|
254 | 254 | ], |
255 | 255 | "documentation":"<p>Returns the data objects for the specified rule group. </p>" |
256 | 256 | }, |
| 257 | + "DescribeRuleGroupMetadata":{ |
| 258 | + "name":"DescribeRuleGroupMetadata", |
| 259 | + "http":{ |
| 260 | + "method":"POST", |
| 261 | + "requestUri":"/" |
| 262 | + }, |
| 263 | + "input":{"shape":"DescribeRuleGroupMetadataRequest"}, |
| 264 | + "output":{"shape":"DescribeRuleGroupMetadataResponse"}, |
| 265 | + "errors":[ |
| 266 | + {"shape":"InvalidRequestException"}, |
| 267 | + {"shape":"ResourceNotFoundException"}, |
| 268 | + {"shape":"ThrottlingException"}, |
| 269 | + {"shape":"InternalServerError"} |
| 270 | + ], |
| 271 | + "documentation":"<p>High-level information about a rule group, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a rule group. You can retrieve all objects for a rule group by calling <a>DescribeRuleGroup</a>. </p>" |
| 272 | + }, |
257 | 273 | "DisassociateSubnets":{ |
258 | 274 | "name":"DisassociateSubnets", |
259 | 275 | "http":{ |
|
326 | 342 | "input":{"shape":"ListTagsForResourceRequest"}, |
327 | 343 | "output":{"shape":"ListTagsForResourceResponse"}, |
328 | 344 | "errors":[ |
| 345 | + {"shape":"ThrottlingException"}, |
| 346 | + {"shape":"InternalServerError"}, |
329 | 347 | {"shape":"ResourceNotFoundException"}, |
330 | 348 | {"shape":"InvalidRequestException"} |
331 | 349 | ], |
|
357 | 375 | "input":{"shape":"TagResourceRequest"}, |
358 | 376 | "output":{"shape":"TagResourceResponse"}, |
359 | 377 | "errors":[ |
| 378 | + {"shape":"ThrottlingException"}, |
| 379 | + {"shape":"InternalServerError"}, |
360 | 380 | {"shape":"ResourceNotFoundException"}, |
361 | 381 | {"shape":"InvalidRequestException"} |
362 | 382 | ], |
|
371 | 391 | "input":{"shape":"UntagResourceRequest"}, |
372 | 392 | "output":{"shape":"UntagResourceResponse"}, |
373 | 393 | "errors":[ |
| 394 | + {"shape":"ThrottlingException"}, |
| 395 | + {"shape":"InternalServerError"}, |
374 | 396 | {"shape":"ResourceNotFoundException"}, |
375 | 397 | {"shape":"InvalidRequestException"} |
376 | 398 | ], |
|
444 | 466 | {"shape":"InvalidTokenException"}, |
445 | 467 | {"shape":"ResourceOwnerCheckException"} |
446 | 468 | ], |
447 | | - "documentation":"<p/>" |
| 469 | + "documentation":"<p>Modifies the flag, <code>ChangeProtection</code>, which indicates whether it is possible to change the firewall. If the flag is set to <code>TRUE</code>, the firewall is protected from changes. This setting helps protect against accidentally changing a firewall that's in use.</p>" |
448 | 470 | }, |
449 | 471 | "UpdateLoggingConfiguration":{ |
450 | 472 | "name":"UpdateLoggingConfiguration", |
|
1049 | 1071 | } |
1050 | 1072 | } |
1051 | 1073 | }, |
| 1074 | + "DescribeRuleGroupMetadataRequest":{ |
| 1075 | + "type":"structure", |
| 1076 | + "members":{ |
| 1077 | + "RuleGroupName":{ |
| 1078 | + "shape":"ResourceName", |
| 1079 | + "documentation":"<p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p> <p>You must specify the ARN or the name, and you can specify both. </p>" |
| 1080 | + }, |
| 1081 | + "RuleGroupArn":{ |
| 1082 | + "shape":"ResourceArn", |
| 1083 | + "documentation":"<p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p> <p>You must specify the ARN or the name, and you can specify both. </p>" |
| 1084 | + }, |
| 1085 | + "Type":{ |
| 1086 | + "shape":"RuleGroupType", |
| 1087 | + "documentation":"<p>Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules. </p> <note> <p>This setting is required for requests that do not include the <code>RuleGroupARN</code>.</p> </note>" |
| 1088 | + } |
| 1089 | + } |
| 1090 | + }, |
| 1091 | + "DescribeRuleGroupMetadataResponse":{ |
| 1092 | + "type":"structure", |
| 1093 | + "required":[ |
| 1094 | + "RuleGroupArn", |
| 1095 | + "RuleGroupName" |
| 1096 | + ], |
| 1097 | + "members":{ |
| 1098 | + "RuleGroupArn":{ |
| 1099 | + "shape":"ResourceArn", |
| 1100 | + "documentation":"<p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p> <p>You must specify the ARN or the name, and you can specify both. </p>" |
| 1101 | + }, |
| 1102 | + "RuleGroupName":{ |
| 1103 | + "shape":"ResourceName", |
| 1104 | + "documentation":"<p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p> <p>You must specify the ARN or the name, and you can specify both. </p>" |
| 1105 | + }, |
| 1106 | + "Description":{ |
| 1107 | + "shape":"Description", |
| 1108 | + "documentation":"<p>Returns the metadata objects for the specified rule group. </p>" |
