feat(client-fms): AWS Firewall Manager adds support for network ACL p…

…olicies to manage Amazon Virtual Private Cloud (VPC) network access control lists (ACLs) for accounts in your organization.
aws · Apr 25, 2024 · 75febc1 · 75febc1
1 parent c7872e2
commit 75febc1
Show file tree

Hide file tree

Showing 11 changed files with 1,451 additions and 125 deletions.
diff --git a/clients/client-fms/src/commands/GetAdminScopeCommand.ts b/clients/client-fms/src/commands/GetAdminScopeCommand.ts
@@ -27,7 +27,7 @@ export interface GetAdminScopeCommandInput extends GetAdminScopeRequest {}
 export interface GetAdminScopeCommandOutput extends GetAdminScopeResponse, __MetadataBearer {}
 
 /**
- * <p>Returns information about the specified account's administrative scope. The admistrative scope defines the resources that an Firewall Manager administrator can manage.</p>
+ * <p>Returns information about the specified account's administrative scope. The administrative scope defines the resources that an Firewall Manager administrator can manage.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -63,7 +63,7 @@ export interface GetAdminScopeCommandOutput extends GetAdminScopeResponse, __Met
  * // },
  * // PolicyTypeScope: { // PolicyTypeScope
  * // PolicyTypes: [ // SecurityServiceTypeList
- * // "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL",
+ * // "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON",
  * // ],
  * // AllPolicyTypesEnabled: true || false,
  * // },

diff --git a/clients/client-fms/src/commands/GetComplianceDetailCommand.ts b/clients/client-fms/src/commands/GetComplianceDetailCommand.ts
@@ -29,28 +29,7 @@ export interface GetComplianceDetailCommandOutput extends GetComplianceDetailRes
 /**
  * <p>Returns detailed compliance information about the specified member account. Details
  * include resources that are in and out of compliance with the specified policy. </p>
- * <ul>
- * <li>
- * <p>Resources are
- * considered noncompliant for WAF and Shield Advanced policies if the specified policy has
- * not been applied to them.</p>
- * </li>
- * <li>
- * <p>Resources are considered noncompliant for security group policies if
- * they are in scope of the policy, they violate one or more of the policy rules, and remediation
- * is disabled or not possible.</p>
- * </li>
- * <li>
- * <p>Resources are considered noncompliant for Network Firewall policies
- * if a firewall is missing in the VPC, if the firewall endpoint isn't set up in an expected Availability Zone and subnet,
- * if a subnet created by the Firewall Manager doesn't have the expected route table,
- * and for modifications to a firewall policy that violate the Firewall Manager policy's rules.</p>
- * </li>
- * <li>
- * <p>Resources are considered noncompliant for DNS Firewall policies
- * if a DNS Firewall rule group is missing from the rule group associations for the VPC. </p>
- * </li>
- * </ul>
+ * <p>The reasons for resources being considered compliant depend on the Firewall Manager policy type. </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -71,7 +50,7 @@ export interface GetComplianceDetailCommandOutput extends GetComplianceDetailRes
  * // Violators: [ // ComplianceViolators
  * // { // ComplianceViolator
  * // ResourceId: "STRING_VALUE",
- * // ViolationReason: "WEB_ACL_MISSING_RULE_GROUP" || "RESOURCE_MISSING_WEB_ACL" || "RESOURCE_INCORRECT_WEB_ACL" || "RESOURCE_MISSING_SHIELD_PROTECTION" || "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION" || "RESOURCE_MISSING_SECURITY_GROUP" || "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP" || "SECURITY_GROUP_UNUSED" || "SECURITY_GROUP_REDUNDANT" || "FMS_CREATED_SECURITY_GROUP_EDITED" || "MISSING_FIREWALL" || "MISSING_FIREWALL_SUBNET_IN_AZ" || "MISSING_EXPECTED_ROUTE_TABLE" || "NETWORK_FIREWALL_POLICY_MODIFIED" || "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" || "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE" || "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE" || "UNEXPECTED_FIREWALL_ROUTES" || "UNEXPECTED_TARGET_GATEWAY_ROUTES" || "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY" || "INVALID_ROUTE_CONFIGURATION" || "MISSING_TARGET_GATEWAY" || "INTERNET_TRAFFIC_NOT_INSPECTED" || "BLACK_HOLE_ROUTE_DETECTED" || "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" || "RESOURCE_MISSING_DNS_FIREWALL" || "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" || "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT",
+ * // ViolationReason: "WEB_ACL_MISSING_RULE_GROUP" || "RESOURCE_MISSING_WEB_ACL" || "RESOURCE_INCORRECT_WEB_ACL" || "RESOURCE_MISSING_SHIELD_PROTECTION" || "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION" || "RESOURCE_MISSING_SECURITY_GROUP" || "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP" || "SECURITY_GROUP_UNUSED" || "SECURITY_GROUP_REDUNDANT" || "FMS_CREATED_SECURITY_GROUP_EDITED" || "MISSING_FIREWALL" || "MISSING_FIREWALL_SUBNET_IN_AZ" || "MISSING_EXPECTED_ROUTE_TABLE" || "NETWORK_FIREWALL_POLICY_MODIFIED" || "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" || "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE" || "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE" || "UNEXPECTED_FIREWALL_ROUTES" || "UNEXPECTED_TARGET_GATEWAY_ROUTES" || "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY" || "INVALID_ROUTE_CONFIGURATION" || "MISSING_TARGET_GATEWAY" || "INTERNET_TRAFFIC_NOT_INSPECTED" || "BLACK_HOLE_ROUTE_DETECTED" || "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" || "RESOURCE_MISSING_DNS_FIREWALL" || "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" || "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT" || "INVALID_NETWORK_ACL_ENTRY",
  * // ResourceType: "STRING_VALUE",
  * // Metadata: { // ComplianceViolatorMetadata
  * // "<keys>": "STRING_VALUE",

