From 033426bc414dee40781eb31daae89e4fd6e213ee Mon Sep 17 00:00:00 2001
From: awstools <awstools@amazon.com>
Date: Fri, 15 Nov 2024 19:12:00 +0000
Subject: [PATCH] feat(client-route53resolver): Route 53 Resolver DNS Firewall
 Advanced Rules allows you to monitor and block suspicious DNS traffic based
 on anomalies detected in the queries, such as DNS tunneling and Domain
 Generation Algorithms (DGAs).

---
 .../src/commands/CreateFirewallRuleCommand.ts |   7 +-
 .../src/commands/DeleteFirewallRuleCommand.ts |  10 +-
 .../src/commands/ListFirewallRulesCommand.ts  |   3 +
 .../src/commands/UpdateFirewallRuleCommand.ts |   8 +-
 .../src/models/models_0.ts                    | 250 +++++++++++++-----
 .../src/protocols/Aws_json1_1.ts              |   2 +
 .../aws-models/route53resolver.json           | 126 +++++++--
 7 files changed, 328 insertions(+), 78 deletions(-)

diff --git a/clients/client-route53resolver/src/commands/CreateFirewallRuleCommand.ts b/clients/client-route53resolver/src/commands/CreateFirewallRuleCommand.ts
index fe05988b8c50..10887347de98 100644
--- a/clients/client-route53resolver/src/commands/CreateFirewallRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/CreateFirewallRuleCommand.ts
@@ -38,7 +38,7 @@ export interface CreateFirewallRuleCommandOutput extends CreateFirewallRuleRespo
  * const input = { // CreateFirewallRuleRequest
  *   CreatorRequestId: "STRING_VALUE", // required
  *   FirewallRuleGroupId: "STRING_VALUE", // required
- *   FirewallDomainListId: "STRING_VALUE", // required
+ *   FirewallDomainListId: "STRING_VALUE",
  *   Priority: Number("int"), // required
  *   Action: "ALLOW" || "BLOCK" || "ALERT", // required
  *   BlockResponse: "NODATA" || "NXDOMAIN" || "OVERRIDE",
@@ -48,6 +48,8 @@ export interface CreateFirewallRuleCommandOutput extends CreateFirewallRuleRespo
  *   Name: "STRING_VALUE", // required
  *   FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
  *   Qtype: "STRING_VALUE",
+ *   DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ *   ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
  * };
  * const command = new CreateFirewallRuleCommand(input);
  * const response = await client.send(command);
@@ -55,6 +57,7 @@ export interface CreateFirewallRuleCommandOutput extends CreateFirewallRuleRespo
  * //   FirewallRule: { // FirewallRule
  * //     FirewallRuleGroupId: "STRING_VALUE",
  * //     FirewallDomainListId: "STRING_VALUE",
+ * //     FirewallThreatProtectionId: "STRING_VALUE",
  * //     Name: "STRING_VALUE",
  * //     Priority: Number("int"),
  * //     Action: "ALLOW" || "BLOCK" || "ALERT",
@@ -67,6 +70,8 @@ export interface CreateFirewallRuleCommandOutput extends CreateFirewallRuleRespo
  * //     ModificationTime: "STRING_VALUE",
  * //     FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
  * //     Qtype: "STRING_VALUE",
+ * //     DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * //     ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
  * //   },
  * // };
  *
diff --git a/clients/client-route53resolver/src/commands/DeleteFirewallRuleCommand.ts b/clients/client-route53resolver/src/commands/DeleteFirewallRuleCommand.ts
index e856e5b8323f..e0c6ee9e0895 100644
--- a/clients/client-route53resolver/src/commands/DeleteFirewallRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/DeleteFirewallRuleCommand.ts
@@ -37,7 +37,8 @@ export interface DeleteFirewallRuleCommandOutput extends DeleteFirewallRuleRespo
  * const client = new Route53ResolverClient(config);
  * const input = { // DeleteFirewallRuleRequest
  *   FirewallRuleGroupId: "STRING_VALUE", // required
- *   FirewallDomainListId: "STRING_VALUE", // required
+ *   FirewallDomainListId: "STRING_VALUE",
+ *   FirewallThreatProtectionId: "STRING_VALUE",
  *   Qtype: "STRING_VALUE",
  * };
  * const command = new DeleteFirewallRuleCommand(input);
@@ -46,6 +47,7 @@ export interface DeleteFirewallRuleCommandOutput extends DeleteFirewallRuleRespo
  * //   FirewallRule: { // FirewallRule
  * //     FirewallRuleGroupId: "STRING_VALUE",
  * //     FirewallDomainListId: "STRING_VALUE",
+ * //     FirewallThreatProtectionId: "STRING_VALUE",
  * //     Name: "STRING_VALUE",
  * //     Priority: Number("int"),
  * //     Action: "ALLOW" || "BLOCK" || "ALERT",
@@ -58,6 +60,8 @@ export interface DeleteFirewallRuleCommandOutput extends DeleteFirewallRuleRespo
  * //     ModificationTime: "STRING_VALUE",
  * //     FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
  * //     Qtype: "STRING_VALUE",
+ * //     DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * //     ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
  * //   },
  * // };
  *
@@ -83,6 +87,10 @@ export interface DeleteFirewallRuleCommandOutput extends DeleteFirewallRuleRespo
