Copyright | (c) 2013-2023 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
- Service Configuration
- Errors
- InsufficientCapacityException
- InternalServerError
- InvalidOperationException
- InvalidRequestException
- InvalidResourcePolicyException
- InvalidTokenException
- LimitExceededException
- LogDestinationPermissionException
- ResourceNotFoundException
- ResourceOwnerCheckException
- ThrottlingException
- UnsupportedOperationException
- Waiters
- Operations
- AssociateFirewallPolicy
- AssociateSubnets
- CreateFirewall
- CreateFirewallPolicy
- CreateRuleGroup
- DeleteFirewall
- DeleteFirewallPolicy
- DeleteResourcePolicy
- DeleteRuleGroup
- DescribeFirewall
- DescribeFirewallPolicy
- DescribeLoggingConfiguration
- DescribeResourcePolicy
- DescribeRuleGroup
- DescribeRuleGroupMetadata
- DisassociateSubnets
- ListFirewallPolicies (Paginated)
- ListFirewalls (Paginated)
- ListRuleGroups (Paginated)
- ListTagsForResource (Paginated)
- PutResourcePolicy
- TagResource
- UntagResource
- UpdateFirewallDeleteProtection
- UpdateFirewallDescription
- UpdateFirewallEncryptionConfiguration
- UpdateFirewallPolicy
- UpdateFirewallPolicyChangeProtection
- UpdateLoggingConfiguration
- UpdateRuleGroup
- UpdateSubnetChangeProtection
- Types
- AttachmentStatus
- ConfigurationSyncState
- EncryptionType
- FirewallStatusValue
- GeneratedRulesType
- LogDestinationType
- LogType
- OverrideAction
- PerObjectSyncStatus
- ResourceManagedStatus
- ResourceManagedType
- ResourceStatus
- RuleGroupType
- RuleOrder
- StatefulAction
- StatefulRuleDirection
- StatefulRuleProtocol
- StreamExceptionPolicy
- TCPFlag
- TargetType
- ActionDefinition
- Address
- Attachment
- CIDRSummary
- CapacityUsageSummary
- CustomAction
- Dimension
- EncryptionConfiguration
- Firewall
- FirewallMetadata
- FirewallPolicy
- FirewallPolicyMetadata
- FirewallPolicyResponse
- FirewallStatus
- Header
- IPSet
- IPSetMetadata
- IPSetReference
- LogDestinationConfig
- LoggingConfiguration
- MatchAttributes
- PerObjectStatus
- PortRange
- PortSet
- PublishMetricAction
- ReferenceSets
- RuleDefinition
- RuleGroup
- RuleGroupMetadata
- RuleGroupResponse
- RuleOption
- RuleVariables
- RulesSource
- RulesSourceList
- SourceMetadata
- StatefulEngineOptions
- StatefulRule
- StatefulRuleGroupOverride
- StatefulRuleGroupReference
- StatefulRuleOptions
- StatelessRule
- StatelessRuleGroupReference
- StatelessRulesAndCustomActions
- SubnetMapping
- SyncState
- TCPFlagField
- Tag
Derived from API version 2020-11-12 of the AWS service descriptions, licensed under Apache 2.0.
This is the API Reference for Network Firewall. This guide is for developers who need detailed information about the Network Firewall API actions, data types, and errors.
The REST API requires you to handle connection details, such as calculating signatures, handling request retries, and error handling. For general information about using the Amazon Web Services REST APIs, see Amazon Web Services APIs.
- To access Network Firewall using the REST API endpoint: https://network-firewall.<region>.amazonaws.com
- Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
- For descriptions of Network Firewall features, including step-by-step instructions on how to use them through the Network Firewall console, see the Network Firewall Developer Guide.
Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source network analysis and threat detection engine. Network Firewall supports Suricata version 5.0.2. For information about Suricata, see the Suricata website.
You can use Network Firewall to monitor and protect your VPC traffic in a number of ways. The following are just a few examples:
- Allow domains or IP addresses for known Amazon Web Services service endpoints, such as Amazon S3, and block all other forms of traffic.
- Use custom lists of known bad domains to limit the types of domain names that your applications can access.
- Perform deep packet inspection on traffic entering or leaving your VPC.
- Use stateful protocol detection to filter protocols like HTTPS, regardless of the port used.
To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in Network Firewall. For information about using Amazon VPC, see Amazon VPC User Guide.
To start using Network Firewall, do the following:
- (Optional) If you don't already have a VPC that you want to protect, create it in Amazon VPC.
- In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a subnet for the sole use of Network Firewall.
- In Network Firewall, create stateless and stateful rule groups, to define the components of the network traffic filtering behavior that you want your firewall to have.
- In Network Firewall, create a firewall policy that uses your rule groups and specifies additional default traffic filtering behavior.
- In Network Firewall, create a firewall and specify your new firewall policy and VPC subnets. Network Firewall creates a firewall endpoint in each subnet that you specify, with the behavior that's defined in the firewall policy.
- In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall endpoints.
Synopsis
- defaultService :: Service
- _InsufficientCapacityException :: AsError a => Fold a ServiceError
- _InternalServerError :: AsError a => Fold a ServiceError
- _InvalidOperationException :: AsError a => Fold a ServiceError
- _InvalidRequestException :: AsError a => Fold a ServiceError
- _InvalidResourcePolicyException :: AsError a => Fold a ServiceError
- _InvalidTokenException :: AsError a => Fold a ServiceError
- _LimitExceededException :: AsError a => Fold a ServiceError
- _LogDestinationPermissionException :: AsError a => Fold a ServiceError
- _ResourceNotFoundException :: AsError a => Fold a ServiceError
- _ResourceOwnerCheckException :: AsError a => Fold a ServiceError
- _ThrottlingException :: AsError a => Fold a ServiceError
- _UnsupportedOperationException :: AsError a => Fold a ServiceError
- data AssociateFirewallPolicy = AssociateFirewallPolicy' (Maybe Text) (Maybe Text) (Maybe Text) Text
- newAssociateFirewallPolicy :: Text -> AssociateFirewallPolicy
- data AssociateFirewallPolicyResponse = AssociateFirewallPolicyResponse' (Maybe Text) (Maybe Text) (Maybe Text) (Maybe Text) Int
- newAssociateFirewallPolicyResponse :: Int -> AssociateFirewallPolicyResponse
- data AssociateSubnets = AssociateSubnets' (Maybe Text) (Maybe Text) (Maybe Text) [SubnetMapping]
- newAssociateSubnets :: AssociateSubnets
- data AssociateSubnetsResponse = AssociateSubnetsResponse' (Maybe Text) (Maybe Text) (Maybe [SubnetMapping]) (Maybe Text) Int
- newAssociateSubnetsResponse :: Int -> AssociateSubnetsResponse
- data CreateFirewall = CreateFirewall' (Maybe Bool) (Maybe Text) (Maybe EncryptionConfiguration) (Maybe Bool) (Maybe Bool) (Maybe (NonEmpty Tag)) Text Text Text [SubnetMapping]
- newCreateFirewall :: Text -> Text -> Text -> CreateFirewall
- data CreateFirewallResponse = CreateFirewallResponse' (Maybe Firewall) (Maybe FirewallStatus) Int
- newCreateFirewallResponse :: Int -> CreateFirewallResponse
- data CreateFirewallPolicy = CreateFirewallPolicy' (Maybe Text) (Maybe Bool) (Maybe EncryptionConfiguration) (Maybe (NonEmpty Tag)) Text FirewallPolicy
- newCreateFirewallPolicy :: Text -> FirewallPolicy -> CreateFirewallPolicy
- data CreateFirewallPolicyResponse = CreateFirewallPolicyResponse' Int Text FirewallPolicyResponse
- newCreateFirewallPolicyResponse :: Int -> Text -> FirewallPolicyResponse -> CreateFirewallPolicyResponse
- data CreateRuleGroup = CreateRuleGroup' (Maybe Text) (Maybe Bool) (Maybe EncryptionConfiguration) (Maybe RuleGroup) (Maybe Text) (Maybe SourceMetadata) (Maybe (NonEmpty Tag)) Text RuleGroupType Int
- newCreateRuleGroup :: Text -> RuleGroupType -> Int -> CreateRuleGroup
- data CreateRuleGroupResponse = CreateRuleGroupResponse' Int Text RuleGroupResponse
- newCreateRuleGroupResponse :: Int -> Text -> RuleGroupResponse -> CreateRuleGroupResponse
- data DeleteFirewall = DeleteFirewall' (Maybe Text) (Maybe Text)
- newDeleteFirewall :: DeleteFirewall
- data DeleteFirewallResponse = DeleteFirewallResponse' (Maybe Firewall) (Maybe FirewallStatus) Int
- newDeleteFirewallResponse :: Int -> DeleteFirewallResponse
- data DeleteFirewallPolicy = DeleteFirewallPolicy' (Maybe Text) (Maybe Text)
- newDeleteFirewallPolicy :: DeleteFirewallPolicy
- data DeleteFirewallPolicyResponse = DeleteFirewallPolicyResponse' Int FirewallPolicyResponse
- newDeleteFirewallPolicyResponse :: Int -> FirewallPolicyResponse -> DeleteFirewallPolicyResponse
- data DeleteResourcePolicy = DeleteResourcePolicy' Text
- newDeleteResourcePolicy :: Text -> DeleteResourcePolicy
- data DeleteResourcePolicyResponse = DeleteResourcePolicyResponse' Int
- newDeleteResourcePolicyResponse :: Int -> DeleteResourcePolicyResponse
- data DeleteRuleGroup = DeleteRuleGroup' (Maybe Text) (Maybe Text) (Maybe RuleGroupType)
- newDeleteRuleGroup :: DeleteRuleGroup
- data DeleteRuleGroupResponse = DeleteRuleGroupResponse' Int RuleGroupResponse
- newDeleteRuleGroupResponse :: Int -> RuleGroupResponse -> DeleteRuleGroupResponse
- data DescribeFirewall = DescribeFirewall' (Maybe Text) (Maybe Text)
- newDescribeFirewall :: DescribeFirewall
- data DescribeFirewallResponse = DescribeFirewallResponse' (Maybe Firewall) (Maybe FirewallStatus) (Maybe Text) Int
- newDescribeFirewallResponse :: Int -> DescribeFirewallResponse
- data DescribeFirewallPolicy = DescribeFirewallPolicy' (Maybe Text) (Maybe Text)
- newDescribeFirewallPolicy :: DescribeFirewallPolicy
- data DescribeFirewallPolicyResponse = DescribeFirewallPolicyResponse' (Maybe FirewallPolicy) Int Text FirewallPolicyResponse
- newDescribeFirewallPolicyResponse :: Int -> Text -> FirewallPolicyResponse -> DescribeFirewallPolicyResponse
- data DescribeLoggingConfiguration = DescribeLoggingConfiguration' (Maybe Text) (Maybe Text)
- newDescribeLoggingConfiguration :: DescribeLoggingConfiguration
- data DescribeLoggingConfigurationResponse = DescribeLoggingConfigurationResponse' (Maybe Text) (Maybe LoggingConfiguration) Int
- newDescribeLoggingConfigurationResponse :: Int -> DescribeLoggingConfigurationResponse
- data DescribeResourcePolicy = DescribeResourcePolicy' Text
- newDescribeResourcePolicy :: Text -> DescribeResourcePolicy
- data DescribeResourcePolicyResponse = DescribeResourcePolicyResponse' (Maybe Text) Int
- newDescribeResourcePolicyResponse :: Int -> DescribeResourcePolicyResponse
- data DescribeRuleGroup = DescribeRuleGroup' (Maybe Text) (Maybe Text) (Maybe RuleGroupType)
- newDescribeRuleGroup :: DescribeRuleGroup
- data DescribeRuleGroupResponse = DescribeRuleGroupResponse' (Maybe RuleGroup) Int Text RuleGroupResponse
- newDescribeRuleGroupResponse :: Int -> Text -> RuleGroupResponse -> DescribeRuleGroupResponse
- data DescribeRuleGroupMetadata = DescribeRuleGroupMetadata' (Maybe Text) (Maybe Text) (Maybe RuleGroupType)
- newDescribeRuleGroupMetadata :: DescribeRuleGroupMetadata
- data DescribeRuleGroupMetadataResponse = DescribeRuleGroupMetadataResponse' (Maybe Int) (Maybe Text) (Maybe POSIX) (Maybe StatefulRuleOptions) (Maybe RuleGroupType) Int Text Text
- newDescribeRuleGroupMetadataResponse :: Int -> Text -> Text -> DescribeRuleGroupMetadataResponse
- data DisassociateSubnets = DisassociateSubnets' (Maybe Text) (Maybe Text) (Maybe Text) [Text]
- newDisassociateSubnets :: DisassociateSubnets
- data DisassociateSubnetsResponse = DisassociateSubnetsResponse' (Maybe Text) (Maybe Text) (Maybe [SubnetMapping]) (Maybe Text) Int
- newDisassociateSubnetsResponse :: Int -> DisassociateSubnetsResponse
- data ListFirewallPolicies = ListFirewallPolicies' (Maybe Natural) (Maybe Text)
- newListFirewallPolicies :: ListFirewallPolicies
- data ListFirewallPoliciesResponse = ListFirewallPoliciesResponse' (Maybe [FirewallPolicyMetadata]) (Maybe Text) Int
- newListFirewallPoliciesResponse :: Int -> ListFirewallPoliciesResponse
- data ListFirewalls = ListFirewalls' (Maybe Natural) (Maybe Text) (Maybe [Text])
- newListFirewalls :: ListFirewalls
- data ListFirewallsResponse = ListFirewallsResponse' (Maybe [FirewallMetadata]) (Maybe Text) Int
- newListFirewallsResponse :: Int -> ListFirewallsResponse
- data ListRuleGroups = ListRuleGroups' (Maybe ResourceManagedType) (Maybe Natural) (Maybe Text) (Maybe ResourceManagedStatus) (Maybe RuleGroupType)
- newListRuleGroups :: ListRuleGroups
- data ListRuleGroupsResponse = ListRuleGroupsResponse' (Maybe Text) (Maybe [RuleGroupMetadata]) Int
- newListRuleGroupsResponse :: Int -> ListRuleGroupsResponse
- data ListTagsForResource = ListTagsForResource' (Maybe Natural) (Maybe Text) Text
- newListTagsForResource :: Text -> ListTagsForResource
- data ListTagsForResourceResponse = ListTagsForResourceResponse' (Maybe Text) (Maybe (NonEmpty Tag)) Int
- newListTagsForResourceResponse :: Int -> ListTagsForResourceResponse
- data PutResourcePolicy = PutResourcePolicy' Text Text
- newPutResourcePolicy :: Text -> Text -> PutResourcePolicy
- data PutResourcePolicyResponse = PutResourcePolicyResponse' Int
- newPutResourcePolicyResponse :: Int -> PutResourcePolicyResponse
- data TagResource = TagResource' Text (NonEmpty Tag)
- newTagResource :: Text -> NonEmpty Tag -> TagResource
- data TagResourceResponse = TagResourceResponse' Int
- newTagResourceResponse :: Int -> TagResourceResponse
- data UntagResource = UntagResource' Text (NonEmpty Text)
- newUntagResource :: Text -> NonEmpty Text -> UntagResource
- data UntagResourceResponse = UntagResourceResponse' Int
- newUntagResourceResponse :: Int -> UntagResourceResponse
- data UpdateFirewallDeleteProtection = UpdateFirewallDeleteProtection' (Maybe Text) (Maybe Text) (Maybe Text) Bool
- newUpdateFirewallDeleteProtection :: Bool -> UpdateFirewallDeleteProtection
- data UpdateFirewallDeleteProtectionResponse = UpdateFirewallDeleteProtectionResponse' (Maybe Bool) (Maybe Text) (Maybe Text) (Maybe Text) Int
- newUpdateFirewallDeleteProtectionResponse :: Int -> UpdateFirewallDeleteProtectionResponse
- data UpdateFirewallDescription = UpdateFirewallDescription' (Maybe Text) (Maybe Text) (Maybe Text) (Maybe Text)
- newUpdateFirewallDescription :: UpdateFirewallDescription
- data UpdateFirewallDescriptionResponse = UpdateFirewallDescriptionResponse' (Maybe Text) (Maybe Text) (Maybe Text) (Maybe Text) Int
- newUpdateFirewallDescriptionResponse :: Int -> UpdateFirewallDescriptionResponse
- data UpdateFirewallEncryptionConfiguration = UpdateFirewallEncryptionConfiguration' (Maybe EncryptionConfiguration) (Maybe Text) (Maybe Text) (Maybe Text)
- newUpdateFirewallEncryptionConfiguration :: UpdateFirewallEncryptionConfiguration
- data UpdateFirewallEncryptionConfigurationResponse = UpdateFirewallEncryptionConfigurationResponse' (Maybe EncryptionConfiguration) (Maybe Text) (Maybe Text) (Maybe Text) Int
- newUpdateFirewallEncryptionConfigurationResponse :: Int -> UpdateFirewallEncryptionConfigurationResponse
- data UpdateFirewallPolicy = UpdateFirewallPolicy' (Maybe Text) (Maybe Bool) (Maybe EncryptionConfiguration) (Maybe Text) (Maybe Text) Text FirewallPolicy
- newUpdateFirewallPolicy :: Text -> FirewallPolicy -> UpdateFirewallPolicy
- data UpdateFirewallPolicyResponse = UpdateFirewallPolicyResponse' Int Text FirewallPolicyResponse
- newUpdateFirewallPolicyResponse :: Int -> Text -> FirewallPolicyResponse -> UpdateFirewallPolicyResponse
- data UpdateFirewallPolicyChangeProtection = UpdateFirewallPolicyChangeProtection' (Maybe Text) (Maybe Text) (Maybe Text) Bool
- newUpdateFirewallPolicyChangeProtection :: Bool -> UpdateFirewallPolicyChangeProtection
- data UpdateFirewallPolicyChangeProtectionResponse = UpdateFirewallPolicyChangeProtectionResponse' (Maybe Text) (Maybe Text) (Maybe Bool) (Maybe Text) Int
- newUpdateFirewallPolicyChangeProtectionResponse :: Int -> UpdateFirewallPolicyChangeProtectionResponse
- data UpdateLoggingConfiguration = UpdateLoggingConfiguration' (Maybe Text) (Maybe Text) (Maybe LoggingConfiguration)
- newUpdateLoggingConfiguration :: UpdateLoggingConfiguration
- data UpdateLoggingConfigurationResponse = UpdateLoggingConfigurationResponse' (Maybe Text) (Maybe Text) (Maybe LoggingConfiguration) Int
- newUpdateLoggingConfigurationResponse :: Int -> UpdateLoggingConfigurationResponse
- data UpdateRuleGroup = UpdateRuleGroup' (Maybe Text) (Maybe Bool) (Maybe EncryptionConfiguration) (Maybe RuleGroup) (Maybe Text) (Maybe Text) (Maybe Text) (Maybe SourceMetadata) (Maybe RuleGroupType) Text
- newUpdateRuleGroup :: Text -> UpdateRuleGroup
- data UpdateRuleGroupResponse = UpdateRuleGroupResponse' Int Text RuleGroupResponse
- newUpdateRuleGroupResponse :: Int -> Text -> RuleGroupResponse -> UpdateRuleGroupResponse
- data UpdateSubnetChangeProtection = UpdateSubnetChangeProtection' (Maybe Text) (Maybe Text) (Maybe Text) Bool
- newUpdateSubnetChangeProtection :: Bool -> UpdateSubnetChangeProtection
- data UpdateSubnetChangeProtectionResponse = UpdateSubnetChangeProtectionResponse' (Maybe Text) (Maybe Text) (Maybe Bool) (Maybe Text) Int
- newUpdateSubnetChangeProtectionResponse :: Int -> UpdateSubnetChangeProtectionResponse
- newtype AttachmentStatus where
- AttachmentStatus' { }
- pattern AttachmentStatus_CREATING :: AttachmentStatus
- pattern AttachmentStatus_DELETING :: AttachmentStatus
- pattern AttachmentStatus_READY :: AttachmentStatus
- pattern AttachmentStatus_SCALING :: AttachmentStatus
- newtype ConfigurationSyncState where
- newtype EncryptionType where
- EncryptionType' { }
- pattern EncryptionType_AWS_OWNED_KMS_KEY :: EncryptionType
- pattern EncryptionType_CUSTOMER_KMS :: EncryptionType
- newtype FirewallStatusValue where
- newtype GeneratedRulesType where
- newtype LogDestinationType where
- newtype LogType where
- LogType' { fromLogType :: Text }
- pattern LogType_ALERT :: LogType
- pattern LogType_FLOW :: LogType
- newtype OverrideAction where
- OverrideAction' { }
- pattern OverrideAction_DROP_TO_ALERT :: OverrideAction
- newtype PerObjectSyncStatus where
- newtype ResourceManagedStatus where
- newtype ResourceManagedType where
- newtype ResourceStatus where
- ResourceStatus' { }
- pattern ResourceStatus_ACTIVE :: ResourceStatus
- pattern ResourceStatus_DELETING :: ResourceStatus
- newtype RuleGroupType where
- RuleGroupType' { }
- pattern RuleGroupType_STATEFUL :: RuleGroupType
- pattern RuleGroupType_STATELESS :: RuleGroupType
- newtype RuleOrder where
- RuleOrder' { }
- pattern RuleOrder_DEFAULT_ACTION_ORDER :: RuleOrder
- pattern RuleOrder_STRICT_ORDER :: RuleOrder
- newtype StatefulAction where
- StatefulAction' { }
- pattern StatefulAction_ALERT :: StatefulAction
- pattern StatefulAction_DROP :: StatefulAction
- pattern StatefulAction_PASS :: StatefulAction
- newtype StatefulRuleDirection where
- newtype StatefulRuleProtocol where
- StatefulRuleProtocol' { }
- pattern StatefulRuleProtocol_DCERPC :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_DHCP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_DNS :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_FTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_HTTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_ICMP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IKEV2 :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IMAP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_KRB5 :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_MSN :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_NTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SMB :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SMTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SSH :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TCP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TFTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TLS :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_UDP :: StatefulRuleProtocol
- newtype StreamExceptionPolicy where
- newtype TCPFlag where
- TCPFlag' { fromTCPFlag :: Text }
- pattern TCPFlag_ACK :: TCPFlag
- pattern TCPFlag_CWR :: TCPFlag
- pattern TCPFlag_ECE :: TCPFlag
- pattern TCPFlag_FIN :: TCPFlag
- pattern TCPFlag_PSH :: TCPFlag
- pattern TCPFlag_RST :: TCPFlag
- pattern TCPFlag_SYN :: TCPFlag
- pattern TCPFlag_URG :: TCPFlag
- newtype TargetType where
- TargetType' { }
- pattern TargetType_HTTP_HOST :: TargetType
- pattern TargetType_TLS_SNI :: TargetType
- data ActionDefinition = ActionDefinition' (Maybe PublishMetricAction)
- newActionDefinition :: ActionDefinition
- data Address = Address' Text
- newAddress :: Text -> Address
- data Attachment = Attachment' (Maybe Text) (Maybe AttachmentStatus) (Maybe Text) (Maybe Text)
- newAttachment :: Attachment
- data CIDRSummary = CIDRSummary' (Maybe Natural) (Maybe (HashMap Text IPSetMetadata)) (Maybe Natural)
- newCIDRSummary :: CIDRSummary
- data CapacityUsageSummary = CapacityUsageSummary' (Maybe CIDRSummary)
- newCapacityUsageSummary :: CapacityUsageSummary
- data CustomAction = CustomAction' Text ActionDefinition
- newCustomAction :: Text -> ActionDefinition -> CustomAction
- data Dimension = Dimension' Text
- newDimension :: Text -> Dimension
- data EncryptionConfiguration = EncryptionConfiguration' (Maybe Text) EncryptionType
- newEncryptionConfiguration :: EncryptionType -> EncryptionConfiguration
- data Firewall = Firewall' (Maybe Bool) (Maybe Text) (Maybe EncryptionConfiguration) (Maybe Text) (Maybe Text) (Maybe Bool) (Maybe Bool) (Maybe (NonEmpty Tag)) Text Text [SubnetMapping] Text
- newFirewall :: Text -> Text -> Text -> Firewall
- data FirewallMetadata = FirewallMetadata' (Maybe Text) (Maybe Text)
- newFirewallMetadata :: FirewallMetadata
- data FirewallPolicy = FirewallPolicy' (Maybe [Text]) (Maybe StatefulEngineOptions) (Maybe [StatefulRuleGroupReference]) (Maybe [CustomAction]) (Maybe [StatelessRuleGroupReference]) [Text] [Text]
- newFirewallPolicy :: FirewallPolicy
- data FirewallPolicyMetadata = FirewallPolicyMetadata' (Maybe Text) (Maybe Text)
- newFirewallPolicyMetadata :: FirewallPolicyMetadata
- data FirewallPolicyResponse = FirewallPolicyResponse' (Maybe Int) (Maybe Int) (Maybe Text) (Maybe EncryptionConfiguration) (Maybe ResourceStatus) (Maybe POSIX) (Maybe Int) (Maybe (NonEmpty Tag)) Text Text Text
- newFirewallPolicyResponse :: Text -> Text -> Text -> FirewallPolicyResponse
- data FirewallStatus = FirewallStatus' (Maybe CapacityUsageSummary) (Maybe (HashMap Text SyncState)) FirewallStatusValue ConfigurationSyncState
- newFirewallStatus :: FirewallStatusValue -> ConfigurationSyncState -> FirewallStatus
- data Header = Header' StatefulRuleProtocol Text Text StatefulRuleDirection Text Text
- newHeader :: StatefulRuleProtocol -> Text -> Text -> StatefulRuleDirection -> Text -> Text -> Header
- data IPSet = IPSet' [Text]
- newIPSet :: IPSet
- data IPSetMetadata = IPSetMetadata' (Maybe Natural)
- newIPSetMetadata :: IPSetMetadata
- data IPSetReference = IPSetReference' (Maybe Text)
- newIPSetReference :: IPSetReference
- data LogDestinationConfig = LogDestinationConfig' LogType LogDestinationType (HashMap Text Text)
- newLogDestinationConfig :: LogType -> LogDestinationType -> LogDestinationConfig
- data LoggingConfiguration = LoggingConfiguration' [LogDestinationConfig]
- newLoggingConfiguration :: LoggingConfiguration
- data MatchAttributes = MatchAttributes' (Maybe [PortRange]) (Maybe [Address]) (Maybe [Natural]) (Maybe [PortRange]) (Maybe [Address]) (Maybe [TCPFlagField])
- newMatchAttributes :: MatchAttributes
- data PerObjectStatus = PerObjectStatus' (Maybe PerObjectSyncStatus) (Maybe Text)
- newPerObjectStatus :: PerObjectStatus
- data PortRange = PortRange' Natural Natural
- newPortRange :: Natural -> Natural -> PortRange
- data PortSet = PortSet' (Maybe [Text])
- newPortSet :: PortSet
- data PublishMetricAction = PublishMetricAction' (NonEmpty Dimension)
- newPublishMetricAction :: NonEmpty Dimension -> PublishMetricAction
- data ReferenceSets = ReferenceSets' (Maybe (HashMap Text IPSetReference))
- newReferenceSets :: ReferenceSets
- data RuleDefinition = RuleDefinition' MatchAttributes [Text]
- newRuleDefinition :: MatchAttributes -> RuleDefinition
- data RuleGroup = RuleGroup' (Maybe ReferenceSets) (Maybe RuleVariables) (Maybe StatefulRuleOptions) RulesSource
- newRuleGroup :: RulesSource -> RuleGroup
- data RuleGroupMetadata = RuleGroupMetadata' (Maybe Text) (Maybe Text)
- newRuleGroupMetadata :: RuleGroupMetadata
- data RuleGroupResponse = RuleGroupResponse' (Maybe Int) (Maybe Int) (Maybe Text) (Maybe EncryptionConfiguration) (Maybe POSIX) (Maybe Int) (Maybe ResourceStatus) (Maybe Text) (Maybe SourceMetadata) (Maybe (NonEmpty Tag)) (Maybe RuleGroupType) Text Text Text
- newRuleGroupResponse :: Text -> Text -> Text -> RuleGroupResponse
- data RuleOption = RuleOption' (Maybe [Text]) Text
- newRuleOption :: Text -> RuleOption
- data RuleVariables = RuleVariables' (Maybe (HashMap Text IPSet)) (Maybe (HashMap Text PortSet))
- newRuleVariables :: RuleVariables
- data RulesSource = RulesSource' (Maybe RulesSourceList) (Maybe Text) (Maybe [StatefulRule]) (Maybe StatelessRulesAndCustomActions)
- newRulesSource :: RulesSource
- data RulesSourceList = RulesSourceList' [Text] [TargetType] GeneratedRulesType
- newRulesSourceList :: GeneratedRulesType -> RulesSourceList
- data SourceMetadata = SourceMetadata' (Maybe Text) (Maybe Text)
- newSourceMetadata :: SourceMetadata
- data StatefulEngineOptions = StatefulEngineOptions' (Maybe RuleOrder) (Maybe StreamExceptionPolicy)
- newStatefulEngineOptions :: StatefulEngineOptions
- data StatefulRule = StatefulRule' StatefulAction Header [RuleOption]
- newStatefulRule :: StatefulAction -> Header -> StatefulRule
- data StatefulRuleGroupOverride = StatefulRuleGroupOverride' (Maybe OverrideAction)
- newStatefulRuleGroupOverride :: StatefulRuleGroupOverride
- data StatefulRuleGroupReference = StatefulRuleGroupReference' (Maybe StatefulRuleGroupOverride) (Maybe Natural) Text
- newStatefulRuleGroupReference :: Text -> StatefulRuleGroupReference
- data StatefulRuleOptions = StatefulRuleOptions' (Maybe RuleOrder)
- newStatefulRuleOptions :: StatefulRuleOptions
- data StatelessRule = StatelessRule' RuleDefinition Natural
- newStatelessRule :: RuleDefinition -> Natural -> StatelessRule
- data StatelessRuleGroupReference = StatelessRuleGroupReference' Text Natural
- newStatelessRuleGroupReference :: Text -> Natural -> StatelessRuleGroupReference
- data StatelessRulesAndCustomActions = StatelessRulesAndCustomActions' (Maybe [CustomAction]) [StatelessRule]
- newStatelessRulesAndCustomActions :: StatelessRulesAndCustomActions
- data SubnetMapping = SubnetMapping' Text
- newSubnetMapping :: Text -> SubnetMapping
- data SyncState = SyncState' (Maybe Attachment) (Maybe (HashMap Text PerObjectStatus))
- newSyncState :: SyncState
- data TCPFlagField = TCPFlagField' (Maybe [TCPFlag]) [TCPFlag]
- newTCPFlagField :: TCPFlagField
- data Tag = Tag' Text Text
- newTag :: Text -> Text -> Tag
Service Configuration
defaultService :: Service
API version 2020-11-12 of the Amazon Network Firewall SDK configuration.
Errors
Error matchers are designed for use with the functions provided by Control.Exception.Lens. This allows catching (and rethrowing) service specific errors returned by NetworkFirewall.
InsufficientCapacityException
_InsufficientCapacityException :: AsError a => Fold a ServiceError
Amazon Web Services doesn't currently have enough available capacity to fulfill your request. Try your request later.
InternalServerError
_InternalServerError :: AsError a => Fold a ServiceError
Your request is valid, but Network Firewall couldn’t perform the operation because of a system problem. Retry your request.
InvalidOperationException
_InvalidOperationException :: AsError a => Fold a ServiceError
The operation failed because it's not valid. For example, you might have tried to delete a rule group or firewall policy that's in use.
InvalidRequestException
_InvalidRequestException :: AsError a => Fold a ServiceError
The operation failed because of a problem with your request. Examples include:
- You specified an unsupported parameter name or value.
- You tried to update a property with a value that isn't among the available types.
- Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in the context of the request.
InvalidResourcePolicyException
_InvalidResourcePolicyException :: AsError a => Fold a ServiceError
The policy statement failed validation.
InvalidTokenException
_InvalidTokenException :: AsError a => Fold a ServiceError
The token you provided is stale or isn't valid for the operation.
LimitExceededException
_LimitExceededException :: AsError a => Fold a ServiceError
Unable to perform the operation because doing so would violate a limit setting.
LogDestinationPermissionException
_LogDestinationPermissionException :: AsError a => Fold a ServiceError
Unable to send logs to a configured logging destination.
ResourceNotFoundException
_ResourceNotFoundException :: AsError a => Fold a ServiceError
Unable to locate a resource using the parameters that you provided.
ResourceOwnerCheckException
_ResourceOwnerCheckException :: AsError a => Fold a ServiceError
Unable to change the resource because your account doesn't own it.
ThrottlingException
_ThrottlingException :: AsError a => Fold a ServiceError
Unable to process the request due to throttling limitations.
UnsupportedOperationException
_UnsupportedOperationException :: AsError a => Fold a ServiceError
The operation you requested isn't supported by Network Firewall.
Waiters
Waiters poll by repeatedly sending a request until some remote success condition configured by the Wait specification is fulfilled. The Wait specification determines how many attempts should be made, in addition to delay and retry strategies.
Operations
Some AWS operations return results that are incomplete and require subsequent requests in order to obtain the entire result set. The process of sending subsequent requests to continue where a previous request left off is called pagination. For example, the ListObjects operation of Amazon S3 returns up to 1000 objects at a time, and you must send subsequent requests with the appropriate Marker in order to retrieve the next page of results.
Operations that have an AWSPager instance can transparently perform subsequent requests, correctly setting Markers and other request facets to iterate through the entire result set of a truncated API operation. Operations which support this have an additional note in the documentation.
Many operations have the ability to filter results on the server side. See the individual operation parameters for details.
AssociateFirewallPolicy
data AssociateFirewallPolicy
See: newAssociateFirewallPolicy smart constructor.
newAssociateFirewallPolicy
Create a value of AssociateFirewallPolicy with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
AssociateFirewallPolicy
, associateFirewallPolicy_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
AssociateFirewallPolicy
, associateFirewallPolicy_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
AssociateFirewallPolicy
, associateFirewallPolicy_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
AssociateFirewallPolicy
, associateFirewallPolicy_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
data AssociateFirewallPolicyResponse
See: newAssociateFirewallPolicyResponse smart constructor.
Instances
newAssociateFirewallPolicyResponse
Create a value of AssociateFirewallPolicyResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
AssociateFirewallPolicy
, associateFirewallPolicyResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
AssociateFirewallPolicy
, associateFirewallPolicyResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
AssociateFirewallPolicy
, associateFirewallPolicyResponse_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
AssociateFirewallPolicy
, associateFirewallPolicyResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:AssociateFirewallPolicyResponse'
, associateFirewallPolicyResponse_httpStatus
- The response's http status code.
AssociateSubnets
data AssociateSubnets
See: newAssociateSubnets smart constructor.
AssociateSubnets' (Maybe Text) (Maybe Text) (Maybe Text) [SubnetMapping]
Instances
newAssociateSubnets :: AssociateSubnets
Create a value of AssociateSubnets with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
AssociateSubnets
, associateSubnets_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
AssociateSubnets
, associateSubnets_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
AssociateSubnets
, associateSubnets_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
AssociateSubnets
, associateSubnets_subnetMappings
- The IDs of the subnets that you want to associate with the firewall.
data AssociateSubnetsResponse
See: newAssociateSubnetsResponse smart constructor.
AssociateSubnetsResponse' (Maybe Text) (Maybe Text) (Maybe [SubnetMapping]) (Maybe Text) Int
Instances
newAssociateSubnetsResponse
Create a value of AssociateSubnetsResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
AssociateSubnets
, associateSubnetsResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
AssociateSubnets
, associateSubnetsResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
AssociateSubnets
, associateSubnetsResponse_subnetMappings
- The IDs of the subnets that are associated with the firewall.
AssociateSubnets
, associateSubnetsResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:AssociateSubnetsResponse'
, associateSubnetsResponse_httpStatus
- The response's http status code.
CreateFirewall
data CreateFirewall
See: newCreateFirewall smart constructor.
CreateFirewall' (Maybe Bool) (Maybe Text) (Maybe EncryptionConfiguration) (Maybe Bool) (Maybe Bool) (Maybe (NonEmpty Tag)) Text Text Text [SubnetMapping]
Instances
Create a value of CreateFirewall with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
CreateFirewall
, createFirewall_deleteProtection
- A flag indicating whether it is possible to delete the firewall. A
setting of TRUE indicates that the firewall is protected against
deletion. Use this setting to protect against accidentally deleting a
firewall that is in use. When you create a firewall, the operation
initializes this flag to TRUE.
CreateFirewall
, createFirewall_description
- A description of the firewall.
CreateFirewall
, createFirewall_encryptionConfiguration
- A complex type that contains settings for encryption of your firewall
resources.
CreateFirewall
, createFirewall_firewallPolicyChangeProtection
- A setting indicating whether the firewall is protected against a change
to the firewall policy association. Use this setting to protect against
accidentally modifying the firewall policy for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE.
CreateFirewall
, createFirewall_subnetChangeProtection
- A setting indicating whether the firewall is protected against changes
to the subnet associations. Use this setting to protect against
accidentally modifying the subnet associations for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE.
CreateFirewall
, createFirewall_tags
- The key:value pairs to associate with the resource.
CreateFirewall
, createFirewall_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
CreateFirewall
, createFirewall_firewallPolicyArn
- The Amazon Resource Name (ARN) of the FirewallPolicy that you want to
use for the firewall.
CreateFirewall
, createFirewall_vpcId
- The unique identifier of the VPC where Network Firewall should create
the firewall.
You can't change this setting after you create the firewall.
CreateFirewall
, createFirewall_subnetMappings
- The public subnets to use for your Network Firewall firewalls. Each
subnet must belong to a different Availability Zone in the VPC. Network
Firewall creates a firewall endpoint in each subnet.
data CreateFirewallResponse
See: newCreateFirewallResponse smart constructor.
Instances
newCreateFirewallResponse
Create a value of CreateFirewallResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewall:CreateFirewallResponse'
, createFirewallResponse_firewall
- The configuration settings for the firewall. These settings include the
firewall policy and the subnets in your VPC to use for the firewall
endpoints.
$sel:firewallStatus:CreateFirewallResponse'
, createFirewallResponse_firewallStatus
- Detailed information about the current status of a Firewall. You can
retrieve this for a firewall by calling DescribeFirewall and providing
the firewall name and ARN.
$sel:httpStatus:CreateFirewallResponse'
, createFirewallResponse_httpStatus
- The response's http status code.
CreateFirewallPolicy
data CreateFirewallPolicy
See: newCreateFirewallPolicy smart constructor.
CreateFirewallPolicy' (Maybe Text) (Maybe Bool) (Maybe EncryptionConfiguration) (Maybe (NonEmpty Tag)) Text FirewallPolicy
Instances
newCreateFirewallPolicy
Create a value of CreateFirewallPolicy with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
CreateFirewallPolicy
, createFirewallPolicy_description
- A description of the firewall policy.
$sel:dryRun:CreateFirewallPolicy'
, createFirewallPolicy_dryRun
- Indicates whether you want Network Firewall to just check the validity
of the request, rather than run the request.
If set to TRUE, Network Firewall checks whether the request can run
successfully, but doesn't actually make the requested changes. The call
returns the value that the request would return if you ran it with dry
run set to FALSE, but doesn't make additions or changes to your
resources. This option allows you to make sure that you have the
required permissions to run the request and that your request parameters
are valid.
If set to FALSE, Network Firewall makes the requested changes to your
resources.
CreateFirewallPolicy
, createFirewallPolicy_encryptionConfiguration
- A complex type that contains settings for encryption of your firewall
policy resources.
CreateFirewallPolicy
, createFirewallPolicy_tags
- The key:value pairs to associate with the resource.
CreateFirewallPolicy
, createFirewallPolicy_firewallPolicyName
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
$sel:firewallPolicy:CreateFirewallPolicy'
, createFirewallPolicy_firewallPolicy
- The rule groups and policy actions to use in the firewall policy.
data CreateFirewallPolicyResponse
See: newCreateFirewallPolicyResponse smart constructor.
Instances
newCreateFirewallPolicyResponse
Create a value of CreateFirewallPolicyResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:CreateFirewallPolicyResponse'
, createFirewallPolicyResponse_httpStatus
- The response's http status code.
CreateFirewallPolicyResponse
, createFirewallPolicyResponse_updateToken
- A token used for optimistic locking. Network Firewall returns a token to
your requests that access the firewall policy. The token marks the state
of the policy resource at the time of the request.
To make changes to the policy, you provide the token in your request.
Network Firewall uses the token to ensure that the policy hasn't
changed since you last retrieved it. If it has changed, the operation
fails with an InvalidTokenException. If this happens, retrieve the
firewall policy again to get a current copy of it with a current token.
Reapply your changes as needed, then try the operation again using the
new token.
$sel:firewallPolicyResponse:CreateFirewallPolicyResponse'
, createFirewallPolicyResponse_firewallPolicyResponse
- The high-level properties of a firewall policy. This, along with the
FirewallPolicy, defines the policy. You can retrieve all objects for a
firewall policy by calling DescribeFirewallPolicy.
CreateRuleGroup
data CreateRuleGroup
See: newCreateRuleGroup smart constructor.
CreateRuleGroup' (Maybe Text) (Maybe Bool) (Maybe EncryptionConfiguration) (Maybe RuleGroup) (Maybe Text) (Maybe SourceMetadata) (Maybe (NonEmpty Tag)) Text RuleGroupType Int
Instances
Create a value of CreateRuleGroup with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
CreateRuleGroup
, createRuleGroup_description
- A description of the rule group.
$sel:dryRun:CreateRuleGroup'
, createRuleGroup_dryRun
- Indicates whether you want Network Firewall to just check the validity
of the request, rather than run the request.
If set to TRUE, Network Firewall checks whether the request can run
successfully, but doesn't actually make the requested changes. The call
returns the value that the request would return if you ran it with dry
run set to FALSE, but doesn't make additions or changes to your
resources. This option allows you to make sure that you have the
required permissions to run the request and that your request parameters
are valid.
If set to FALSE, Network Firewall makes the requested changes to your
resources.
CreateRuleGroup
, createRuleGroup_encryptionConfiguration
- A complex type that contains settings for encryption of your rule group
resources.
$sel:ruleGroup:CreateRuleGroup'
, createRuleGroup_ruleGroup
- An object that defines the rule group rules.
You must provide either this rule group setting or a Rules setting,
but not both.
$sel:rules:CreateRuleGroup'
, createRuleGroup_rules
- A string containing stateful rule group rules specifications in Suricata
flat format, with one rule per line. Use this to import your existing
Suricata compatible rule groups.
You must provide either this rules setting or a populated RuleGroup
setting, but not both.
You can provide your rule group specification in Suricata flat format through this setting when you create or update your rule group. The call response returns a RuleGroup object that Network Firewall has populated from your string.
CreateRuleGroup
, createRuleGroup_sourceMetadata
- A complex type that contains metadata about the rule group that your own
rule group is copied from. You can use the metadata to keep track of
updates made to the originating rule group.
CreateRuleGroup
, createRuleGroup_tags
- The key:value pairs to associate with the resource.
CreateRuleGroup
, createRuleGroup_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
CreateRuleGroup
, createRuleGroup_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
CreateRuleGroup
, createRuleGroup_capacity
- The maximum operating resources that this rule group can use. Rule group
capacity is fixed at creation. When you update a rule group, you are
limited to this capacity. When you reference a rule group from a
firewall policy, Network Firewall reserves this capacity for the rule
group.
You can retrieve the capacity that would be required for a rule group
before you create the rule group by calling CreateRuleGroup with
DryRun set to TRUE.
You can't change or exceed this capacity when you update the rule group, so leave room for your rule group to grow.
Capacity for a stateless rule group
For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules that you expect to have in the rule group.
To calculate the capacity requirement of a single rule, multiply the capacity requirement values of each of the rule's match settings:
- A match setting with no criteria specified has a value of 1.
- A match setting with Any specified has a value of 1.
- All other match settings have a value equal to the number of elements provided in the setting. For example, a protocol setting ["UDP"] and a source setting ["10.0.0.0/24"] each have a value of 1. A protocol setting ["UDP","TCP"] has a value of 2. A source setting ["10.0.0.0/24","10.0.0.1/24","10.0.0.2/24"] has a value of 3.
A rule with no criteria specified in any of its match settings has a capacity requirement of 1. A rule with protocol setting ["UDP","TCP"], source setting ["10.0.0.0/24","10.0.0.1/24","10.0.0.2/24"], and a single specification or no specification for each of the other match settings has a capacity requirement of 6.
Capacity for a stateful rule group
For a stateful rule group, the minimum capacity required is the number of individual rules that you expect to have in the rule group.
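The capacity arithmetic above, worked through in plain Haskell as an added example (it is not part of amazonka and makes no AWS calls). `MatchSetting`, `StatelessRule`, `Fit` and the sample rules are hypothetical names and constructed data; skipping blank and `#` lines when counting stateful rules is an assumption based on Suricata rule-file conventions.

```haskell
module Main (main) where

import Data.Char (isSpace)

-- | One match setting of a stateless rule (protocols, sources, ports, ...).
data MatchSetting
  = Unspecified        -- no criteria given: value 1
  | AnyValue           -- "Any": value 1
  | Elements [String]  -- explicit elements: value = number of elements
  deriving (Show)

-- | A stateless rule reduced to the settings that drive capacity.
-- Hypothetical type for this example, not an amazonka record.
data StatelessRule = StatelessRule
  { ruleLabel    :: String
  , ruleSettings :: [MatchSetting]
  } deriving (Show)

settingValue :: MatchSetting -> Int
settingValue Unspecified   = 1
settingValue AnyValue      = 1
settingValue (Elements xs) = max 1 (length xs)  -- an empty list means "no criteria"

-- | Capacity of one rule: the product of its match-setting values.
ruleCapacity :: StatelessRule -> Int
ruleCapacity = product . map settingValue . ruleSettings

-- | Capacity of a stateless rule group: the sum over its rules.
statelessCapacity :: [StatelessRule] -> Int
statelessCapacity = sum . map ruleCapacity

-- | Minimum capacity of a stateful group given as a flat-format string
-- with one rule per line. Blank lines and '#' comments are not counted
-- (assumption, see the lead-in).
statefulMinCapacity :: String -> Int
statefulMinCapacity = length . filter isRule . lines
  where
    isRule l = case dropWhile isSpace l of
      ""        -> False
      ('#' : _) -> False
      _         -> True

-- | Capacity is fixed at creation, so compare what the rules need with
-- what was reserved and report the headroom or the overshoot.
data Fit = Fits Int | Exceeds Int deriving (Show)

checkFit :: Int -> Int -> Fit
checkFit reserved needed
  | needed <= reserved = Fits (reserved - needed)
  | otherwise          = Exceeds (needed - reserved)

-- Constructed sample rules; the second one is the rule from the text.
sampleRules :: [StatelessRule]
sampleRules =
  [ StatelessRule "no criteria" [Unspecified, Unspecified]
  , StatelessRule "two protocols, three sources"
      [ Elements ["UDP", "TCP"]
      , Elements ["10.0.0.0/24", "10.0.0.1/24", "10.0.0.2/24"]
      , AnyValue
      ]
  , StatelessRule "dns" [Elements ["UDP", "TCP"], Elements ["10.0.1.0/24"], Elements ["53"]]
  ]

-- Constructed flat-format sample: two rules, one comment, one blank line.
sampleSuricata :: String
sampleSuricata = unlines
  [ "# constructed sample rules"
  , "drop tcp any any -> any 23 (msg:\"constructed: telnet\"; sid:1000001;)"
  , ""
  , "alert tcp any any -> any 80 (msg:\"constructed: http\"; sid:1000002;)"
  ]

main :: IO ()
main = do
  mapM_ (\r -> putStrLn (ruleLabel r ++ ": " ++ show (ruleCapacity r))) sampleRules
  let needed = statelessCapacity sampleRules
  putStrLn ("stateless total: " ++ show needed)
  print (checkFit 8 needed)   -- reserved too little: the group cannot hold these rules
  print (checkFit 20 needed)  -- reserved with room to grow
  putStrLn ("stateful minimum: " ++ show (statefulMinCapacity sampleSuricata))
```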
data CreateRuleGroupResponse
See: newCreateRuleGroupResponse smart constructor.
Instances
newCreateRuleGroupResponse
  :: Int
  -> Text
  -> RuleGroupResponse
  -> CreateRuleGroupResponse
Create a value of CreateRuleGroupResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:CreateRuleGroupResponse'
, createRuleGroupResponse_httpStatus
- The response's http status code.
CreateRuleGroupResponse
, createRuleGroupResponse_updateToken
- A token used for optimistic locking. Network Firewall returns a token to
your requests that access the rule group. The token marks the state of
the rule group resource at the time of the request.
To make changes to the rule group, you provide the token in your
request. Network Firewall uses the token to ensure that the rule group
hasn't changed since you last retrieved it. If it has changed, the
operation fails with an InvalidTokenException. If this happens,
retrieve the rule group again to get a current copy of it with a current
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:ruleGroupResponse:CreateRuleGroupResponse'
, createRuleGroupResponse_ruleGroupResponse
- The high-level properties of a rule group. This, along with the
RuleGroup, defines the rule group. You can retrieve all objects for a
rule group by calling DescribeRuleGroup.
DeleteFirewall
data DeleteFirewall
See: newDeleteFirewall smart constructor.
Instances
newDeleteFirewall :: DeleteFirewall
Create a value of DeleteFirewall with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DeleteFirewall
, deleteFirewall_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
DeleteFirewall
, deleteFirewall_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
data DeleteFirewallResponse
See: newDeleteFirewallResponse smart constructor.
Instances
newDeleteFirewallResponse
Create a value of DeleteFirewallResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewall:DeleteFirewallResponse'
, deleteFirewallResponse_firewall
- Undocumented member.
$sel:firewallStatus:DeleteFirewallResponse'
, deleteFirewallResponse_firewallStatus
- Undocumented member.
$sel:httpStatus:DeleteFirewallResponse'
, deleteFirewallResponse_httpStatus
- The response's http status code.
DeleteFirewallPolicy
data DeleteFirewallPolicy
See: newDeleteFirewallPolicy smart constructor.
Instances
newDeleteFirewallPolicy :: DeleteFirewallPolicy
Create a value of DeleteFirewallPolicy with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DeleteFirewallPolicy
, deleteFirewallPolicy_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
You must specify the ARN or the name, and you can specify both.
DeleteFirewallPolicy
, deleteFirewallPolicy_firewallPolicyName
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
You must specify the ARN or the name, and you can specify both.
data DeleteFirewallPolicyResponse
See: newDeleteFirewallPolicyResponse smart constructor.
Instances
newDeleteFirewallPolicyResponse
Create a value of DeleteFirewallPolicyResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:DeleteFirewallPolicyResponse'
, deleteFirewallPolicyResponse_httpStatus
- The response's http status code.
$sel:firewallPolicyResponse:DeleteFirewallPolicyResponse'
, deleteFirewallPolicyResponse_firewallPolicyResponse
- The object containing the definition of the FirewallPolicyResponse that
you asked to delete.
DeleteResourcePolicy
data DeleteResourcePolicy
See: newDeleteResourcePolicy smart constructor.
Instances
newDeleteResourcePolicy
Create a value of DeleteResourcePolicy with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DeleteResourcePolicy
, deleteResourcePolicy_resourceArn
- The Amazon Resource Name (ARN) of the rule group or firewall policy
whose resource policy you want to delete.
data DeleteResourcePolicyResponse
See: newDeleteResourcePolicyResponse smart constructor.
Instances
newDeleteResourcePolicyResponse
Create a value of DeleteResourcePolicyResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:DeleteResourcePolicyResponse'
, deleteResourcePolicyResponse_httpStatus
- The response's http status code.
DeleteRuleGroup
data DeleteRuleGroup
See: newDeleteRuleGroup smart constructor.
Instances
newDeleteRuleGroup :: DeleteRuleGroup
Create a value of DeleteRuleGroup with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DeleteRuleGroup
, deleteRuleGroup_ruleGroupArn
- The Amazon Resource Name (ARN) of the rule group.
You must specify the ARN or the name, and you can specify both.
DeleteRuleGroup
, deleteRuleGroup_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
You must specify the ARN or the name, and you can specify both.
DeleteRuleGroup
, deleteRuleGroup_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
This setting is required for requests that do not include the
RuleGroupARN.
data DeleteRuleGroupResponse
See: newDeleteRuleGroupResponse smart constructor.
Instances
newDeleteRuleGroupResponse
Create a value of DeleteRuleGroupResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:DeleteRuleGroupResponse'
, deleteRuleGroupResponse_httpStatus
- The response's http status code.
$sel:ruleGroupResponse:DeleteRuleGroupResponse'
, deleteRuleGroupResponse_ruleGroupResponse
- The high-level properties of a rule group. This, along with the
RuleGroup, defines the rule group. You can retrieve all objects for a
rule group by calling DescribeRuleGroup.
DescribeFirewall
data DescribeFirewall
See: newDescribeFirewall smart constructor.
Instances
newDescribeFirewall :: DescribeFirewall
Create a value of DescribeFirewall with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DescribeFirewall
, describeFirewall_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
DescribeFirewall
, describeFirewall_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
data DescribeFirewallResponse
See: newDescribeFirewallResponse smart constructor.
Instances
newDescribeFirewallResponse
Create a value of DescribeFirewallResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewall:DescribeFirewallResponse'
, describeFirewallResponse_firewall
- The configuration settings for the firewall. These settings include the
firewall policy and the subnets in your VPC to use for the firewall
endpoints.
$sel:firewallStatus:DescribeFirewallResponse'
, describeFirewallResponse_firewallStatus
- Detailed information about the current status of a Firewall. You can
retrieve this for a firewall by calling DescribeFirewall and providing
the firewall name and ARN.
DescribeFirewallResponse
, describeFirewallResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:DescribeFirewallResponse'
, describeFirewallResponse_httpStatus
- The response's http status code.
DescribeFirewallPolicy
data DescribeFirewallPolicy
See: newDescribeFirewallPolicy smart constructor.
Instances
newDescribeFirewallPolicy :: DescribeFirewallPolicy
Create a value of DescribeFirewallPolicy with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DescribeFirewallPolicy
, describeFirewallPolicy_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
You must specify the ARN or the name, and you can specify both.
DescribeFirewallPolicy
, describeFirewallPolicy_firewallPolicyName
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
You must specify the ARN or the name, and you can specify both.
data DescribeFirewallPolicyResponse
See: newDescribeFirewallPolicyResponse smart constructor.
Instances
newDescribeFirewallPolicyResponse
Create a value of DescribeFirewallPolicyResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewallPolicy:DescribeFirewallPolicyResponse'
, describeFirewallPolicyResponse_firewallPolicy
- The policy for the specified firewall policy.
$sel:httpStatus:DescribeFirewallPolicyResponse'
, describeFirewallPolicyResponse_httpStatus
- The response's http status code.
DescribeFirewallPolicyResponse
, describeFirewallPolicyResponse_updateToken
- A token used for optimistic locking. Network Firewall returns a token to
your requests that access the firewall policy. The token marks the state
of the policy resource at the time of the request.
To make changes to the policy, you provide the token in your request.
Network Firewall uses the token to ensure that the policy hasn't
changed since you last retrieved it. If it has changed, the operation
fails with an InvalidTokenException. If this happens, retrieve the
firewall policy again to get a current copy of it with a current token.
Reapply your changes as needed, then try the operation again using the
new token.
$sel:firewallPolicyResponse:DescribeFirewallPolicyResponse'
, describeFirewallPolicyResponse_firewallPolicyResponse
- The high-level properties of a firewall policy. This, along with the
FirewallPolicy, defines the policy. You can retrieve all objects for a
firewall policy by calling DescribeFirewallPolicy.
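The update-token behaviour described for firewalls and for firewall policies above, modelled in plain Haskell as an added example (it is not amazonka code and makes no AWS calls). `Firewall`, `Token`, `associatePolicy` and `retryingAssociate` are hypothetical names for an in-memory stand-in for the service, the counter-style token is an assumption, and the policy names are constructed. It shows a stale token being rejected, the re-read-and-retry loop, and an unconditional update replacing a policy another operator had just applied.

```haskell
module Main (main) where

import Control.Monad (unless, void)
import Data.IORef (IORef, atomicModifyIORef', newIORef, readIORef, writeIORef)

-- | Opaque marker of the resource state (assumption: a counter in this model).
newtype Token = Token Int deriving (Eq, Show)

-- | In-memory stand-in for the service's view of one firewall.
data Firewall = Firewall
  { fwPolicy :: String  -- stands in for the firewall policy ARN
  , fwToken  :: Token
  } deriving (Show)

data UpdateError = InvalidToken deriving (Eq, Show)

-- | Model of a Describe call: returns the state together with its token.
describe :: IORef Firewall -> IO Firewall
describe = readIORef

-- | Model of an update call. 'Nothing' is the unconditional form (token
-- omitted); 'Just t' is accepted only if t still matches the stored token.
-- For firewall policies and rule groups the token is always sent.
associatePolicy :: IORef Firewall -> Maybe Token -> String -> IO (Either UpdateError Token)
associatePolicy ref sent policy = atomicModifyIORef' ref step
  where
    step fw
      | maybe False (/= fwToken fw) sent = (fw, Left InvalidToken)
      | otherwise =
          let Token n = fwToken fw
              next = Token (n + 1)
           in (fw {fwPolicy = policy, fwToken = next}, Right next)

-- | Conditional update with bounded retries. On InvalidToken the state is
-- read again and the decision is made again from what is there now, so a
-- change made by someone else is seen before anything is written.
retryingAssociate
  :: IORef Firewall
  -> Int                              -- attempts left
  -> (Firewall -> IO (Maybe String))  -- Nothing = no change needed
  -> IO (Either String Firewall)
retryingAssociate ref attempts decide
  | attempts <= 0 = pure (Left "gave up: firewall kept changing")
  | otherwise = do
      fw <- describe ref
      wanted <- decide fw
      case wanted of
        Nothing -> pure (Right fw)
        Just policy -> do
          result <- associatePolicy ref (Just (fwToken fw)) policy
          case result of
            Right _ -> Right <$> describe ref
            Left InvalidToken -> retryingAssociate ref (attempts - 1) decide

main :: IO ()
main = do
  let baselineV2 = "firewall-policy/baseline-v2"        -- constructed names
      lockdown   = "firewall-policy/incident-lockdown"
  ref <- newIORef (Firewall "firewall-policy/baseline" (Token 0))
  raced <- newIORef False
  let decide fw = do
        -- Constructed race: after our first read, a second operator
        -- attaches the lockdown policy before our update is sent.
        seen <- readIORef raced
        unless seen $ do
          writeIORef raced True
          void (associatePolicy ref Nothing lockdown)
        -- Never replace the lockdown policy automatically.
        pure (if fwPolicy fw == lockdown then Nothing else Just baselineV2)
  -- Conditional path: the stale token is rejected, the retry sees the lockdown.
  retryingAssociate ref 3 decide >>= print
  -- Unconditional path: the same change goes through and the lockdown is lost.
  associatePolicy ref Nothing baselineV2 >>= print
  describe ref >>= print
```

With amazonka the token is read from `describeFirewallResponse_updateToken` and sent back in a request field such as `associateFirewallPolicy_updateToken`.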
DescribeLoggingConfiguration
data DescribeLoggingConfiguration
See: newDescribeLoggingConfiguration smart constructor.
Instances
newDescribeLoggingConfiguration :: DescribeLoggingConfiguration
Create a value of DescribeLoggingConfiguration with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DescribeLoggingConfiguration
, describeLoggingConfiguration_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
DescribeLoggingConfiguration
, describeLoggingConfiguration_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
data DescribeLoggingConfigurationResponse Source #
See: newDescribeLoggingConfigurationResponse
smart constructor.
Instances
newDescribeLoggingConfigurationResponse Source #
Create a value of DescribeLoggingConfigurationResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DescribeLoggingConfiguration
, describeLoggingConfigurationResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
$sel:loggingConfiguration:DescribeLoggingConfigurationResponse'
, describeLoggingConfigurationResponse_loggingConfiguration
- Undocumented member.
$sel:httpStatus:DescribeLoggingConfigurationResponse'
, describeLoggingConfigurationResponse_httpStatus
- The response's http status code.
DescribeResourcePolicy
data DescribeResourcePolicy Source #
See: newDescribeResourcePolicy
smart constructor.
Instances
newDescribeResourcePolicy Source #
Create a value of DescribeResourcePolicy
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DescribeResourcePolicy
, describeResourcePolicy_resourceArn
- The Amazon Resource Name (ARN) of the rule group or firewall policy
whose resource policy you want to retrieve.
data DescribeResourcePolicyResponse Source #
See: newDescribeResourcePolicyResponse
smart constructor.
Instances
newDescribeResourcePolicyResponse Source #
Create a value of DescribeResourcePolicyResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:policy:DescribeResourcePolicyResponse'
, describeResourcePolicyResponse_policy
- The IAM policy for the resource.
$sel:httpStatus:DescribeResourcePolicyResponse'
, describeResourcePolicyResponse_httpStatus
- The response's http status code.
DescribeRuleGroup
data DescribeRuleGroup Source #
See: newDescribeRuleGroup
smart constructor.
Instances
newDescribeRuleGroup :: DescribeRuleGroup Source #
Create a value of DescribeRuleGroup
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DescribeRuleGroup
, describeRuleGroup_ruleGroupArn
- The Amazon Resource Name (ARN) of the rule group.
You must specify the ARN or the name, and you can specify both.
DescribeRuleGroup
, describeRuleGroup_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
You must specify the ARN or the name, and you can specify both.
DescribeRuleGroup
, describeRuleGroup_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
This setting is required for requests that do not include the RuleGroupARN.
data DescribeRuleGroupResponse Source #
See: newDescribeRuleGroupResponse
smart constructor.
Instances
newDescribeRuleGroupResponse Source #
Create a value of DescribeRuleGroupResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleGroup:DescribeRuleGroupResponse'
, describeRuleGroupResponse_ruleGroup
- The object that defines the rules in a rule group. This, along with
RuleGroupResponse, defines the rule group. You can retrieve all objects
for a rule group by calling DescribeRuleGroup.
Network Firewall uses a rule group to inspect and control network traffic. You define stateless rule groups to inspect individual packets and you define stateful rule groups to inspect packets in the context of their traffic flow.
To use a rule group, you include it by reference in a Network Firewall firewall policy, then you use the policy in a firewall. You can reference a rule group from more than one firewall policy, and you can use a firewall policy in more than one firewall.
$sel:httpStatus:DescribeRuleGroupResponse'
, describeRuleGroupResponse_httpStatus
- The response's http status code.
DescribeRuleGroupResponse
, describeRuleGroupResponse_updateToken
- A token used for optimistic locking. Network Firewall returns a token to
your requests that access the rule group. The token marks the state of
the rule group resource at the time of the request.
To make changes to the rule group, you provide the token in your
request. Network Firewall uses the token to ensure that the rule group
hasn't changed since you last retrieved it. If it has changed, the
operation fails with an InvalidTokenException. If this happens,
retrieve the rule group again to get a current copy of it with a current
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:ruleGroupResponse:DescribeRuleGroupResponse'
, describeRuleGroupResponse_ruleGroupResponse
- The high-level properties of a rule group. This, along with the
RuleGroup, defines the rule group. You can retrieve all objects for a
rule group by calling DescribeRuleGroup.
DescribeRuleGroupMetadata
data DescribeRuleGroupMetadata Source #
See: newDescribeRuleGroupMetadata
smart constructor.
Instances
newDescribeRuleGroupMetadata :: DescribeRuleGroupMetadata Source #
Create a value of DescribeRuleGroupMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DescribeRuleGroupMetadata
, describeRuleGroupMetadata_ruleGroupArn
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
You must specify the ARN or the name, and you can specify both.
DescribeRuleGroupMetadata
, describeRuleGroupMetadata_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
You must specify the ARN or the name, and you can specify both.
DescribeRuleGroupMetadata
, describeRuleGroupMetadata_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
This setting is required for requests that do not include the RuleGroupARN.
data DescribeRuleGroupMetadataResponse Source #
See: newDescribeRuleGroupMetadataResponse
smart constructor.
DescribeRuleGroupMetadataResponse' (Maybe Int) (Maybe Text) (Maybe POSIX) (Maybe StatefulRuleOptions) (Maybe RuleGroupType) Int Text Text
Instances
newDescribeRuleGroupMetadataResponse Source #
:: Int
-> Text
-> Text
-> DescribeRuleGroupMetadataResponse
Create a value of DescribeRuleGroupMetadataResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DescribeRuleGroupMetadataResponse
, describeRuleGroupMetadataResponse_capacity
- The maximum operating resources that this rule group can use. Rule group
capacity is fixed at creation. When you update a rule group, you are
limited to this capacity. When you reference a rule group from a
firewall policy, Network Firewall reserves this capacity for the rule
group.
You can retrieve the capacity that would be required for a rule group
before you create the rule group by calling CreateRuleGroup with
DryRun set to TRUE.
DescribeRuleGroupMetadataResponse
, describeRuleGroupMetadataResponse_description
- Returns the metadata objects for the specified rule group.
DescribeRuleGroupMetadataResponse
, describeRuleGroupMetadataResponse_lastModifiedTime
- The last time that the rule group was changed.
DescribeRuleGroupMetadataResponse
, describeRuleGroupMetadataResponse_statefulRuleOptions
- Undocumented member.
DescribeRuleGroupMetadata
, describeRuleGroupMetadataResponse_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
This setting is required for requests that do not include the RuleGroupARN.
$sel:httpStatus:DescribeRuleGroupMetadataResponse'
, describeRuleGroupMetadataResponse_httpStatus
- The response's http status code.
DescribeRuleGroupMetadata
, describeRuleGroupMetadataResponse_ruleGroupArn
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
You must specify the ARN or the name, and you can specify both.
DescribeRuleGroupMetadata
, describeRuleGroupMetadataResponse_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
You must specify the ARN or the name, and you can specify both.
DisassociateSubnets
data DisassociateSubnets Source #
See: newDisassociateSubnets
smart constructor.
Instances
newDisassociateSubnets :: DisassociateSubnets Source #
Create a value of DisassociateSubnets
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DisassociateSubnets
, disassociateSubnets_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
DisassociateSubnets
, disassociateSubnets_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
DisassociateSubnets
, disassociateSubnets_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:subnetIds:DisassociateSubnets'
, disassociateSubnets_subnetIds
- The unique identifiers for the subnets that you want to disassociate.
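The conditional and unconditional update paths described for updateToken, modelled in memory as an added example in Python (not amazonka or AWS code). FirewallModel, the token format, the keep_two rule and the subnet names are constructed for illustration.

```python
class InvalidTokenException(Exception):
    """The supplied token no longer matches the resource state."""


class FirewallModel:
    """Constructed stand-in for the service side of one firewall (hypothetical)."""

    def __init__(self, subnet_ids):
        self._subnets = list(subnet_ids)
        self._version = 0

    def _token(self):
        # Constructed token format; callers must treat the real token as opaque.
        return f"token-{self._version}"

    def describe(self):
        """Return the associated subnets and a token marking this state."""
        return list(self._subnets), self._token()

    def disassociate_subnets(self, subnet_ids, update_token=None):
        """Conditional when update_token is given, unconditional when omitted."""
        if update_token is not None and update_token != self._token():
            raise InvalidTokenException("firewall changed since it was retrieved")
        self._subnets = [s for s in self._subnets if s not in subnet_ids]
        self._version += 1
        return list(self._subnets), self._token()


def disassociate_with_retry(fw, decide, max_attempts=3, before_update=None):
    """Retrieve, decide on the fresh copy, update with the token, retry on conflict.

    decide(subnets) returns the subnets to remove. before_update is a hook the
    demo uses to inject a concurrent writer between the read and the write.
    Returns (remaining_subnets, attempts_used).
    """
    for attempt in range(1, max_attempts + 1):
        subnets, token = fw.describe()
        to_remove = decide(subnets)
        if not to_remove:
            return subnets, attempt  # nothing left to change on the current copy
        if before_update is not None:
            before_update(attempt)
        try:
            remaining, _ = fw.disassociate_subnets(to_remove, update_token=token)
            return remaining, attempt
        except InvalidTokenException:
            continue  # stale view: the loop re-reads and re-applies the decision
    raise InvalidTokenException(f"still conflicting after {max_attempts} attempts")


def keep_two(subnets):
    """Constructed rule: drop subnet-c only while more than two subnets remain."""
    return ["subnet-c"] if "subnet-c" in subnets and len(subnets) > 2 else []


def run_scenario(conditional):
    """Race one operator against another that removes subnet-a in between."""
    fw = FirewallModel(["subnet-a", "subnet-b", "subnet-c"])
    raced = []

    def concurrent_writer(_attempt):
        if not raced:  # the other operator acts once, without a token
            fw.disassociate_subnets(["subnet-a"])
            raced.append(True)

    if conditional:
        return disassociate_with_retry(fw, keep_two, before_update=concurrent_writer)
    subnets, _ = fw.describe()
    to_remove = keep_two(subnets)      # decided on a view that is about to go stale
    concurrent_writer(1)
    remaining, _ = fw.disassociate_subnets(to_remove)  # token omitted
    return remaining, 1


if __name__ == "__main__":
    print("with token   :", run_scenario(conditional=True))
    print("without token:", run_scenario(conditional=False))
```

With the token, the stale request is rejected and the decision is re-evaluated against the current subnet list; without it, the firewall ends up with a single subnet that no operator intended.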
data DisassociateSubnetsResponse Source #
See: newDisassociateSubnetsResponse
smart constructor.
DisassociateSubnetsResponse' (Maybe Text) (Maybe Text) (Maybe [SubnetMapping]) (Maybe Text) Int
Instances
newDisassociateSubnetsResponse Source #
Create a value of DisassociateSubnetsResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
DisassociateSubnets
, disassociateSubnetsResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
DisassociateSubnets
, disassociateSubnetsResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
DisassociateSubnetsResponse
, disassociateSubnetsResponse_subnetMappings
- The IDs of the subnets that are associated with the firewall.
DisassociateSubnets
, disassociateSubnetsResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:DisassociateSubnetsResponse'
, disassociateSubnetsResponse_httpStatus
- The response's http status code.
ListFirewallPolicies (Paginated)
data ListFirewallPolicies Source #
See: newListFirewallPolicies
smart constructor.
Instances
newListFirewallPolicies :: ListFirewallPolicies Source #
Create a value of ListFirewallPolicies
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:maxResults:ListFirewallPolicies'
, listFirewallPolicies_maxResults
- The maximum number of objects that you want Network Firewall to return
for this request. If more objects are available, in the response,
Network Firewall provides a NextToken value that you can use in a
subsequent call to get the next batch of objects.
ListFirewallPolicies
, listFirewallPolicies_nextToken
- When you request a list of objects with a MaxResults setting, if the
number of objects that are still available for retrieval exceeds the
maximum you requested, Network Firewall returns a NextToken value in
the response. To retrieve the next batch of objects, use the token
returned from the prior request in your next request.
data ListFirewallPoliciesResponse Source #
See: newListFirewallPoliciesResponse
smart constructor.
Instances
newListFirewallPoliciesResponse Source #
Create a value of ListFirewallPoliciesResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewallPolicies:ListFirewallPoliciesResponse'
, listFirewallPoliciesResponse_firewallPolicies
- The metadata for the firewall policies. Depending on your setting for
max results and the number of firewall policies that you have, this
might not be the full list.
ListFirewallPolicies
, listFirewallPoliciesResponse_nextToken
- When you request a list of objects with a MaxResults setting, if the
number of objects that are still available for retrieval exceeds the
maximum you requested, Network Firewall returns a NextToken value in
the response. To retrieve the next batch of objects, use the token
returned from the prior request in your next request.
$sel:httpStatus:ListFirewallPoliciesResponse'
, listFirewallPoliciesResponse_httpStatus
- The response's http status code.
ListFirewalls (Paginated)
data ListFirewalls Source #
See: newListFirewalls
smart constructor.
Instances
newListFirewalls :: ListFirewalls Source #
Create a value of ListFirewalls
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:maxResults:ListFirewalls'
, listFirewalls_maxResults
- The maximum number of objects that you want Network Firewall to return
for this request. If more objects are available, in the response,
Network Firewall provides a NextToken value that you can use in a
subsequent call to get the next batch of objects.
ListFirewalls
, listFirewalls_nextToken
- When you request a list of objects with a MaxResults setting, if the
number of objects that are still available for retrieval exceeds the
maximum you requested, Network Firewall returns a NextToken value in
the response. To retrieve the next batch of objects, use the token
returned from the prior request in your next request.
$sel:vpcIds:ListFirewalls'
, listFirewalls_vpcIds
- The unique identifiers of the VPCs that you want Network Firewall to
retrieve the firewalls for. Leave this blank to retrieve all firewalls
that you have defined.
data ListFirewallsResponse Source #
See: newListFirewallsResponse
smart constructor.
Instances
newListFirewallsResponse Source #
Create a value of ListFirewallsResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewalls:ListFirewallsResponse'
, listFirewallsResponse_firewalls
- The firewall metadata objects for the VPCs that you specified. Depending
on your setting for max results and the number of firewalls you have, a
single call might not be the full list.
ListFirewalls
, listFirewallsResponse_nextToken
- When you request a list of objects with a MaxResults setting, if the
number of objects that are still available for retrieval exceeds the
maximum you requested, Network Firewall returns a NextToken value in
the response. To retrieve the next batch of objects, use the token
returned from the prior request in your next request.
$sel:httpStatus:ListFirewallsResponse'
, listFirewallsResponse_httpStatus
- The response's http status code.
ListRuleGroups (Paginated)
data ListRuleGroups Source #
See: newListRuleGroups
smart constructor.
ListRuleGroups' (Maybe ResourceManagedType) (Maybe Natural) (Maybe Text) (Maybe ResourceManagedStatus) (Maybe RuleGroupType)
Instances
newListRuleGroups :: ListRuleGroups Source #
Create a value of ListRuleGroups
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:managedType:ListRuleGroups'
, listRuleGroups_managedType
- Indicates the general category of the Amazon Web Services managed rule
group.
$sel:maxResults:ListRuleGroups'
, listRuleGroups_maxResults
- The maximum number of objects that you want Network Firewall to return
for this request. If more objects are available, in the response,
Network Firewall provides a NextToken value that you can use in a
subsequent call to get the next batch of objects.
ListRuleGroups
, listRuleGroups_nextToken
- When you request a list of objects with a MaxResults setting, if the
number of objects that are still available for retrieval exceeds the
maximum you requested, Network Firewall returns a NextToken value in
the response. To retrieve the next batch of objects, use the token
returned from the prior request in your next request.
$sel:scope:ListRuleGroups'
, listRuleGroups_scope
- The scope of the request. The default setting of ACCOUNT or a setting
of NULL returns all of the rule groups in your account. A setting of
MANAGED returns all available managed rule groups.
ListRuleGroups
, listRuleGroups_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
data ListRuleGroupsResponse Source #
See: newListRuleGroupsResponse
smart constructor.
Instances
newListRuleGroupsResponse Source #
Create a value of ListRuleGroupsResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
ListRuleGroups
, listRuleGroupsResponse_nextToken
- When you request a list of objects with a MaxResults setting, if the
number of objects that are still available for retrieval exceeds the
maximum you requested, Network Firewall returns a NextToken value in
the response. To retrieve the next batch of objects, use the token
returned from the prior request in your next request.
$sel:ruleGroups:ListRuleGroupsResponse'
, listRuleGroupsResponse_ruleGroups
- The rule group metadata objects that you've defined. Depending on your
setting for max results and the number of rule groups, this might not be
the full list.
$sel:httpStatus:ListRuleGroupsResponse'
, listRuleGroupsResponse_httpStatus
- The response's http status code.
ListTagsForResource (Paginated)
data ListTagsForResource Source #
See: newListTagsForResource
smart constructor.
Instances
newListTagsForResource Source #
Create a value of ListTagsForResource
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:maxResults:ListTagsForResource'
, listTagsForResource_maxResults
- The maximum number of objects that you want Network Firewall to return
for this request. If more objects are available, in the response,
Network Firewall provides a NextToken value that you can use in a
subsequent call to get the next batch of objects.
ListTagsForResource
, listTagsForResource_nextToken
- When you request a list of objects with a MaxResults setting, if the
number of objects that are still available for retrieval exceeds the
maximum you requested, Network Firewall returns a NextToken value in
the response. To retrieve the next batch of objects, use the token
returned from the prior request in your next request.
ListTagsForResource
, listTagsForResource_resourceArn
- The Amazon Resource Name (ARN) of the resource.
data ListTagsForResourceResponse Source #
See: newListTagsForResourceResponse
smart constructor.
Instances
newListTagsForResourceResponse Source #
Create a value of ListTagsForResourceResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
ListTagsForResource
, listTagsForResourceResponse_nextToken
- When you request a list of objects with a MaxResults setting, if the
number of objects that are still available for retrieval exceeds the
maximum you requested, Network Firewall returns a NextToken value in
the response. To retrieve the next batch of objects, use the token
returned from the prior request in your next request.
ListTagsForResourceResponse
, listTagsForResourceResponse_tags
- The tags that are associated with the resource.
$sel:httpStatus:ListTagsForResourceResponse'
, listTagsForResourceResponse_httpStatus
- The response's http status code.
PutResourcePolicy
data PutResourcePolicy Source #
See: newPutResourcePolicy
smart constructor.
Instances
Create a value of PutResourcePolicy
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
PutResourcePolicy
, putResourcePolicy_resourceArn
- The Amazon Resource Name (ARN) of the account that you want to share
rule groups and firewall policies with.
$sel:policy:PutResourcePolicy'
, putResourcePolicy_policy
- The IAM policy statement that lists the accounts that you want to share
your rule group or firewall policy with and the operations that you want
the accounts to be able to perform.
For a rule group resource, you can specify the following operations in the Actions section of the statement:
- network-firewall:CreateFirewallPolicy
- network-firewall:UpdateFirewallPolicy
- network-firewall:ListRuleGroups
For a firewall policy resource, you can specify the following operations in the Actions section of the statement:
- network-firewall:CreateFirewall
- network-firewall:UpdateFirewall
- network-firewall:AssociateFirewallPolicy
- network-firewall:ListFirewallPolicies
In the Resource section of the statement, you specify the ARNs for the
rule groups and firewall policies that you want to share with the
account that you specified in Arn.
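A review check for the share statement described above, written as an added example in Python (not part of amazonka or AWS tooling). The allowed operations are the two lists given for putResourcePolicy_policy; review_share_policy, the sample ARN, the account IDs and both sample policies are constructed, and the Principal handling assumes standard IAM policy syntax.

```python
import json

# Operations the page lists as valid in a share statement, per resource kind.
ALLOWED_ACTIONS = {
    "rule_group": {
        "network-firewall:CreateFirewallPolicy",
        "network-firewall:UpdateFirewallPolicy",
        "network-firewall:ListRuleGroups",
    },
    "firewall_policy": {
        "network-firewall:CreateFirewall",
        "network-firewall:UpdateFirewall",
        "network-firewall:AssociateFirewallPolicy",
        "network-firewall:ListFirewallPolicies",
    },
}


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return the account IDs named in a Principal element, "*" for a wildcard."""
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    accounts = []
    for entry in _as_list(principal.get("AWS")):
        # arn:partition:service:region:account:resource -> field 4 is the account
        accounts.append(entry.split(":")[4] if entry.startswith("arn:") else entry)
    return accounts


def review_share_policy(policy_json, resource_kind, resource_arn, trusted_accounts):
    """Return findings for Allow statements that exceed the documented share scope."""
    allowed = {a.lower() for a in ALLOWED_ACTIONS[resource_kind]}
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements can widen the share
        if any(k in stmt for k in ("NotAction", "NotPrincipal", "NotResource")):
            findings.append(f"{sid}: negated element is too broad for a share")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action.lower() not in allowed:  # IAM action names ignore case
                findings.append(f"{sid}: action {action} is not listed for a {resource_kind}")
        accounts = _principal_accounts(stmt.get("Principal"))
        if not accounts:
            findings.append(f"{sid}: no AWS account principal")
        for account in accounts:
            if account == "*":
                findings.append(f"{sid}: principal is open to any account")
            elif account not in trusted_accounts:
                findings.append(f"{sid}: account {account} is not on the trusted list")
        for resource in _as_list(stmt.get("Resource")):
            if resource != resource_arn:
                findings.append(f"{sid}: resource {resource} is not the shared ARN")
    return findings


# Constructed sample values (placeholder account IDs and rule group name).
SHARED_ARN = "arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/example-rules"
TRUSTED = {"444455556666"}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ShareRules", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
    "Action": ["network-firewall:CreateFirewallPolicy",
               "network-firewall:UpdateFirewallPolicy",
               "network-firewall:ListRuleGroups"],
    "Resource": SHARED_ARN}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ShareWide", "Effect": "Allow", "Principal": "*",
    "Action": ["network-firewall:*", "network-firewall:CreateFirewall"],
    "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, review_share_policy(doc, "rule_group", SHARED_ARN, TRUSTED))
```

Running the check before PutResourcePolicy keeps a shared rule group or firewall policy limited to the named accounts and the operations listed for its resource type.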
data PutResourcePolicyResponse Source #
See: newPutResourcePolicyResponse
smart constructor.
Instances
newPutResourcePolicyResponse Source #
Create a value of PutResourcePolicyResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:PutResourcePolicyResponse'
, putResourcePolicyResponse_httpStatus
- The response's http status code.
TagResource
data TagResource Source #
See: newTagResource
smart constructor.
Instances
Create a value of TagResource
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
TagResource
, tagResource_resourceArn
- The Amazon Resource Name (ARN) of the resource.
data TagResourceResponse Source #
See: newTagResourceResponse
smart constructor.
Instances
newTagResourceResponse Source #
Create a value of TagResourceResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:TagResourceResponse'
, tagResourceResponse_httpStatus
- The response's http status code.
UntagResource
data UntagResource Source #
See: newUntagResource
smart constructor.
Instances
Create a value of UntagResource
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UntagResource
, untagResource_resourceArn
- The Amazon Resource Name (ARN) of the resource.
data UntagResourceResponse Source #
See: newUntagResourceResponse
smart constructor.
Instances
newUntagResourceResponse Source #
Create a value of UntagResourceResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:UntagResourceResponse'
, untagResourceResponse_httpStatus
- The response's http status code.
UpdateFirewallDeleteProtection
data UpdateFirewallDeleteProtection Source #
See: newUpdateFirewallDeleteProtection
smart constructor.
Instances
newUpdateFirewallDeleteProtection Source #
Create a value of UpdateFirewallDeleteProtection
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallDeleteProtection
, updateFirewallDeleteProtection_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
UpdateFirewallDeleteProtection
, updateFirewallDeleteProtection_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
UpdateFirewallDeleteProtection
, updateFirewallDeleteProtection_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
UpdateFirewallDeleteProtection
, updateFirewallDeleteProtection_deleteProtection
- A flag indicating whether it is possible to delete the firewall. A
setting of TRUE indicates that the firewall is protected against
deletion. Use this setting to protect against accidentally deleting a
firewall that is in use. When you create a firewall, the operation
initializes this flag to TRUE.
data UpdateFirewallDeleteProtectionResponse Source #
See: newUpdateFirewallDeleteProtectionResponse
smart constructor.
Instances
newUpdateFirewallDeleteProtectionResponse Source #
Create a value of UpdateFirewallDeleteProtectionResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallDeleteProtection
, updateFirewallDeleteProtectionResponse_deleteProtection
- A flag indicating whether it is possible to delete the firewall. A
setting of TRUE indicates that the firewall is protected against
deletion. Use this setting to protect against accidentally deleting a
firewall that is in use. When you create a firewall, the operation
initializes this flag to TRUE.
UpdateFirewallDeleteProtection
, updateFirewallDeleteProtectionResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
UpdateFirewallDeleteProtection
, updateFirewallDeleteProtectionResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
UpdateFirewallDeleteProtection
, updateFirewallDeleteProtectionResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:UpdateFirewallDeleteProtectionResponse'
, updateFirewallDeleteProtectionResponse_httpStatus
- The response's http status code.
UpdateFirewallDescription
data UpdateFirewallDescription Source #
See: newUpdateFirewallDescription
smart constructor.
Instances
newUpdateFirewallDescription :: UpdateFirewallDescription Source #
Create a value of UpdateFirewallDescription
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallDescription
, updateFirewallDescription_description
- The new description for the firewall. If you omit this setting, Network
Firewall removes the description for the firewall.
UpdateFirewallDescription
, updateFirewallDescription_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
UpdateFirewallDescription
, updateFirewallDescription_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
UpdateFirewallDescription
, updateFirewallDescription_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
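The conditional-update flow described for updateToken, as an added example that is not part of the generated documentation or the amazonka project's own code. It assumes amazonka 2.0 with the lens package; newDescribeFirewall, describeFirewall_firewallName, describeFirewallResponse_updateToken, _InvalidTokenException and sendEither are assumed from amazonka's naming conventions rather than taken from this section, and the firewall name is a placeholder.

```haskell
{-# LANGUAGE OverloadedStrings #-}

-- Added example: conditional update of a firewall description using the
-- optimistic-locking token, with a bounded retry on InvalidTokenException.
module Main (main) where

import qualified Amazonka as AWS
import Amazonka.NetworkFirewall
import Control.Exception (throwIO)
import Control.Lens (has, (&), (?~), (^.))
import Data.Text (Text)
import qualified Data.Text.IO as T

-- | Result of one conditional-update attempt sequence.
data Outcome
  = Updated UpdateFirewallDescriptionResponse
  | NoToken          -- ^ Describe returned no token; we refuse to write blind.
  | StillConflicting -- ^ Every attempt lost the race with another writer.

-- | Read the current token, send it with the update, and re-read on conflict.
-- The token is never omitted, so a concurrent change is never silently
-- overwritten (omitting it makes the update unconditional).
setDescription :: AWS.Env -> Text -> Text -> Int -> IO Outcome
setDescription env name desc = go
  where
    go :: Int -> IO Outcome
    go attemptsLeft
      | attemptsLeft <= 0 = pure StillConflicting
      | otherwise = do
          -- Step 1: retrieve the firewall to obtain a token for its current state.
          current <-
            AWS.runResourceT . AWS.send env $
              newDescribeFirewall & describeFirewall_firewallName ?~ name
          case current ^. describeFirewallResponse_updateToken of
            Nothing -> pure NoToken
            Just token -> do
              -- Step 2: make the change conditional on that token.
              let req =
                    newUpdateFirewallDescription
                      & updateFirewallDescription_firewallName ?~ name
                      & updateFirewallDescription_description ?~ desc
                      & updateFirewallDescription_updateToken ?~ token
              result <- AWS.runResourceT (AWS.sendEither env req)
              case result of
                Right resp -> pure (Updated resp)
                Left err
                  -- Step 3: the firewall changed since step 1; fetch a new
                  -- token and reapply instead of falling back to a blind write.
                  | has _InvalidTokenException err -> go (attemptsLeft - 1)
                  -- Any other failure (permissions, throttling) is not a
                  -- locking conflict and is surfaced to the caller.
                  | otherwise -> throwIO err

main :: IO ()
main = do
  env <- AWS.newEnv AWS.discover
  -- "example-firewall" is a placeholder name.
  outcome <- setDescription env "example-firewall" "Egress inspection for the prod VPC" 3
  T.putStrLn $ case outcome of
    Updated _ -> "description updated"
    NoToken -> "no update token returned; refusing to write unconditionally"
    StillConflicting -> "firewall kept changing; gave up after 3 attempts"
```

The same read, conditional write, re-read loop applies to UpdateFirewallPolicy and UpdateRuleGroup, where the page describes the token as the way to make changes rather than as optional.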
data UpdateFirewallDescriptionResponse Source #
See: newUpdateFirewallDescriptionResponse
smart constructor.
Instances
newUpdateFirewallDescriptionResponse Source #
Create a value of UpdateFirewallDescriptionResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallDescription
, updateFirewallDescriptionResponse_description
- A description of the firewall.
UpdateFirewallDescription
, updateFirewallDescriptionResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
UpdateFirewallDescription
, updateFirewallDescriptionResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
UpdateFirewallDescription
, updateFirewallDescriptionResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:UpdateFirewallDescriptionResponse'
, updateFirewallDescriptionResponse_httpStatus
- The response's http status code.
UpdateFirewallEncryptionConfiguration
data UpdateFirewallEncryptionConfiguration Source #
See: newUpdateFirewallEncryptionConfiguration
smart constructor.
UpdateFirewallEncryptionConfiguration' (Maybe EncryptionConfiguration) (Maybe Text) (Maybe Text) (Maybe Text)
Instances
newUpdateFirewallEncryptionConfiguration :: UpdateFirewallEncryptionConfiguration Source #
Create a value of UpdateFirewallEncryptionConfiguration
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallEncryptionConfiguration
, updateFirewallEncryptionConfiguration_encryptionConfiguration
- Undocumented member.
UpdateFirewallEncryptionConfiguration
, updateFirewallEncryptionConfiguration_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
UpdateFirewallEncryptionConfiguration
, updateFirewallEncryptionConfiguration_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
UpdateFirewallEncryptionConfiguration
, updateFirewallEncryptionConfiguration_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
data UpdateFirewallEncryptionConfigurationResponse Source #
See: newUpdateFirewallEncryptionConfigurationResponse
smart constructor.
UpdateFirewallEncryptionConfigurationResponse' (Maybe EncryptionConfiguration) (Maybe Text) (Maybe Text) (Maybe Text) Int
Instances
newUpdateFirewallEncryptionConfigurationResponse Source #
:: Int
-> UpdateFirewallEncryptionConfigurationResponse
Create a value of UpdateFirewallEncryptionConfigurationResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallEncryptionConfiguration
, updateFirewallEncryptionConfigurationResponse_encryptionConfiguration
- Undocumented member.
UpdateFirewallEncryptionConfiguration
, updateFirewallEncryptionConfigurationResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
UpdateFirewallEncryptionConfiguration
, updateFirewallEncryptionConfigurationResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
UpdateFirewallEncryptionConfiguration
, updateFirewallEncryptionConfigurationResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:UpdateFirewallEncryptionConfigurationResponse'
, updateFirewallEncryptionConfigurationResponse_httpStatus
- The response's http status code.
UpdateFirewallPolicy
data UpdateFirewallPolicy Source #
See: newUpdateFirewallPolicy
smart constructor.
UpdateFirewallPolicy' (Maybe Text) (Maybe Bool) (Maybe EncryptionConfiguration) (Maybe Text) (Maybe Text) Text FirewallPolicy
Instances
newUpdateFirewallPolicy Source #
Create a value of UpdateFirewallPolicy
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallPolicy
, updateFirewallPolicy_description
- A description of the firewall policy.
$sel:dryRun:UpdateFirewallPolicy'
, updateFirewallPolicy_dryRun
- Indicates whether you want Network Firewall to just check the validity
of the request, rather than run the request.
If set to TRUE, Network Firewall checks whether the request can run
successfully, but doesn't actually make the requested changes. The call
returns the value that the request would return if you ran it with dry
run set to FALSE, but doesn't make additions or changes to your
resources. This option allows you to make sure that you have the
required permissions to run the request and that your request parameters
are valid.
If set to FALSE, Network Firewall makes the requested changes to your
resources.
UpdateFirewallPolicy
, updateFirewallPolicy_encryptionConfiguration
- A complex type that contains settings for encryption of your firewall
policy resources.
UpdateFirewallPolicy
, updateFirewallPolicy_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
You must specify the ARN or the name, and you can specify both.
UpdateFirewallPolicy
, updateFirewallPolicy_firewallPolicyName
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
You must specify the ARN or the name, and you can specify both.
UpdateFirewallPolicy
, updateFirewallPolicy_updateToken
- A token used for optimistic locking. Network Firewall returns a token to
your requests that access the firewall policy. The token marks the state
of the policy resource at the time of the request.
To make changes to the policy, you provide the token in your request.
Network Firewall uses the token to ensure that the policy hasn't
changed since you last retrieved it. If it has changed, the operation
fails with an InvalidTokenException. If this happens, retrieve the
firewall policy again to get a current copy of it with a current token.
Reapply your changes as needed, then try the operation again using the
new token.
$sel:firewallPolicy:UpdateFirewallPolicy'
, updateFirewallPolicy_firewallPolicy
- The updated firewall policy to use for the firewall.
data UpdateFirewallPolicyResponse Source #
See: newUpdateFirewallPolicyResponse
smart constructor.
Instances
newUpdateFirewallPolicyResponse Source #
Create a value of UpdateFirewallPolicyResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:UpdateFirewallPolicyResponse'
, updateFirewallPolicyResponse_httpStatus
- The response's http status code.
UpdateFirewallPolicy
, updateFirewallPolicyResponse_updateToken
- A token used for optimistic locking. Network Firewall returns a token to
your requests that access the firewall policy. The token marks the state
of the policy resource at the time of the request.
To make changes to the policy, you provide the token in your request.
Network Firewall uses the token to ensure that the policy hasn't
changed since you last retrieved it. If it has changed, the operation
fails with an InvalidTokenException. If this happens, retrieve the
firewall policy again to get a current copy of it with a current token.
Reapply your changes as needed, then try the operation again using the
new token.
$sel:firewallPolicyResponse:UpdateFirewallPolicyResponse'
, updateFirewallPolicyResponse_firewallPolicyResponse
- The high-level properties of a firewall policy. This, along with the
FirewallPolicy, defines the policy. You can retrieve all objects for a
firewall policy by calling DescribeFirewallPolicy.
UpdateFirewallPolicyChangeProtection
data UpdateFirewallPolicyChangeProtection Source #
See: newUpdateFirewallPolicyChangeProtection
smart constructor.
Instances
newUpdateFirewallPolicyChangeProtection Source #
Create a value of UpdateFirewallPolicyChangeProtection
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallPolicyChangeProtection
, updateFirewallPolicyChangeProtection_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
UpdateFirewallPolicyChangeProtection
, updateFirewallPolicyChangeProtection_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
UpdateFirewallPolicyChangeProtection
, updateFirewallPolicyChangeProtection_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
UpdateFirewallPolicyChangeProtection
, updateFirewallPolicyChangeProtection_firewallPolicyChangeProtection
- A setting indicating whether the firewall is protected against a change
to the firewall policy association. Use this setting to protect against
accidentally modifying the firewall policy for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE.
data UpdateFirewallPolicyChangeProtectionResponse Source #
See: newUpdateFirewallPolicyChangeProtectionResponse
smart constructor.
UpdateFirewallPolicyChangeProtectionResponse' (Maybe Text) (Maybe Text) (Maybe Bool) (Maybe Text) Int
Instances
newUpdateFirewallPolicyChangeProtectionResponse Source #
:: Int
-> UpdateFirewallPolicyChangeProtectionResponse
Create a value of UpdateFirewallPolicyChangeProtectionResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateFirewallPolicyChangeProtection
, updateFirewallPolicyChangeProtectionResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
UpdateFirewallPolicyChangeProtection
, updateFirewallPolicyChangeProtectionResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
UpdateFirewallPolicyChangeProtection
, updateFirewallPolicyChangeProtectionResponse_firewallPolicyChangeProtection
- A setting indicating whether the firewall is protected against a change
to the firewall policy association. Use this setting to protect against
accidentally modifying the firewall policy for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE.
UpdateFirewallPolicyChangeProtection
, updateFirewallPolicyChangeProtectionResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:UpdateFirewallPolicyChangeProtectionResponse'
, updateFirewallPolicyChangeProtectionResponse_httpStatus
- The response's http status code.
UpdateLoggingConfiguration
data UpdateLoggingConfiguration Source #
See: newUpdateLoggingConfiguration
smart constructor.
Instances
newUpdateLoggingConfiguration :: UpdateLoggingConfiguration Source #
Create a value of UpdateLoggingConfiguration
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateLoggingConfiguration
, updateLoggingConfiguration_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
UpdateLoggingConfiguration
, updateLoggingConfiguration_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
UpdateLoggingConfiguration
, updateLoggingConfiguration_loggingConfiguration
- Defines how Network Firewall performs logging for a firewall. If you
omit this setting, Network Firewall disables logging for the firewall.
data UpdateLoggingConfigurationResponse Source #
See: newUpdateLoggingConfigurationResponse
smart constructor.
Instances
newUpdateLoggingConfigurationResponse Source #
Create a value of UpdateLoggingConfigurationResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateLoggingConfiguration
, updateLoggingConfigurationResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
UpdateLoggingConfiguration
, updateLoggingConfigurationResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
UpdateLoggingConfiguration
, updateLoggingConfigurationResponse_loggingConfiguration
- Undocumented member.
$sel:httpStatus:UpdateLoggingConfigurationResponse'
, updateLoggingConfigurationResponse_httpStatus
- The response's http status code.
UpdateRuleGroup
data UpdateRuleGroup Source #
See: newUpdateRuleGroup
smart constructor.
UpdateRuleGroup' (Maybe Text) (Maybe Bool) (Maybe EncryptionConfiguration) (Maybe RuleGroup) (Maybe Text) (Maybe Text) (Maybe Text) (Maybe SourceMetadata) (Maybe RuleGroupType) Text
Instances
Create a value of UpdateRuleGroup
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateRuleGroup
, updateRuleGroup_description
- A description of the rule group.
$sel:dryRun:UpdateRuleGroup'
, updateRuleGroup_dryRun
- Indicates whether you want Network Firewall to just check the validity
of the request, rather than run the request.
If set to TRUE, Network Firewall checks whether the request can run
successfully, but doesn't actually make the requested changes. The call
returns the value that the request would return if you ran it with dry
run set to FALSE, but doesn't make additions or changes to your
resources. This option allows you to make sure that you have the
required permissions to run the request and that your request parameters
are valid.
If set to FALSE, Network Firewall makes the requested changes to your
resources.
UpdateRuleGroup
, updateRuleGroup_encryptionConfiguration
- A complex type that contains settings for encryption of your rule group
resources.
$sel:ruleGroup:UpdateRuleGroup'
, updateRuleGroup_ruleGroup
- An object that defines the rule group rules.
You must provide either this rule group setting or a Rules setting,
but not both.
UpdateRuleGroup
, updateRuleGroup_ruleGroupArn
- The Amazon Resource Name (ARN) of the rule group.
You must specify the ARN or the name, and you can specify both.
UpdateRuleGroup
, updateRuleGroup_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
You must specify the ARN or the name, and you can specify both.
$sel:rules:UpdateRuleGroup'
, updateRuleGroup_rules
- A string containing stateful rule group rules specifications in Suricata
flat format, with one rule per line. Use this to import your existing
Suricata compatible rule groups.
You must provide either this rules setting or a populated RuleGroup setting, but not both.
You can provide your rule group specification in Suricata flat format through this setting when you create or update your rule group. The call response returns a RuleGroup object that Network Firewall has populated from your string.
UpdateRuleGroup
, updateRuleGroup_sourceMetadata
- A complex type that contains metadata about the rule group that your own
rule group is copied from. You can use the metadata to keep track of
updates made to the originating rule group.
UpdateRuleGroup
, updateRuleGroup_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
This setting is required for requests that do not include the
RuleGroupARN.
UpdateRuleGroup
, updateRuleGroup_updateToken
- A token used for optimistic locking. Network Firewall returns a token to
your requests that access the rule group. The token marks the state of
the rule group resource at the time of the request.
To make changes to the rule group, you provide the token in your
request. Network Firewall uses the token to ensure that the rule group
hasn't changed since you last retrieved it. If it has changed, the
operation fails with an InvalidTokenException. If this happens,
retrieve the rule group again to get a current copy of it with a current
token. Reapply your changes as needed, then try the operation again
using the new token.
data UpdateRuleGroupResponse Source #
See: newUpdateRuleGroupResponse
smart constructor.
Instances
newUpdateRuleGroupResponse Source #
:: Int
-> Text
-> RuleGroupResponse
-> UpdateRuleGroupResponse
Create a value of UpdateRuleGroupResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:UpdateRuleGroupResponse'
, updateRuleGroupResponse_httpStatus
- The response's http status code.
UpdateRuleGroup
, updateRuleGroupResponse_updateToken
- A token used for optimistic locking. Network Firewall returns a token to
your requests that access the rule group. The token marks the state of
the rule group resource at the time of the request.
To make changes to the rule group, you provide the token in your
request. Network Firewall uses the token to ensure that the rule group
hasn't changed since you last retrieved it. If it has changed, the
operation fails with an InvalidTokenException. If this happens,
retrieve the rule group again to get a current copy of it with a current
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:ruleGroupResponse:UpdateRuleGroupResponse'
, updateRuleGroupResponse_ruleGroupResponse
- The high-level properties of a rule group. This, along with the
RuleGroup, defines the rule group. You can retrieve all objects for a
rule group by calling DescribeRuleGroup.
UpdateSubnetChangeProtection
data UpdateSubnetChangeProtection Source #
See: newUpdateSubnetChangeProtection
smart constructor.
Instances
newUpdateSubnetChangeProtection Source #
Create a value of UpdateSubnetChangeProtection
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateSubnetChangeProtection
, updateSubnetChangeProtection_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
You must specify the ARN or the name, and you can specify both.
UpdateSubnetChangeProtection
, updateSubnetChangeProtection_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
You must specify the ARN or the name, and you can specify both.
UpdateSubnetChangeProtection
, updateSubnetChangeProtection_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
UpdateSubnetChangeProtection
, updateSubnetChangeProtection_subnetChangeProtection
- A setting indicating whether the firewall is protected against changes
to the subnet associations. Use this setting to protect against
accidentally modifying the subnet associations for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE.
data UpdateSubnetChangeProtectionResponse Source #
See: newUpdateSubnetChangeProtectionResponse
smart constructor.
Instances
newUpdateSubnetChangeProtectionResponse Source #
Create a value of UpdateSubnetChangeProtectionResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateSubnetChangeProtection
, updateSubnetChangeProtectionResponse_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
UpdateSubnetChangeProtection
, updateSubnetChangeProtectionResponse_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
UpdateSubnetChangeProtection
, updateSubnetChangeProtectionResponse_subnetChangeProtection
- A setting indicating whether the firewall is protected against changes
to the subnet associations. Use this setting to protect against
accidentally modifying the subnet associations for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE.
UpdateSubnetChangeProtection
, updateSubnetChangeProtectionResponse_updateToken
- An optional token that you can use for optimistic locking. Network
Firewall returns a token to your requests that access the firewall. The
token marks the state of the firewall resource at the time of the
request.
To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.
To make a conditional change to the firewall, provide the token in your
update request. Network Firewall uses the token to ensure that the
firewall hasn't changed since you last retrieved it. If it has changed,
the operation fails with an InvalidTokenException. If this happens,
retrieve the firewall again to get a current copy of it with a new
token. Reapply your changes as needed, then try the operation again
using the new token.
$sel:httpStatus:UpdateSubnetChangeProtectionResponse'
, updateSubnetChangeProtectionResponse_httpStatus
- The response's http status code.
Types
AttachmentStatus
newtype AttachmentStatus Source #
pattern AttachmentStatus_CREATING :: AttachmentStatus
pattern AttachmentStatus_DELETING :: AttachmentStatus
pattern AttachmentStatus_READY :: AttachmentStatus
pattern AttachmentStatus_SCALING :: AttachmentStatus
Instances
ConfigurationSyncState
newtype ConfigurationSyncState Source #
Instances
EncryptionType
newtype EncryptionType Source #
pattern EncryptionType_AWS_OWNED_KMS_KEY :: EncryptionType
pattern EncryptionType_CUSTOMER_KMS :: EncryptionType
Instances
FirewallStatusValue
newtype FirewallStatusValue Source #
pattern FirewallStatusValue_DELETING :: FirewallStatusValue
pattern FirewallStatusValue_PROVISIONING :: FirewallStatusValue
pattern FirewallStatusValue_READY :: FirewallStatusValue
Instances
GeneratedRulesType
newtype GeneratedRulesType Source #
pattern GeneratedRulesType_ALLOWLIST :: GeneratedRulesType
pattern GeneratedRulesType_DENYLIST :: GeneratedRulesType
Instances
LogDestinationType
newtype LogDestinationType Source #
pattern LogDestinationType_CloudWatchLogs :: LogDestinationType
pattern LogDestinationType_KinesisDataFirehose :: LogDestinationType
pattern LogDestinationType_S3 :: LogDestinationType
Instances
LogType
pattern LogType_ALERT :: LogType
pattern LogType_FLOW :: LogType
Instances
OverrideAction
newtype OverrideAction Source #
pattern OverrideAction_DROP_TO_ALERT :: OverrideAction
Instances
PerObjectSyncStatus
newtype PerObjectSyncStatus Source #
pattern PerObjectSyncStatus_CAPACITY_CONSTRAINED :: PerObjectSyncStatus
pattern PerObjectSyncStatus_IN_SYNC :: PerObjectSyncStatus
pattern PerObjectSyncStatus_PENDING :: PerObjectSyncStatus
Instances
ResourceManagedStatus
newtype ResourceManagedStatus Source #
pattern ResourceManagedStatus_ACCOUNT :: ResourceManagedStatus
pattern ResourceManagedStatus_MANAGED :: ResourceManagedStatus
Instances
ResourceManagedType
newtype ResourceManagedType Source #
pattern ResourceManagedType_AWS_MANAGED_DOMAIN_LISTS :: ResourceManagedType
pattern ResourceManagedType_AWS_MANAGED_THREAT_SIGNATURES :: ResourceManagedType
Instances
ResourceStatus
newtype ResourceStatus Source #
pattern ResourceStatus_ACTIVE :: ResourceStatus
pattern ResourceStatus_DELETING :: ResourceStatus
Instances
RuleGroupType
newtype RuleGroupType Source #
pattern RuleGroupType_STATEFUL :: RuleGroupType
pattern RuleGroupType_STATELESS :: RuleGroupType
Instances
RuleOrder
pattern RuleOrder_DEFAULT_ACTION_ORDER :: RuleOrder
pattern RuleOrder_STRICT_ORDER :: RuleOrder
Instances
StatefulAction
newtype StatefulAction Source #
pattern StatefulAction_ALERT :: StatefulAction
pattern StatefulAction_DROP :: StatefulAction
pattern StatefulAction_PASS :: StatefulAction
Instances
StatefulRuleDirection
newtype StatefulRuleDirection Source #
pattern StatefulRuleDirection_ANY :: StatefulRuleDirection
pattern StatefulRuleDirection_FORWARD :: StatefulRuleDirection
Instances
StatefulRuleProtocol
newtype StatefulRuleProtocol Source #
Instances
StreamExceptionPolicy
newtype StreamExceptionPolicy Source #
pattern StreamExceptionPolicy_CONTINUE :: StreamExceptionPolicy | |
pattern StreamExceptionPolicy_DROP :: StreamExceptionPolicy |
Instances
TCPFlag
pattern TCPFlag_ACK :: TCPFlag | |
pattern TCPFlag_CWR :: TCPFlag | |
pattern TCPFlag_ECE :: TCPFlag | |
pattern TCPFlag_FIN :: TCPFlag | |
pattern TCPFlag_PSH :: TCPFlag | |
pattern TCPFlag_RST :: TCPFlag | |
pattern TCPFlag_SYN :: TCPFlag | |
pattern TCPFlag_URG :: TCPFlag |
Instances
TargetType
newtype TargetType Source #
pattern TargetType_HTTP_HOST :: TargetType | |
pattern TargetType_TLS_SNI :: TargetType |
Instances
ActionDefinition
data ActionDefinition Source #
A custom action to use in stateless rule actions settings. This is used in CustomAction.
See: newActionDefinition
smart constructor.
Instances
newActionDefinition :: ActionDefinition Source #
Create a value of ActionDefinition
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:publishMetricAction:ActionDefinition'
, actionDefinition_publishMetricAction
- Stateless inspection criteria that publishes the specified metrics to
Amazon CloudWatch for the matching packet. This setting defines a
CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
Address
A single IP address specification. This is used in the MatchAttributes source and destination specifications.
See: newAddress
smart constructor.
Instances
FromJSON Address Source # | |
ToJSON Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
Generic Address Source # | |
Read Address Source # | |
Show Address Source # | |
NFData Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
Eq Address Source # | |
Hashable Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
type Rep Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address type Rep Address = D1 ('MetaData "Address" "Amazonka.NetworkFirewall.Types.Address" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "Address'" 'PrefixI 'True) (S1 ('MetaSel ('Just "addressDefinition") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))) |
Create a value of Address
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:addressDefinition:Address'
, address_addressDefinition
- Specify an IP address or a block of IP addresses in Classless
Inter-Domain Routing (CIDR) notation. Network Firewall supports all
address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
Attachment
data Attachment Source #
The configuration and status for a single subnet that you've specified for use by the Network Firewall firewall. This is part of the FirewallStatus.
See: newAttachment
smart constructor.
Attachment' (Maybe Text) (Maybe AttachmentStatus) (Maybe Text) (Maybe Text) |
Instances
newAttachment :: Attachment Source #
Create a value of Attachment
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:endpointId:Attachment'
, attachment_endpointId
- The identifier of the firewall endpoint that Network Firewall has
instantiated in the subnet. You use this to identify the firewall
endpoint in the VPC route tables, when you redirect the VPC traffic
through the endpoint.
$sel:status:Attachment'
, attachment_status
- The current status of the firewall endpoint in the subnet. This value
reflects both the instantiation of the endpoint in the VPC subnet and
the sync states that are reported in the Config settings. When this
value is READY, the endpoint is available and configured properly to
handle network traffic. When the endpoint isn't available for traffic,
this value will reflect its state, for example CREATING or DELETING.
$sel:statusMessage:Attachment'
, attachment_statusMessage
- If Network Firewall fails to create or delete the firewall endpoint in
the subnet, it populates this with the reason for the failure and how to
resolve it. Depending on the error, it can take as many as 15 minutes to
populate this field. For more information about the errors and solutions
available for this field, see Troubleshooting firewall endpoint failures
in the Network Firewall Developer Guide.
$sel:subnetId:Attachment'
, attachment_subnetId
- The unique identifier of the subnet that you've specified to be used
for a firewall endpoint.
CIDRSummary
data CIDRSummary Source #
Summarizes the CIDR blocks used by the IP set references in a firewall. Network Firewall calculates the number of CIDRs by taking an aggregated count of all CIDRs used by the IP sets you are referencing.
See: newCIDRSummary
smart constructor.
Instances
newCIDRSummary :: CIDRSummary Source #
Create a value of CIDRSummary
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:availableCIDRCount:CIDRSummary'
, cIDRSummary_availableCIDRCount
- The number of CIDR blocks available for use by the IP set references in
a firewall.
$sel:iPSetReferences:CIDRSummary'
, cIDRSummary_iPSetReferences
- The list of the IP set references used by a firewall.
$sel:utilizedCIDRCount:CIDRSummary'
, cIDRSummary_utilizedCIDRCount
- The number of CIDR blocks used by the IP set references in a firewall.
CapacityUsageSummary
data CapacityUsageSummary Source #
The capacity usage summary of the resources used by the ReferenceSets in a firewall.
See: newCapacityUsageSummary
smart constructor.
Instances
newCapacityUsageSummary :: CapacityUsageSummary Source #
Create a value of CapacityUsageSummary
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:cIDRs:CapacityUsageSummary'
, capacityUsageSummary_cIDRs
- Describes the capacity usage of the CIDR blocks used by the IP set
references in a firewall.
CustomAction
data CustomAction Source #
An optional, non-standard action to use for stateless packet handling. You can define this in addition to the standard action that you must specify.
You define and name the custom actions that you want to be able to use, and then you reference them by name in your actions settings.
You can use custom actions in the following places:
- In a rule group's StatelessRulesAndCustomActions specification. The custom actions are available for use by name inside the StatelessRulesAndCustomActions where you define them. You can use them for your stateless rule actions to specify what to do with a packet that matches the rule's match attributes.
- In a FirewallPolicy specification, in StatelessCustomActions. The custom actions are available for use inside the policy where you define them. You can use them for the policy's default stateless actions settings to specify what to do with packets that don't match any of the policy's stateless rules.
See: newCustomAction
smart constructor.
Instances
:: Text | |
-> ActionDefinition | |
-> CustomAction |
Create a value of CustomAction
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:actionName:CustomAction'
, customAction_actionName
- The descriptive name of the custom action. You can't change the name of
a custom action after you create it.
$sel:actionDefinition:CustomAction'
, customAction_actionDefinition
- The custom action associated with the action name.
Dimension
The value to use in an Amazon CloudWatch custom metric dimension. This
is used in the PublishMetrics CustomAction. A CloudWatch custom metric
dimension is a name/value pair that's part of the identity of a
metric.
Network Firewall sets the dimension name to CustomAction and you
provide the dimension value.
For more information about CloudWatch custom metric dimensions, see Publishing Custom Metrics in the Amazon CloudWatch User Guide.
See: newDimension
smart constructor.
Instances
FromJSON Dimension Source # | |
ToJSON Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
Generic Dimension Source # | |
Read Dimension Source # | |
Show Dimension Source # | |
NFData Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
Eq Dimension Source # | |
Hashable Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
type Rep Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension |
Create a value of Dimension
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:value:Dimension'
, dimension_value
- The value to use in the custom metric dimension.
EncryptionConfiguration
data EncryptionConfiguration Source #
A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see Encryption at rest with Amazon Web Services Key Management Service in the Network Firewall Developer Guide.
See: newEncryptionConfiguration
smart constructor.
Instances
newEncryptionConfiguration Source #
Create a value of EncryptionConfiguration
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:keyId:EncryptionConfiguration'
, encryptionConfiguration_keyId
- The ID of the Amazon Web Services Key Management Service (KMS) customer
managed key. You can use any of the key identifiers that KMS supports,
unless you're using a key that's managed by another account. If
you're using a key managed by another account, then specify the key
ARN. For more information, see Key ID in the Amazon Web Services KMS
Developer Guide.
$sel:type':EncryptionConfiguration'
, encryptionConfiguration_type
- The type of Amazon Web Services KMS key to use for encryption of your
Network Firewall resources.
Firewall
The firewall defines the configuration settings for a Network Firewall firewall. These settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall Amazon Web Services resource.
The status of the firewall, for example whether it's ready to filter network traffic, is provided in the corresponding FirewallStatus. You can retrieve both objects by calling DescribeFirewall.
See: newFirewall
smart constructor.
Firewall' (Maybe Bool) (Maybe Text) (Maybe EncryptionConfiguration) (Maybe Text) (Maybe Text) (Maybe Bool) (Maybe Bool) (Maybe (NonEmpty Tag)) Text Text [SubnetMapping] Text |
Instances
Create a value of Firewall
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:deleteProtection:Firewall'
, firewall_deleteProtection
- A flag indicating whether it is possible to delete the firewall. A
setting of TRUE indicates that the firewall is protected against
deletion. Use this setting to protect against accidentally deleting a
firewall that is in use. When you create a firewall, the operation
initializes this flag to TRUE.
$sel:description:Firewall'
, firewall_description
- A description of the firewall.
$sel:encryptionConfiguration:Firewall'
, firewall_encryptionConfiguration
- A complex type that contains the Amazon Web Services KMS encryption
configuration settings for your firewall.
$sel:firewallArn:Firewall'
, firewall_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
$sel:firewallName:Firewall'
, firewall_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
$sel:firewallPolicyChangeProtection:Firewall'
, firewall_firewallPolicyChangeProtection
- A setting indicating whether the firewall is protected against a change
to the firewall policy association. Use this setting to protect against
accidentally modifying the firewall policy for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE.
$sel:subnetChangeProtection:Firewall'
, firewall_subnetChangeProtection
- A setting indicating whether the firewall is protected against changes
to the subnet associations. Use this setting to protect against
accidentally modifying the subnet associations for a firewall that is in
use. When you create a firewall, the operation initializes this setting
to TRUE.
$sel:tags:Firewall'
, firewall_tags
-
$sel:firewallPolicyArn:Firewall'
, firewall_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.
$sel:vpcId:Firewall'
, firewall_vpcId
- The unique identifier of the VPC where the firewall is in use.
$sel:subnetMappings:Firewall'
, firewall_subnetMappings
- The public subnets that Network Firewall is using for the firewall. Each
subnet must belong to a different Availability Zone.
$sel:firewallId:Firewall'
, firewall_firewallId
- The unique identifier for the firewall.
FirewallMetadata
data FirewallMetadata Source #
High-level information about a firewall, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a firewall.
See: newFirewallMetadata
smart constructor.
Instances
newFirewallMetadata :: FirewallMetadata Source #
Create a value of FirewallMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewallArn:FirewallMetadata'
, firewallMetadata_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
$sel:firewallName:FirewallMetadata'
, firewallMetadata_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
FirewallPolicy
data FirewallPolicy Source #
The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.
This, along with FirewallPolicyResponse, defines the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicy
smart constructor.
FirewallPolicy' (Maybe [Text]) (Maybe StatefulEngineOptions) (Maybe [StatefulRuleGroupReference]) (Maybe [CustomAction]) (Maybe [StatelessRuleGroupReference]) [Text] [Text] |
Instances
newFirewallPolicy :: FirewallPolicy Source #
Create a value of FirewallPolicy
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:statefulDefaultActions:FirewallPolicy'
, firewallPolicy_statefulDefaultActions
- The default actions to take on a packet that doesn't match any stateful
rules. The stateful default action is optional, and is only valid when
using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the Network Firewall Developer Guide.
$sel:statefulEngineOptions:FirewallPolicy'
, firewallPolicy_statefulEngineOptions
- Additional options governing how Network Firewall handles stateful
rules. The stateful rule groups that you use in your policy must have
stateful rule options settings that are compatible with these settings.
$sel:statefulRuleGroupReferences:FirewallPolicy'
, firewallPolicy_statefulRuleGroupReferences
- References to the stateful rule groups that are used in the policy.
These define the inspection criteria in stateful rules.
$sel:statelessCustomActions:FirewallPolicy'
, firewallPolicy_statelessCustomActions
- The custom action definitions that are available for use in the firewall
policy's StatelessDefaultActions setting. You name each custom action
that you define, and then you can use it by name in your default actions
specifications.
$sel:statelessRuleGroupReferences:FirewallPolicy'
, firewallPolicy_statelessRuleGroupReferences
- References to the stateless rule groups that are used in the policy.
These define the matching criteria in stateless rules.
$sel:statelessDefaultActions:FirewallPolicy'
, firewallPolicy_statelessDefaultActions
- The actions to take on a packet if it doesn't match any of the
stateless rules in the policy. If you want non-matching packets to be
forwarded for stateful inspection, specify aws:forward_to_sfe.
You must specify one of the standard actions: aws:pass, aws:drop, or
aws:forward_to_sfe. In addition, you can specify custom actions that
are compatible with your standard section choice.
For example, you could specify ["aws:pass"] or you could specify
["aws:pass", "customActionName"]. For information about
compatibility, see the custom action descriptions under CustomAction.
$sel:statelessFragmentDefaultActions:FirewallPolicy'
, firewallPolicy_statelessFragmentDefaultActions
- The actions to take on a fragmented UDP packet if it doesn't match any
of the stateless rules in the policy. Network Firewall only manages UDP
packet fragments and silently drops packet fragments for other
protocols. If you want non-matching fragmented UDP packets to be
forwarded for stateful inspection, specify aws:forward_to_sfe.
You must specify one of the standard actions: aws:pass, aws:drop, or
aws:forward_to_sfe. In addition, you can specify custom actions that
are compatible with your standard section choice.
For example, you could specify ["aws:pass"] or you could specify
["aws:pass", "customActionName"]. For information about
compatibility, see the custom action descriptions under CustomAction.
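A pre-deployment check for the default-action fields described above, added here as an example; it is not part of amazonka or of the generated documentation. It uses plain stand-in types rather than the amazonka records (PolicySketch, Finding and every function name are hypothetical), reads "one of the standard actions" as exactly one, and runs on constructed sample policies.

```haskell
module Main (main) where

import Data.List (nub, partition)

-- Constructed stand-ins for the FirewallPolicy fields documented above.
-- These are NOT the amazonka record types; all names here are hypothetical.
data Order = DefaultActionOrder | StrictOrder
  deriving (Eq, Show)

data PolicySketch = PolicySketch
  { ruleOrder         :: Order      -- rule order of the stateful engine
  , statefulDefaults  :: [String]   -- statefulDefaultActions
  , customActionNames :: [String]   -- names defined in statelessCustomActions
  , statelessDefaults :: [String]   -- statelessDefaultActions
  , fragmentDefaults  :: [String]   -- statelessFragmentDefaultActions
  }

data Severity = Error | Note
  deriving (Eq, Show)

data Finding = Finding Severity String
  deriving (Eq, Show)

standardStateless :: [String]
standardStateless = ["aws:pass", "aws:drop", "aws:forward_to_sfe"]

validStatefulDefaults :: [String]
validStatefulDefaults =
  [ "aws:drop_strict", "aws:drop_established"
  , "aws:alert_strict", "aws:alert_established" ]

-- Stateful default actions are optional, only valid with strict rule order,
-- and must come from the documented list of values.
checkStateful :: Order -> [String] -> [Finding]
checkStateful order actions = orderCheck ++ valueCheck
  where
    orderCheck
      | not (null actions) && order /= StrictOrder =
          [ Finding Error "statefulDefaultActions: only valid with strict rule order" ]
      | otherwise = []
    valueCheck =
      [ Finding Error ("statefulDefaultActions: " ++ show a ++ " is not a valid value")
      | a <- nub actions, a `notElem` validStatefulDefaults ]

-- A stateless default-action list needs one standard action; every other
-- entry must name a custom action defined in the same policy.
checkStateless :: String -> [String] -> [String] -> [Finding]
checkStateless field defined actions = standardCheck ++ customCheck ++ bypassNote
  where
    (standard, custom) = partition (`elem` standardStateless) actions
    standardCheck
      | length standard == 1 = []
      | otherwise =
          [ Finding Error (field ++ ": need exactly one standard action, found " ++ show standard) ]
    customCheck =
      [ Finding Error (field ++ ": custom action " ++ show a ++ " is not defined in statelessCustomActions")
      | a <- nub custom, a `notElem` defined ]
    -- aws:pass ends inspection, so unmatched packets never reach stateful rules.
    bypassNote
      | standard == ["aws:pass"] =
          [ Finding Note (field ++ ": non-matching packets pass without stateful inspection") ]
      | otherwise = []

validate :: PolicySketch -> [Finding]
validate p =
  checkStateful (ruleOrder p) (statefulDefaults p)
    ++ checkStateless "statelessDefaultActions" (customActionNames p) (statelessDefaults p)
    ++ checkStateless "statelessFragmentDefaultActions" (customActionNames p) (fragmentDefaults p)

-- Constructed sample: consistent policy, expected to produce no findings.
goodPolicy :: PolicySketch
goodPolicy = PolicySketch
  { ruleOrder         = StrictOrder
  , statefulDefaults  = ["aws:drop_established"]
  , customActionNames = ["countUnmatched"]
  , statelessDefaults = ["aws:forward_to_sfe", "countUnmatched"]
  , fragmentDefaults  = ["aws:drop"]
  }

-- Constructed sample: stateful default without strict order, two standard
-- actions, an undefined custom action, and fragments that bypass inspection.
badPolicy :: PolicySketch
badPolicy = PolicySketch
  { ruleOrder         = DefaultActionOrder
  , statefulDefaults  = ["aws:drop_strict"]
  , customActionNames = []
  , statelessDefaults = ["aws:pass", "aws:drop", "logIt"]
  , fragmentDefaults  = ["aws:pass"]
  }

main :: IO ()
main = do
  putStrLn "goodPolicy:"
  mapM_ print (validate goodPolicy)
  putStrLn "badPolicy:"
  mapM_ print (validate badPolicy)
```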
FirewallPolicyMetadata
data FirewallPolicyMetadata Source #
High-level information about a firewall policy, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a firewall policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicyMetadata
smart constructor.
Instances
newFirewallPolicyMetadata :: FirewallPolicyMetadata Source #
Create a value of FirewallPolicyMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:arn:FirewallPolicyMetadata'
, firewallPolicyMetadata_arn
- The Amazon Resource Name (ARN) of the firewall policy.
$sel:name:FirewallPolicyMetadata'
, firewallPolicyMetadata_name
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
FirewallPolicyResponse
data FirewallPolicyResponse Source #
The high-level properties of a firewall policy. This, along with the FirewallPolicy, defines the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicyResponse
smart constructor.
FirewallPolicyResponse' (Maybe Int) (Maybe Int) (Maybe Text) (Maybe EncryptionConfiguration) (Maybe ResourceStatus) (Maybe POSIX) (Maybe Int) (Maybe (NonEmpty Tag)) Text Text Text |
Instances
newFirewallPolicyResponse Source #
:: Text | |
-> Text | |
-> Text | |
-> FirewallPolicyResponse |
Create a value of FirewallPolicyResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:consumedStatefulRuleCapacity:FirewallPolicyResponse'
, firewallPolicyResponse_consumedStatefulRuleCapacity
- The number of capacity units currently consumed by the policy's
stateful rules.
$sel:consumedStatelessRuleCapacity:FirewallPolicyResponse'
, firewallPolicyResponse_consumedStatelessRuleCapacity
- The number of capacity units currently consumed by the policy's
stateless rules.
$sel:description:FirewallPolicyResponse'
, firewallPolicyResponse_description
- A description of the firewall policy.
$sel:encryptionConfiguration:FirewallPolicyResponse'
, firewallPolicyResponse_encryptionConfiguration
- A complex type that contains the Amazon Web Services KMS encryption
configuration settings for your firewall policy.
$sel:firewallPolicyStatus:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyStatus
- The current status of the firewall policy. You can retrieve this for a
firewall policy by calling DescribeFirewallPolicy and providing the
firewall policy's name or ARN.
$sel:lastModifiedTime:FirewallPolicyResponse'
, firewallPolicyResponse_lastModifiedTime
- The last time that the firewall policy was changed.
$sel:numberOfAssociations:FirewallPolicyResponse'
, firewallPolicyResponse_numberOfAssociations
- The number of firewalls that are associated with this firewall policy.
$sel:tags:FirewallPolicyResponse'
, firewallPolicyResponse_tags
- The key:value pairs to associate with the resource.
$sel:firewallPolicyName:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyName
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
$sel:firewallPolicyArn:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
If this response is for a create request that had DryRun set to
TRUE, then this ARN is a placeholder that isn't attached to a valid
resource.
$sel:firewallPolicyId:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyId
- The unique identifier for the firewall policy.
FirewallStatus
data FirewallStatus Source #
Detailed information about the current status of a Firewall. You can retrieve this for a firewall by calling DescribeFirewall and providing the firewall name and ARN.
See: newFirewallStatus
smart constructor.
FirewallStatus' (Maybe CapacityUsageSummary) (Maybe (HashMap Text SyncState)) FirewallStatusValue ConfigurationSyncState |
Instances
Create a value of FirewallStatus
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:capacityUsageSummary:FirewallStatus'
, firewallStatus_capacityUsageSummary
- Describes the capacity usage of the resources contained in a firewall's
reference sets. Network Firewall calculates the capacity usage by
taking an aggregated count of all of the resources used by all of the
reference sets in a firewall.
$sel:syncStates:FirewallStatus'
, firewallStatus_syncStates
- The subnets that you've configured for use by the Network Firewall
firewall. This contains one array element per Availability Zone where
you've configured a subnet. These objects provide details of the
information that is summarized in the ConfigurationSyncStateSummary
and Status, broken down by zone and configuration object.
$sel:status:FirewallStatus'
, firewallStatus_status
- The readiness of the configured firewall to handle network traffic
across all of the Availability Zones where you've configured it. This
setting is READY only when the ConfigurationSyncStateSummary value
is IN_SYNC and the Attachment Status values for all of the
configured subnets are READY.
$sel:configurationSyncStateSummary:FirewallStatus'
, firewallStatus_configurationSyncStateSummary
- The configuration sync state for the firewall. This summarizes the sync
states reported in the Config settings for all of the Availability
Zones where you have configured the firewall.
When you create a firewall or update its configuration, for example by adding a rule group to its firewall policy, Network Firewall distributes the configuration changes to all zones where the firewall is in use. This summary indicates whether the configuration changes have been applied everywhere.
This status must be IN_SYNC for the firewall to be ready for use, but
it doesn't indicate that the firewall is ready. The Status setting
indicates firewall readiness.
Header
The basic rule criteria for Network Firewall to use to inspect packet headers in stateful traffic flow inspection. Traffic flows that match the criteria are a match for the corresponding StatefulRule.
See: newHeader
smart constructor.
Instances
:: StatefulRuleProtocol | |
-> Text | |
-> Text | |
-> StatefulRuleDirection | |
-> Text | |
-> Text | |
-> Header |
Create a value of Header
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:protocol:Header'
, header_protocol
- The protocol to inspect for. To specify all, you can use IP, because
all traffic on Amazon Web Services and on the internet is IP.
$sel:source:Header'
, header_source
- The source IP address or address range to inspect for, in CIDR notation.
To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
$sel:sourcePort:Header'
, header_sourcePort
- The source port to inspect for. You can specify an individual port, for
example 1994 and you can specify a port range, for example
1990:1994. To match with any port, specify ANY.
$sel:direction:Header'
, header_direction
- The direction of traffic flow to inspect. If set to ANY, the
inspection matches bidirectional traffic, both from the source to the
destination and from the destination to the source. If set to FORWARD,
the inspection only matches traffic going from the source to the
destination.
$sel:destination:Header'
, header_destination
- The destination IP address or address range to inspect for, in CIDR
notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
$sel:destinationPort:Header'
, header_destinationPort
- The destination port to inspect for. You can specify an individual port,
for example 1994 and you can specify a port range, for example
1990:1994. To match with any port, specify ANY.
IPSet
A list of IP addresses and address ranges, in CIDR notation. This is part of a RuleVariables.
See: newIPSet
smart constructor.
Instances
FromJSON IPSet Source # | |
ToJSON IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
Generic IPSet Source # | |
Read IPSet Source # | |
Show IPSet Source # | |
NFData IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
Eq IPSet Source # | |
Hashable IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
type Rep IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet |
Create a value of IPSet
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:definition:IPSet'
, iPSet_definition
- The list of IP addresses and address ranges, in CIDR notation.
IPSetMetadata
data IPSetMetadata Source #
General information about the IP set.
See: newIPSetMetadata
smart constructor.
Instances
newIPSetMetadata :: IPSetMetadata Source #
Create a value of IPSetMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:resolvedCIDRCount:IPSetMetadata'
, iPSetMetadata_resolvedCIDRCount
- Describes the total number of CIDR blocks currently in use by the IP set
references in a firewall. To determine how many CIDR blocks are
available for you to use in a firewall, you can call
AvailableCIDRCount.
IPSetReference
data IPSetReference Source #
Configures one or more IP set references for a Suricata-compatible rule group. This is used in CreateRuleGroup or UpdateRuleGroup. An IP set reference is a rule variable that references a resource that you create and manage in another Amazon Web Services service, such as an Amazon VPC prefix list. Network Firewall IP set references enable you to dynamically update the contents of your rules. When you create, update, or delete the IP set you are referencing in your rule, Network Firewall automatically updates the rule's content with the changes. For more information about IP set references in Network Firewall, see Using IP set references in the Network Firewall Developer Guide.
Network Firewall currently supports only Amazon VPC prefix lists as IP set references.
See: newIPSetReference
smart constructor.
Instances
newIPSetReference :: IPSetReference Source #
Create a value of IPSetReference
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:referenceArn:IPSetReference'
, iPSetReference_referenceArn
- The Amazon Resource Name (ARN) of the resource that you are referencing
in your rule group.
LogDestinationConfig
data LogDestinationConfig Source #
Defines where Network Firewall sends logs for the firewall for one log type. This is used in LoggingConfiguration. You can send each type of log to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data Firehose delivery stream.
Network Firewall generates logs for stateful rule groups. You can save
alert and flow log types. The stateful rules engine records flow logs
for all network traffic that it receives. It records alert logs for
traffic that matches stateful rules that have the rule action set to
DROP or ALERT.
See: newLogDestinationConfig
smart constructor.
Instances
newLogDestinationConfig Source #
Create a value of LogDestinationConfig
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:logType:LogDestinationConfig'
, logDestinationConfig_logType
- The type of log to send. Alert logs report traffic that matches a
StatefulRule with an action setting that sends an alert log message.
Flow logs are standard network traffic flow logs.
$sel:logDestinationType:LogDestinationConfig'
, logDestinationConfig_logDestinationType
- The type of storage destination to send these logs to. You can send logs
to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data
Firehose delivery stream.
$sel:logDestination:LogDestinationConfig'
, logDestinationConfig_logDestination
- The named location for the logs, provided in a key:value mapping that is
specific to the chosen destination type.
For an Amazon S3 bucket, provide the name of the bucket, with key bucketName, and optionally provide a prefix, with key prefix. The following example specifies an Amazon S3 bucket named DOC-EXAMPLE-BUCKET and the prefix alerts:
"LogDestination": { "bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts" }
For a CloudWatch log group, provide the name of the CloudWatch log group, with key logGroup. The following example specifies a log group named alert-log-group:
"LogDestination": { "logGroup": "alert-log-group" }
For a Kinesis Data Firehose delivery stream, provide the name of the delivery stream, with key deliveryStream. The following example specifies a delivery stream named alert-delivery-stream:
"LogDestination": { "deliveryStream": "alert-delivery-stream" }
LoggingConfiguration
data LoggingConfiguration Source #
Defines how Network Firewall performs logging for a Firewall.
See: newLoggingConfiguration
smart constructor.
Instances
newLoggingConfiguration :: LoggingConfiguration Source #
Create a value of LoggingConfiguration
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:logDestinationConfigs:LoggingConfiguration'
, loggingConfiguration_logDestinationConfigs
- Defines the logging destinations for the logs for a firewall. Network
Firewall generates logs for stateful rule groups.
MatchAttributes
data MatchAttributes Source #
Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags.
See: newMatchAttributes
smart constructor.
MatchAttributes' (Maybe [PortRange]) (Maybe [Address]) (Maybe [Natural]) (Maybe [PortRange]) (Maybe [Address]) (Maybe [TCPFlagField]) |
Instances
newMatchAttributes :: MatchAttributes Source #
Create a value of MatchAttributes
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:destinationPorts:MatchAttributes'
, matchAttributes_destinationPorts
- The destination ports to inspect for. If not specified, this matches
with any destination port. This setting is only used for protocols 6
(TCP) and 17 (UDP).
You can specify individual ports, for example 1994, and you can specify
port ranges, for example 1990:1994.
$sel:destinations:MatchAttributes'
, matchAttributes_destinations
- The destination IP addresses and address ranges to inspect for, in CIDR
notation. If not specified, this matches with any destination address.
$sel:protocols:MatchAttributes'
, matchAttributes_protocols
- The protocols to inspect for, specified using each protocol's assigned
internet protocol number (IANA). If not specified, this matches with any
protocol.
$sel:sourcePorts:MatchAttributes'
, matchAttributes_sourcePorts
- The source ports to inspect for. If not specified, this matches with any
source port. This setting is only used for protocols 6 (TCP) and 17
(UDP).
You can specify individual ports, for example 1994, and you can specify
port ranges, for example 1990:1994.
$sel:sources:MatchAttributes'
, matchAttributes_sources
- The source IP addresses and address ranges to inspect for, in CIDR
notation. If not specified, this matches with any source address.
$sel:tCPFlags:MatchAttributes'
, matchAttributes_tCPFlags
- The TCP flags and masks to inspect for. If not specified, this matches
with any settings. This setting is only used for protocol 6 (TCP).
PerObjectStatus
data PerObjectStatus Source #
Provides configuration status for a single policy or rule group that is used for a firewall endpoint. Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Each time you add a subnet or modify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so it can properly filter network traffic. This is part of a SyncState for a firewall.
See: newPerObjectStatus
smart constructor.
Instances
newPerObjectStatus :: PerObjectStatus Source #
Create a value of PerObjectStatus
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:syncStatus:PerObjectStatus'
, perObjectStatus_syncStatus
- Indicates whether this object is in sync with the version indicated in
the update token.
$sel:updateToken:PerObjectStatus'
, perObjectStatus_updateToken
- The current version of the object that is either in sync or pending
synchronization.
PortRange
A single port range specification. This is used for source and
destination port ranges in the stateless rule MatchAttributes,
SourcePorts, and DestinationPorts settings.
See: newPortRange
smart constructor.
Instances
FromJSON PortRange Source #
ToJSON PortRange Source #
Defined in Amazonka.NetworkFirewall.Types.PortRange
Generic PortRange Source #
Read PortRange Source #
Show PortRange Source #
NFData PortRange Source #
Defined in Amazonka.NetworkFirewall.Types.PortRange
Eq PortRange Source #
Hashable PortRange Source #
Defined in Amazonka.NetworkFirewall.Types.PortRange
type Rep PortRange Source #
Defined in Amazonka.NetworkFirewall.Types.PortRange
type Rep PortRange = D1 ('MetaData "PortRange" "Amazonka.NetworkFirewall.Types.PortRange" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "PortRange'" 'PrefixI 'True) (S1 ('MetaSel ('Just "fromPort") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Natural) :*: S1 ('MetaSel ('Just "toPort") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Natural)))
Create a value of PortRange
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:fromPort:PortRange'
, portRange_fromPort
- The lower limit of the port range. This must be less than or equal to
the ToPort specification.
$sel:toPort:PortRange'
, portRange_toPort
- The upper limit of the port range. This must be greater than or equal to
the FromPort specification.
PortSet
A set of port ranges for use in the rules in a rule group.
See: newPortSet
smart constructor.
Instances
FromJSON PortSet Source #
ToJSON PortSet Source #
Defined in Amazonka.NetworkFirewall.Types.PortSet
Generic PortSet Source #
Read PortSet Source #
Show PortSet Source #
NFData PortSet Source #
Defined in Amazonka.NetworkFirewall.Types.PortSet
Eq PortSet Source #
Hashable PortSet Source #
Defined in Amazonka.NetworkFirewall.Types.PortSet
type Rep PortSet Source #
Defined in Amazonka.NetworkFirewall.Types.PortSet
type Rep PortSet = D1 ('MetaData "PortSet" "Amazonka.NetworkFirewall.Types.PortSet" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "PortSet'" 'PrefixI 'True) (S1 ('MetaSel ('Just "definition") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe [Text]))))
newPortSet :: PortSet Source #
Create a value of PortSet
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:definition:PortSet'
, portSet_definition
- The set of port ranges.
PublishMetricAction
data PublishMetricAction Source #
Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
See: newPublishMetricAction
smart constructor.
Instances
newPublishMetricAction Source #
Create a value of PublishMetricAction
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:dimensions:PublishMetricAction'
, publishMetricAction_dimensions
-
ReferenceSets
data ReferenceSets Source #
Contains a set of IP set references.
See: newReferenceSets
smart constructor.
Instances
newReferenceSets :: ReferenceSets Source #
Create a value of ReferenceSets
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:iPSetReferences:ReferenceSets'
, referenceSets_iPSetReferences
- The list of IP set references.
RuleDefinition
data RuleDefinition Source #
The inspection criteria and action for a single stateless rule. Network Firewall inspects each packet for the specified matching criteria. When a packet matches the criteria, Network Firewall performs the rule's actions on the packet.
See: newRuleDefinition
smart constructor.
Instances
Create a value of RuleDefinition
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:matchAttributes:RuleDefinition'
, ruleDefinition_matchAttributes
- Criteria for Network Firewall to use to inspect an individual packet in
stateless rule inspection. Each match attributes set can include one or
more items such as IP address, CIDR range, port number, protocol, and
TCP flags.
$sel:actions:RuleDefinition'
, ruleDefinition_actions
- The actions to take on a packet that matches one of the stateless rule
definition's match attributes. You must specify a standard action and
you can add custom actions.
Network Firewall only forwards a packet for stateful rule inspection if
you specify aws:forward_to_sfe for a rule that the packet matches, or
if the packet doesn't match any stateless rule and you specify
aws:forward_to_sfe for the StatelessDefaultActions setting for the
FirewallPolicy.
For every rule, you must specify exactly one of the following standard actions.
- aws:pass - Discontinues all inspection of the packet and permits it to go to its intended destination.
- aws:drop - Discontinues all inspection of the packet and blocks it from going to its intended destination.
- aws:forward_to_sfe - Discontinues stateless inspection of the packet and forwards it to the stateful rule engine for inspection.
Additionally, you can specify a custom action. To do this, you define a
custom action by name and type, then provide the name you've assigned
to the action in this Actions setting. For information about the
options, see CustomAction.
To provide more than one action in this setting, separate the settings
with a comma. For example, if you have a custom PublishMetrics action
that you've named MyMetricsAction, then you could specify the
standard action aws:pass and the custom action with
["aws:pass", "MyMetricsAction"].
RuleGroup
The object that defines the rules in a rule group. This, along with RuleGroupResponse, defines the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
Network Firewall uses a rule group to inspect and control network traffic. You define stateless rule groups to inspect individual packets and you define stateful rule groups to inspect packets in the context of their traffic flow.
To use a rule group, you include it by reference in a Network Firewall firewall policy, then you use the policy in a firewall. You can reference a rule group from more than one firewall policy, and you can use a firewall policy in more than one firewall.
See: newRuleGroup
smart constructor.
Instances
Create a value of RuleGroup
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:referenceSets:RuleGroup'
, ruleGroup_referenceSets
- The list of a rule group's reference sets.
$sel:ruleVariables:RuleGroup'
, ruleGroup_ruleVariables
- Settings that are available for use in the rules in the rule group. You
can only use these for stateful rule groups.
$sel:statefulRuleOptions:RuleGroup'
, ruleGroup_statefulRuleOptions
- Additional options governing how Network Firewall handles stateful
rules. The policies where you use your stateful rule group must have
stateful rule options settings that are compatible with these settings.
$sel:rulesSource:RuleGroup'
, ruleGroup_rulesSource
- The stateful rules or stateless rules for the rule group.
RuleGroupMetadata
data RuleGroupMetadata Source #
High-level information about a rule group, returned by ListRuleGroups. You can use the information provided in the metadata to retrieve and manage a rule group.
See: newRuleGroupMetadata
smart constructor.
Instances
newRuleGroupMetadata :: RuleGroupMetadata Source #
Create a value of RuleGroupMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:arn:RuleGroupMetadata'
, ruleGroupMetadata_arn
- The Amazon Resource Name (ARN) of the rule group.
$sel:name:RuleGroupMetadata'
, ruleGroupMetadata_name
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
RuleGroupResponse
data RuleGroupResponse Source #
The high-level properties of a rule group. This, along with the RuleGroup, defines the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
See: newRuleGroupResponse
smart constructor.
RuleGroupResponse' (Maybe Int) (Maybe Int) (Maybe Text) (Maybe EncryptionConfiguration) (Maybe POSIX) (Maybe Int) (Maybe ResourceStatus) (Maybe Text) (Maybe SourceMetadata) (Maybe (NonEmpty Tag)) (Maybe RuleGroupType) Text Text Text |
Instances
:: Text | |
-> Text | |
-> Text | |
-> RuleGroupResponse |
Create a value of RuleGroupResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:capacity:RuleGroupResponse'
, ruleGroupResponse_capacity
- The maximum operating resources that this rule group can use. Rule group
capacity is fixed at creation. When you update a rule group, you are
limited to this capacity. When you reference a rule group from a
firewall policy, Network Firewall reserves this capacity for the rule
group.
You can retrieve the capacity that would be required for a rule group
before you create the rule group by calling CreateRuleGroup with
DryRun set to TRUE.
$sel:consumedCapacity:RuleGroupResponse'
, ruleGroupResponse_consumedCapacity
- The number of capacity units currently consumed by the rule group rules.
$sel:description:RuleGroupResponse'
, ruleGroupResponse_description
- A description of the rule group.
$sel:encryptionConfiguration:RuleGroupResponse'
, ruleGroupResponse_encryptionConfiguration
- A complex type that contains the Amazon Web Services KMS encryption
configuration settings for your rule group.
$sel:lastModifiedTime:RuleGroupResponse'
, ruleGroupResponse_lastModifiedTime
- The last time that the rule group was changed.
$sel:numberOfAssociations:RuleGroupResponse'
, ruleGroupResponse_numberOfAssociations
- The number of firewall policies that use this rule group.
$sel:ruleGroupStatus:RuleGroupResponse'
, ruleGroupResponse_ruleGroupStatus
- Detailed information about the current status of a rule group.
$sel:snsTopic:RuleGroupResponse'
, ruleGroupResponse_snsTopic
- The Amazon Resource Name (ARN) of the Amazon Simple Notification Service
(SNS) topic that's used to record changes to the managed rule group. You
can subscribe to the SNS topic to receive notifications when the managed
rule group is modified, such as for new versions and for version
expiration. For more information, see the
Amazon Simple Notification Service Developer Guide.
$sel:sourceMetadata:RuleGroupResponse'
, ruleGroupResponse_sourceMetadata
- A complex type that contains metadata about the rule group that your own
rule group is copied from. You can use the metadata to track the version
updates made to the originating rule group.
$sel:tags:RuleGroupResponse'
, ruleGroupResponse_tags
- The key:value pairs to associate with the resource.
RuleGroupResponse
, ruleGroupResponse_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
$sel:ruleGroupArn:RuleGroupResponse'
, ruleGroupResponse_ruleGroupArn
- The Amazon Resource Name (ARN) of the rule group.
If this response is for a create request that had DryRun set to
TRUE, then this ARN is a placeholder that isn't attached to a valid
resource.
$sel:ruleGroupName:RuleGroupResponse'
, ruleGroupResponse_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
$sel:ruleGroupId:RuleGroupResponse'
, ruleGroupResponse_ruleGroupId
- The unique identifier for the rule group.
RuleOption
data RuleOption Source #
Additional settings for a stateful rule. This is part of the StatefulRule configuration.
See: newRuleOption
smart constructor.
RuleOption' (Maybe [Text]) Text |
Instances
Create a value of RuleOption
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
RuleVariables
data RuleVariables Source #
Settings that are available for use in the rules in the RuleGroup where this is defined.
See: newRuleVariables
smart constructor.
Instances
newRuleVariables :: RuleVariables Source #
Create a value of RuleVariables
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:iPSets:RuleVariables'
, ruleVariables_iPSets
- A list of IP addresses and address ranges, in CIDR notation.
$sel:portSets:RuleVariables'
, ruleVariables_portSets
- A list of port ranges.
RulesSource
data RulesSource Source #
The stateless or stateful rules definitions for use in a single rule
group. Each rule group requires a single RulesSource. You can use an
instance of this for either stateless rules or stateful rules.
See: newRulesSource
smart constructor.
RulesSource' (Maybe RulesSourceList) (Maybe Text) (Maybe [StatefulRule]) (Maybe StatelessRulesAndCustomActions) |
Instances
newRulesSource :: RulesSource Source #
Create a value of RulesSource
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:rulesSourceList:RulesSource'
, rulesSource_rulesSourceList
- Stateful inspection criteria for a domain list rule group.
$sel:rulesString:RulesSource'
, rulesSource_rulesString
- Stateful inspection criteria, provided in Suricata compatible intrusion
prevention system (IPS) rules. Suricata is an open-source network IPS
that includes a standard rule-based language for network traffic
inspection.
These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.
$sel:statefulRules:RulesSource'
, rulesSource_statefulRules
- An array of individual stateful rules inspection criteria to be used
together in a stateful rule group. Use this option to specify simple
Suricata rules with protocol, source and destination, ports, direction,
and rule options. For information about the Suricata Rules format, see
Rules Format.
$sel:statelessRulesAndCustomActions:RulesSource'
, rulesSource_statelessRulesAndCustomActions
- Stateless inspection criteria to be used in a stateless rule group.
RulesSourceList
data RulesSourceList Source #
Stateful inspection criteria for a domain list rule group.
For HTTPS traffic, domain filtering is SNI-based. It uses the server name indicator extension of the TLS handshake.
By default, Network Firewall domain list inspection only includes
traffic coming from the VPC where you deploy the firewall. To inspect
traffic from IP addresses outside of the deployment VPC, you set the
HOME_NET rule variable to include the CIDR range of the deployment VPC
plus the other CIDR ranges. For more information, see RuleVariables in
this guide and Stateful domain list rule groups in Network Firewall
in the Network Firewall Developer Guide.
See: newRulesSourceList
smart constructor.
Instances
Create a value of RulesSourceList
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:targets:RulesSourceList'
, rulesSourceList_targets
- The domains that you want to inspect for in your traffic flows. Valid
domain specifications are the following:
- Explicit names. For example, abc.example.com matches only the domain abc.example.com.
- Names that use a domain wildcard, which you indicate with an initial '.'. For example, .example.com matches example.com and matches all subdomains of example.com, such as abc.example.com and www.example.com.
$sel:targetTypes:RulesSourceList'
, rulesSourceList_targetTypes
- The protocols you want to inspect. Specify TLS_SNI for HTTPS.
Specify HTTP_HOST for HTTP. You can specify either or both.
$sel:generatedRulesType:RulesSourceList'
, rulesSourceList_generatedRulesType
- Whether you want to allow or deny access to the domains in your target
list.
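The target matching rules described above, as an added example (not code from amazonka or from AWS): it checks which entries of a target list cover a given host name and which explicit entries are already covered by a wildcard. It uses plain strings rather than the RulesSourceList record; the function names, the sample targets and hosts, and the case-insensitive comparison are assumptions made for this illustration.

```haskell
module Main where

import Data.Char (toLower)
import Data.List (isSuffixOf)

-- | A target with an initial '.' is a domain wildcard.
isWildcard :: String -> Bool
isWildcard target = take 1 target == "."

-- | True when one target entry covers the host name seen in the TLS SNI
-- or HTTP Host value. Comparison is case-insensitive (assumption: the
-- page does not say how names are normalised).
matchesTarget :: String -> String -> Bool
matchesTarget target host =
  case map toLower target of
    ('.' : apex)
      | not (null apex) ->
          -- ".example.com" covers the apex itself and every subdomain.
          -- Comparing against the dotted suffix keeps the match on a label
          -- boundary, so "badexample.com" is not covered.
          h == apex || ('.' : apex) `isSuffixOf` h
    exact -> h == exact
  where
    h = map toLower host

-- | Every entry of the target list that covers the host.
coveringTargets :: [String] -> String -> [String]
coveringTargets targets host = filter (`matchesTarget` host) targets

-- | Entries that a different wildcard entry in the same list already covers.
shadowedTargets :: [String] -> [String]
shadowedTargets targets =
  [ t
  | t <- targets
  , let bare = dropWhile (== '.') t
  , any (\w -> isWildcard w && map toLower w /= map toLower t && matchesTarget w bare) targets
  ]

-- Constructed sample data, not taken from a real rule group.
sampleTargets :: [String]
sampleTargets = [".example.com", "abc.example.com", "login.example.net"]

sampleHosts :: [String]
sampleHosts =
  [ "example.com"
  , "WWW.Example.com"
  , "badexample.com"
  , "login.example.net"
  , "api.login.example.net"
  ]

main :: IO ()
main = do
  mapM_ (\h -> putStrLn (h ++ " -> " ++ show (coveringTargets sampleTargets h))) sampleHosts
  putStrLn ("shadowed entries: " ++ show (shadowedTargets sampleTargets))
```

An explicit name such as login.example.net does not cover api.login.example.net; only a leading-dot entry extends to subdomains.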
SourceMetadata
data SourceMetadata Source #
High-level information about the managed rule group that your own rule group is copied from. You can use the metadata to track version updates made to the originating rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
See: newSourceMetadata
smart constructor.
Instances
newSourceMetadata :: SourceMetadata Source #
Create a value of SourceMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:sourceArn:SourceMetadata'
, sourceMetadata_sourceArn
- The Amazon Resource Name (ARN) of the rule group that your own rule
group is copied from.
$sel:sourceUpdateToken:SourceMetadata'
, sourceMetadata_sourceUpdateToken
- The update token of the Amazon Web Services managed rule group that your
own rule group is copied from. To determine the update token for the
managed rule group, call DescribeRuleGroup.
StatefulEngineOptions
data StatefulEngineOptions Source #
Configuration settings for the handling of the stateful rule groups in a firewall policy.
See: newStatefulEngineOptions
smart constructor.
Instances
newStatefulEngineOptions :: StatefulEngineOptions Source #
Create a value of StatefulEngineOptions
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleOrder:StatefulEngineOptions'
, statefulEngineOptions_ruleOrder
- Indicates how to manage the order of stateful rule evaluation for the
policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules
are provided to the rule engine as Suricata compatible strings, and
Suricata evaluates them based on certain settings. For more information,
see Evaluation order for stateful rules
in the Network Firewall Developer Guide.
$sel:streamExceptionPolicy:StatefulEngineOptions'
, statefulEngineOptions_streamExceptionPolicy
- Configures how Network Firewall processes traffic when a network
connection breaks midstream. Network connections can break due to
disruptions in external networks or within the firewall itself.
- DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
- CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
StatefulRule
data StatefulRule Source #
A single Suricata rules specification, for use in a stateful rule group.
Use this option to specify a simple Suricata rule with protocol, source
and destination, ports, direction, and rule options. For information
about the Suricata Rules format, see Rules Format.
See: newStatefulRule
smart constructor.
Instances
Create a value of StatefulRule
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:action:StatefulRule'
, statefulRule_action
- Defines what Network Firewall should do with the packets in a traffic
flow when the flow matches the stateful rule criteria. For all actions,
Network Firewall performs the specified action and discontinues stateful
inspection of the traffic flow.
The actions for a stateful rule are defined as follows:
- PASS - Permits the packets to go to the intended destination.
- DROP - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
- ALERT - Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with ALERT action, verify in the logs that the rule is filtering as you want, then change the action to DROP.
$sel:header:StatefulRule'
, statefulRule_header
- The stateful inspection criteria for this rule, used to inspect traffic
flows.
$sel:ruleOptions:StatefulRule'
, statefulRule_ruleOptions
- Additional options for the rule. These are the Suricata RuleOptions
settings.
StatefulRuleGroupOverride
data StatefulRuleGroupOverride Source #
The setting that allows the policy owner to change the behavior of the rule group within a policy.
See: newStatefulRuleGroupOverride
smart constructor.
Instances
newStatefulRuleGroupOverride :: StatefulRuleGroupOverride Source #
Create a value of StatefulRuleGroupOverride
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:action:StatefulRuleGroupOverride'
, statefulRuleGroupOverride_action
- The action that changes the rule group from DROP to ALERT. This only
applies to managed rule groups.
StatefulRuleGroupReference
data StatefulRuleGroupReference Source #
Identifier for a single stateful rule group, used in a firewall policy to refer to a rule group.
See: newStatefulRuleGroupReference
smart constructor.
Instances
newStatefulRuleGroupReference Source #
Create a value of StatefulRuleGroupReference
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:override:StatefulRuleGroupReference'
, statefulRuleGroupReference_override
- The action that allows the policy owner to override the behavior of the
rule group within a policy.
$sel:priority:StatefulRuleGroupReference'
, statefulRuleGroupReference_priority
- An integer setting that indicates the order in which to run the stateful
rule groups in a single FirewallPolicy. This setting only applies to
firewall policies that specify the STRICT_ORDER rule order in the
stateful engine options settings.
Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
$sel:resourceArn:StatefulRuleGroupReference'
, statefulRuleGroupReference_resourceArn
- The Amazon Resource Name (ARN) of the stateful rule group.
StatefulRuleOptions
data StatefulRuleOptions Source #
Additional options governing how Network Firewall handles the rule group. You can only use these for stateful rule groups.
See: newStatefulRuleOptions
smart constructor.
Instances
newStatefulRuleOptions :: StatefulRuleOptions Source #
Create a value of StatefulRuleOptions
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleOrder:StatefulRuleOptions'
, statefulRuleOptions_ruleOrder
- Indicates how to manage the order of the rule evaluation for the rule
group. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules
are provided to the rule engine as Suricata compatible strings, and
Suricata evaluates them based on certain settings. For more information,
see Evaluation order for stateful rules
in the Network Firewall Developer Guide.
StatelessRule
data StatelessRule
A single stateless rule. This is used in StatelessRulesAndCustomActions.
See: newStatelessRule smart constructor.
Instances
newStatelessRule :: RuleDefinition -> Natural -> StatelessRule
Create a value of StatelessRule with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleDefinition:StatelessRule', statelessRule_ruleDefinition - Defines the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria.
$sel:priority:StatelessRule', statelessRule_priority - Indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. Network Firewall evaluates the rules in a rule group starting with the lowest priority setting. You must ensure that the priority settings are unique for the rule group.
Each stateless rule group uses exactly one StatelessRulesAndCustomActions object, and each StatelessRulesAndCustomActions contains exactly one StatelessRules object. To ensure unique priority settings for your rule groups, set unique priorities for the stateless rules that you define inside any single StatelessRules object.
You can change the priority settings of your rules at any time. To make it easier to insert rules later, number them so there's a wide range in between, for example use 100, 200, and so on.
StatelessRuleGroupReference
data StatelessRuleGroupReference
Identifier for a single stateless rule group, used in a firewall policy to refer to the rule group.
See: newStatelessRuleGroupReference smart constructor.
Instances
newStatelessRuleGroupReference
Create a value of StatelessRuleGroupReference with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:resourceArn:StatelessRuleGroupReference', statelessRuleGroupReference_resourceArn - The Amazon Resource Name (ARN) of the stateless rule group.
$sel:priority:StatelessRuleGroupReference', statelessRuleGroupReference_priority - An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
StatelessRulesAndCustomActions
data StatelessRulesAndCustomActions
Stateless inspection criteria. Each stateless rule group uses exactly one of these data types to define its stateless rules.
See: newStatelessRulesAndCustomActions smart constructor.
Instances
newStatelessRulesAndCustomActions :: StatelessRulesAndCustomActions
Create a value of StatelessRulesAndCustomActions with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:customActions:StatelessRulesAndCustomActions', statelessRulesAndCustomActions_customActions - Defines an array of individual custom action definitions that are available for use by the stateless rules in this StatelessRulesAndCustomActions specification. You name each custom action that you define, and then you can use it by name in your StatelessRule RuleDefinition Actions specification.
$sel:statelessRules:StatelessRulesAndCustomActions', statelessRulesAndCustomActions_statelessRules - Defines the set of stateless rules for use in a stateless rule group.
SubnetMapping
data SubnetMapping
The ID for a subnet that you want to associate with the firewall. This is used with CreateFirewall and AssociateSubnets. Network Firewall creates an instance of the associated firewall in each subnet that you specify, to filter traffic in the subnet's Availability Zone.
See: newSubnetMapping smart constructor.
Instances
Create a value of SubnetMapping with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:subnetId:SubnetMapping', subnetMapping_subnetId - The unique identifier for the subnet.
SyncState
The status of the firewall endpoint and firewall policy configuration for a single VPC subnet.
For each VPC subnet that you associate with a firewall, Network Firewall does the following:
- Instantiates a firewall endpoint in the subnet, ready to take traffic.
- Configures the endpoint with the current firewall policy settings, to provide the filtering behavior for the endpoint.
When you update a firewall, for example to add a subnet association or change a rule group in the firewall policy, the affected sync states reflect out-of-sync or not ready status until the changes are complete.
See: newSyncState smart constructor.
Instances
- FromJSON SyncState
- Generic SyncState
- Read SyncState
- Show SyncState
- NFData SyncState (defined in Amazonka.NetworkFirewall.Types.SyncState)
- Eq SyncState
- Hashable SyncState (defined in Amazonka.NetworkFirewall.Types.SyncState)
- type Rep SyncState (defined in Amazonka.NetworkFirewall.Types.SyncState)
type Rep SyncState = D1 ('MetaData "SyncState" "Amazonka.NetworkFirewall.Types.SyncState" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "SyncState'" 'PrefixI 'True) (S1 ('MetaSel ('Just "attachment") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Attachment)) :*: S1 ('MetaSel ('Just "config") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe (HashMap Text PerObjectStatus)))))
newSyncState :: SyncState
Create a value of SyncState with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:attachment:SyncState', syncState_attachment - The attachment status of the firewall's association with a single VPC subnet. For each configured subnet, Network Firewall creates the attachment by instantiating the firewall endpoint in the subnet so that it's ready to take traffic. This is part of the FirewallStatus.
$sel:config:SyncState', syncState_config - The configuration status of the firewall endpoint in a single VPC subnet. Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Each time you add a subnet or modify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so it can properly filter network traffic. This is part of the FirewallStatus.
TCPFlagField
data TCPFlagField
TCP flags and masks to inspect packets for, used in stateless rules MatchAttributes settings.
See: newTCPFlagField smart constructor.
TCPFlagField' (Maybe [TCPFlag]) [TCPFlag]
Instances
newTCPFlagField :: TCPFlagField
Create a value of TCPFlagField with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:masks:TCPFlagField', tCPFlagField_masks - The set of flags to consider in the inspection. To inspect all flags in the valid values list, leave this with no setting.
$sel:flags:TCPFlagField', tCPFlagField_flags - Used in conjunction with the Masks setting to define the flags that must be set and flags that must not be set in order for the packet to match. This setting can only specify values that are also specified in the Masks setting.
For the flags that are specified in the masks setting, the following must be true for the packet to match:
- The ones that are set in this flags setting must be set in the packet.
- The ones that are not set in this flags setting must also not be set in the packet.
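The masks/flags match rule above, worked through against sample packets. This is an added example, not part of the amazonka documentation or generated code: allFlags, flagsOutsideMask, matches and the sample packets are hypothetical names and constructed data, the rule is modelled locally with no AWS calls, and the lens operators are assumed to come from the lens package.

```haskell
module Main (main) where

import Amazonka.NetworkFirewall.Types
  ( TCPFlag (..), TCPFlagField, newTCPFlagField
  , tCPFlagField_flags, tCPFlagField_masks )
import Control.Lens ((&), (.~), (?~), (^.))
import Data.Maybe (fromMaybe)

-- Every TCPFlag value; this is what gets inspected when masks is left unset.
allFlags :: [TCPFlag]
allFlags =
  [ TCPFlag_FIN, TCPFlag_SYN, TCPFlag_RST, TCPFlag_PSH
  , TCPFlag_ACK, TCPFlag_URG, TCPFlag_ECE, TCPFlag_CWR ]

-- Hypothetical lint helper: flags that are listed in 'flags' but missing from
-- 'masks'. The field description says flags may only name values in masks.
flagsOutsideMask :: TCPFlagField -> [TCPFlag]
flagsOutsideMask f = case f ^. tCPFlagField_masks of
  Nothing -> []
  Just ms -> filter (`notElem` ms) (f ^. tCPFlagField_flags)

-- Hypothetical local model of the documented rule: every inspected (masked)
-- flag must be set in the packet exactly when it is listed in 'flags'.
-- Flags outside the mask are ignored.
matches :: TCPFlagField -> [TCPFlag] -> Bool
matches f packet = all agrees inspected
  where
    inspected = fromMaybe allFlags (f ^. tCPFlagField_masks)
    agrees flag = (flag `elem` (f ^. tCPFlagField_flags)) == (flag `elem` packet)

main :: IO ()
main = do
  let synOnly = newTCPFlagField          -- inspect SYN and ACK, require SYN only
        & tCPFlagField_masks ?~ [TCPFlag_SYN, TCPFlag_ACK]
        & tCPFlagField_flags .~ [TCPFlag_SYN]
      strict = newTCPFlagField           -- masks unset: all eight flags inspected
        & tCPFlagField_flags .~ [TCPFlag_SYN]
      bad = newTCPFlagField              -- RST is required but never inspected
        & tCPFlagField_masks ?~ [TCPFlag_SYN]
        & tCPFlagField_flags .~ [TCPFlag_SYN, TCPFlag_RST]
      -- Constructed sample packets, each given as the list of flags it has set.
      packets =
        [ [TCPFlag_SYN], [TCPFlag_SYN, TCPFlag_ACK]
        , [TCPFlag_SYN, TCPFlag_ECE], [TCPFlag_ACK] ]
  mapM_ (\p -> print (p, matches synOnly p, matches strict p)) packets
  print (flagsOutsideMask bad)
```

With masks set to SYN and ACK, a SYN+ECE packet still matches because ECE is not inspected; the variant with masks unset rejects it, which is the difference to check when a rule is meant to match only bare SYN packets.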
Tag
A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each Amazon Web Services resource.
See: newTag smart constructor.
Instances
- FromJSON Tag
- ToJSON Tag (defined in Amazonka.NetworkFirewall.Types.Tag)
- Generic Tag
- Read Tag
- Show Tag
- NFData Tag (defined in Amazonka.NetworkFirewall.Types.Tag)
- Eq Tag
- Hashable Tag (defined in Amazonka.NetworkFirewall.Types.Tag)
- type Rep Tag (defined in Amazonka.NetworkFirewall.Types.Tag)
type Rep Tag = D1 ('MetaData "Tag" "Amazonka.NetworkFirewall.Types.Tag" "amazonka-network-firewall-2.0-4y6HybZBSNcEwGPO5AYVfm" 'False) (C1 ('MetaCons "Tag'" 'PrefixI 'True) (S1 ('MetaSel ('Just "key") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text) :*: S1 ('MetaSel ('Just "value") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text)))
Create a value of Tag with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:key:Tag', tag_key - The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.
$sel:value:Tag', tag_value - The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.