diff --git a/clients/client-fms/src/commands/GetPolicyCommand.ts b/clients/client-fms/src/commands/GetPolicyCommand.ts
@@ -45,7 +45,7 @@ export interface GetPolicyCommandOutput extends GetPolicyResponse, __MetadataBea
  * // PolicyName: "STRING_VALUE", // required
  * // PolicyUpdateToken: "STRING_VALUE",
  * // SecurityServicePolicyData: { // SecurityServicePolicyData
- * // Type: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL", // required
+ * // Type: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON", // required
  * // ManagedServiceData: "STRING_VALUE",
  * // PolicyOption: { // PolicyOption
  * // NetworkFirewallPolicy: { // NetworkFirewallPolicy
@@ -54,6 +54,46 @@ export interface GetPolicyCommandOutput extends GetPolicyResponse, __MetadataBea
  * // ThirdPartyFirewallPolicy: { // ThirdPartyFirewallPolicy
  * // FirewallDeploymentModel: "CENTRALIZED" || "DISTRIBUTED",
  * // },
+ * // NetworkAclCommonPolicy: { // NetworkAclCommonPolicy
+ * // NetworkAclEntrySet: { // NetworkAclEntrySet
+ * // FirstEntries: [ // NetworkAclEntries
+ * // { // NetworkAclEntry
+ * // IcmpTypeCode: { // NetworkAclIcmpTypeCode
+ * // Code: Number("int"),
+ * // Type: Number("int"),
+ * // },
+ * // Protocol: "STRING_VALUE", // required
+ * // PortRange: { // NetworkAclPortRange
+ * // From: Number("int"),
+ * // To: Number("int"),
+ * // },
+ * // CidrBlock: "STRING_VALUE",
+ * // Ipv6CidrBlock: "STRING_VALUE",
+ * // RuleAction: "allow" || "deny", // required
+ * // Egress: true || false, // required
+ * // },
+ * // ],
+ * // ForceRemediateForFirstEntries: true || false, // required
+ * // LastEntries: [
+ * // {
+ * // IcmpTypeCode: {
+ * // Code: Number("int"),
+ * // Type: Number("int"),
+ * // },
+ * // Protocol: "STRING_VALUE", // required
+ * // PortRange: {
+ * // From: Number("int"),
+ * // To: Number("int"),
+ * // },
+ * // CidrBlock: "STRING_VALUE",
+ * // Ipv6CidrBlock: "STRING_VALUE",
+ * // RuleAction: "allow" || "deny", // required
+ * // Egress: true || false, // required
+ * // },
+ * // ],
+ * // ForceRemediateForLastEntries: true || false, // required
+ * // },
+ * // },
  * // },
  * // },
  * // ResourceType: "STRING_VALUE", // required

diff --git a/clients/client-fms/src/commands/GetProtectionStatusCommand.ts b/clients/client-fms/src/commands/GetProtectionStatusCommand.ts
@@ -47,7 +47,7 @@ export interface GetProtectionStatusCommandOutput extends GetProtectionStatusRes
  * const response = await client.send(command);
  * // { // GetProtectionStatusResponse
  * // AdminAccountId: "STRING_VALUE",
- * // ServiceType: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL",
+ * // ServiceType: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON",
  * // Data: "STRING_VALUE",
  * // NextToken: "STRING_VALUE",
  * // };