  * @throws {@link ThrottlingException} (client fault)
  *  <p>The request was throttled. Try again in a few minutes.</p>
  *
+ * @throws {@link ValidationException} (client fault)
+ *  <p>You have provided an invalid command. If you ran the <code>UpdateFirewallDomains</code> request. supported values are <code>ADD</code>,
+ * 			<code>REMOVE</code>, or <code>REPLACE</code> a domain.</p>
+ *
  * @throws {@link Route53ResolverServiceException}
  * <p>Base exception class for all service exceptions from Route53Resolver service.</p>
  *
diff --git a/clients/client-route53resolver/src/commands/ListFirewallRulesCommand.ts b/clients/client-route53resolver/src/commands/ListFirewallRulesCommand.ts
index aa3ddce4015c..e28c6906c471 100644
--- a/clients/client-route53resolver/src/commands/ListFirewallRulesCommand.ts
+++ b/clients/client-route53resolver/src/commands/ListFirewallRulesCommand.ts
@@ -51,6 +51,7 @@ export interface ListFirewallRulesCommandOutput extends ListFirewallRulesRespons
  * //     { // FirewallRule
  * //       FirewallRuleGroupId: "STRING_VALUE",
  * //       FirewallDomainListId: "STRING_VALUE",
+ * //       FirewallThreatProtectionId: "STRING_VALUE",
  * //       Name: "STRING_VALUE",
  * //       Priority: Number("int"),
  * //       Action: "ALLOW" || "BLOCK" || "ALERT",
@@ -63,6 +64,8 @@ export interface ListFirewallRulesCommandOutput extends ListFirewallRulesRespons
  * //       ModificationTime: "STRING_VALUE",
  * //       FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
  * //       Qtype: "STRING_VALUE",
+ * //       DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * //       ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
  * //     },
  * //   ],
  * // };
diff --git a/clients/client-route53resolver/src/commands/UpdateFirewallRuleCommand.ts b/clients/client-route53resolver/src/commands/UpdateFirewallRuleCommand.ts
index 407a363a4536..6e249700c5cc 100644
--- a/clients/client-route53resolver/src/commands/UpdateFirewallRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/UpdateFirewallRuleCommand.ts
@@ -37,7 +37,8 @@ export interface UpdateFirewallRuleCommandOutput extends UpdateFirewallRuleRespo
  * const client = new Route53ResolverClient(config);
  * const input = { // UpdateFirewallRuleRequest
  *   FirewallRuleGroupId: "STRING_VALUE", // required
- *   FirewallDomainListId: "STRING_VALUE", // required
+ *   FirewallDomainListId: "STRING_VALUE",
+ *   FirewallThreatProtectionId: "STRING_VALUE",
  *   Priority: Number("int"),
  *   Action: "ALLOW" || "BLOCK" || "ALERT",
  *   BlockResponse: "NODATA" || "NXDOMAIN" || "OVERRIDE",
@@ -47,6 +48,8 @@ export interface UpdateFirewallRuleCommandOutput extends UpdateFirewallRuleRespo
  *   Name: "STRING_VALUE",
  *   FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
  *   Qtype: "STRING_VALUE",
+ *   DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ *   ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
  * };
  * const command = new UpdateFirewallRuleCommand(input);
  * const response = await client.send(command);
@@ -54,6 +57,7 @@ export interface UpdateFirewallRuleCommandOutput extends UpdateFirewallRuleRespo
  * //   FirewallRule: { // FirewallRule
  * //     FirewallRuleGroupId: "STRING_VALUE",
  * //     FirewallDomainListId: "STRING_VALUE",
+ * //     FirewallThreatProtectionId: "STRING_VALUE",
  * //     Name: "STRING_VALUE",
  * //     Priority: Number("int"),
  * //     Action: "ALLOW" || "BLOCK" || "ALERT",
@@ -66,6 +70,8 @@ export interface UpdateFirewallRuleCommandOutput extends UpdateFirewallRuleRespo
  * //     ModificationTime: "STRING_VALUE",
  * //     FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
  * //     Qtype: "STRING_VALUE",
+ * //     DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * //     ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
  * //   },
  * // };
  *
diff --git a/clients/client-route53resolver/src/models/models_0.ts b/clients/client-route53resolver/src/models/models_0.ts
index 4dcc955f4bdf..26a77aefb214 100644
--- a/clients/client-route53resolver/src/models/models_0.ts
+++ b/clients/client-route53resolver/src/models/models_0.ts
@@ -906,7 +906,7 @@ export interface ResolverQueryLogConfigAssociation {
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>CREATED</code>: The association between an Amazon VPC and a query logging configuration
+   *                   <code>ACTIVE</code>: The association between an Amazon VPC and a query logging configuration
    * 				was successfully created. Resolver is logging queries that originate in the specified VPC.</p>
    *             </li>
    *             <li>
@@ -1137,6 +1137,21 @@ export const BlockResponse = {
  */
 export type BlockResponse = (typeof BlockResponse)[keyof typeof BlockResponse];
 
