feat(client-fms): AWS Firewall Manager adds support for network ACL policies to manage Amazon Virtual Private Cloud (VPC) network access control lists (ACLs) for accounts in your organization.

Author: awstools

clients/client-fms/src/commands/GetAdminScopeCommand.ts

@@ -27,7 +27,7 @@ export interface GetAdminScopeCommandInput extends GetAdminScopeRequest {}
 export interface GetAdminScopeCommandOutput extends GetAdminScopeResponse, __MetadataBearer {}
 
 /**
- * <p>Returns information about the specified account's administrative scope. The admistrative scope defines the resources that an Firewall Manager administrator can manage.</p>
+ * <p>Returns information about the specified account's administrative scope. The administrative scope defines the resources that an Firewall Manager administrator can manage.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -63,7 +63,7 @@ export interface GetAdminScopeCommandOutput extends GetAdminScopeResponse, __Met
  * //     },
  * //     PolicyTypeScope: { // PolicyTypeScope
  * //       PolicyTypes: [ // SecurityServiceTypeList
- * //         "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL",
+ * //         "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON",
  * //       ],
  * //       AllPolicyTypesEnabled: true || false,
  * //     },

clients/client-fms/src/commands/GetComplianceDetailCommand.ts

@@ -29,28 +29,7 @@ export interface GetComplianceDetailCommandOutput extends GetComplianceDetailRes
 /**
  * <p>Returns detailed compliance information about the specified member account. Details
  *       include resources that are in and out of compliance with the specified policy. </p>
- *          <ul>
- *             <li>
- *                <p>Resources are
- *               considered noncompliant for WAF and Shield Advanced policies if the specified policy has
- *               not been applied to them.</p>
- *             </li>
- *             <li>
- *                <p>Resources are considered noncompliant for security group policies if
- *               they are in scope of the policy, they violate one or more of the policy rules, and remediation
- *               is disabled or not possible.</p>
- *             </li>
- *             <li>
- *                <p>Resources are considered noncompliant for Network Firewall policies
- *                 if a firewall is missing in the VPC, if the firewall endpoint isn't set up in an expected Availability Zone and subnet,
- *                 if a subnet created by the Firewall Manager doesn't have the expected route table,
- *                 and for modifications to a firewall policy that violate the Firewall Manager policy's rules.</p>
- *             </li>
- *             <li>
- *                <p>Resources are considered noncompliant for DNS Firewall policies
- *               if a DNS Firewall rule group is missing from the rule group associations for the VPC. </p>
- *             </li>
- *          </ul>
+ *          <p>The reasons for resources being considered compliant depend on the Firewall Manager policy type. </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -71,7 +50,7 @@ export interface GetComplianceDetailCommandOutput extends GetComplianceDetailRes
  * //     Violators: [ // ComplianceViolators
  * //       { // ComplianceViolator
  * //         ResourceId: "STRING_VALUE",
- * //         ViolationReason: "WEB_ACL_MISSING_RULE_GROUP" || "RESOURCE_MISSING_WEB_ACL" || "RESOURCE_INCORRECT_WEB_ACL" || "RESOURCE_MISSING_SHIELD_PROTECTION" || "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION" || "RESOURCE_MISSING_SECURITY_GROUP" || "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP" || "SECURITY_GROUP_UNUSED" || "SECURITY_GROUP_REDUNDANT" || "FMS_CREATED_SECURITY_GROUP_EDITED" || "MISSING_FIREWALL" || "MISSING_FIREWALL_SUBNET_IN_AZ" || "MISSING_EXPECTED_ROUTE_TABLE" || "NETWORK_FIREWALL_POLICY_MODIFIED" || "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" || "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE" || "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE" || "UNEXPECTED_FIREWALL_ROUTES" || "UNEXPECTED_TARGET_GATEWAY_ROUTES" || "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY" || "INVALID_ROUTE_CONFIGURATION" || "MISSING_TARGET_GATEWAY" || "INTERNET_TRAFFIC_NOT_INSPECTED" || "BLACK_HOLE_ROUTE_DETECTED" || "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" || "RESOURCE_MISSING_DNS_FIREWALL" || "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" || "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT",
+ * //         ViolationReason: "WEB_ACL_MISSING_RULE_GROUP" || "RESOURCE_MISSING_WEB_ACL" || "RESOURCE_INCORRECT_WEB_ACL" || "RESOURCE_MISSING_SHIELD_PROTECTION" || "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION" || "RESOURCE_MISSING_SECURITY_GROUP" || "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP" || "SECURITY_GROUP_UNUSED" || "SECURITY_GROUP_REDUNDANT" || "FMS_CREATED_SECURITY_GROUP_EDITED" || "MISSING_FIREWALL" || "MISSING_FIREWALL_SUBNET_IN_AZ" || "MISSING_EXPECTED_ROUTE_TABLE" || "NETWORK_FIREWALL_POLICY_MODIFIED" || "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" || "INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE" || "FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE" || "UNEXPECTED_FIREWALL_ROUTES" || "UNEXPECTED_TARGET_GATEWAY_ROUTES" || "TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY" || "INVALID_ROUTE_CONFIGURATION" || "MISSING_TARGET_GATEWAY" || "INTERNET_TRAFFIC_NOT_INSPECTED" || "BLACK_HOLE_ROUTE_DETECTED" || "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" || "RESOURCE_MISSING_DNS_FIREWALL" || "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" || "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT" || "INVALID_NETWORK_ACL_ENTRY",
  * //         ResourceType: "STRING_VALUE",
  * //         Metadata: { // ComplianceViolatorMetadata
  * //           "<keys>": "STRING_VALUE",

