diff --git a/clients/client-fms/src/commands/GetViolationDetailsCommand.ts b/clients/client-fms/src/commands/GetViolationDetailsCommand.ts index 18ba48137fda..79b68d5f3c84 100644 --- a/clients/client-fms/src/commands/GetViolationDetailsCommand.ts +++ b/clients/client-fms/src/commands/GetViolationDetailsCommand.ts @@ -147,6 +147,7 @@ export interface GetViolationDetailsCommandOutput extends GetViolationDetailsRes * // ], * // StatefulEngineOptions: { // StatefulEngineOptions * // RuleOrder: "STRICT_ORDER" || "DEFAULT_ACTION_ORDER", + * // StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT" || "FMS_IGNORE", * // }, * // }, * // ExpectedPolicyDescription: { @@ -175,6 +176,7 @@ export interface GetViolationDetailsCommandOutput extends GetViolationDetailsRes * // StatefulDefaultActions: "", * // StatefulEngineOptions: { * // RuleOrder: "STRICT_ORDER" || "DEFAULT_ACTION_ORDER", + * // StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT" || "FMS_IGNORE", * // }, * // }, * // }, diff --git a/clients/client-fms/src/models/models_0.ts b/clients/client-fms/src/models/models_0.ts index df55abe02adb..85cbba24a3a7 100644 --- a/clients/client-fms/src/models/models_0.ts +++ b/clients/client-fms/src/models/models_0.ts @@ -1221,10 +1221,10 @@ export type NetworkAclRuleAction = (typeof NetworkAclRuleAction)[keyof typeof Ne *

Describes a rule in a network ACL.

*

Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining * whether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the - * entries in the network ACL according to the rule numbers, in ascending order.

+ * entries in the network ACL according to the rule numbers, in ascending order.

*

When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, - * you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order - * that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

+ * you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order + * that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

* @public */ export interface NetworkAclEntry { @@ -1283,17 +1283,18 @@ export interface NetworkAclEntrySet { *

Provide these in the order in which you want them to run. Firewall Manager will assign * the specific rule numbers for you, in the network ACLs that it creates.

* + *

You must specify at least one first entry or one last entry in any network ACL policy.

* @public */ FirstEntries?: NetworkAclEntry[]; /** *

Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy - * violations that involve conflicts between the custom entries and the policy entries.

+ * violations that involve conflicts between the custom entries and the policy entries.

*

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to - * remediate. For more information about the remediation behavior, see - * Network access control list (ACL) policies - * in the Firewall Manager Developer Guide.

+ * remediate. For more information about the remediation behavior, see + * Network access control list (ACL) policies + * in the Firewall Manager Developer Guide.

* @public */ ForceRemediateForFirstEntries: boolean | undefined; @@ -1304,17 +1305,18 @@ export interface NetworkAclEntrySet { *

Provide these in the order in which you want them to run. Firewall Manager will assign * the specific rule numbers for you, in the network ACLs that it creates.

* + *

You must specify at least one first entry or one last entry in any network ACL policy.

* @public */ LastEntries?: NetworkAclEntry[]; /** *

Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy - * violations that involve conflicts between the custom entries and the policy entries.

+ * violations that involve conflicts between the custom entries and the policy entries.

*

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to - * remediate. For more information about the remediation behavior, see - * Network access control list (ACL) policies - * in the Firewall Manager Developer Guide.

+ * remediate. For more information about the remediation behavior, see + * Network access control list (ACL) policies + * in the Firewall Manager Developer Guide.

* @public */ ForceRemediateForLastEntries: boolean | undefined; @@ -1788,8 +1790,8 @@ export interface Policy { /** *

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources - * that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL - * from a protected customer resource when the customer resource leaves policy scope.

+ * that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL + * from a protected customer resource when the customer resource leaves policy scope.

*

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

*

This option is not available for Shield Advanced or WAF Classic policies.

* @public @@ -2671,10 +2673,10 @@ export interface EntryDescription { *

Describes a rule in a network ACL.

*

Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining * whether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the - * entries in the network ACL according to the rule numbers, in ascending order.

+ * entries in the network ACL according to the rule numbers, in ascending order.

*

When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, - * you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order - * that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

+ * you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order + * that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

* @public */ EntryDetail?: NetworkAclEntry; @@ -3263,6 +3265,22 @@ export const RuleOrder = { */ export type RuleOrder = (typeof RuleOrder)[keyof typeof RuleOrder]; +/** + * @public + * @enum + */ +export const StreamExceptionPolicy = { + CONTINUE: "CONTINUE", + DROP: "DROP", + FMS_IGNORE: "FMS_IGNORE", + REJECT: "REJECT", +} as const; + +/** + * @public + */ +export type StreamExceptionPolicy = (typeof StreamExceptionPolicy)[keyof typeof StreamExceptionPolicy]; + /** *

Configuration settings for the handling of the stateful rule groups in a Network Firewall firewall policy.

* @public @@ -3270,12 +3288,44 @@ export type RuleOrder = (typeof RuleOrder)[keyof typeof RuleOrder]; export interface StatefulEngineOptions { /** *

Indicates how to manage the order of stateful rule evaluation for the policy. - * DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine + * Stateful rules are provided to the rule engine * as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more * information, see Evaluation order for stateful rules in the Network Firewall Developer Guide.

+ *

Default: DEFAULT_ACTION_ORDER + *

* @public */ RuleOrder?: RuleOrder; + + /** + *

Indicates how Network Firewall should handle traffic when a network connection breaks midstream.

+ * + *

For more information, see + * Stream exception policy in your firewall policy + * in the Network Firewall Developer Guide.

+ *

Default: FMS_IGNORE + *

+ * @public + */ + StreamExceptionPolicy?: StreamExceptionPolicy; } /** @@ -4426,16 +4476,16 @@ export interface GetViolationDetailsResponse { export interface ListAdminAccountsForOrganizationRequest { /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; /** *

The maximum number of objects that you want Firewall Manager to return for this request. If more - * objects are available, in the response, Firewall Manager provides a - * NextToken value that you can use in a subsequent call to get the next batch of objects.

+ * objects are available, in the response, Firewall Manager provides a + * NextToken value that you can use in a subsequent call to get the next batch of objects.

* @public */ MaxResults?: number; @@ -4453,8 +4503,8 @@ export interface ListAdminAccountsForOrganizationResponse { /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; @@ -4466,16 +4516,16 @@ export interface ListAdminAccountsForOrganizationResponse { export interface ListAdminsManagingAccountRequest { /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; /** *

The maximum number of objects that you want Firewall Manager to return for this request. If more - * objects are available, in the response, Firewall Manager provides a - * NextToken value that you can use in a subsequent call to get the next batch of objects.

+ * objects are available, in the response, Firewall Manager provides a + * NextToken value that you can use in a subsequent call to get the next batch of objects.

* @public */ MaxResults?: number; @@ -4493,8 +4543,8 @@ export interface ListAdminsManagingAccountResponse { /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; @@ -4715,16 +4765,16 @@ export interface ListDiscoveredResourcesRequest { /** *

The maximum number of objects that you want Firewall Manager to return for this request. If more - * objects are available, in the response, Firewall Manager provides a - * NextToken value that you can use in a subsequent call to get the next batch of objects.

+ * objects are available, in the response, Firewall Manager provides a + * NextToken value that you can use in a subsequent call to get the next batch of objects.

* @public */ MaxResults?: number; /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; @@ -4772,8 +4822,8 @@ export interface ListDiscoveredResourcesResponse { /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; @@ -4897,8 +4947,8 @@ export interface PolicySummary { /** *

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources - * that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL - * from a protected customer resource when the customer resource leaves policy scope.

+ * that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL + * from a protected customer resource when the customer resource leaves policy scope.

*

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

*

This option is not available for Shield Advanced or WAF Classic policies.

* @public @@ -5031,16 +5081,16 @@ export interface ListResourceSetResourcesRequest { /** *

The maximum number of objects that you want Firewall Manager to return for this request. If more - * objects are available, in the response, Firewall Manager provides a - * NextToken value that you can use in a subsequent call to get the next batch of objects.

+ * objects are available, in the response, Firewall Manager provides a + * NextToken value that you can use in a subsequent call to get the next batch of objects.

* @public */ MaxResults?: number; /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; @@ -5076,8 +5126,8 @@ export interface ListResourceSetResourcesResponse { /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; @@ -5089,16 +5139,16 @@ export interface ListResourceSetResourcesResponse { export interface ListResourceSetsRequest { /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; /** *

The maximum number of objects that you want Firewall Manager to return for this request. If more - * objects are available, in the response, Firewall Manager provides a - * NextToken value that you can use in a subsequent call to get the next batch of objects.

+ * objects are available, in the response, Firewall Manager provides a + * NextToken value that you can use in a subsequent call to get the next batch of objects.

* @public */ MaxResults?: number; @@ -5162,8 +5212,8 @@ export interface ListResourceSetsResponse { /** *

When you request a list of objects with a MaxResults setting, if the number of objects that are still available - * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken - * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

+ * for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken + * value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

* @public */ NextToken?: string; diff --git a/codegen/sdk-codegen/aws-models/fms.json b/codegen/sdk-codegen/aws-models/fms.json index 0f6018bc0548..0ea79def8ebf 100644 --- a/codegen/sdk-codegen/aws-models/fms.json +++ b/codegen/sdk-codegen/aws-models/fms.json @@ -2970,7 +2970,7 @@ "EntryDetail": { "target": "com.amazonaws.fms#NetworkAclEntry", "traits": { - "smithy.api#documentation": "

Describes a rule in a network ACL.

\n

Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining\nwhether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the\n entries in the network ACL according to the rule numbers, in ascending order.

\n

When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, \n you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order \n that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

" + "smithy.api#documentation": "

Describes a rule in a network ACL.

\n

Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining\nwhether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the\n entries in the network ACL according to the rule numbers, in ascending order.

\n

When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, \n you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order \n that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

" } }, "EntryRuleNumber": { @@ -4310,13 +4310,13 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } }, "MaxResults": { "target": "com.amazonaws.fms#PaginationMaxResults", "traits": { - "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" + "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" } } }, @@ -4336,7 +4336,7 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } } }, @@ -4379,13 +4379,13 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } }, "MaxResults": { "target": "com.amazonaws.fms#PaginationMaxResults", "traits": { - "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" + "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" } } }, @@ -4405,7 +4405,7 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } } }, @@ -4609,13 +4609,13 @@ "MaxResults": { "target": "com.amazonaws.fms#PaginationMaxResults", "traits": { - "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" + "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" } }, "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } } }, @@ -4635,7 +4635,7 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } } }, @@ -4907,13 +4907,13 @@ "MaxResults": { "target": "com.amazonaws.fms#PaginationMaxResults", "traits": { - "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" + "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" } }, "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } } }, @@ -4934,7 +4934,7 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } } }, @@ -4971,13 +4971,13 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" + "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

" } }, "MaxResults": { "target": "com.amazonaws.fms#PaginationMaxResults", "traits": { - "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" + "smithy.api#documentation": "

The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.

" } } }, @@ -4997,7 +4997,7 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

"
+ "smithy.api#documentation": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available\n for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken\n value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

"
 }
 }
 },
@@ -5260,7 +5260,7 @@
 }
 },
 "traits": {
- "smithy.api#documentation": "

Describes a rule in a network ACL.

\n

Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining\nwhether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the\n entries in the network ACL according to the rule numbers, in ascending order.

\n

When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, \n you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order \n that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

"
+ "smithy.api#documentation": "

Describes a rule in a network ACL.

\n

Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining\nwhether a packet should be allowed in or out of a subnet associated with the network ACL, Amazon Web Services processes the\n entries in the network ACL according to the rule numbers, in ascending order.

\n

When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, \n you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order \n that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

"
 }
 },
 "com.amazonaws.fms#NetworkAclEntrySet": {
@@ -5269,26 +5269,26 @@
 "FirstEntries": {
 "target": "com.amazonaws.fms#NetworkAclEntries",
 "traits": {
- "smithy.api#documentation": "

The rules that you want to run first in the Firewall Manager managed network ACLs.

\n \n

Provide these in the order in which you want them to run. Firewall Manager will assign\n the specific rule numbers for you, in the network ACLs that it creates.

\n
"
+ "smithy.api#documentation": "

The rules that you want to run first in the Firewall Manager managed network ACLs.

\n \n

Provide these in the order in which you want them to run. Firewall Manager will assign\n the specific rule numbers for you, in the network ACLs that it creates.

\n
\n

You must specify at least one first entry or one last entry in any network ACL policy.

"
 }
 },
 "ForceRemediateForFirstEntries": {
 "target": "com.amazonaws.fms#BooleanObject",
 "traits": {
- "smithy.api#documentation": "

Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy \n violations that involve conflicts between the custom entries and the policy entries.

\n

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to \n remediate. For more information about the remediation behavior, see \n Network access control list (ACL) policies \n in the Firewall Manager Developer Guide.

",
+ "smithy.api#documentation": "

Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy \n violations that involve conflicts between the custom entries and the policy entries.

\n

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to \n remediate. For more information about the remediation behavior, see \nNetwork access control list (ACL) policies \n in the Firewall Manager Developer Guide.

",
 "smithy.api#required": {}
 }
 },
 "LastEntries": {
 "target": "com.amazonaws.fms#NetworkAclEntries",
 "traits": {
- "smithy.api#documentation": "

The rules that you want to run last in the Firewall Manager managed network ACLs.

\n \n

Provide these in the order in which you want them to run. Firewall Manager will assign\n the specific rule numbers for you, in the network ACLs that it creates.

\n
"
+ "smithy.api#documentation": "

The rules that you want to run last in the Firewall Manager managed network ACLs.

\n \n

Provide these in the order in which you want them to run. Firewall Manager will assign\n the specific rule numbers for you, in the network ACLs that it creates.

\n
\n

You must specify at least one first entry or one last entry in any network ACL policy.

"
 }
 },
 "ForceRemediateForLastEntries": {
 "target": "com.amazonaws.fms#BooleanObject",
 "traits": {
- "smithy.api#documentation": "

Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy \n violations that involve conflicts between the custom entries and the policy entries.

\n

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to \n remediate. For more information about the remediation behavior, see \n Network access control list (ACL) policies \n in the Firewall Manager Developer Guide.

",
+ "smithy.api#documentation": "

Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy \n violations that involve conflicts between the custom entries and the policy entries.

\n

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to \n remediate. For more information about the remediation behavior, see \nNetwork access control list (ACL) policies \n in the Firewall Manager Developer Guide.

",
 "smithy.api#required": {}
 }
 }
@@ -6121,7 +6121,7 @@
 "target": "com.amazonaws.fms#Boolean",
 "traits": {
 "smithy.api#default": false,
- "smithy.api#documentation": "

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources\n that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL\n from a protected customer resource when the customer resource leaves policy scope.

\n

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

\n

This option is not available for Shield Advanced or WAF Classic policies.

"
+ "smithy.api#documentation": "

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources\n that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL\n from a protected customer resource when the customer resource leaves policy scope.

\n

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

\n

This option is not available for Shield Advanced or WAF Classic policies.

"
 }
 },
 "IncludeMap": {
@@ -6363,7 +6363,7 @@
 "target": "com.amazonaws.fms#Boolean",
 "traits": {
 "smithy.api#default": false,
- "smithy.api#documentation": "

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources\n that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL\n from a protected customer resource when the customer resource leaves policy scope.

\n

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

\n

This option is not available for Shield Advanced or WAF Classic policies.

"
+ "smithy.api#documentation": "

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources\n that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL\n from a protected customer resource when the customer resource leaves policy scope.

\n

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

\n

This option is not available for Shield Advanced or WAF Classic policies.

"
 }
 },
 "PolicyStatus": {
@@ -7941,7 +7941,13 @@
 "RuleOrder": {
 "target": "com.amazonaws.fms#RuleOrder",
 "traits": {
- "smithy.api#documentation": "

Indicates how to manage the order of stateful rule evaluation for the policy.\nDEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine\nas Suricata compatible strings, and Suricata evaluates them based on certain settings. For more\ninformation, see Evaluation order for stateful rules in the Network Firewall Developer Guide.

"
+ "smithy.api#documentation": "

Indicates how to manage the order of stateful rule evaluation for the policy.\nStateful rules are provided to the rule engine\nas Suricata compatible strings, and Suricata evaluates them based on certain settings. For more\ninformation, see Evaluation order for stateful rules in the Network Firewall Developer Guide.

\n

Default: DEFAULT_ACTION_ORDER\n

"
+ }
+ },
+ "StreamExceptionPolicy": {
+ "target": "com.amazonaws.fms#StreamExceptionPolicy",
+ "traits": {
+ "smithy.api#documentation": "

Indicates how Network Firewall should handle traffic when a network connection breaks midstream.

\n \n

For more information, see \n Stream exception policy in your firewall policy \n in the Network Firewall Developer Guide.

\n

Default: FMS_IGNORE\n

"
 }
 }
 },
@@ -8028,6 +8034,35 @@
 }
 }
 },
+ "com.amazonaws.fms#StreamExceptionPolicy": {
+ "type": "enum",
+ "members": {
+ "DROP": {
+ "target": "smithy.api#Unit",
+ "traits": {
+ "smithy.api#enumValue": "DROP"
+ }
+ },
+ "CONTINUE": {
+ "target": "smithy.api#Unit",
+ "traits": {
+ "smithy.api#enumValue": "CONTINUE"
+ }
+ },
+ "REJECT": {
+ "target": "smithy.api#Unit",
+ "traits": {
+ "smithy.api#enumValue": "REJECT"
+ }
+ },
+ "FMS_IGNORE": {
+ "target": "smithy.api#Unit",
+ "traits": {
+ "smithy.api#enumValue": "FMS_IGNORE"
+ }
+ }
+ }
+ },
 "com.amazonaws.fms#Tag": {
 "type": "structure",
 "members": {
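Review bot: The new `StreamExceptionPolicy` member (hunk at 7941) and its enum (hunk at 8028) name the default `FMS_IGNORE` but never say what any of the four values does, although this setting decides how traffic is handled once a connection breaks midstream. From this text a reader cannot tell which values stop the affected traffic and which let it continue without the earlier stream context, nor whether the default leaves the firewall's existing setting untouched. I would attach a `smithy.api#documentation` trait with a one-sentence description to each of `DROP`, `CONTINUE`, `REJECT` and `FMS_IGNORE`, and have the member documentation state what `FMS_IGNORE` means for a policy that omits the field. If this model is synced from the service definition, the wording should be taken from there rather than written in this repository.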