+/**
+ * @public
+ * @enum
+ */
+export const ConfidenceThreshold = {
+  HIGH: "HIGH",
+  LOW: "LOW",
+  MEDIUM: "MEDIUM",
+} as const;
+
+/**
+ * @public
+ */
+export type ConfidenceThreshold = (typeof ConfidenceThreshold)[keyof typeof ConfidenceThreshold];
+
 /**
  * @public
  */
@@ -1259,6 +1274,20 @@ export interface CreateFirewallDomainListResponse {
   FirewallDomainList?: FirewallDomainList | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const DnsThreatProtection = {
+  DGA: "DGA",
+  DNS_TUNNELING: "DNS_TUNNELING",
+} as const;
+
+/**
+ * @public
+ */
+export type DnsThreatProtection = (typeof DnsThreatProtection)[keyof typeof DnsThreatProtection];
+
 /**
  * @public
  * @enum
@@ -1293,10 +1322,10 @@ export interface CreateFirewallRuleRequest {
   FirewallRuleGroupId: string | undefined;
 
   /**
-   * <p>The ID of the domain list that you want to use in the rule. </p>
+   * <p>The ID of the domain list that you want to use in the rule. Can't be used together with <code>DnsThreatProtecton</code>.</p>
    * @public
    */
-  FirewallDomainListId: string | undefined;
+  FirewallDomainListId?: string | undefined;
 
   /**
    * <p>The setting that determines the processing order of the rule in the rule group. DNS Firewall
@@ -1309,11 +1338,11 @@ export interface CreateFirewallRuleRequest {
   Priority: number | undefined;
 
   /**
-   * <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:</p>
+   * <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:</p>
    *          <ul>
    *             <li>
    *                <p>
-   *                   <code>ALLOW</code> - Permit the request to go through.</p>
+   *                   <code>ALLOW</code> - Permit the request to go through. Not available for DNS Firewall Advanced rules.</p>
    *             </li>
    *             <li>
    *                <p>
@@ -1382,10 +1411,10 @@ export interface CreateFirewallRuleRequest {
    * 			How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
    * 		</p>
    *          <p>
-   *             <code>Inspect_Redirection_Domain </code>(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
+   *             <code>INSPECT_REDIRECTION_DOMAIN</code>: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
    * 			added to the domain list.</p>
    *          <p>
-   *             <code>Trust_Redirection_Domain </code> inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
+   *             <code>TRUST_REDIRECTION_DOMAIN</code>: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
    * 			the domain list.</p>
    * @public
    */
@@ -1447,6 +1476,37 @@ export interface CreateFirewallRuleRequest {
    * @public
    */
   Qtype?: string | undefined;
+
+  /**
+   * <p>
+   * 			Use to create a DNS Firewall Advanced rule.
+   * 		</p>
+   * @public
+   */
+  DnsThreatProtection?: DnsThreatProtection | undefined;
+
+  /**
+   * <p>
+   * 			The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence
+   * 			level values mean:
+   * 		</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>LOW</code>: Provides the highest detection rate for threats, but also increases false positives.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>MEDIUM</code>: Provides a balance between detecting threats and false positives.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>HIGH</code>: Detects only the most well corroborated threats with a low rate of false positives. </p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  ConfidenceThreshold?: ConfidenceThreshold | undefined;
 }
 
 /**
@@ -1455,7 +1515,7 @@ export interface CreateFirewallRuleRequest {
  */
 export interface FirewallRule {
   /**
-   * <p>The unique identifier of the firewall rule group of the rule. </p>
+   * <p>The unique identifier of the Firewall rule group of the rule. </p>
    * @public
    */
   FirewallRuleGroupId?: string | undefined;
@@ -1466,6 +1526,14 @@ export interface FirewallRule {
    */
   FirewallDomainListId?: string | undefined;
 
+  /**
+   * <p>
+   * 			ID of the DNS Firewall Advanced rule.
+   * 		</p>
+   * @public
+   */
+  FirewallThreatProtectionId?: string | undefined;
+
   /**
    * <p>The name of the rule. </p>
    * @public
@@ -1479,11 +1547,11 @@ export interface FirewallRule {
   Priority?: number | undefined;
 
   /**
-   * <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:</p>
+   * <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:</p>
    *          <ul>
    *             <li>
    *                <p>
-   *                   <code>ALLOW</code> - Permit the request to go through.</p>
+   *                   <code>ALLOW</code> - Permit the request to go through. Not available for DNS Firewall Advanced rules.</p>
    *             </li>
    *             <li>
    *                <p>
@@ -1560,10 +1628,10 @@ export interface FirewallRule {
    * 			How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
    * 		</p>
    *          <p>
-   *             <code>Inspect_Redirection_Domain </code>(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
+   *             <code>INSPECT_REDIRECTION_DOMAIN</code>: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
    * 			added to the domain list.</p>
    *          <p>
-   *             <code>Trust_Redirection_Domain </code> inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
+   *             <code>TRUST_REDIRECTION_DOMAIN</code>: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
    * 			the domain list.</p>
    * @public
    */
@@ -1625,6 +1693,49 @@ export interface FirewallRule {
    * @public
    */
   Qtype?: string | undefined;
+
+  /**
+   * <p>
+   * 			The type of the DNS Firewall Advanced rule. Valid values are:
+   * 		</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>DGA</code>: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains
+   * 				to to launch malware attacks.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>DNS_TUNNELING</code>: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without
+   * 				making a network connection to the client.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  DnsThreatProtection?: DnsThreatProtection | undefined;
+
+  /**
+   * <p>
+   * 			The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence
+   * 			level values mean:
+   * 		</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>LOW</code>: Provides the highest detection rate for threats, but also increases false positives.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>MEDIUM</code>: Provides a balance between detecting threats and false positives.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>HIGH</code>: Detects only the most well corroborated threats with a low rate of false positives. </p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  ConfidenceThreshold?: ConfidenceThreshold | undefined;
 }
 
