ -1987,6 +2172,11 @@ "key":{"shape":"DependentServiceName"}, "value":{"shape":"DetailedInfo"} }, + "LengthBoundedNonEmptyString":{ + "type":"string", + "max":1024, + "min":1 + }, "LengthBoundedString":{ "type":"string", "max":1024, @@ -2380,6 +2570,121 @@ "min":1, "pattern":"^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$" }, + "NetworkAclCommonPolicy":{ + "type":"structure", + "required":["NetworkAclEntrySet"], + "members":{ + "NetworkAclEntrySet":{ + "shape":"NetworkAclEntrySet", + "documentation":"The definition of the first and last rules for the network ACL policy.
" + } + }, + "documentation":"Defines a Firewall Manager network ACL policy. This is used in the PolicyOption
of a SecurityServicePolicyData
for a Policy
, when the SecurityServicePolicyData
type is set to NETWORK_ACL_COMMON
.
For information about network ACLs, see Control traffic to subnets using network ACLs in the Amazon Virtual Private Cloud User Guide.
" + }, + "NetworkAclEntries":{ + "type":"list", + "member":{"shape":"NetworkAclEntry"} + }, + "NetworkAclEntry":{ + "type":"structure", + "required":[ + "Protocol", + "RuleAction", + "Egress" + ], + "members":{ + "IcmpTypeCode":{ + "shape":"NetworkAclIcmpTypeCode", + "documentation":"ICMP protocol: The ICMP type and code.
" + }, + "Protocol":{ + "shape":"LengthBoundedString", + "documentation":"The protocol number. A value of \"-1\" means all protocols.
" + }, + "PortRange":{ + "shape":"NetworkAclPortRange", + "documentation":"TCP or UDP protocols: The range of ports the rule applies to.
" + }, + "CidrBlock":{ + "shape":"LengthBoundedNonEmptyString", + "documentation":"The IPv4 network range to allow or deny, in CIDR notation.
" + }, + "Ipv6CidrBlock":{ + "shape":"LengthBoundedNonEmptyString", + "documentation":"The IPv6 network range to allow or deny, in CIDR notation.
" + }, + "RuleAction":{ + "shape":"NetworkAclRuleAction", + "documentation":"Indicates whether to allow or deny the traffic that matches the rule.
" + }, + "Egress":{ + "shape":"BooleanObject", + "documentation":"Indicates whether the rule is an egress, or outbound, rule (applied to traffic leaving the subnet). If it's not an egress rule, then it's an ingress, or inbound, rule.
" + } + }, + "documentation":"Describes a rule in a network ACL.
Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the entries in the network ACL according to the rule numbers, in ascending order.
When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.
" + }, + "NetworkAclEntrySet":{ + "type":"structure", + "required":[ + "ForceRemediateForFirstEntries", + "ForceRemediateForLastEntries" + ], + "members":{ + "FirstEntries":{ + "shape":"NetworkAclEntries", + "documentation":"The rules that you want to run first in the Firewall Manager managed network ACLs.
Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see Network access control list (ACL) policies in the Firewall Manager Developer Guide.
" + }, + "LastEntries":{ + "shape":"NetworkAclEntries", + "documentation":"The rules that you want to run last in the Firewall Manager managed network ACLs.
Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see Network access control list (ACL) policies in the Firewall Manager Developer Guide.
" + } + }, + "documentation":"The configuration of the first and last rules for the network ACL policy, and the remediation settings for each.
" + }, + "NetworkAclIcmpTypeCode":{ + "type":"structure", + "members":{ + "Code":{ + "shape":"IntegerObject", + "documentation":"ICMP code.
" + }, + "Type":{ + "shape":"IntegerObject", + "documentation":"ICMP type.
" + } + }, + "documentation":"ICMP protocol: The ICMP type and code.
" + }, + "NetworkAclPortRange":{ + "type":"structure", + "members":{ + "From":{ + "shape":"IPPortNumberInteger", + "documentation":"The beginning port number of the range.
" + }, + "To":{ + "shape":"IPPortNumberInteger", + "documentation":"The ending port number of the range.
" + } + }, + "documentation":"TCP or UDP protocols: The range of ports the rule applies to.
" + }, + "NetworkAclRuleAction":{ + "type":"string", + "enum":[ + "allow", + "deny" + ] + }, "NetworkFirewallAction":{ "type":"string", "max":128, @@ -2864,7 +3169,7 @@ }, "ResourceType":{ "shape":"ResourceType", - "documentation":"The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList
and then specify the resource types in a ResourceTypeList
.
The following are valid resource types for each Firewall Manager policy type:
Amazon Web Services WAF Classic - AWS::ApiGateway::Stage
, AWS::CloudFront::Distribution
, and AWS::ElasticLoadBalancingV2::LoadBalancer
.
WAF - AWS::ApiGateway::Stage
, AWS::ElasticLoadBalancingV2::LoadBalancer
, and AWS::CloudFront::Distribution
.
DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC
.
Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer
, AWS::ElasticLoadBalancing::LoadBalancer
, AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Security group content audit - AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
Security group usage audit - AWS::EC2::SecurityGroup
.
The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList
and then specify the resource types in a ResourceTypeList
.
The following are valid resource types for each Firewall Manager policy type:
Amazon Web Services WAF Classic - AWS::ApiGateway::Stage
, AWS::CloudFront::Distribution
, and AWS::ElasticLoadBalancingV2::LoadBalancer
.
WAF - AWS::ApiGateway::Stage
, AWS::ElasticLoadBalancingV2::LoadBalancer
, and AWS::CloudFront::Distribution
.
Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer
, AWS::ElasticLoadBalancing::LoadBalancer
, AWS::EC2::EIP
, and AWS::CloudFront::Distribution
.
Network ACL - AWS::EC2::Subnet
.
Security group usage audit - AWS::EC2::SecurityGroup
.
Security group content audit - AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
.
DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC
.
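Review bot: the rewritten ResourceType description says it lists the valid resource types for each Firewall Manager policy type, but the added list has no entry for security group common policies. The PolicySummary ResourceType text removed further down in this diff is the only visible place that named AWS::EC2::NetworkInterface and AWS::EC2::Instance for that policy type, so after this change neither description carries it. Suggest adding a bullet for security group common policies in the service model. The bullets are also reordered in the same edit, which hides the one functional addition here, "Network ACL - AWS::EC2::Subnet"; worth calling that out in the change description.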
Defines the policy options for a third-party firewall policy.
" + }, + "NetworkAclCommonPolicy":{ + "shape":"NetworkAclCommonPolicy", + "documentation":"Defines a Firewall Manager network ACL policy.
" } }, - "documentation":"Contains the Network Firewall firewall policy options to configure the policy's deployment model and third-party firewall policy settings.
" + "documentation":"Contains the settings to configure a network ACL policy, a Network Firewall firewall policy deployment model, or a third-party firewall policy.
" }, "PolicySummary":{ "type":"structure", @@ -3025,7 +3334,7 @@ }, "ResourceType":{ "shape":"ResourceType", - "documentation":"The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference. For WAF and Shield Advanced, examples include AWS::ElasticLoadBalancingV2::LoadBalancer
and AWS::CloudFront::Distribution
. For a security group common policy, valid values are AWS::EC2::NetworkInterface
and AWS::EC2::Instance
. For a security group content audit policy, valid values are AWS::EC2::SecurityGroup
, AWS::EC2::NetworkInterface
, and AWS::EC2::Instance
. For a security group usage audit policy, the value is AWS::EC2::SecurityGroup
. For an Network Firewall policy or DNS Firewall policy, the value is AWS::EC2::VPC
.
The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference.
" }, "SecurityServiceType":{ "shape":"SecurityServiceType", @@ -3395,6 +3704,22 @@ "FMSPolicyUpdateFirewallCreationConfigAction":{ "shape":"FMSPolicyUpdateFirewallCreationConfigAction", "documentation":"The remedial action to take when updating a firewall configuration.
" + }, + "CreateNetworkAclAction":{ + "shape":"CreateNetworkAclAction", + "documentation":"Information about the CreateNetworkAcl
action in Amazon EC2.
Information about the ReplaceNetworkAclAssociation
action in Amazon EC2.
Information about the CreateNetworkAclEntries
action in Amazon EC2.
Information about the DeleteNetworkAclEntries
action in Amazon EC2.
Information about an individual action you can take to remediate a violation.
" @@ -3426,6 +3751,25 @@ }, "documentation":"An ordered list of actions you can take to remediate a violation.
" }, + "ReplaceNetworkAclAssociationAction":{ + "type":"structure", + "members":{ + "Description":{ + "shape":"LengthBoundedString", + "documentation":"Brief description of this remediation action.
" + }, + "AssociationId":{"shape":"ActionTarget"}, + "NetworkAclId":{ + "shape":"ActionTarget", + "documentation":"The network ACL that's associated with the remediation action.
" + }, + "FMSCanRemediate":{ + "shape":"Boolean", + "documentation":"Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.
" + } + }, + "documentation":"Information about the ReplaceNetworkAclAssociation
action in Amazon EC2. This is a remediation option in RemediationAction
.
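Review bot: in the new ReplaceNetworkAclAssociationAction shape, the member added as "AssociationId":{"shape":"ActionTarget"} has no documentation string, while Description, NetworkAclId and FMSCanRemediate next to it each have one. Someone reading a remediation action cannot tell from the model which association this field identifies. Suggest adding a documentation entry for AssociationId in the upstream service model and writing the member in the same multi-line form as its siblings, so the generated client picks it up.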
Violation detail for a DNS Firewall policy that indicates that the VPC reached the limit for associated DNS Firewall rule groups. Firewall Manager tried to associate another rule group with the VPC and failed.
" }, - "PossibleRemediationActions":{ - "shape":"PossibleRemediationActions", - "documentation":"A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.
" - }, "FirewallSubnetIsOutOfScopeViolation":{ "shape":"FirewallSubnetIsOutOfScopeViolation", "documentation":"Contains details about the firewall subnet that violates the policy scope.
" @@ -3696,6 +4036,14 @@ "FirewallSubnetMissingVPCEndpointViolation":{ "shape":"FirewallSubnetMissingVPCEndpointViolation", "documentation":"The violation details for a third-party firewall's VPC endpoint subnet that was deleted.
" + }, + "InvalidNetworkAclEntriesViolation":{ + "shape":"InvalidNetworkAclEntriesViolation", + "documentation":"Violation detail for the entries in a network ACL resource.
" + }, + "PossibleRemediationActions":{ + "shape":"PossibleRemediationActions", + "documentation":"A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.
" } }, "documentation":"Violation detail based on resource type.
" @@ -3857,11 +4205,11 @@ }, "ManagedServiceData":{ "shape":"ManagedServiceData", - "documentation":"Details about the service that are specific to the service type, in JSON format.
Example: DNS_FIREWALL
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups
are between 1 and 99. Valid values for postProcessRuleGroups
are between 9901 and 10000.
Example: IMPORT_NETWORK_FIREWALL
\"{\\\"type\\\":\\\"IMPORT_NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\\/rg1\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:drop\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\\/ThreatSignaturesEmergingEventsStrictOrder\\\",\\\"priority\\\":8}],\\\"networkFirewallStatefulEngineOptions\\\":{\\\"ruleOrder\\\":\\\"STRICT_ORDER\\\"},\\\"networkFirewallStatefulDefaultActions\\\":[\\\"aws:drop_strict\\\"]}}\"
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups
are between 1 and 99. Valid values for postProcessRuleGroups
are between 9901 and 10000.
Example: NETWORK_FIREWALL
- Centralized deployment model
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"
To use the centralized deployment model, you must set PolicyOption to CENTRALIZED
.
Example: NETWORK_FIREWALL
- Distributed deployment model with automatic Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with automatic Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
To use the distributed deployment model, you must set PolicyOption to NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with custom Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring firewallCreationConfig
. To configure the Availability Zones in firewallCreationConfig
, specify either the availabilityZoneName
or availabilityZoneId
parameter, not both parameters.
To use the distributed deployment model, you must set PolicyOption to NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with custom Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
To use the distributed deployment model, you must set PolicyOption to NULL
.
Example: SECURITY_GROUPS_COMMON
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_COMMON
- Security group tag distribution
\"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"
Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges
to true
, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges
, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.
Firewall Manager won't distrubute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws:
prefix.
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_CONTENT_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"
The security group action for content audit can be ALLOW
or DENY
. For ALLOW
, all in-scope security group rules must be within the allowed range of the policy's security group rules. For DENY
, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"
Example: SHIELD_ADVANCED
with web ACL management
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"optimizeUnassociatedWebACL\\\":true}\"
If you set optimizeUnassociatedWebACL
to true
, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.
If you set optimizeUnassociatedWebACL
to false
, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Specification for SHIELD_ADVANCED
for Amazon CloudFront distributions
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"
For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"
The default value for automaticResponseStatus
is IGNORED
. The value for automaticResponseAction
is only required when automaticResponseStatus
is set to ENABLED
. The default value for overrideCustomerWebaclClassic
is false
.
For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData
configuration is an empty string.
Example: THIRD_PARTY_FIREWALL
Replace THIRD_PARTY_FIREWALL_NAME
with the name of the third-party firewall.
\"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] }, \"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { \"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }\"
Example: WAFV2
- Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesATPRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesATPRuleSet\\\":{\\\"loginPath\\\":\\\"/loginpath\\\",\\\"requestInspection\\\":{\\\"payloadType\\\":\\\"FORM_ENCODED|JSON\\\",\\\"usernameField\\\":{\\\"identifier\\\":\\\"/form/username\\\"},\\\"passwordField\\\":{\\\"identifier\\\":\\\"/form/password\\\"}}}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true},{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesBotControlRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesBotControlRuleSet\\\":{\\\"inspectionLevel\\\":\\\"TARGETED|COMMON\\\"}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true,\\\"ruleActionOverrides\\\":[{\\\"name\\\":\\\"Rule1\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}},{\\\"name\\\":\\\"Rule2\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true}\"
Bot Control - For information about AWSManagedRulesBotControlRuleSet
managed rule groups, see AWSManagedRulesBotControlRuleSet in the WAF API Reference.
Fraud Control account takeover prevention (ATP) - For information about the properties available for AWSManagedRulesATPRuleSet
managed rule groups, see AWSManagedRulesATPRuleSet in the WAF API Reference.
Optimize unassociated web ACL - If you set optimizeUnassociatedWebACL
to true
, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.
If you set optimizeUnassociatedWebACL
to false
Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure a RuleActionOverrides
add the Name
of the rule to override, and ActionToUse
, which is the new action to use for the rule. For information about using rule action override, see RuleActionOverride in the WAF API Reference.
Example: WAFV2
- CAPTCHA
and Challenge
configs
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"captchaConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":500}},\\\"challengeConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":800}},\\\"tokenDomains\\\":[\\\"google.com\\\",\\\"amazon.com\\\"],\\\"associationConfig\\\":{\\\"requestBody\\\":{\\\"CLOUDFRONT\\\":{\\\"defaultSizeInspectionLimit\\\":\\\"KB_16\\\"}}}}\"
CAPTCHA
and Challenge
configs - If you update the policy's values for associationConfig
, captchaConfig
, challengeConfig
, or tokenDomains
, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's associationConfig
, captchaConfig
, challengeConfig
, or tokenDomains
values, the values in your local web ACLs will remain unchanged. For information about association configs, see AssociationConfig. For information about CAPTCHA and Challenge configs, see CaptchaConfig and ChallengeConfig in the WAF API Reference.
defaultSizeInspectionLimit
- Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to WAF for inspection. For more information, see DefaultSizeInspectionLimit in the WAF API Reference.
Example: WAFV2
- Firewall Manager support for WAF managed rule group versioning
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled
to true
, and set version
to the version you'd like to use. If you don't set versionEnabled
to true
, or if you omit versionEnabled
, then Firewall Manager uses the default version of the WAF managed rule group.
Example: WAFV2
- Logging configurations
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null, \\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\": {\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\", \\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"} ,\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[], \\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[], \\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\" :null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\" :false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\": [\\\"arn:aws:s3:::aws-waf-logs-example-bucket\\\"] ,\\\"redactedFields\\\":[],\\\"loggingFilterConfigs\\\":{\\\"defaultBehavior\\\":\\\"KEEP\\\", \\\"filters\\\":[{\\\"behavior\\\":\\\"KEEP\\\",\\\"requirement\\\":\\\"MEETS_ALL\\\", \\\"conditions\\\":[{\\\"actionCondition\\\":\\\"CAPTCHA\\\"},{\\\"actionCondition\\\": \\\"CHALLENGE\\\"}, {\\\"actionCondition\\\":\\\"EXCLUDED_AS_COUNT\\\"}]}]}},\\\"sampledRequestsEnabledForDefaultActions\\\":true}\"
Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the logDestinationConfigs
in your loggingConfiguration
. For information about WAF logging configurations, see LoggingConfiguration in the WAF API Reference
In the loggingConfiguration
, you can specify one logDestinationConfigs
. Optionally provide as many as 20 redactedFields
. The RedactedFieldType
must be one of URI
, QUERY_STRING
, HEADER
, or METHOD
.
Example: WAF Classic
\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"
Details about the service that are specific to the service type, in JSON format.
Example: DNS_FIREWALL
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups
are between 1 and 99. Valid values for postProcessRuleGroups
are between 9901 and 10000.
Example: IMPORT_NETWORK_FIREWALL
\"{\\\"type\\\":\\\"IMPORT_NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\\/rg1\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:drop\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\\/ThreatSignaturesEmergingEventsStrictOrder\\\",\\\"priority\\\":8}],\\\"networkFirewallStatefulEngineOptions\\\":{\\\"ruleOrder\\\":\\\"STRICT_ORDER\\\"},\\\"networkFirewallStatefulDefaultActions\\\":[\\\"aws:drop_strict\\\"]}}\"
\"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"
Valid values for preProcessRuleGroups
are between 1 and 99. Valid values for postProcessRuleGroups
are between 9901 and 10000.
Example: NETWORK_FIREWALL
- Centralized deployment model
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"
To use the centralized deployment model, you must set PolicyOption to CENTRALIZED
.
Example: NETWORK_FIREWALL
- Distributed deployment model with automatic Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with automatic Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"
To use the distributed deployment model, you must set PolicyOption to NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with custom Availability Zone configuration
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring firewallCreationConfig
. To configure the Availability Zones in firewallCreationConfig
, specify either the availabilityZoneName
or availabilityZoneId
parameter, not both parameters.
To use the distributed deployment model, you must set PolicyOption to NULL
.
Example: NETWORK_FIREWALL
- Distributed deployment model with custom Availability Zone configuration and route management
\"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"
To use the distributed deployment model, you must set PolicyOption to NULL
.
Example: SECURITY_GROUPS_COMMON
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_COMMON
- Security group tag distribution
\"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"
Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges
to true
, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges
, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.
Firewall Manager won't distribute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws:
prefix.
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"
Example: SECURITY_GROUPS_CONTENT_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"
The security group action for content audit can be ALLOW
or DENY
. For ALLOW
, all in-scope security group rules must be within the allowed range of the policy's security group rules. For DENY
, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT
\"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"
Example: SHIELD_ADVANCED
with web ACL management
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"optimizeUnassociatedWebACL\\\":true}\"
If you set optimizeUnassociatedWebACL
to true
, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.
If you set optimizeUnassociatedWebACL
to false
, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Specification for SHIELD_ADVANCED
for Amazon CloudFront distributions
\"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"
For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"
The default value for automaticResponseStatus
is IGNORED
. The value for automaticResponseAction
is only required when automaticResponseStatus
is set to ENABLED
. The default value for overrideCustomerWebaclClassic
is false
.
For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData
configuration is an empty string.
Example: THIRD_PARTY_FIREWALL
Replace THIRD_PARTY_FIREWALL_NAME
with the name of the third-party firewall.
\"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] }, \"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { \"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }\"
Example: WAFV2
- Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesATPRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesATPRuleSet\\\":{\\\"loginPath\\\":\\\"/loginpath\\\",\\\"requestInspection\\\":{\\\"payloadType\\\":\\\"FORM_ENCODED|JSON\\\",\\\"usernameField\\\":{\\\"identifier\\\":\\\"/form/username\\\"},\\\"passwordField\\\":{\\\"identifier\\\":\\\"/form/password\\\"}}}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true},{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesBotControlRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesBotControlRuleSet\\\":{\\\"inspectionLevel\\\":\\\"TARGETED|COMMON\\\"}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true,\\\"ruleActionOverrides\\\":[{\\\"name\\\":\\\"Rule1\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}},{\\\"name\\\":\\\"Rule2\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true}\"
Bot Control - For information about AWSManagedRulesBotControlRuleSet
managed rule groups, see AWSManagedRulesBotControlRuleSet in the WAF API Reference.
Fraud Control account takeover prevention (ATP) - For information about the properties available for AWSManagedRulesATPRuleSet
managed rule groups, see AWSManagedRulesATPRuleSet in the WAF API Reference.
Optimize unassociated web ACL - If you set optimizeUnassociatedWebACL
to true
, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.
Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.
If you set optimizeUnassociatedWebACL
to false
Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure a RuleActionOverrides
add the Name
of the rule to override, and ActionToUse
, which is the new action to use for the rule. For information about using rule action override, see RuleActionOverride in the WAF API Reference.
Example: WAFV2
- CAPTCHA
and Challenge
configs
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"captchaConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":500}},\\\"challengeConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":800}},\\\"tokenDomains\\\":[\\\"google.com\\\",\\\"amazon.com\\\"],\\\"associationConfig\\\":{\\\"requestBody\\\":{\\\"CLOUDFRONT\\\":{\\\"defaultSizeInspectionLimit\\\":\\\"KB_16\\\"}}}}\"
CAPTCHA
and Challenge
configs - If you update the policy's values for associationConfig
, captchaConfig
, challengeConfig
, or tokenDomains
, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's associationConfig
, captchaConfig
, challengeConfig
, or tokenDomains
values, the values in your local web ACLs will remain unchanged. For information about association configs, see AssociationConfig. For information about CAPTCHA and Challenge configs, see CaptchaConfig and ChallengeConfig in the WAF API Reference.
defaultSizeInspectionLimit
- Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to WAF for inspection. For more information, see DefaultSizeInspectionLimit in the WAF API Reference.
Example: WAFV2
- Firewall Manager support for WAF managed rule group versioning
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"
To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled
to true
, and set version
to the version you'd like to use. If you don't set versionEnabled
to true
, or if you omit versionEnabled
, then Firewall Manager uses the default version of the WAF managed rule group.
Example: WAFV2
- Logging configurations
\"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null, \\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\": {\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\", \\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"} ,\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[], \\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[], \\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\" :null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\" :false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\": [\\\"arn:aws:s3:::aws-waf-logs-example-bucket\\\"] ,\\\"redactedFields\\\":[],\\\"loggingFilterConfigs\\\":{\\\"defaultBehavior\\\":\\\"KEEP\\\", \\\"filters\\\":[{\\\"behavior\\\":\\\"KEEP\\\",\\\"requirement\\\":\\\"MEETS_ALL\\\", \\\"conditions\\\":[{\\\"actionCondition\\\":\\\"CAPTCHA\\\"},{\\\"actionCondition\\\": \\\"CHALLENGE\\\"}, {\\\"actionCondition\\\":\\\"EXCLUDED_AS_COUNT\\\"}]}]}},\\\"sampledRequestsEnabledForDefaultActions\\\":true}\"
Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the logDestinationConfigs
in your loggingConfiguration
. For information about WAF logging configurations, see LoggingConfiguration in the WAF API Reference
In the loggingConfiguration
, you can specify one logDestinationConfigs
. Optionally provide as many as 20 redactedFields
. The RedactedFieldType
must be one of URI
, QUERY_STRING
, HEADER
, or METHOD
.
Example: WAF Classic
\"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"
Contains the Network Firewall firewall policy options to configure a centralized deployment model.
" + "documentation":"Contains the settings to configure a network ACL policy, a Network Firewall firewall policy deployment model, or a third-party firewall policy.
" } }, "documentation":"Details about the security service that is being used to protect the resources.
" @@ -3878,7 +4226,8 @@ "NETWORK_FIREWALL", "DNS_FIREWALL", "THIRD_PARTY_FIREWALL", - "IMPORT_NETWORK_FIREWALL" + "IMPORT_NETWORK_FIREWALL", + "NETWORK_ACL_COMMON" ] }, "SecurityServiceTypeList":{ @@ -4254,7 +4603,8 @@ "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET", "RESOURCE_MISSING_DNS_FIREWALL", "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT", - "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT" + "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT", + "INVALID_NETWORK_ACL_ENTRY" ] }, "ViolationTarget":{ diff --git a/tools/code-generation/api-descriptions/ivs-2020-07-14.normal.json b/tools/code-generation/api-descriptions/ivs-2020-07-14.normal.json index ced443f1849..635dd0c199d 100644 --- a/tools/code-generation/api-descriptions/ivs-2020-07-14.normal.json +++ b/tools/code-generation/api-descriptions/ivs-2020-07-14.normal.json @@ -636,7 +636,7 @@ "members":{ "arn":{ "shape":"ResourceArn", - "documentation":"Channel ARN.
" + "documentation":"ARN of an IVS resource; e.g., channel.
" }, "code":{ "shape":"errorCode", @@ -839,7 +839,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" }, "ChannelArnList":{ "type":"list", @@ -1695,7 +1695,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:playback-key/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:playback-key/[a-zA-Z0-9-]+$" }, "PlaybackKeyPairFingerprint":{"type":"string"}, "PlaybackKeyPairList":{ @@ -2002,7 +2002,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" }, "ResourceNotFoundException":{ "type":"structure", @@ -2219,7 +2219,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:stream-key/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:stream-key/[a-zA-Z0-9-]+$" }, "StreamKeyArnList":{ "type":"list", diff --git a/tools/code-generation/api-descriptions/ivs-realtime-2020-07-14.normal.json b/tools/code-generation/api-descriptions/ivs-realtime-2020-07-14.normal.json index 7573c1c611d..66e5b9e9abb 100644 --- a/tools/code-generation/api-descriptions/ivs-realtime-2020-07-14.normal.json +++ b/tools/code-generation/api-descriptions/ivs-realtime-2020-07-14.normal.json @@ -483,6 +483,7 @@ {"shape":"ValidationException"}, {"shape":"AccessDeniedException"}, {"shape":"ServiceQuotaExceededException"}, + {"shape":"ConflictException"}, {"shape":"PendingVerification"} ], "documentation":"Updates a stage’s configuration.
" @@ -520,7 +521,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:channel/[a-zA-Z0-9-]+$" }, "ChannelDestinationConfiguration":{ "type":"structure", @@ -1935,7 +1936,7 @@ "type":"string", "max":128, "min":1, - "pattern":"^arn:aws:[is]vs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" + "pattern":"^arn:aws:ivs:[a-z0-9-]+:[0-9]+:[a-z-]/[a-zA-Z0-9-]+$" }, "ResourceNotFoundException":{ "type":"structure", diff --git a/tools/code-generation/api-descriptions/rds-2013-01-10.normal.json b/tools/code-generation/api-descriptions/rds-2013-01-10.normal.json index 610c4dc8729..a114cf89461 100644 --- a/tools/code-generation/api-descriptions/rds-2013-01-10.normal.json +++ b/tools/code-generation/api-descriptions/rds-2013-01-10.normal.json @@ -4,6 +4,7 @@ "apiVersion":"2013-01-10", "endpointPrefix":"rds", "protocol":"query", + "protocols":["query"], "serviceAbbreviation":"Amazon RDS", "serviceFullName":"Amazon Relational Database Service", "serviceId":"RDS", diff --git a/tools/code-generation/api-descriptions/rds-2013-02-12.normal.json b/tools/code-generation/api-descriptions/rds-2013-02-12.normal.json index 4c3c4676b88..8ca8dd0f96e 100644 --- a/tools/code-generation/api-descriptions/rds-2013-02-12.normal.json +++ b/tools/code-generation/api-descriptions/rds-2013-02-12.normal.json @@ -4,6 +4,7 @@ "apiVersion":"2013-02-12", "endpointPrefix":"rds", "protocol":"query", + "protocols":["query"], "serviceAbbreviation":"Amazon RDS", "serviceFullName":"Amazon Relational Database Service", "serviceId":"RDS", diff --git a/tools/code-generation/api-descriptions/rds-2013-09-09.normal.json b/tools/code-generation/api-descriptions/rds-2013-09-09.normal.json index f7e3363ba82..bfde91db177 100644 --- a/tools/code-generation/api-descriptions/rds-2013-09-09.normal.json +++ b/tools/code-generation/api-descriptions/rds-2013-09-09.normal.json 
@@ -4,6 +4,7 @@ "apiVersion":"2013-09-09", "endpointPrefix":"rds", "protocol":"query", + "protocols":["query"], "serviceAbbreviation":"Amazon RDS", "serviceFullName":"Amazon Relational Database Service", "serviceId":"RDS", diff --git a/tools/code-generation/api-descriptions/rds-2014-09-01.normal.json b/tools/code-generation/api-descriptions/rds-2014-09-01.normal.json index 83279896737..8eff6769d4c 100644 --- a/tools/code-generation/api-descriptions/rds-2014-09-01.normal.json +++ b/tools/code-generation/api-descriptions/rds-2014-09-01.normal.json @@ -4,6 +4,7 @@ "apiVersion":"2014-09-01", "endpointPrefix":"rds", "protocol":"query", + "protocols":["query"], "serviceAbbreviation":"Amazon RDS", "serviceFullName":"Amazon Relational Database Service", "serviceId":"RDS", diff --git a/tools/code-generation/api-descriptions/rds-2014-10-31.normal.json b/tools/code-generation/api-descriptions/rds-2014-10-31.normal.json index cd9417644db..ba7381f714a 100644 --- a/tools/code-generation/api-descriptions/rds-2014-10-31.normal.json +++ b/tools/code-generation/api-descriptions/rds-2014-10-31.normal.json @@ -4,6 +4,7 @@ "apiVersion":"2014-10-31", "endpointPrefix":"rds", "protocol":"query", + "protocols":["query"], "serviceAbbreviation":"Amazon RDS", "serviceFullName":"Amazon Relational Database Service", "serviceId":"RDS", @@ -4569,7 +4570,7 @@ }, "Timezone":{ "shape":"String", - "documentation":"The time zone of the DB instance. The time zone parameter is currently supported only by Microsoft SQL Server.
" + "documentation":"The time zone of the DB instance. The time zone parameter is currently supported only by RDS for Db2 and RDS for SQL Server.
" }, "EnableIAMDatabaseAuthentication":{ "shape":"BooleanOptional", @@ -6865,7 +6866,7 @@ }, "Timezone":{ "shape":"String", - "documentation":"The time zone of the DB instance. In most cases, the Timezone
element is empty. Timezone
content appears only for Microsoft SQL Server DB instances that were created with a time zone specified.
The time zone of the DB instance. In most cases, the Timezone
element is empty. Timezone
content appears only for RDS for Db2 and RDS for SQL Server DB instances that were created with a time zone specified.
The new DB subnet group for the DB instance. You can use this parameter to move your DB instance to a different VPC. If your DB instance isn't in a VPC, you can also use this parameter to move your DB instance into a VPC. For more information, see Working with a DB instance in a VPC in the Amazon RDS User Guide.
Changing the subnet group causes an outage during the change. The change is applied during the next maintenance window, unless you enable ApplyImmediately
.
This parameter doesn't apply to RDS Custom DB instances.
Constraints:
If supplied, must match existing DB subnet group.
Example: mydbsubnetgroup
The new DB subnet group for the DB instance. You can use this parameter to move your DB instance to a different VPC. If your DB instance isn't in a VPC, you can also use this parameter to move your DB instance into a VPC. For more information, see Working with a DB instance in a VPC in the Amazon RDS User Guide.
Changing the subnet group causes an outage during the change. The change is applied during the next maintenance window, unless you enable ApplyImmediately
.
This setting doesn't apply to RDS Custom DB instances.
Constraints:
If supplied, must match existing DB subnet group.
Example: mydbsubnetgroup
Specifies whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection isn't enabled. For more information, see Deleting a DB Instance.
" + "documentation":"Specifies whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection isn't enabled. For more information, see Deleting a DB Instance.
This setting doesn't apply to Amazon Aurora DB instances. You can enable or disable deletion protection for the DB cluster. For more information, see ModifyDBCluster
. DB instances in a DB cluster can be deleted even when deletion protection is enabled for the DB cluster.
Restarts unsuccessful executions of Standard workflows that didn't complete successfully in the last 14 days. These include failed, aborted, or timed out executions. When you redrive an execution, it continues the failed execution from the unsuccessful step and uses the same input. Step Functions preserves the results and execution history of the successful steps, and doesn't rerun these steps when you redrive an execution. Redriven executions use the same state machine definition and execution ARN as the original execution attempt.
For workflows that include an Inline Map or Parallel state, RedriveExecution
API action reschedules and redrives only the iterations and branches that failed or aborted.
To redrive a workflow that includes a Distributed Map state whose Map Run failed, you must redrive the parent workflow. The parent workflow redrives all the unsuccessful states, including a failed Map Run. If a Map Run was not started in the original execution attempt, the redriven parent workflow starts the Map Run.
This API action is not supported by EXPRESS
state machines.
However, you can restart the unsuccessful executions of Express child workflows in a Distributed Map by redriving its Map Run. When you redrive a Map Run, the Express child workflows are rerun using the StartExecution API action. For more information, see Redriving Map Runs.
You can redrive executions if your original execution meets the following conditions:
The execution status isn't SUCCEEDED
.
Your workflow execution has not exceeded the redrivable period of 14 days. Redrivable period refers to the time during which you can redrive a given execution. This period starts from the day a state machine completes its execution.
The workflow execution has not exceeded the maximum open time of one year. For more information about state machine quotas, see Quotas related to state machine executions.
The execution event history count is less than 24,999. Redriven executions append their event history to the existing event history. Make sure your workflow execution contains less than 24,999 events to accommodate the ExecutionRedriven
history event and at least one other history event.
Updates the configuration of an existing state machine alias by modifying its description
or routingConfiguration
.
You must specify at least one of the description
or routingConfiguration
parameters to update a state machine alias.
UpdateStateMachineAlias
is an idempotent API. Step Functions bases the idempotency check on the stateMachineAliasArn
, description
, and routingConfiguration
parameters. Requests with the same parameters return an idempotent response.
This operation is eventually consistent. All StartExecution requests made within a few seconds use the latest alias configuration. Executions started immediately after calling UpdateStateMachineAlias
may use the previous routing configuration.
Related operations:
" + }, + "ValidateStateMachineDefinition":{ + "name":"ValidateStateMachineDefinition", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ValidateStateMachineDefinitionInput"}, + "output":{"shape":"ValidateStateMachineDefinitionOutput"}, + "errors":[ + {"shape":"ValidationException"} + ], + "documentation":"Validates the syntax of a state machine definition.
You can validate that a state machine definition is correct without creating a state machine resource. Step Functions will implicitly perform the same syntax check when you invoke CreateStateMachine
and UpdateStateMachine
. State machine definitions are specified using a JSON-based, structured language. For more information on Amazon States Language see Amazon States Language (ASL).
Suggested uses for ValidateStateMachineDefinition
:
Integrate automated checks into your code review or Continuous Integration (CI) process to validate state machine definitions before starting deployments.
Run the validation from a Git pre-commit hook to check your state machine definitions before committing them to your source repository.
Errors found in the state machine definition will be returned in the response as a list of diagnostic elements, rather than raise an exception.
A value of ERROR
means that you cannot create or update a state machine with this definition.
Identifying code for the diagnostic.
" + }, + "message":{ + "shape":"ValidateStateMachineDefinitionMessage", + "documentation":"Message describing the diagnostic condition.
" + }, + "location":{ + "shape":"ValidateStateMachineDefinitionLocation", + "documentation":"Location of the issue in the state machine, if available.
For errors specific to a field, the location could be in the format: /States/<StateName>/<FieldName>
, for example: /States/FailState/ErrorPath
.
Describes an error found during validation. Validation errors found in the definition return in the response as diagnostic elements, rather than raise an exception.
" + }, + "ValidateStateMachineDefinitionDiagnosticList":{ + "type":"list", + "member":{"shape":"ValidateStateMachineDefinitionDiagnostic"} + }, + "ValidateStateMachineDefinitionInput":{ + "type":"structure", + "required":["definition"], + "members":{ + "definition":{ + "shape":"Definition", + "documentation":"The Amazon States Language definition of the state machine. For more information, see Amazon States Language (ASL).
" + }, + "type":{ + "shape":"StateMachineType", + "documentation":"The target type of state machine for this definition. The default is STANDARD
.
The result value will be OK
when no syntax errors are found, or FAIL
if the workflow definition does not pass verification.
If the result is OK
, this field will be empty. When there are errors, this field will contain an array of Diagnostic objects to help you troubleshoot.
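Review bot: In the generic resource ARN shape (the ivs hunk at `@@ -2002,7 +2002,7 @@`, and the same line in ivs-realtime at `@@ -1935,7 +1936,7 @@`) the resource-type segment is still `[a-z-]/` with no quantifier. The pattern therefore matches only a one-character resource type and cannot match the `channel/`, `playback-key/` or `stream-key/` ARNs that the sibling patterns in this patch accept. Since the line is being touched anyway, change the segment to `[a-z-]+/` in the upstream model, or confirm that the single-character class is intended.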
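Review bot: The errors list in the ivs-realtime hunk at `@@ -483,6 +483,7 @@` gains `{"shape":"ConflictException"}`, but the operation's `documentation` string in the trailing context is unchanged and still says only that it updates a stage's configuration. Add a sentence saying which condition produces the conflict, so callers can tell whether retrying the update is safe.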
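Review bot: `"protocols":["query"]` is added directly after the existing `"protocol":"query"` in the metadata of all five `rds-*.normal.json` files, which leaves two fields carrying the same value and nothing in the patch saying which one the code generator reads. Document the precedence, or add a generator check that the scalar `protocol` is a member of `protocols`, so the two cannot drift apart unnoticed in a later model update.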
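Review bot: The paragraph added to the `DeletionProtection` documentation in rds-2014-10-31 says the setting doesn't apply to Amazon Aurora DB instances, and then that DB instances in a DB cluster can be deleted even when deletion protection is enabled for the cluster. Read together, neither of the two settings mentioned blocks deletion of an individual Aurora instance, but the text leaves the reader to infer that. Say so in one explicit sentence, since operators read this field as a guardrail.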
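Review bot: The new `ValidateStateMachineDefinition` operation lists `{"shape":"ValidationException"}` under `errors`, while its documentation says errors found in the definition are returned as diagnostic elements "rather than raise an exception". The text should say which inputs still produce `ValidationException`. For the suggested CI and pre-commit uses, also state that the caller has to fail the check when the result is `FAIL`, because a call that returns without an exception does not mean the definition is valid.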
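Review bot: The output documentation at the end of the Step Functions hunk refers to "an array of Diagnostic objects", but the shapes this patch defines are `ValidateStateMachineDefinitionDiagnostic` and `ValidateStateMachineDefinitionDiagnosticList`. Use the real shape name. The same strings call the check "syntax" validation in the operation text and "verification" in the result text, so pick one term to make clear that both describe the same check.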