feat(client-fms): AWS Firewall Manager adds support for network ACL policies to manage Amazon Virtual Private Cloud (VPC) network access control lists (ACLs) for accounts in your organization.
awstools committed Apr 25, 2024
1 parent c7872e2 commit 75febc1
Showing 11 changed files with 1,451 additions and 125 deletions.
4 changes: 2 additions & 2 deletions clients/client-fms/src/commands/GetAdminScopeCommand.ts
Expand Up @@ -27,7 +27,7 @@ export interface GetAdminScopeCommandInput extends GetAdminScopeRequest {}
export interface GetAdminScopeCommandOutput extends GetAdminScopeResponse, __MetadataBearer {}

/**
* <p>Returns information about the specified account's administrative scope. The admistrative scope defines the resources that an Firewall Manager administrator can manage.</p>
* <p>Returns information about the specified account's administrative scope. The administrative scope defines the resources that an Firewall Manager administrator can manage.</p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
Expand Down Expand Up @@ -63,7 +63,7 @@ export interface GetAdminScopeCommandOutput extends GetAdminScopeResponse, __Met
* // },
* // PolicyTypeScope: { // PolicyTypeScope
* // PolicyTypes: [ // SecurityServiceTypeList
* // "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL",
* // "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON",
* // ],
* // AllPolicyTypesEnabled: true || false,
* // },
25 changes: 2 additions & 23 deletions clients/client-fms/src/commands/GetComplianceDetailCommand.ts
Expand Up @@ -29,28 +29,7 @@ export interface GetComplianceDetailCommandOutput extends GetComplianceDetailRes
/**
* <p>Returns detailed compliance information about the specified member account. Details
* include resources that are in and out of compliance with the specified policy. </p>
* <ul>
* <li>
* <p>Resources are
* considered noncompliant for WAF and Shield Advanced policies if the specified policy has
* not been applied to them.</p>
* </li>
* <li>
* <p>Resources are considered noncompliant for security group policies if
* they are in scope of the policy, they violate one or more of the policy rules, and remediation
* is disabled or not possible.</p>
* </li>
* <li>
* <p>Resources are considered noncompliant for Network Firewall policies
* if a firewall is missing in the VPC, if the firewall endpoint isn't set up in an expected Availability Zone and subnet,
* if a subnet created by the Firewall Manager doesn't have the expected route table,
* and for modifications to a firewall policy that violate the Firewall Manager policy's rules.</p>
* </li>
* <li>
* <p>Resources are considered noncompliant for DNS Firewall policies
* if a DNS Firewall rule group is missing from the rule group associations for the VPC. </p>
* </li>
* </ul>
* <p>The reasons for resources being considered compliant depend on the Firewall Manager policy type. </p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
Expand All @@ -71,7 +50,7 @@ export interface GetComplianceDetailCommandOutput extends GetComplianceDetailRes
* // Violators: [ // ComplianceViolators
* // { // ComplianceViolator
* // ResourceId: "STRING_VALUE",
* // ViolationReason: "WEB_ACL_MISSING_RULE_GROUP" || "RESOURCE_MISSING_WEB_ACL" || "RESOURCE_INCORRECT_WEB_ACL" || "RESOURCE_MISSING_SHIELD_PROTECTION" || "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION" || "RESOURCE_MISSING_SECURITY_GROUP" || "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP" || "SECURITY_GROUP_UNUSED" || "SECURITY_GROUP_REDUNDANT" || "FMS_CREATED_SECURITY_GROUP_EDITED" || "MISSING_FIREWALL" || "MISSING_FIREWALL_SUBNET_IN_AZ" || "MISSING_EXPECTED_ROUTE_TABLE" || "NETWORK_FIREWALL_POLICY_MODIFIED" || "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" || "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE" || "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE" || "UNEXPECTED_FIREWALL_ROUTES" || "UNEXPECTED_TARGET_GATEWAY_ROUTES" || "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY" || "INVALID_ROUTE_CONFIGURATION" || "MISSING_TARGET_GATEWAY" || "INTERNET_TRAFFIC_NOT_INSPECTED" || "BLACK_HOLE_ROUTE_DETECTED" || "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" || "RESOURCE_MISSING_DNS_FIREWALL" || "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" || "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT",
* // ViolationReason: "WEB_ACL_MISSING_RULE_GROUP" || "RESOURCE_MISSING_WEB_ACL" || "RESOURCE_INCORRECT_WEB_ACL" || "RESOURCE_MISSING_SHIELD_PROTECTION" || "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION" || "RESOURCE_MISSING_SECURITY_GROUP" || "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP" || "SECURITY_GROUP_UNUSED" || "SECURITY_GROUP_REDUNDANT" || "FMS_CREATED_SECURITY_GROUP_EDITED" || "MISSING_FIREWALL" || "MISSING_FIREWALL_SUBNET_IN_AZ" || "MISSING_EXPECTED_ROUTE_TABLE" || "NETWORK_FIREWALL_POLICY_MODIFIED" || "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" || "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE" || "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE" || "UNEXPECTED_FIREWALL_ROUTES" || "UNEXPECTED_TARGET_GATEWAY_ROUTES" || "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY" || "INVALID_ROUTE_CONFIGURATION" || "MISSING_TARGET_GATEWAY" || "INTERNET_TRAFFIC_NOT_INSPECTED" || "BLACK_HOLE_ROUTE_DETECTED" || "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" || "RESOURCE_MISSING_DNS_FIREWALL" || "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" || "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT" || "INVALID_NETWORK_ACL_ENTRY",
* // ResourceType: "STRING_VALUE",
* // Metadata: { // ComplianceViolatorMetadata
* // "<keys>": "STRING_VALUE",
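Review bot: The sentence added on the new side, `The reasons for resources being considered compliant depend on the Firewall Manager policy type.`, appears to say the opposite of what it replaces: the removed bullets each described when a resource is considered *noncompliant*, and the sentence before it still promises details on resources "in and out of compliance", so "compliant" here looks like a slip. It also replaces concrete per-type criteria with a statement that points nowhere, and the one value this commit adds to the `ViolationReason` example, `INVALID_NETWORK_ACL_ENTRY`, is left with no hint of what triggers it. I'd change the line to `* <p>The reasons for resources being considered noncompliant depend on the Firewall Manager policy type; see the Firewall Manager documentation for the criteria used by each policy type, including network ACL policies.</p>`. The enclosing doc comment for GetComplianceDetailCommandOutput continues outside the hunk, so any remaining per-type text there should be checked for the same compliant/noncompliant wording.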
42 changes: 41 additions & 1 deletion clients/client-fms/src/commands/GetPolicyCommand.ts
Expand Up @@ -45,7 +45,7 @@ export interface GetPolicyCommandOutput extends GetPolicyResponse, __MetadataBea
* // PolicyName: "STRING_VALUE", // required
* // PolicyUpdateToken: "STRING_VALUE",
* // SecurityServicePolicyData: { // SecurityServicePolicyData
* // Type: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL", // required
* // Type: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON", // required
* // ManagedServiceData: "STRING_VALUE",
* // PolicyOption: { // PolicyOption
* // NetworkFirewallPolicy: { // NetworkFirewallPolicy
Expand All @@ -54,6 +54,46 @@ export interface GetPolicyCommandOutput extends GetPolicyResponse, __MetadataBea
* // ThirdPartyFirewallPolicy: { // ThirdPartyFirewallPolicy
* // FirewallDeploymentModel: "CENTRALIZED" || "DISTRIBUTED",
* // },
* // NetworkAclCommonPolicy: { // NetworkAclCommonPolicy
* // NetworkAclEntrySet: { // NetworkAclEntrySet
* // FirstEntries: [ // NetworkAclEntries
* // { // NetworkAclEntry
* // IcmpTypeCode: { // NetworkAclIcmpTypeCode
* // Code: Number("int"),
* // Type: Number("int"),
* // },
* // Protocol: "STRING_VALUE", // required
* // PortRange: { // NetworkAclPortRange
* // From: Number("int"),
* // To: Number("int"),
* // },
* // CidrBlock: "STRING_VALUE",
* // Ipv6CidrBlock: "STRING_VALUE",
* // RuleAction: "allow" || "deny", // required
* // Egress: true || false, // required
* // },
* // ],
* // ForceRemediateForFirstEntries: true || false, // required
* // LastEntries: [
* // {
* // IcmpTypeCode: {
* // Code: Number("int"),
* // Type: Number("int"),
* // },
* // Protocol: "STRING_VALUE", // required
* // PortRange: {
* // From: Number("int"),
* // To: Number("int"),
* // },
* // CidrBlock: "STRING_VALUE",
* // Ipv6CidrBlock: "STRING_VALUE",
* // RuleAction: "allow" || "deny", // required
* // Egress: true || false, // required
* // },
* // ],
* // ForceRemediateForLastEntries: true || false, // required
* // },
* // },
* // },
* // },
* // ResourceType: "STRING_VALUE", // required
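Review bot: The new `NetworkAclCommonPolicy` example introduces two required flags, `ForceRemediateForFirstEntries` and `ForceRemediateForLastEntries`, without a word on what forcing remediation does to the network ACL entries a member account already has; for an organization-wide control that rewrites VPC NACLs, that is the setting a reader of this example most needs explained before setting it to `true`. The same applies to the split between `FirstEntries` and `LastEntries`, which are shown with an identical entry shape and no indication of how they are ordered relative to existing entries, and to `CidrBlock` / `Ipv6CidrBlock`, which both appear optional with nothing saying whether one of them is required per entry. Since this is generated SDK documentation, a one-line pointer is probably all that fits, e.g. above `NetworkAclCommonPolicy`: `* // See the Firewall Manager docs for how FirstEntries/LastEntries are placed relative to existing NACL entries and which entries ForceRemediate* may overwrite.`. The enclosing GetPolicyCommandOutput doc comment continues outside the hunk.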
Expand Up @@ -47,7 +47,7 @@ export interface GetProtectionStatusCommandOutput extends GetProtectionStatusRes
* const response = await client.send(command);
* // { // GetProtectionStatusResponse
* // AdminAccountId: "STRING_VALUE",
* // ServiceType: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL",
* // ServiceType: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON",
* // Data: "STRING_VALUE",
* // NextToken: "STRING_VALUE",
* // };