 /**
@@ -2366,45 +2477,7 @@ export interface TargetAddress {
 
   /**
    * <p>
-   * 			The protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only.
-   *
-   * 		</p>
-   *          <p>For an inbound endpoint you can apply the protocols as follows:</p>
-   *          <ul>
-   *             <li>
-   *                <p> Do53  and DoH in combination.</p>
-   *             </li>
-   *             <li>
-   *                <p>Do53  and DoH-FIPS in combination.</p>
-   *             </li>
-   *             <li>
-   *                <p>Do53 alone.</p>
-   *             </li>
-   *             <li>
-   *                <p>DoH alone.</p>
-   *             </li>
-   *             <li>
-   *                <p>DoH-FIPS alone.</p>
-   *             </li>
-   *             <li>
-   *                <p>None, which is treated as Do53.</p>
-   *             </li>
-   *          </ul>
-   *          <p>For an outbound endpoint you can apply the protocols as follows:</p>
-   *          <ul>
-   *             <li>
-   *                <p> Do53  and DoH in combination.</p>
-   *             </li>
-   *             <li>
-   *                <p>Do53 alone.</p>
-   *             </li>
-   *             <li>
-   *                <p>DoH alone.</p>
-   *             </li>
-   *             <li>
-   *                <p>None, which is treated as Do53.</p>
-   *             </li>
-   *          </ul>
+   * 			The protocols for the target address. The protocol you choose needs to be supported by the outbound endpoint of the Resolver rule.</p>
    * @public
    */
   Protocol?: Protocol | undefined;
@@ -2651,7 +2724,15 @@ export interface DeleteFirewallRuleRequest {
    * <p>The ID of the domain list that's used in the rule.  </p>
    * @public
    */
-  FirewallDomainListId: string | undefined;
+  FirewallDomainListId?: string | undefined;
+
+  /**
+   * <p>
+   * 			The ID that is created for a DNS Firewall Advanced rule.
+   * 		</p>
+   * @public
+   */
+  FirewallThreatProtectionId?: string | undefined;
 
   /**
    * <p>
@@ -4374,11 +4455,11 @@ export interface ListFirewallRulesRequest {
 
   /**
    * <p>Optional additional filter for the rules to retrieve.</p>
-   *          <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:</p>
+   *          <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:</p>
    *          <ul>
    *             <li>
    *                <p>
-   *                   <code>ALLOW</code> - Permit the request to go through.</p>
+   *                   <code>ALLOW</code> - Permit the request to go through. Not availabe for DNS Firewall Advanced rules.</p>
    *             </li>
    *             <li>
    *                <p>
@@ -5579,7 +5660,15 @@ export interface UpdateFirewallRuleRequest {
    * <p>The ID of the domain list to use in the rule.  </p>
    * @public
    */
-  FirewallDomainListId: string | undefined;
+  FirewallDomainListId?: string | undefined;
+
+  /**
+   * <p>
+   * 			The DNS Firewall Advanced rule ID.
+   * 		</p>
+   * @public
+   */
+  FirewallThreatProtectionId?: string | undefined;
 
   /**
    * <p>The setting that determines the processing order of the rule in the rule group. DNS Firewall
@@ -5592,11 +5681,11 @@ export interface UpdateFirewallRuleRequest {
   Priority?: number | undefined;
 
   /**
-   * <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:</p>
+   * <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:</p>
    *          <ul>
    *             <li>
    *                <p>
-   *                   <code>ALLOW</code> - Permit the request to go through.</p>
+   *                   <code>ALLOW</code> - Permit the request to go through. Not available for DNS Firewall Advanced rules.</p>
    *             </li>
    *             <li>
    *                <p>
@@ -5660,10 +5749,10 @@ export interface UpdateFirewallRuleRequest {
    * 			How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
    * 		</p>
    *          <p>
-   *             <code>Inspect_Redirection_Domain </code>(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
+   *             <code>INSPECT_REDIRECTION_DOMAIN</code>: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
    * 			added to the domain list.</p>
    *          <p>
-   *             <code>Trust_Redirection_Domain </code> inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
+   *             <code>TRUST_REDIRECTION_DOMAIN</code>: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
    * 			the domain list.</p>
    * @public
    */
@@ -5729,6 +5818,49 @@ export interface UpdateFirewallRuleRequest {
    * @public
    */
   Qtype?: string | undefined;
+
+  /**
+   * <p>
+   * 			The type of the DNS Firewall Advanced rule. Valid values are:
+   * 		</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>DGA</code>: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains
+   * 				to to launch malware attacks.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>DNS_TUNNELING</code>: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without
+   * 				making a network connection to the client.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  DnsThreatProtection?: DnsThreatProtection | undefined;
+
+  /**
+   * <p>
+   * 			The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence
+   * 			level values mean:
+   * 		</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>LOW</code>: Provides the highest detection rate for threats, but also increases false positives.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>MEDIUM</code>: Provides a balance between detecting threats and false positives.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>HIGH</code>: Detects only the most well corroborated threats with a low rate of false positives. </p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  ConfidenceThreshold?: ConfidenceThreshold | undefined;
 }
 