clients/client-fms/src/commands/GetPolicyCommand.ts

@@ -45,7 +45,7 @@ export interface GetPolicyCommandOutput extends GetPolicyResponse, __MetadataBea
  * //     PolicyName: "STRING_VALUE", // required
  * //     PolicyUpdateToken: "STRING_VALUE",
  * //     SecurityServicePolicyData: { // SecurityServicePolicyData
- * //       Type: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL", // required
+ * //       Type: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON", // required
  * //       ManagedServiceData: "STRING_VALUE",
  * //       PolicyOption: { // PolicyOption
  * //         NetworkFirewallPolicy: { // NetworkFirewallPolicy
@@ -54,6 +54,46 @@ export interface GetPolicyCommandOutput extends GetPolicyResponse, __MetadataBea
  * //         ThirdPartyFirewallPolicy: { // ThirdPartyFirewallPolicy
  * //           FirewallDeploymentModel: "CENTRALIZED" || "DISTRIBUTED",
  * //         },
+ * //         NetworkAclCommonPolicy: { // NetworkAclCommonPolicy
+ * //           NetworkAclEntrySet: { // NetworkAclEntrySet
+ * //             FirstEntries: [ // NetworkAclEntries
+ * //               { // NetworkAclEntry
+ * //                 IcmpTypeCode: { // NetworkAclIcmpTypeCode
+ * //                   Code: Number("int"),
+ * //                   Type: Number("int"),
+ * //                 },
+ * //                 Protocol: "STRING_VALUE", // required
+ * //                 PortRange: { // NetworkAclPortRange
+ * //                   From: Number("int"),
+ * //                   To: Number("int"),
+ * //                 },
+ * //                 CidrBlock: "STRING_VALUE",
+ * //                 Ipv6CidrBlock: "STRING_VALUE",
+ * //                 RuleAction: "allow" || "deny", // required
+ * //                 Egress: true || false, // required
+ * //               },
+ * //             ],
+ * //             ForceRemediateForFirstEntries: true || false, // required
+ * //             LastEntries: [
+ * //               {
+ * //                 IcmpTypeCode: {
+ * //                   Code: Number("int"),
+ * //                   Type: Number("int"),
+ * //                 },
+ * //                 Protocol: "STRING_VALUE", // required
+ * //                 PortRange: {
+ * //                   From: Number("int"),
+ * //                   To: Number("int"),
+ * //                 },
+ * //                 CidrBlock: "STRING_VALUE",
+ * //                 Ipv6CidrBlock: "STRING_VALUE",
+ * //                 RuleAction: "allow" || "deny", // required
+ * //                 Egress: true || false, // required
+ * //               },
+ * //             ],
+ * //             ForceRemediateForLastEntries: true || false, // required
+ * //           },
+ * //         },
  * //       },
  * //     },
  * //     ResourceType: "STRING_VALUE", // required

clients/client-fms/src/commands/GetProtectionStatusCommand.ts

@@ -47,7 +47,7 @@ export interface GetProtectionStatusCommandOutput extends GetProtectionStatusRes
  * const response = await client.send(command);
  * // { // GetProtectionStatusResponse
  * //   AdminAccountId: "STRING_VALUE",
- * //   ServiceType: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL",
+ * //   ServiceType: "WAF" || "WAFV2" || "SHIELD_ADVANCED" || "SECURITY_GROUPS_COMMON" || "SECURITY_GROUPS_CONTENT_AUDIT" || "SECURITY_GROUPS_USAGE_AUDIT" || "NETWORK_FIREWALL" || "DNS_FIREWALL" || "THIRD_PARTY_FIREWALL" || "IMPORT_NETWORK_FIREWALL" || "NETWORK_ACL_COMMON",
  * //   Data: "STRING_VALUE",
  * //   NextToken: "STRING_VALUE",
  * // };