lib/aws-sdk-fms/client.rb in aws-sdk-fms-1.55.0 vs lib/aws-sdk-fms/client.rb in aws-sdk-fms-1.56.0

- old
+ new

@@ -376,22 +376,30 @@ super end # @!group API Operations - # Sets the Firewall Manager administrator account. The account must be a - # member of the organization in Organizations whose resources you want - # to protect. Firewall Manager sets the permissions that allow the - # account to administer your Firewall Manager policies. + # Sets a Firewall Manager default administrator account. The Firewall + # Manager default administrator account can manage third-party firewalls + # and has full administrative scope that allows administration of all + # policy types, accounts, organizational units, and Regions. This + # account must be a member account of the organization in Organizations + # whose resources you want to protect. # - # The account that you associate with Firewall Manager is called the - # Firewall Manager administrator account. + # For information about working with Firewall Manager administrator + # accounts, see [Managing Firewall Manager administrators][1] in the + # *Firewall Manager Developer Guide*. # + # + # + # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/fms-administrators.html + # # @option params [required, String] :admin_account # The Amazon Web Services account ID to associate with Firewall Manager - # as the Firewall Manager administrator account. This must be an - # Organizations member account. For more information about + # as the Firewall Manager default administrator account. This account + # must be a member account of the organization in Organizations whose + # resources you want to protect. For more information about # Organizations, see [Managing the Amazon Web Services Accounts in Your # Organization][1]. # # # 
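Review bot: The new reference `[1]` in the `associate_admin_account` comment is introduced as a page of the *Firewall Manager Developer Guide*, but its URL sits under `docs.aws.amazon.com/organizations/latest/userguide/`. The other developer-guide link visible in this diff (hunk @@ -2070) is under `docs.aws.amazon.com/waf/latest/developerguide/`, so the target looks mis-pathed and should be checked before release. This matters because the paragraph now describes an account with full administrative scope over all policy types, accounts, organizational units and Regions, and the link is the only pointer to guidance on managing it. The method definition is outside the hunk.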
@@ -446,12 +454,12 @@ end # Associate resources to a Firewall Manager resource set. # # @option params [required, String] :resource_set_identifier - # A unique identifier for the resource set, used in a TODO to refer to - # the resource set. + # A unique identifier for the resource set, used in a request to refer + # to the resource set. # # @option params [required, Array<String>] :items # The uniform resource identifiers (URIs) of resources that should be # associated to the resource set. The URIs must be Amazon Resource Names # (ARNs). @@ -485,12 +493,12 @@ end # Disassociates resources from a Firewall Manager resource set. # # @option params [required, String] :resource_set_identifier - # A unique identifier for the resource set, used in a TODO to refer to - # the resource set. + # A unique identifier for the resource set, used in a request to refer + # to the resource set. # # @option params [required, Array<String>] :items # The uniform resource identifiers (URI) of resources that should be # disassociated from the resource set. The URIs must be Amazon Resource # Names (ARNs). @@ -640,12 +648,12 @@ end # Deletes the specified ResourceSet. # # @option params [required, String] :identifier - # A unique identifier for the resource set, used in a TODO to refer to - # the resource set. + # A unique identifier for the resource set, used in a request to refer + # to the resource set. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # 
@@ -660,14 +668,20 @@ def delete_resource_set(params = {}, options = {}) req = build_request(:delete_resource_set, params) req.send_request(options) end - # Disassociates the account that has been set as the Firewall Manager - # administrator account. To set a different account as the administrator - # account, you must submit an `AssociateAdminAccount` request. + # Disassociates an Firewall Manager administrator account. To set a + # different account as an Firewall Manager administrator, submit a + # PutAdminAccount request. To set an account as a default administrator + # account, you must submit an AssociateAdminAccount request. # + # Disassociation of the default administrator account follows the first + # in, last out principle. If you are the default administrator, all + # Firewall Manager administrators within the organization must first + # disassociate their accounts before you can disassociate your account. + # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DisassociateAdminAccount AWS API Documentation # # @overload disassociate_admin_account(params = {}) @@ -707,11 +721,11 @@ req = build_request(:disassociate_third_party_firewall, params) req.send_request(options) end # Returns the Organizations account that is associated with Firewall - # Manager as the Firewall Manager administrator. + # Manager as the Firewall Manager default administrator. # # @return [Types::GetAdminAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::GetAdminAccountResponse#admin_account #admin_account} => String # * {Types::GetAdminAccountResponse#role_status #role_status} => String 
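Review bot: The rewritten `disassociate_admin_account` comment reads "an Firewall Manager administrator" twice and no longer wraps the operation names in backticks as the removed line did, so PutAdminAccount and AssociateAdminAccount render as plain words. I would write `# Disassociates a Firewall Manager administrator account. To set a` and restore the code formatting on both operation names. The same "an Firewall Manager" wording is added in hunks @@ -728, @@ -1652 and @@ -1993, and hunk @@ -728 also misspells "admistrative" and "administator" in the `get_admin_scope` comment. The comment block continues past the end of this hunk, where the method definition sits.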
@@ -728,10 +742,55 @@ def get_admin_account(params = {}, options = {}) req = build_request(:get_admin_account, params) req.send_request(options) end + # Returns information about the specified account's administrative + # scope. The admistrative scope defines the resources that an Firewall + # Manager administrator can manage. + # + # @option params [required, String] :admin_account + # The administator account that you want to get the details for. + # + # @return [Types::GetAdminScopeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::GetAdminScopeResponse#admin_scope #admin_scope} => Types::AdminScope + # * {Types::GetAdminScopeResponse#status #status} => String + # + # @example Request syntax with placeholder values + # + # resp = client.get_admin_scope({ + # admin_account: "AWSAccountId", # required + # }) + # + # @example Response structure + # + # resp.admin_scope.account_scope.accounts #=> Array + # resp.admin_scope.account_scope.accounts[0] #=> String + # resp.admin_scope.account_scope.all_accounts_enabled #=> Boolean + # resp.admin_scope.account_scope.exclude_specified_accounts #=> Boolean + # resp.admin_scope.organizational_unit_scope.organizational_units #=> Array + # resp.admin_scope.organizational_unit_scope.organizational_units[0] #=> String + # resp.admin_scope.organizational_unit_scope.all_organizational_units_enabled #=> Boolean + # resp.admin_scope.organizational_unit_scope.exclude_specified_organizational_units #=> Boolean + # resp.admin_scope.region_scope.regions #=> Array + # resp.admin_scope.region_scope.regions[0] #=> String + # resp.admin_scope.region_scope.all_regions_enabled #=> Boolean + # resp.admin_scope.policy_type_scope.policy_types #=> Array + # resp.admin_scope.policy_type_scope.policy_types[0] #=> String, one of "WAF", "WAFV2", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT", "NETWORK_FIREWALL", 
"DNS_FIREWALL", "THIRD_PARTY_FIREWALL", "IMPORT_NETWORK_FIREWALL" + # resp.admin_scope.policy_type_scope.all_policy_types_enabled #=> Boolean + # resp.status #=> String, one of "ONBOARDING", "ONBOARDING_COMPLETE", "OFFBOARDING", "OFFBOARDING_COMPLETE" + # + # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminScope AWS API Documentation + # + # @overload get_admin_scope(params = {}) + # @param [Hash] params ({}) + def get_admin_scope(params = {}, options = {}) + req = build_request(:get_admin_scope, params) + req.send_request(options) + end + # Returns information about the specified Firewall Manager applications # list. # # @option params [required, String] :list_id # The ID of the Firewall Manager applications list that you want the @@ -909,10 +968,11 @@ # resp.policy.exclude_map["CustomerPolicyScopeIdType"] #=> Array # resp.policy.exclude_map["CustomerPolicyScopeIdType"][0] #=> String # resp.policy.resource_set_ids #=> Array # resp.policy.resource_set_ids[0] #=> String # resp.policy.policy_description #=> String + # resp.policy.policy_status #=> String, one of "ACTIVE", "OUT_OF_ADMIN_SCOPE" # resp.policy_arn #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetPolicy AWS API Documentation # # @overload get_policy(params = {}) @@ -1041,12 +1101,12 @@ end # Gets information about a specific resource set. # # @option params [required, String] :identifier - # A unique identifier for the resource set, used in a TODO to refer to - # the resource set. + # A unique identifier for the resource set, used in a request to refer + # to the resource set. # # @return [Types::GetResourceSetResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::GetResourceSetResponse#resource_set #resource_set} => Types::ResourceSet # * {Types::GetResourceSetResponse#resource_set_arn #resource_set_arn} => String 
@@ -1064,10 +1124,11 @@ # resp.resource_set.description #=> String # resp.resource_set.update_token #=> String # resp.resource_set.resource_type_list #=> Array # resp.resource_set.resource_type_list[0] #=> String # resp.resource_set.last_update_time #=> Time + # resp.resource_set.resource_set_status #=> String, one of "ACTIVE", "OUT_OF_ADMIN_SCOPE" # resp.resource_set_arn #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetResourceSet AWS API Documentation # # @overload get_resource_set(params = {}) 
@@ -1471,10 +1532,109 @@ def get_violation_details(params = {}, options = {}) req = build_request(:get_violation_details, params) req.send_request(options) end + # Returns a `AdminAccounts` object that lists the Firewall Manager + # administrators within the organization that are onboarded to Firewall + # Manager by AssociateAdminAccount. + # + # This operation can be called only from the organization's management + # account. + # + # @option params [String] :next_token + # When you request a list of objects with a `MaxResults` setting, if the + # number of objects that are still available for retrieval exceeds the + # maximum you requested, Firewall Manager returns a `NextToken` value in + # the response. To retrieve the next batch of objects, use the token + # returned from the prior request in your next request. + # + # @option params [Integer] :max_results + # The maximum number of objects that you want Firewall Manager to return + # for this request. If more objects are available, in the response, + # Firewall Manager provides a `NextToken` value that you can use in a + # subsequent call to get the next batch of objects. + # + # @return [Types::ListAdminAccountsForOrganizationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::ListAdminAccountsForOrganizationResponse#admin_accounts #admin_accounts} => Array&lt;Types::AdminAccountSummary&gt; + # * {Types::ListAdminAccountsForOrganizationResponse#next_token #next_token} => String + # + # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. 
+ # + # @example Request syntax with placeholder values + # + # resp = client.list_admin_accounts_for_organization({ + # next_token: "PaginationToken", + # max_results: 1, + # }) + # + # @example Response structure + # + # resp.admin_accounts #=> Array + # resp.admin_accounts[0].admin_account #=> String + # resp.admin_accounts[0].default_admin #=> Boolean + # resp.admin_accounts[0].status #=> String, one of "ONBOARDING", "ONBOARDING_COMPLETE", "OFFBOARDING", "OFFBOARDING_COMPLETE" + # resp.next_token #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminAccountsForOrganization AWS API Documentation + # + # @overload list_admin_accounts_for_organization(params = {}) + # @param [Hash] params ({}) + def list_admin_accounts_for_organization(params = {}, options = {}) + req = build_request(:list_admin_accounts_for_organization, params) + req.send_request(options) + end + + # Lists the accounts that are managing the specified Organizations + # member account. This is useful for any member account so that they can + # view the accounts who are managing their account. This operation only + # returns the managing administrators that have the requested account + # within their AdminScope. + # + # @option params [String] :next_token + # When you request a list of objects with a `MaxResults` setting, if the + # number of objects that are still available for retrieval exceeds the + # maximum you requested, Firewall Manager returns a `NextToken` value in + # the response. To retrieve the next batch of objects, use the token + # returned from the prior request in your next request. + # + # @option params [Integer] :max_results + # The maximum number of objects that you want Firewall Manager to return + # for this request. If more objects are available, in the response, + # Firewall Manager provides a `NextToken` value that you can use in a + # subsequent call to get the next batch of objects. 
+ # + # @return [Types::ListAdminsManagingAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::ListAdminsManagingAccountResponse#admin_accounts #admin_accounts} => Array&lt;String&gt; + # * {Types::ListAdminsManagingAccountResponse#next_token #next_token} => String + # + # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. + # + # @example Request syntax with placeholder values + # + # resp = client.list_admins_managing_account({ + # next_token: "PaginationToken", + # max_results: 1, + # }) + # + # @example Response structure + # + # resp.admin_accounts #=> Array + # resp.admin_accounts[0] #=> String + # resp.next_token #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminsManagingAccount AWS API Documentation + # + # @overload list_admins_managing_account(params = {}) + # @param [Hash] params ({}) + def list_admins_managing_account(params = {}, options = {}) + req = build_request(:list_admins_managing_account, params) + req.send_request(options) + end + # Returns an array of `AppsListDataSummary` objects. # # @option params [Boolean] :default_lists # Specifies whether the lists to retrieve are default lists owned by # Firewall Manager. 
@@ -1652,12 +1812,12 @@ end # Returns a `MemberAccounts` object that lists the member accounts in # the administrator's Amazon Web Services organization. # - # The `ListMemberAccounts` must be submitted by the account that is set - # as the Firewall Manager administrator. + # Either an Firewall Manager administrator or the organization's + # management account can make this request. # # @option params [String] :next_token # If you specify a value for `MaxResults` and you have more account IDs # than the number that you specify for `MaxResults`, Firewall Manager # returns a `NextToken` value in the response that allows you to list @@ -1742,10 +1902,11 @@ # resp.policy_list[0].policy_name #=> String # resp.policy_list[0].resource_type #=> String # resp.policy_list[0].security_service_type #=> String, one of "WAF", "WAFV2", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT", "NETWORK_FIREWALL", "DNS_FIREWALL", "THIRD_PARTY_FIREWALL", "IMPORT_NETWORK_FIREWALL" # resp.policy_list[0].remediation_enabled #=> Boolean # resp.policy_list[0].delete_unused_fm_managed_resources #=> Boolean + # resp.policy_list[0].policy_status #=> String, one of "ACTIVE", "OUT_OF_ADMIN_SCOPE" # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListPolicies AWS API Documentation # # @overload list_policies(params = {}) 
@@ -1813,12 +1974,12 @@ # Returns an array of resources that are currently associated to a # resource set. # # @option params [required, String] :identifier - # A unique identifier for the resource set, used in a TODO to refer to - # the resource set. + # A unique identifier for the resource set, used in a request to refer + # to the resource set. # # @option params [Integer] :max_results # The maximum number of objects that you want Firewall Manager to return # for this request. If more objects are available, in the response, # Firewall Manager provides a `NextToken` value that you can use in a @@ -1892,10 +2053,11 @@ # resp.resource_sets #=> Array # resp.resource_sets[0].id #=> String # resp.resource_sets[0].name #=> String # resp.resource_sets[0].description #=> String # resp.resource_sets[0].last_update_time #=> Time + # resp.resource_sets[0].resource_set_status #=> String, one of "ACTIVE", "OUT_OF_ADMIN_SCOPE" # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListResourceSets AWS API Documentation # # @overload list_resource_sets(params = {}) 
@@ -1993,10 +2155,81 @@ def list_third_party_firewall_firewall_policies(params = {}, options = {}) req = build_request(:list_third_party_firewall_firewall_policies, params) req.send_request(options) end + # Creates or updates an Firewall Manager administrator account. The + # account must be a member of the organization that was onboarded to + # Firewall Manager by AssociateAdminAccount. Only the organization's + # management account can create an Firewall Manager administrator + # account. When you create an Firewall Manager administrator account, + # the service checks to see if the account is already a delegated + # administrator within Organizations. If the account isn't a delegated + # administrator, Firewall Manager calls Organizations to delegate the + # account within Organizations. For more information about administrator + # accounts within Organizations, see [Managing the Amazon Web Services + # Accounts in Your Organization][1]. + # + # + # + # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html + # + # @option params [required, String] :admin_account + # The Amazon Web Services account ID to add as an Firewall Manager + # administrator account. The account must be a member of the + # organization that was onboarded to Firewall Manager by + # AssociateAdminAccount. For more information about Organizations, see + # [Managing the Amazon Web Services Accounts in Your Organization][1]. + # + # + # + # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html + # + # @option params [Types::AdminScope] :admin_scope + # Configures the resources that the specified Firewall Manager + # administrator can manage. As a best practice, set the administrative + # scope according to the principles of least privilege. Only grant the + # administrator the specific resources or permissions that they need to + # perform the duties of their role. 
+ # + # @return [Struct] Returns an empty {Seahorse::Client::Response response}. + # + # @example Request syntax with placeholder values + # + # resp = client.put_admin_account({ + # admin_account: "AWSAccountId", # required + # admin_scope: { + # account_scope: { + # accounts: ["AWSAccountId"], + # all_accounts_enabled: false, + # exclude_specified_accounts: false, + # }, + # organizational_unit_scope: { + # organizational_units: ["OrganizationalUnitId"], + # all_organizational_units_enabled: false, + # exclude_specified_organizational_units: false, + # }, + # region_scope: { + # regions: ["AWSRegion"], + # all_regions_enabled: false, + # }, + # policy_type_scope: { + # policy_types: ["WAF"], # accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL, IMPORT_NETWORK_FIREWALL + # all_policy_types_enabled: false, + # }, + # }, + # }) + # + # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutAdminAccount AWS API Documentation + # + # @overload put_admin_account(params = {}) + # @param [Hash] params ({}) + def put_admin_account(params = {}, options = {}) + req = build_request(:put_admin_account, params) + req.send_request(options) + end + # Creates an Firewall Manager applications list. # # @option params [required, Types::AppsListData] :apps_list # The details of the Firewall Manager applications list to be created. # 
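Review bot: The `:admin_scope` option of `put_admin_account` is optional, and its description recommends least privilege without saying what scope the account receives when the option is omitted. The summary says the call "Creates or updates" an administrator, so the comment should also say whether a later call without `:admin_scope` keeps, replaces or widens the existing scope. Because this operation delegates administration across accounts, organizational units, Regions and policy types, I would add one sentence after the least-privilege paragraph stating the resulting scope in both cases. The request example would also benefit from a line explaining how `exclude_specified_accounts` interacts with a populated `accounts` list, since all the flags are shown as `false`.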
@@ -2070,19 +2303,22 @@ end # Designates the IAM role and Amazon Simple Notification Service (SNS) # topic that Firewall Manager uses to record SNS logs. # - # To perform this action outside of the console, you must configure the - # SNS topic to allow the Firewall Manager role `AWSServiceRoleForFMS` to - # publish SNS logs. For more information, see [Firewall Manager required - # permissions for API actions][1] in the *Firewall Manager Developer - # Guide*. + # To perform this action outside of the console, you must first + # configure the SNS topic's access policy to allow the `SnsRoleName` to + # publish SNS logs. If the `SnsRoleName` provided is a role other than + # the `AWSServiceRoleForFMS` service-linked role, this role must have a + # trust relationship configured to allow the Firewall Manager service + # principal `fms.amazonaws.com` to assume this role. For information + # about configuring an SNS access policy, see [Service roles for + # Firewall Manager][1] in the *Firewall Manager Developer Guide*. # # # - # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/fms-api-permissions-ref.html + # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/fms-security_iam_service-with-iam.html#fms-security_iam_service-with-iam-roles-service # # @option params [required, String] :sns_topic_arn # The Amazon Resource Name (ARN) of the SNS topic that collects # notifications from Firewall Manager. # @@ -2189,10 +2425,11 @@ # exclude_map: { # "ACCOUNT" => ["CustomerPolicyScopeId"], # }, # resource_set_ids: ["Base62Id"], # policy_description: "ResourceDescription", + # policy_status: "ACTIVE", # accepts ACTIVE, OUT_OF_ADMIN_SCOPE # }, # tag_list: [ # { # key: "TagKey", # required # value: "TagValue", # required 
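Review bot: The new paragraph in the `put_notification_channel` comment tells callers to let the service principal `fms.amazonaws.com` assume a custom `SnsRoleName`, but says nothing about narrowing that trust relationship. I would add a sentence recommending that the trust policy be restricted with the `aws:SourceAccount` or `aws:SourceArn` condition keys, so the role cannot be assumed on behalf of another account. That assumes Firewall Manager passes those keys, which should be confirmed against the service documentation. The link text "Service roles for Firewall Manager" also does not match the sentence introducing it as information about configuring an SNS access policy. The method definition is outside the hunk.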
@@ -2225,10 +2462,11 @@ # resp.policy.exclude_map["CustomerPolicyScopeIdType"] #=> Array # resp.policy.exclude_map["CustomerPolicyScopeIdType"][0] #=> String # resp.policy.resource_set_ids #=> Array # resp.policy.resource_set_ids[0] #=> String # resp.policy.policy_description #=> String + # resp.policy.policy_status #=> String, one of "ACTIVE", "OUT_OF_ADMIN_SCOPE" # resp.policy_arn #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutPolicy AWS API Documentation # # @overload put_policy(params = {}) @@ -2325,10 +2563,11 @@ # name: "Name", # required # description: "Description", # update_token: "UpdateToken", # resource_type_list: ["ResourceType"], # required # last_update_time: Time.now, + # resource_set_status: "ACTIVE", # accepts ACTIVE, OUT_OF_ADMIN_SCOPE # }, # tag_list: [ # { # key: "TagKey", # required # value: "TagValue", # required @@ -2343,10 +2582,11 @@ # resp.resource_set.description #=> String # resp.resource_set.update_token #=> String # resp.resource_set.resource_type_list #=> Array # resp.resource_set.resource_type_list[0] #=> String # resp.resource_set.last_update_time #=> Time + # resp.resource_set.resource_set_status #=> String, one of "ACTIVE", "OUT_OF_ADMIN_SCOPE" # resp.resource_set_arn #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutResourceSet AWS API Documentation # # @overload put_resource_set(params = {}) @@ -2428,10 +2668,10 @@ operation: config.api.operation(operation_name), client: self, params: params, config: config) context[:gem_name] = 'aws-sdk-fms' - context[:gem_version] = '1.55.0' + context[:gem_version] = '1.56.0' Seahorse::Client::Request.new(handlers, context) end # @api private # @deprecated