 /**
diff --git a/clients/client-route53resolver/src/protocols/Aws_json1_1.ts b/clients/client-route53resolver/src/protocols/Aws_json1_1.ts
index 4b0c23d3b71d..027698917dbd 100644
--- a/clients/client-route53resolver/src/protocols/Aws_json1_1.ts
+++ b/clients/client-route53resolver/src/protocols/Aws_json1_1.ts
@@ -2974,7 +2974,9 @@ const se_CreateFirewallRuleRequest = (input: CreateFirewallRuleRequest, context:
     BlockOverrideDomain: [],
     BlockOverrideTtl: [],
     BlockResponse: [],
+    ConfidenceThreshold: [],
     CreatorRequestId: [true, (_) => _ ?? generateIdempotencyToken()],
+    DnsThreatProtection: [],
     FirewallDomainListId: [],
     FirewallDomainRedirectionAction: [],
     FirewallRuleGroupId: [],
diff --git a/codegen/sdk-codegen/aws-models/route53resolver.json b/codegen/sdk-codegen/aws-models/route53resolver.json
index 756403c2d6e2..11c15c4553db 100644
--- a/codegen/sdk-codegen/aws-models/route53resolver.json
+++ b/codegen/sdk-codegen/aws-models/route53resolver.json
@@ -493,6 +493,29 @@
         "smithy.api#default": false
       }
     },
+    "com.amazonaws.route53resolver#ConfidenceThreshold": {
+      "type": "enum",
+      "members": {
+        "LOW": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "LOW"
+          }
+        },
+        "MEDIUM": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "MEDIUM"
+          }
+        },
+        "HIGH": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "HIGH"
+          }
+        }
+      }
+    },
     "com.amazonaws.route53resolver#ConflictException": {
       "type": "structure",
       "members": {
@@ -708,8 +731,7 @@
         "FirewallDomainListId": {
           "target": "com.amazonaws.route53resolver#ResourceId",
           "traits": {
-            "smithy.api#documentation": "<p>The ID of the domain list that you want to use in the rule. </p>",
-            "smithy.api#required": {}
+            "smithy.api#documentation": "<p>The ID of the domain list that you want to use in the rule. Can't be used together with <code>DnsThreatProtecton</code>.</p>"
           }
         },
         "Priority": {
@@ -722,7 +744,7 @@
         "Action": {
           "target": "com.amazonaws.route53resolver#Action",
           "traits": {
-            "smithy.api#documentation": "<p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW</code> - Permit the request to go through.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALERT</code> - Permit the request and send metrics and logs to Cloud Watch.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BLOCK</code> - Disallow the request. This option requires additional details in the rule's <code>BlockResponse</code>. </p>\n            </li>\n         </ul>",
+            "smithy.api#documentation": "<p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW</code> - Permit the request to go through. Not available for DNS Firewall Advanced rules.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALERT</code> - Permit the request and send metrics and logs to Cloud Watch.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BLOCK</code> - Disallow the request. This option requires additional details in the rule's <code>BlockResponse</code>. </p>\n            </li>\n         </ul>",
             "smithy.api#required": {}
           }
         },
@@ -760,7 +782,7 @@
         "FirewallDomainRedirectionAction": {
           "target": "com.amazonaws.route53resolver#FirewallDomainRedirectionAction",
           "traits": {
-            "smithy.api#documentation": "<p>\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t</p>\n         <p>\n            <code>Inspect_Redirection_Domain </code>(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.</p>\n         <p>\n            <code>Trust_Redirection_Domain </code> inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.</p>"
+            "smithy.api#documentation": "<p>\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t</p>\n         <p>\n            <code>INSPECT_REDIRECTION_DOMAIN</code>: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.</p>\n         <p>\n            <code>TRUST_REDIRECTION_DOMAIN</code>: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.</p>"
           }
         },
         "Qtype": {
@@ -768,6 +790,18 @@
           "traits": {
             "smithy.api#documentation": "<p>\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t</p>\n         <ul>\n            <li>\n               <p>\n\t\t\t\tA: Returns an IPv4 address.</p>\n            </li>\n            <li>\n               <p>AAAA: Returns an Ipv6 address.</p>\n            </li>\n            <li>\n               <p>CAA: Restricts CAs that can create SSL/TLS certifications for the domain.</p>\n            </li>\n            <li>\n               <p>CNAME: Returns another domain name.</p>\n            </li>\n            <li>\n               <p>DS: Record that identifies the DNSSEC signing key of a delegated zone.</p>\n            </li>\n            <li>\n               <p>MX: Specifies mail servers.</p>\n            </li>\n            <li>\n               <p>NAPTR: Regular-expression-based rewriting of domain names.</p>\n            </li>\n            <li>\n               <p>NS: Authoritative name servers.</p>\n            </li>\n            <li>\n               <p>PTR: Maps an IP address to a domain name.</p>\n            </li>\n            <li>\n               <p>SOA: Start of authority record for the zone.</p>\n            </li>\n            <li>\n               <p>SPF: Lists the servers authorized to send emails from a domain.</p>\n            </li>\n            <li>\n               <p>SRV: Application specific values that identify servers.</p>\n            </li>\n            <li>\n               <p>TXT: Verifies email senders and application-specific values.</p>\n            </li>\n            <li>\n               <p>A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\t<a href=\"https://en.wikipedia.org/wiki/List_of_DNS_record_types\">List of DNS record types</a>.</p>\n            </li>\n         </ul>"
           }
+        },
+        "DnsThreatProtection": {
+          "target": "com.amazonaws.route53resolver#DnsThreatProtection",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tUse to create a DNS Firewall Advanced rule.\n\t\t</p>"
+          }
+        },
+        "ConfidenceThreshold": {
