|
13 | 13 | "CreateVpcEndpointAssociation": "<p>Creates a firewall endpoint for an Network Firewall firewall. This type of firewall endpoint is independent of the firewall endpoints that you specify in the <code>Firewall</code> itself, and you define it in addition to those endpoints after the firewall has been created. You can define a VPC endpoint association using a different VPC than the one you used in the firewall specifications. </p>", |
14 | 14 | "DeleteFirewall": "<p>Deletes the specified <a>Firewall</a> and its <a>FirewallStatus</a>. This operation requires the firewall's <code>DeleteProtection</code> flag to be <code>FALSE</code>. You can't revert this operation. </p> <p>You can check whether a firewall is in use by reviewing the route tables for the Availability Zones where you have firewall subnet mappings. Retrieve the subnet mappings by calling <a>DescribeFirewall</a>. You define and update the route tables through Amazon VPC. As needed, update the route tables for the zones to remove the firewall endpoints. When the route tables no longer use the firewall endpoints, you can remove the firewall safely.</p> <p>To delete a firewall, remove the delete protection if you need to using <a>UpdateFirewallDeleteProtection</a>, then delete the firewall by calling <a>DeleteFirewall</a>. </p>", |
15 | 15 | "DeleteFirewallPolicy": "<p>Deletes the specified <a>FirewallPolicy</a>. </p>", |
16 | | - "DeleteNetworkFirewallTransitGatewayAttachment": "<p>Deletes a transit gateway attachment from a Network Firewall. Either the firewall owner or the transit gateway owner can delete the attachment.</p> <important> <p>After you delete a transit gateway attachment, raffic will no longer flow through the firewall endpoints.</p> </important> <p>After you initiate the delete operation, use <a>DescribeFirewall</a> to monitor the deletion status.</p>", |
| 16 | + "DeleteNetworkFirewallTransitGatewayAttachment": "<p>Deletes a transit gateway attachment from a Network Firewall. Either the firewall owner or the transit gateway owner can delete the attachment.</p> <important> <p>After you delete a transit gateway attachment, traffic will no longer flow through the firewall endpoints.</p> </important> <p>After you initiate the delete operation, use <a>DescribeFirewall</a> to monitor the deletion status.</p>", |
17 | 17 | "DeleteResourcePolicy": "<p>Deletes a resource policy that you created in a <a>PutResourcePolicy</a> request. </p>", |
18 | 18 | "DeleteRuleGroup": "<p>Deletes the specified <a>RuleGroup</a>. </p>", |
19 | 19 | "DeleteTLSInspectionConfiguration": "<p>Deletes the specified <a>TLSInspectionConfiguration</a>.</p>", |
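Review bot: The context line for CreateVpcEndpointAssociation still reads "an Network Firewall firewall"; since this change is already correcting a typo ("raffic") in the same block of operation descriptions, fix the article to "a Network Firewall firewall" in the same pass. The DeleteFirewall context line also reads awkwardly at "remove the delete protection if you need to using UpdateFirewallDeleteProtection"; a comma after "if you need to" would make it parse.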
|
42 | 42 | "ListTagsForResource": "<p>Retrieves the tags associated with the specified resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing. For example, you might set the tag key to \"customer\" and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource.</p> <p>You can tag the Amazon Web Services resources that you manage through Network Firewall: firewalls, firewall policies, and rule groups. </p>", |
43 | 43 | "ListVpcEndpointAssociations": "<p>Retrieves the metadata for the VPC endpoint associations that you have defined. If you specify a fireawll, this returns only the endpoint associations for that firewall. </p> <p>Depending on your setting for max results and the number of associations, a single call might not return the full list. </p>", |
44 | 44 | "PutResourcePolicy": "<p>Creates or updates an IAM policy for your rule group, firewall policy, or firewall. Use this to share these resources between accounts. This operation works in conjunction with the Amazon Web Services Resource Access Manager (RAM) service to manage resource sharing for Network Firewall. </p> <p>For information about using sharing with Network Firewall resources, see <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/sharing.html\">Sharing Network Firewall resources</a> in the <i>Network Firewall Developer Guide</i>.</p> <p>Use this operation to create or update a resource policy for your Network Firewall rule group, firewall policy, or firewall. In the resource policy, you specify the accounts that you want to share the Network Firewall resource with and the operations that you want the accounts to be able to perform. </p> <p>When you add an account in the resource policy, you then run the following Resource Access Manager (RAM) operations to access and accept the shared resource. </p> <ul> <li> <p> <a href=\"https://docs.aws.amazon.com/ram/latest/APIReference/API_GetResourceShareInvitations.html\">GetResourceShareInvitations</a> - Returns the Amazon Resource Names (ARNs) of the resource share invitations. </p> </li> <li> <p> <a href=\"https://docs.aws.amazon.com/ram/latest/APIReference/API_AcceptResourceShareInvitation.html\">AcceptResourceShareInvitation</a> - Accepts the share invitation for a specified resource share. </p> </li> </ul> <p>For additional information about resource sharing using RAM, see <a href=\"https://docs.aws.amazon.com/ram/latest/userguide/what-is.html\">Resource Access Manager User Guide</a>.</p>", |
45 | | - "RejectNetworkFirewallTransitGatewayAttachment": "<p>Rejects a transit gateway attachment request for Network Firewall. When you reject the attachment request, Network Firewall cancels the creation of routing components between the transit gateway and firewall endpoints.</p> <p>Only the firewall owner can reject the attachment. After rejection, no traffic will flow through the firewall endpoints for this attachment.</p> <p>Use <a>DescribeFirewall</a> to monitor the rejection status. To accept the attachment instead of rejecting it, use <a>AcceptNetworkFirewallTransitGatewayAttachment</a>.</p> <note> <p>Once rejected, you cannot reverse this action. To establish connectivity, you must create a new transit gateway-attached firewall.</p> </note>", |
| 45 | + "RejectNetworkFirewallTransitGatewayAttachment": "<p>Rejects a transit gateway attachment request for Network Firewall. When you reject the attachment request, Network Firewall cancels the creation of routing components between the transit gateway and firewall endpoints.</p> <p>Only the transit gateway owner can reject the attachment. After rejection, no traffic will flow through the firewall endpoints for this attachment.</p> <p>Use <a>DescribeFirewall</a> to monitor the rejection status. To accept the attachment instead of rejecting it, use <a>AcceptNetworkFirewallTransitGatewayAttachment</a>.</p> <note> <p>Once rejected, you cannot reverse this action. To establish connectivity, you must create a new transit gateway-attached firewall.</p> </note>", |
46 | 46 | "StartAnalysisReport": "<p>Generates a traffic analysis report for the timeframe and traffic type you specify.</p> <p>For information on the contents of a traffic analysis report, see <a>AnalysisReport</a>.</p>", |
47 | 47 | "StartFlowCapture": "<p>Begins capturing the flows in a firewall, according to the filters you define. Captures are similar, but not identical to snapshots. Capture operations provide visibility into flows that are not closed and are tracked by a firewall's flow table. Unlike snapshots, captures are a time-boxed view. </p> <p>A flow is network traffic that is monitored by a firewall, either by stateful or stateless rules. For traffic to be considered part of a flow, it must share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort. </p> <note> <p>To avoid encountering operation limits, you should avoid starting captures with broad filters, like wide IP ranges. Instead, we recommend you define more specific criteria with <code>FlowFilters</code>, like narrow IP ranges, ports, or protocols.</p> </note>", |
48 | 48 | "StartFlowFlush": "<p>Begins the flushing of traffic from the firewall, according to the filters you define. When the operation starts, impacted flows are temporarily marked as timed out before the Suricata engine prunes, or flushes, the flows from the firewall table.</p> <important> <p>While the flush completes, impacted flows are processed as midstream traffic. This may result in a temporary increase in midstream traffic metrics. We recommend that you double check your stream exception policy before you perform a flush operation.</p> </important>", |
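Review bot: The RejectNetworkFirewallTransitGatewayAttachment text now names the transit gateway owner as the only party who can reject, the opposite of the previous wording, yet the closing sentence that points to AcceptNetworkFirewallTransitGatewayAttachment still does not say who can accept. Please name the accepting party there as well, so readers scoping cross-account permissions do not have to infer it, and confirm the new sentence matches service behaviour, given that the old one named the other owner. Separately, the ListVpcEndpointAssociations context line still contains the typo "fireawll".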
|
259 | 259 | "refs": { |
260 | 260 | "AssociateAvailabilityZonesRequest$AvailabilityZoneMappings": "<p>Required. The Availability Zones where you want to create firewall endpoints. You must specify at least one Availability Zone.</p>", |
261 | 261 | "AssociateAvailabilityZonesResponse$AvailabilityZoneMappings": "<p>The Availability Zones where Network Firewall created firewall endpoints. Each mapping specifies an Availability Zone where the firewall processes traffic.</p>", |
262 | | - "CreateFirewallRequest$AvailabilityZoneMappings": "<p>Required. The Availability Zones where you want to create firewall endpoints for a transit gateway-attached firewall. You must specify at least one Availability Zone. Consider enabling the firewall in every Availability Zone where you have workloads to maintain Availability Zone independence.</p> <p>You can modify Availability Zones later using <a>AssociateAvailabilityZones</a> or <a>DisassociateAvailabilityZones</a>, but this may briefly disrupt traffic. The <code>AvailabilityZoneChangeProtection</code> setting controls whether you can make these modifications.</p>", |
| 262 | + "CreateFirewallRequest$AvailabilityZoneMappings": "<p>Required. The Availability Zones where you want to create firewall endpoints for a transit gateway-attached firewall. You must specify at least one Availability Zone. Consider enabling the firewall in every Availability Zone where you have workloads to maintain Availability Zone isolation.</p> <p>You can modify Availability Zones later using <a>AssociateAvailabilityZones</a> or <a>DisassociateAvailabilityZones</a>, but this may briefly disrupt traffic. The <code>AvailabilityZoneChangeProtection</code> setting controls whether you can make these modifications.</p>", |
263 | 263 | "DisassociateAvailabilityZonesRequest$AvailabilityZoneMappings": "<p>Required. The Availability Zones to remove from the firewall's configuration.</p>", |
264 | 264 | "DisassociateAvailabilityZonesResponse$AvailabilityZoneMappings": "<p>The remaining Availability Zones where the firewall has endpoints after the disassociation.</p>", |
265 | 265 | "Firewall$AvailabilityZoneMappings": "<p>The Availability Zones where the firewall endpoints are created for a transit gateway-attached firewall. Each mapping specifies an Availability Zone where the firewall processes traffic.</p>" |
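Review bot: CreateFirewallRequest$AvailabilityZoneMappings opens with "Required." but then scopes the field to "a transit gateway-attached firewall", which leaves it unclear whether the field is required on every CreateFirewall call or only for that firewall type. Suggest wording such as "Required for transit gateway-attached firewalls." The last sentence also says AvailabilityZoneChangeProtection "controls whether you can make these modifications" without saying which value blocks them; stating that would make the Availability Zone isolation guidance actionable.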
|
660 | 660 | "UpdateLoggingConfigurationResponse$EnableMonitoringDashboard": "<p>A boolean that reflects whether or not the firewall monitoring dashboard is enabled on a firewall.</p> <p> Returns <code>TRUE</code> when the firewall monitoring dashboard is enabled on the firewall. Returns <code>FALSE</code> when the firewall monitoring dashboard is not enabled on the firewall. </p>" |
661 | 661 | } |
662 | 662 | }, |
| 663 | + "EnableTLSSessionHolding": { |
| 664 | + "base": null, |
| 665 | + "refs": { |
| 666 | + "FirewallPolicy$EnableTLSSessionHolding": "<p>When true, prevents TCP and TLS packets from reaching destination servers until TLS Inspection has evaluated Server Name Indication (SNI) rules. Requires an associated TLS Inspection configuration.</p>" |
| 667 | + } |
| 668 | + }, |
663 | 669 | "EnabledAnalysisType": { |
664 | 670 | "base": null, |
665 | 671 | "refs": { |
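Review bot: The FirewallPolicy$EnableTLSSessionHolding text describes only the "When true" case; it should also state the default and what happens when the flag is false or unset, which by implication is the case where TCP and TLS packets can reach destination servers before SNI rules have been evaluated. "Requires an associated TLS Inspection configuration" likewise does not say whether setting the flag without one is rejected or silently ignored; please document which, and reference the configuration as <a>TLSInspectionConfiguration</a> the way the other entries do.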
|