| 1109 | + }, |
| 1110 | + "Type":{ |
| 1111 | + "shape":"RuleGroupType", |
| 1112 | + "documentation":"<p>Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules. </p> <note> <p>This setting is required for requests that do not include the <code>RuleGroupARN</code>.</p> </note>" |
| 1113 | + }, |
| 1114 | + "Capacity":{ |
| 1115 | + "shape":"RuleCapacity", |
| 1116 | + "documentation":"<p>The maximum operating resources that this rule group can use. Rule group capacity is fixed at creation. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group. </p> <p>You can retrieve the capacity that would be required for a rule group before you create the rule group by calling <a>CreateRuleGroup</a> with <code>DryRun</code> set to <code>TRUE</code>. </p>" |
| 1117 | + }, |
| 1118 | + "StatefulRuleOptions":{"shape":"StatefulRuleOptions"} |
| 1119 | + } |
| 1120 | + }, |
1052 | 1121 | "DescribeRuleGroupRequest":{ |
1053 | 1122 | "type":"structure", |
1054 | 1123 | "members":{ |
|
1269 | 1338 | }, |
1270 | 1339 | "StatefulDefaultActions":{ |
1271 | 1340 | "shape":"StatefulActions", |
1272 | | - "documentation":"<p>The default actions to take on a packet that doesn't match any stateful rules.</p>" |
| 1341 | + "documentation":"<p>The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.</p> <p>Valid values of the stateful default action:</p> <ul> <li> <p>aws:drop_strict</p> </li> <li> <p>aws:drop_established</p> </li> <li> <p>aws:alert_strict</p> </li> <li> <p>aws:alert_established</p> </li> </ul> <p>For more information, see <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-strict-rule-evaluation-order.html\">Strict evaluation order</a> in the <i>AWS Network Firewall Developer Guide</i>. </p>" |
1273 | 1342 | }, |
1274 | 1343 | "StatefulEngineOptions":{ |
1275 | 1344 | "shape":"StatefulEngineOptions", |
|
1580 | 1649 | "MaxResults":{ |
1581 | 1650 | "shape":"PaginationMaxResults", |
1582 | 1651 | "documentation":"<p>The maximum number of objects that you want Network Firewall to return for this request. If more objects are available, in the response, Network Firewall provides a <code>NextToken</code> value that you can use in a subsequent call to get the next batch of objects.</p>" |
| 1652 | + }, |
| 1653 | + "Scope":{ |
| 1654 | + "shape":"ResourceManagedStatus", |
| 1655 | + "documentation":"<p>The scope of the request. The default setting of <code>ACCOUNT</code> or a setting of <code>NULL</code> returns all of the rule groups in your account. A setting of <code>MANAGED</code> returns all available managed rule groups.</p>" |
1583 | 1656 | } |
1584 | 1657 | } |
1585 | 1658 | }, |
|
1727 | 1800 | "documentation":"<p>Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags. </p>" |
1728 | 1801 | }, |
1729 | 1802 | "NumberOfAssociations":{"type":"integer"}, |
| 1803 | + "OverrideAction":{ |
| 1804 | + "type":"string", |
| 1805 | + "enum":["DROP_TO_ALERT"] |
| 1806 | + }, |
1730 | 1807 | "PaginationMaxResults":{ |
1731 | 1808 | "type":"integer", |
1732 | 1809 | "max":100, |
|
1872 | 1949 | "min":36, |
1873 | 1950 | "pattern":"^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$" |
1874 | 1951 | }, |
| 1952 | + "ResourceManagedStatus":{ |
| 1953 | + "type":"string", |
| 1954 | + "enum":[ |
| 1955 | + "MANAGED", |
| 1956 | + "ACCOUNT" |
| 1957 | + ] |
| 1958 | + }, |
1875 | 1959 | "ResourceName":{ |
1876 | 1960 | "type":"string", |
1877 | 1961 | "max":128, |
|
2097 | 2181 | "members":{ |
2098 | 2182 | "Targets":{ |
2099 | 2183 | "shape":"RuleTargets", |
2100 | | - "documentation":"<p>The domains that you want to inspect for in your traffic flows. To provide multiple domains, separate them with commas. Valid domain specifications are the following:</p> <ul> <li> <p>Explicit names. For example, <code>abc.example.com</code> matches only the domain <code>abc.example.com</code>.</p> </li> <li> <p>Names that use a domain wildcard, which you indicate with an initial '<code>.</code>'. For example,<code>.example.com</code> matches <code>example.com</code> and matches all subdomains of <code>example.com</code>, such as <code>abc.example.com</code> and <code>www.example.com</code>. </p> </li> </ul>" |
| 2184 | + "documentation":"<p>The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:</p> <ul> <li> <p>Explicit names. For example, <code>abc.example.com</code> matches only the domain <code>abc.example.com</code>.</p> </li> <li> <p>Names that use a domain wildcard, which you indicate with an initial '<code>.</code>'. For example,<code>.example.com</code> matches <code>example.com</code> and matches all subdomains of <code>example.com</code>, such as <code>abc.example.com</code> and <code>www.example.com</code>. </p> </li> </ul>" |