+          "target": "com.amazonaws.route53resolver#ConfidenceThreshold",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tThe confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence\n\t\t\tlevel values mean:\n\t\t</p>\n         <ul>\n            <li>\n               <p>\n                  <code>LOW</code>: Provides the highest detection rate for threats, but also increases false positives.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MEDIUM</code>: Provides a balance between detecting threats and false positives.</p>\n            </li>\n            <li>\n               <p>\n                  <code>HIGH</code>: Detects only the most well corroborated threats with a low rate of false positives. </p>\n            </li>\n         </ul>"
+          }
         }
       },
       "traits": {
@@ -1288,6 +1322,9 @@
         },
         {
           "target": "com.amazonaws.route53resolver#ThrottlingException"
+        },
+        {
+          "target": "com.amazonaws.route53resolver#ValidationException"
         }
       ],
       "traits": {
@@ -1368,8 +1405,13 @@
         "FirewallDomainListId": {
           "target": "com.amazonaws.route53resolver#ResourceId",
           "traits": {
-            "smithy.api#documentation": "<p>The ID of the domain list that's used in the rule.  </p>",
-            "smithy.api#required": {}
+            "smithy.api#documentation": "<p>The ID of the domain list that's used in the rule.  </p>"
+          }
+        },
+        "FirewallThreatProtectionId": {
+          "target": "com.amazonaws.route53resolver#ResourceId",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tThe ID that is created for a DNS Firewall Advanced rule.\n\t\t</p>"
           }
         },
         "Qtype": {
@@ -1903,6 +1945,23 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.route53resolver#DnsThreatProtection": {
+      "type": "enum",
+      "members": {
+        "DGA": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "DGA"
+          }
+        },
+        "DNS_TUNNELING": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "DNS_TUNNELING"
+          }
+        }
+      }
+    },
     "com.amazonaws.route53resolver#DomainListFileUrl": {
       "type": "string",
       "traits": {
@@ -2254,7 +2313,7 @@
         "FirewallRuleGroupId": {
           "target": "com.amazonaws.route53resolver#ResourceId",
           "traits": {
-            "smithy.api#documentation": "<p>The unique identifier of the firewall rule group of the rule. </p>"
+            "smithy.api#documentation": "<p>The unique identifier of the Firewall rule group of the rule. </p>"
           }
         },
         "FirewallDomainListId": {
@@ -2263,6 +2322,12 @@
             "smithy.api#documentation": "<p>The ID of the domain list that's used in the rule. </p>"
           }
         },
+        "FirewallThreatProtectionId": {
+          "target": "com.amazonaws.route53resolver#ResourceId",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tID of the DNS Firewall Advanced rule.\n\t\t</p>"
+          }
+        },
         "Name": {
           "target": "com.amazonaws.route53resolver#Name",
           "traits": {
@@ -2278,7 +2343,7 @@
         "Action": {
           "target": "com.amazonaws.route53resolver#Action",
           "traits": {
-            "smithy.api#documentation": "<p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW</code> - Permit the request to go through.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALERT</code> - Permit the request to go through but send an alert to the logs.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BLOCK</code> - Disallow the request. If this is specified, additional handling details are provided in the rule's <code>BlockResponse</code> setting. </p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW</code> - Permit the request to go through. Not available for DNS Firewall Advanced rules.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALERT</code> - Permit the request to go through but send an alert to the logs.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BLOCK</code> - Disallow the request. If this is specified, additional handling details are provided in the rule's <code>BlockResponse</code> setting. </p>\n            </li>\n         </ul>"
           }
         },
         "BlockResponse": {
@@ -2326,7 +2391,7 @@
         "FirewallDomainRedirectionAction": {
           "target": "com.amazonaws.route53resolver#FirewallDomainRedirectionAction",
           "traits": {
-            "smithy.api#documentation": "<p>\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t</p>\n         <p>\n            <code>Inspect_Redirection_Domain </code>(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.</p>\n         <p>\n            <code>Trust_Redirection_Domain </code> inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.</p>"
+            "smithy.api#documentation": "<p>\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t</p>\n         <p>\n            <code>INSPECT_REDIRECTION_DOMAIN</code>: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.</p>\n         <p>\n            <code>TRUST_REDIRECTION_DOMAIN</code>: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.</p>"
           }
         },
         "Qtype": {
@@ -2334,6 +2399,18 @@
           "traits": {
             "smithy.api#documentation": "<p>\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t</p>\n         <ul>\n            <li>\n               <p>\n\t\t\t\tA: Returns an IPv4 address.</p>\n            </li>\n            <li>\n               <p>AAAA: Returns an Ipv6 address.</p>\n            </li>\n            <li>\n               <p>CAA: Restricts CAs that can create SSL/TLS certifications for the domain.</p>\n            </li>\n            <li>\n               <p>CNAME: Returns another domain name.</p>\n            </li>\n            <li>\n               <p>DS: Record that identifies the DNSSEC signing key of a delegated zone.</p>\n            </li>\n            <li>\n               <p>MX: Specifies mail servers.</p>\n            </li>\n            <li>\n               <p>NAPTR: Regular-expression-based rewriting of domain names.</p>\n            </li>\n            <li>\n               <p>NS: Authoritative name servers.</p>\n            </li>\n            <li>\n               <p>PTR: Maps an IP address to a domain name.</p>\n            </li>\n            <li>\n               <p>SOA: Start of authority record for the zone.</p>\n            </li>\n            <li>\n               <p>SPF: Lists the servers authorized to send emails from a domain.</p>\n            </li>\n            <li>\n               <p>SRV: Application specific values that identify servers.</p>\n            </li>\n            <li>\n               <p>TXT: Verifies email senders and application-specific values.</p>\n            </li>\n            <li>\n               <p>A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\t<a href=\"https://en.wikipedia.org/wiki/List_of_DNS_record_types\">List of DNS record types</a>.</p>\n            </li>\n         </ul>"
