lib/aws-sdk-fms/client.rb in aws-sdk-fms-1.18.0 vs lib/aws-sdk-fms/client.rb in aws-sdk-fms-1.19.0
@@ -263,11 +263,11 @@
end
# @!group API Operations
# Sets the AWS Firewall Manager administrator account. AWS Firewall
- # Manager must be associated with the master account your AWS
+ # Manager must be associated with the master account of your AWS
# organization or associated with a member account that has the
# appropriate permissions. If the account ID that you submit is not an
# AWS Organizations master account, AWS Firewall Manager will set the
# appropriate permissions for the given member account.
#
@@ -322,26 +322,39 @@
# @option params [required, String] :policy_id
# The ID of the policy that you want to delete. `PolicyId` is returned
# by `PutPolicy` and by `ListPolicies`.
#
# @option params [Boolean] :delete_all_policy_resources
- # If `True`, the request will also perform a clean-up process that will:
+ # If `True`, the request performs cleanup according to the policy type.
#
- # * Delete rule groups created by AWS Firewall Manager
+ # For AWS WAF and Shield Advanced policies, the cleanup does the
+ # following:
#
- # * Remove web ACLs from in-scope resources
+ # * Deletes rule groups created by AWS Firewall Manager
#
- # * Delete web ACLs that contain no rules or rule groups
+ # * Removes web ACLs from in-scope resources
#
- # After the cleanup, in-scope resources will no longer be protected by
- # web ACLs in this policy. Protection of out-of-scope resources will
- # remain unchanged. Scope is determined by tags and accounts associated
- # with the policy. When creating the policy, if you specified that only
- # resources in specific accounts or with specific tags be protected by
- # the policy, those resources are in-scope. All others are out of scope.
- # If you did not specify tags or accounts, all resources are in-scope.
+ # * Deletes web ACLs that contain no rules or rule groups
#
+ # For security group policies, the cleanup does the following for each
+ # security group in the policy:
+ #
+ # * Disassociates the security group from in-scope resources
+ #
+ # * Deletes the security group if it was created through Firewall
+ # Manager and if it's no longer associated with any resources through
+ # another policy
+ #
+ # After the cleanup, in-scope resources are no longer protected by web
+ # ACLs in this policy. Protection of out-of-scope resources remains
+ # unchanged. Scope is determined by tags that you create and accounts
+ # that you associate with the policy. When creating the policy, if you
+ # specify that only resources in specific accounts or with specific tags
+ # are in scope of the policy, those accounts and resources are handled
+ # by the policy. All others are out of scope. If you don't specify tags
+ # or accounts, all resources are in scope.
+ #
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
#
# @example Request syntax with placeholder values
#
# resp = client.delete_policy({
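Review bot: The closing summary `# After the cleanup, in-scope resources are no longer protected by web ACLs in this policy.` still describes only the AWS WAF/Shield Advanced case, while the new security group bullets above it state that the cleanup disassociates security groups from in-scope resources, so a reader of the summary alone would not see that `delete_all_policy_resources: true` also removes security group protection. Suggest generalizing it to `# After the cleanup, in-scope resources are no longer protected by the web ACLs or security groups in this policy.` so the consequence is stated once for every policy type. This file appears to be generated from the service model, so the wording fix likely belongs in the upstream API documentation rather than a local patch. The `delete_policy` method body is outside this hunk.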
@@ -359,11 +372,11 @@
end
# Disassociates the account that has been set as the AWS Firewall
# Manager administrator account. To set a different account as the
# administrator account, you must submit an `AssociateAdminAccount`
- # request .
+ # request.
#
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
#
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DisassociateAdminAccount AWS API Documentation
#
@@ -396,12 +409,16 @@
req.send_request(options)
end
# Returns detailed compliance information about the specified member
# account. Details include resources that are in and out of compliance
- # with the specified policy. Resources are considered non-compliant if
- # the specified policy has not been applied to them.
+ # with the specified policy. Resources are considered noncompliant for
+ # AWS WAF and Shield Advanced policies if the specified policy has not
+ # been applied to them. Resources are considered noncompliant for
+ # security group policies if they are in scope of the policy, they
+ # violate one or more of the policy rules, and remediation is disabled
+ # or not possible.
#
# @option params [required, String] :policy_id
# The ID of the policy that you want to get the details for. `PolicyId`
# is returned by `PutPolicy` and by `ListPolicies`.
#
@@ -425,11 +442,11 @@
# resp.policy_compliance_detail.policy_owner #=> String
# resp.policy_compliance_detail.policy_id #=> String
# resp.policy_compliance_detail.member_account #=> String
# resp.policy_compliance_detail.violators #=> Array
# resp.policy_compliance_detail.violators[0].resource_id #=> String
- # resp.policy_compliance_detail.violators[0].violation_reason #=> String, one of "WEB_ACL_MISSING_RULE_GROUP", "RESOURCE_MISSING_WEB_ACL", "RESOURCE_INCORRECT_WEB_ACL", "RESOURCE_MISSING_SHIELD_PROTECTION"
+ # resp.policy_compliance_detail.violators[0].violation_reason #=> String, one of "WEB_ACL_MISSING_RULE_GROUP", "RESOURCE_MISSING_WEB_ACL", "RESOURCE_INCORRECT_WEB_ACL", "RESOURCE_MISSING_SHIELD_PROTECTION", "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION", "RESOURCE_MISSING_SECURITY_GROUP", "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP", "SECURITY_GROUP_UNUSED", "SECURITY_GROUP_REDUNDANT"
# resp.policy_compliance_detail.violators[0].resource_type #=> String
# resp.policy_compliance_detail.evaluation_limit_exceeded #=> Boolean
# resp.policy_compliance_detail.expired_at #=> Time
# resp.policy_compliance_detail.issue_info_map #=> Hash
# resp.policy_compliance_detail.issue_info_map["DependentServiceName"] #=> String
@@ -441,12 +458,12 @@
def get_compliance_detail(params = {}, options = {})
req = build_request(:get_compliance_detail, params)
req.send_request(options)
end
- # Returns information about the Amazon Simple Notification Service (SNS)
- # topic that is used to record AWS Firewall Manager SNS logs.
+ # Information about the Amazon Simple Notification Service (SNS) topic
+ # that is used to record AWS Firewall Manager SNS logs.
#
# @return [Types::GetNotificationChannelResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
#
# * {Types::GetNotificationChannelResponse#sns_topic_arn #sns_topic_arn} => String
# * {Types::GetNotificationChannelResponse#sns_role_name #sns_role_name} => String
@@ -485,11 +502,11 @@
# @example Response structure
#
# resp.policy.policy_id #=> String
# resp.policy.policy_name #=> String
# resp.policy.policy_update_token #=> String
- # resp.policy.security_service_policy_data.type #=> String, one of "WAF", "SHIELD_ADVANCED"
+ # resp.policy.security_service_policy_data.type #=> String, one of "WAF", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT"
# resp.policy.security_service_policy_data.managed_service_data #=> String
# resp.policy.resource_type #=> String
# resp.policy.resource_type_list #=> Array
# resp.policy.resource_type_list[0] #=> String
# resp.policy.resource_tags #=> Array
@@ -513,36 +530,37 @@
req = build_request(:get_policy, params)
req.send_request(options)
end
# If you created a Shield Advanced policy, returns policy-level attack
- # summary information in the event of a potential DDoS attack.
+ # summary information in the event of a potential DDoS attack. Other
+ # policy types are currently unsupported.
#
# @option params [required, String] :policy_id
# The ID of the policy for which you want to get the attack information.
#
# @option params [String] :member_account_id
# The AWS account that is in scope of the policy that you want to get
# the details for.
#
# @option params [Time,DateTime,Date,Integer,String] :start_time
# The start of the time period to query for the attacks. This is a
- # `timestamp` type. The sample request above indicates a number type
+ # `timestamp` type. The request syntax listing indicates a `number` type
# because the default used by AWS Firewall Manager is Unix time in
# seconds. However, any valid `timestamp` format is allowed.
#
# @option params [Time,DateTime,Date,Integer,String] :end_time
# The end of the time period to query for the attacks. This is a
- # `timestamp` type. The sample request above indicates a number type
+ # `timestamp` type. The request syntax listing indicates a `number` type
# because the default used by AWS Firewall Manager is Unix time in
# seconds. However, any valid `timestamp` format is allowed.
#
# @option params [String] :next_token
# If you specify a value for `MaxResults` and you have more objects than
# the number that you specify for `MaxResults`, AWS Firewall Manager
- # returns a `NextToken` value in the response that allows you to list
- # another group of objects. For the second and subsequent
+ # returns a `NextToken` value in the response, which you can use to
+ # retrieve another group of objects. For the second and subsequent
# `GetProtectionStatus` requests, specify the value of `NextToken` from
# the previous response to get information about another batch of
# objects.
#
# @option params [Integer] :max_results
@@ -570,11 +588,11 @@
# })
#
# @example Response structure
#
# resp.admin_account_id #=> String
- # resp.service_type #=> String, one of "WAF", "SHIELD_ADVANCED"
+ # resp.service_type #=> String, one of "WAF", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT"
# resp.data #=> String
# resp.next_token #=> String
#
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetProtectionStatus AWS API Documentation
#
@@ -732,11 +750,11 @@
# resp.policy_list #=> Array
# resp.policy_list[0].policy_arn #=> String
# resp.policy_list[0].policy_id #=> String
# resp.policy_list[0].policy_name #=> String
# resp.policy_list[0].resource_type #=> String
- # resp.policy_list[0].security_service_type #=> String, one of "WAF", "SHIELD_ADVANCED"
+ # resp.policy_list[0].security_service_type #=> String, one of "WAF", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT"
# resp.policy_list[0].remediation_enabled #=> Boolean
# resp.next_token #=> String
#
# @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListPolicies AWS API Documentation
#
@@ -776,21 +794,27 @@
req.send_request(options)
end
# Creates an AWS Firewall Manager policy.
#
- # Firewall Manager provides two types of policies: A Shield Advanced
- # policy, which applies Shield Advanced protection to specified accounts
- # and resources, or a WAF policy, which contains a rule group and
- # defines which resources are to be protected by that rule group. A
- # policy is specific to either WAF or Shield Advanced. If you want to
- # enforce both WAF rules and Shield Advanced protection across accounts,
- # you can create multiple policies. You can create one or more policies
- # for WAF rules, and one or more policies for Shield Advanced.
+ # Firewall Manager provides the following types of policies:
#
+ # * A Shield Advanced policy, which applies Shield Advanced protection
+ # to specified accounts and resources
+ #
+ # * An AWS WAF policy, which contains a rule group and defines which
+ # resources are to be protected by that rule group
+ #
+ # * A security group policy, which manages VPC security groups across
+ # your AWS organization.
+ #
+ # Each policy is specific to one of the three types. If you want to
+ # enforce more than one policy type across accounts, you can create
+ # multiple policies. You can create multiple policies for each type.
+ #
# You must be subscribed to Shield Advanced to create a Shield Advanced
- # policy. For more information on subscribing to Shield Advanced, see
+ # policy. For more information about subscribing to Shield Advanced, see
# [CreateSubscription][1].
#
#
#
# [1]: https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_CreateSubscription.html
@@ -809,11 +833,11 @@
# policy: { # required
# policy_id: "PolicyId",
# policy_name: "ResourceName", # required
# policy_update_token: "PolicyUpdateToken",
# security_service_policy_data: { # required
- # type: "WAF", # required, accepts WAF, SHIELD_ADVANCED
+ # type: "WAF", # required, accepts WAF, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT
# managed_service_data: "ManagedServiceData",
# },
# resource_type: "ResourceType", # required
# resource_type_list: ["ResourceType"],
# resource_tags: [
@@ -836,11 +860,11 @@
# @example Response structure
#
# resp.policy.policy_id #=> String
# resp.policy.policy_name #=> String
# resp.policy.policy_update_token #=> String
- # resp.policy.security_service_policy_data.type #=> String, one of "WAF", "SHIELD_ADVANCED"
+ # resp.policy.security_service_policy_data.type #=> String, one of "WAF", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT"
# resp.policy.security_service_policy_data.managed_service_data #=> String
# resp.policy.resource_type #=> String
# resp.policy.resource_type_list #=> Array
# resp.policy.resource_type_list[0] #=> String
# resp.policy.resource_tags #=> Array
@@ -876,10 +900,10 @@
operation: config.api.operation(operation_name),
client: self,
params: params,
config: config)
context[:gem_name] = 'aws-sdk-fms'
- context[:gem_version] = '1.18.0'
+ context[:gem_version] = '1.19.0'
Seahorse::Client::Request.new(handlers, context)
end
# @api private
# @deprecated