2101 | 2185 | }, |
2102 | 2186 | "TargetTypes":{ |
2103 | 2187 | "shape":"TargetTypes", |
|
2148 | 2232 | "members":{ |
2149 | 2233 | "RuleOrder":{ |
2150 | 2234 | "shape":"RuleOrder", |
2151 | | - "documentation":"<p>Indicates how to manage the order of stateful rule evaluation for the policy. By default, Network Firewall leaves the rule evaluation order up to the Suricata rule processing engine. If you set this to <code>STRICT_ORDER</code>, your rules are evaluated in the exact order that you provide them in the policy. With strict ordering, the rule groups are evaluated by order of priority, starting from the lowest number, and the rules in each rule group are processed in the order that they're defined. </p>" |
| 2235 | + "documentation":"<p>Indicates how to manage the order of stateful rule evaluation for the policy. <code>DEFAULT_ACTION_ORDER</code> is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html\">Evaluation order for stateful rules</a> in the <i>AWS Network Firewall Developer Guide</i>. </p>" |
2152 | 2236 | } |
2153 | 2237 | }, |
2154 | 2238 | "documentation":"<p>Configuration settings for the handling of the stateful rule groups in a firewall policy. </p>" |
|
2183 | 2267 | "ANY" |
2184 | 2268 | ] |
2185 | 2269 | }, |
| 2270 | + "StatefulRuleGroupOverride":{ |
| 2271 | + "type":"structure", |
| 2272 | + "members":{ |
| 2273 | + "Action":{ |
| 2274 | + "shape":"OverrideAction", |
| 2275 | + "documentation":"<p>The action that changes the rule group from <code>DROP</code> to <code>ALERT</code>. This only applies to managed rule groups.</p>" |
| 2276 | + } |
| 2277 | + }, |
| 2278 | + "documentation":"<p>The setting that allows the policy owner to change the behavior of the rule group within a policy. </p>" |
| 2279 | + }, |
2186 | 2280 | "StatefulRuleGroupReference":{ |
2187 | 2281 | "type":"structure", |
2188 | 2282 | "required":["ResourceArn"], |
|
2195 | 2289 | "shape":"Priority", |
2196 | 2290 | "documentation":"<p>An integer setting that indicates the order in which to run the stateful rule groups in a single <a>FirewallPolicy</a>. This setting only applies to firewall policies that specify the <code>STRICT_ORDER</code> rule order in the stateful engine options settings.</p> <p>Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.</p> <p>You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on. </p>", |
2197 | 2291 | "box":true |
| 2292 | + }, |
| 2293 | + "Override":{ |
| 2294 | + "shape":"StatefulRuleGroupOverride", |
| 2295 | + "documentation":"<p>The action that allows the policy owner to override the behavior of the rule group within a policy.</p>" |
2198 | 2296 | } |
2199 | 2297 | }, |
2200 | 2298 | "documentation":"<p>Identifier for a single stateful rule group, used in a firewall policy to refer to a rule group. </p>" |
|
2208 | 2306 | "members":{ |
2209 | 2307 | "RuleOrder":{ |
2210 | 2308 | "shape":"RuleOrder", |
2211 | | - "documentation":"<p>Indicates how to manage the order of the rule evaluation for the rule group. By default, Network Firewall leaves the rule evaluation order up to the Suricata rule processing engine. If you set this to <code>STRICT_ORDER</code>, your rules are evaluated in the exact order that they're listed in your Suricata rules string. </p>" |
| 2309 | + "documentation":"<p>Indicates how to manage the order of the rule evaluation for the rule group. <code>DEFAULT_ACTION_ORDER</code> is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html\">Evaluation order for stateful rules</a> in the <i>AWS Network Firewall Developer Guide</i>. </p>" |
2212 | 2310 | } |
2213 | 2311 | }, |
2214 | 2312 | "documentation":"<p>Additional options governing how Network Firewall handles the rule group. You can only use these for stateful rule groups.</p>" |
|
2528 | 2626 | }, |
2529 | 2627 | "DeleteProtection":{ |
2530 | 2628 | "shape":"Boolean", |
2531 | | - "documentation":"<p/>" |
| 2629 | + "documentation":"<p>A flag indicating whether it is possible to delete the firewall. A setting of <code>TRUE</code> indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to <code>TRUE</code>.</p>" |
2532 | 2630 | }, |
2533 | 2631 | "UpdateToken":{ |
2534 | 2632 | "shape":"UpdateToken", |
|
0 commit comments