           }
+        },
+        "DnsThreatProtection": {
+          "target": "com.amazonaws.route53resolver#DnsThreatProtection",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tThe type of the DNS Firewall Advanced rule. Valid values are:\n\t\t</p>\n         <ul>\n            <li>\n               <p>\n                  <code>DGA</code>: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains \n\t\t\t\tto to launch malware attacks.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DNS_TUNNELING</code>: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without \n\t\t\t\tmaking a network connection to the client.</p>\n            </li>\n         </ul>"
+          }
+        },
+        "ConfidenceThreshold": {
+          "target": "com.amazonaws.route53resolver#ConfidenceThreshold",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tThe confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence\n\t\t\tlevel values mean:\n\t\t</p>\n         <ul>\n            <li>\n               <p>\n                  <code>LOW</code>: Provides the highest detection rate for threats, but also increases false positives.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MEDIUM</code>: Provides a balance between detecting threats and false positives.</p>\n            </li>\n            <li>\n               <p>\n                  <code>HIGH</code>: Detects only the most well corroborated threats with a low rate of false positives. </p>\n            </li>\n         </ul>"
+          }
         }
       },
       "traits": {
@@ -4373,7 +4450,7 @@
         "Action": {
           "target": "com.amazonaws.route53resolver#Action",
           "traits": {
-            "smithy.api#documentation": "<p>Optional additional filter for the rules to retrieve.</p>\n         <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW</code> - Permit the request to go through.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALERT</code> - Permit the request to go through but send an alert to the logs.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BLOCK</code> - Disallow the request. If this is specified, additional handling details are provided in the rule's <code>BlockResponse</code> setting. </p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>Optional additional filter for the rules to retrieve.</p>\n         <p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW</code> - Permit the request to go through. Not availabe for DNS Firewall Advanced rules.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALERT</code> - Permit the request to go through but send an alert to the logs.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BLOCK</code> - Disallow the request. If this is specified, additional handling details are provided in the rule's <code>BlockResponse</code> setting. </p>\n            </li>\n         </ul>"
           }
         },
         "MaxResults": {
@@ -6239,7 +6316,7 @@
         "Status": {
           "target": "com.amazonaws.route53resolver#ResolverQueryLogConfigAssociationStatus",
           "traits": {
-            "smithy.api#documentation": "<p>The status of the specified query logging association. Valid values include the following:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>CREATING</code>: Resolver is creating an association between an Amazon VPC and a query logging configuration.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CREATED</code>: The association between an Amazon VPC and a query logging configuration \n\t\t\t\twas successfully created. Resolver is logging queries that originate in the specified VPC.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DELETING</code>: Resolver is deleting this query logging association.</p>\n            </li>\n            <li>\n               <p>\n                  <code>FAILED</code>: Resolver either couldn't create or couldn't delete the query logging association.</p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The status of the specified query logging association. Valid values include the following:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>CREATING</code>: Resolver is creating an association between an Amazon VPC and a query logging configuration.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ACTIVE</code>: The association between an Amazon VPC and a query logging configuration \n\t\t\t\twas successfully created. Resolver is logging queries that originate in the specified VPC.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DELETING</code>: Resolver is deleting this query logging association.</p>\n            </li>\n            <li>\n               <p>\n                  <code>FAILED</code>: Resolver either couldn't create or couldn't delete the query logging association.</p>\n            </li>\n         </ul>"
           }
         },
         "Error": {
@@ -8213,7 +8290,7 @@
         "Protocol": {
           "target": "com.amazonaws.route53resolver#Protocol",
           "traits": {
-            "smithy.api#documentation": "<p>\n\t\t\tThe protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only.\n\t\t\t\n\t\t</p>\n         <p>For an inbound endpoint you can apply the protocols as follows:</p>\n         <ul>\n            <li>\n               <p> Do53  and DoH in combination.</p>\n            </li>\n            <li>\n               <p>Do53  and DoH-FIPS in combination.</p>\n            </li>\n            <li>\n               <p>Do53 alone.</p>\n            </li>\n            <li>\n               <p>DoH alone.</p>\n            </li>\n            <li>\n               <p>DoH-FIPS alone.</p>\n            </li>\n            <li>\n               <p>None, which is treated as Do53.</p>\n            </li>\n         </ul>\n         <p>For an outbound endpoint you can apply the protocols as follows:</p>\n         <ul>\n            <li>\n               <p> Do53  and DoH in combination.</p>\n            </li>\n            <li>\n               <p>Do53 alone.</p>\n            </li>\n            <li>\n               <p>DoH alone.</p>\n            </li>\n            <li>\n               <p>None, which is treated as Do53.</p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>\n\t\t\tThe protocols for the target address. The protocol you choose needs to be supported by the outbound endpoint of the Resolver rule.</p>"
           }
         },
         "ServerNameIndication": {
@@ -8608,8 +8685,13 @@
         "FirewallDomainListId": {
           "target": "com.amazonaws.route53resolver#ResourceId",
           "traits": {
-            "smithy.api#documentation": "<p>The ID of the domain list to use in the rule.  </p>",
-            "smithy.api#required": {}
+            "smithy.api#documentation": "<p>The ID of the domain list to use in the rule.  </p>"
+          }
+        },
+        "FirewallThreatProtectionId": {
+          "target": "com.amazonaws.route53resolver#ResourceId",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tThe DNS Firewall Advanced rule ID.\n\t\t</p>"
           }
         },
         "Priority": {
@@ -8621,7 +8703,7 @@
         "Action": {
           "target": "com.amazonaws.route53resolver#Action",
           "traits": {
-            "smithy.api#documentation": "<p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW</code> - Permit the request to go through.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALERT</code> - Permit the request to go through but send an alert to the logs.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BLOCK</code> - Disallow the request. This option requires additional details in the rule's <code>BlockResponse</code>. </p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW</code> - Permit the request to go through. Not available for DNS Firewall Advanced rules.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALERT</code> - Permit the request to go through but send an alert to the logs.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BLOCK</code> - Disallow the request. This option requires additional details in the rule's <code>BlockResponse</code>. </p>\n            </li>\n         </ul>"
           }
         },
         "BlockResponse": {
@@ -8657,7 +8739,7 @@
         "FirewallDomainRedirectionAction": {
           "target": "com.amazonaws.route53resolver#FirewallDomainRedirectionAction",
           "traits": {
-            "smithy.api#documentation": "<p>\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t</p>\n         <p>\n            <code>Inspect_Redirection_Domain </code>(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.</p>\n         <p>\n            <code>Trust_Redirection_Domain </code> inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.</p>"
+            "smithy.api#documentation": "<p>\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t</p>\n         <p>\n            <code>INSPECT_REDIRECTION_DOMAIN</code>: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.</p>\n         <p>\n            <code>TRUST_REDIRECTION_DOMAIN</code>: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.</p>"
           }
         },
         "Qtype": {
@@ -8665,6 +8747,18 @@
           "traits": {
             "smithy.api#documentation": "<p>\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t</p>\n         <ul>\n            <li>\n               <p>\n\t\t\t\tA: Returns an IPv4 address.</p>\n            </li>\n            <li>\n               <p>AAAA: Returns an Ipv6 address.</p>\n            </li>\n            <li>\n               <p>CAA: Restricts CAs that can create SSL/TLS certifications for the domain.</p>\n            </li>\n            <li>\n               <p>CNAME: Returns another domain name.</p>\n            </li>\n            <li>\n               <p>DS: Record that identifies the DNSSEC signing key of a delegated zone.</p>\n            </li>\n            <li>\n               <p>MX: Specifies mail servers.</p>\n            </li>\n            <li>\n               <p>NAPTR: Regular-expression-based rewriting of domain names.</p>\n            </li>\n            <li>\n               <p>NS: Authoritative name servers.</p>\n            </li>\n            <li>\n               <p>PTR: Maps an IP address to a domain name.</p>\n            </li>\n            <li>\n               <p>SOA: Start of authority record for the zone.</p>\n            </li>\n            <li>\n               <p>SPF: Lists the servers authorized to send emails from a domain.</p>\n            </li>\n            <li>\n               <p>SRV: Application specific values that identify servers.</p>\n            </li>\n            <li>\n               <p>TXT: Verifies email senders and application-specific values.</p>\n            </li>\n            <li>\n               <p>A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\t<a href=\"https://en.wikipedia.org/wiki/List_of_DNS_record_types\">List of DNS record types</a>.</p>\n               <note>\n                  <p>If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA, \n\t\t\t\t\tthis action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled. </p>\n               </note>\n            </li>\n         </ul>"
           }
+        },
+        "DnsThreatProtection": {
+          "target": "com.amazonaws.route53resolver#DnsThreatProtection",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tThe type of the DNS Firewall Advanced rule. Valid values are:\n\t\t</p>\n         <ul>\n            <li>\n               <p>\n                  <code>DGA</code>: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains \n\t\t\t\tto to launch malware attacks.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DNS_TUNNELING</code>: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without\n\t\t\t\tmaking a network connection to the client.</p>\n            </li>\n         </ul>"
+          }
+        },
+        "ConfidenceThreshold": {
+          "target": "com.amazonaws.route53resolver#ConfidenceThreshold",
+          "traits": {
+            "smithy.api#documentation": "<p>\n\t\t\tThe confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence\n\t\t\tlevel values mean:\n\t\t</p>\n         <ul>\n            <li>\n               <p>\n                  <code>LOW</code>: Provides the highest detection rate for threats, but also increases false positives.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MEDIUM</code>: Provides a balance between detecting threats and false positives.</p>\n            </li>\n            <li>\n               <p>\n                  <code>HIGH</code>: Detects only the most well corroborated threats with a low rate of false positives. </p>\n            </li>\n         </ul>"
+          }
         }
       },
       "traits": {