Class: AWSCDK::NetworkFirewall::CfnFirewallPolicy::FirewallPolicyProperty

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
network_firewall/cfn_firewall_policy.rb

Overview

The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(stateless_default_actions:, stateless_fragment_default_actions:, enable_tls_session_holding: nil, policy_variables: nil, stateful_default_actions: nil, stateful_engine_options: nil, stateful_rule_group_references: nil, stateless_custom_actions: nil, stateless_rule_group_references: nil, tls_inspection_configuration_arn: nil) ⇒ FirewallPolicyProperty

Returns a new instance of FirewallPolicyProperty.

Parameters:



706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
# File 'network_firewall/cfn_firewall_policy.rb', line 706

def initialize(stateless_default_actions:, stateless_fragment_default_actions:, enable_tls_session_holding: nil, policy_variables: nil, stateful_default_actions: nil, stateful_engine_options: nil, stateful_rule_group_references: nil, stateless_custom_actions: nil, stateless_rule_group_references: nil, tls_inspection_configuration_arn: nil)
  @stateless_default_actions = stateless_default_actions
  Jsii::Type.check_type(@stateless_default_actions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "statelessDefaultActions")
  @stateless_fragment_default_actions = stateless_fragment_default_actions
  Jsii::Type.check_type(@stateless_fragment_default_actions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "statelessFragmentDefaultActions")
  @enable_tls_session_holding = enable_tls_session_holding
  Jsii::Type.check_type(@enable_tls_session_holding, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "enableTlsSessionHolding") unless @enable_tls_session_holding.nil?
  @policy_variables = policy_variables.is_a?(Hash) ? ::AWSCDK::NetworkFirewall::CfnFirewallPolicy::PolicyVariablesProperty.new(**policy_variables.transform_keys(&:to_sym)) : policy_variables
  Jsii::Type.check_type(@policy_variables, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c19uZXR3b3JrZmlyZXdhbGwuQ2ZuRmlyZXdhbGxQb2xpY3kuUG9saWN5VmFyaWFibGVzUHJvcGVydHkifV19fQ==")), "policyVariables") unless @policy_variables.nil?
  @stateful_default_actions = stateful_default_actions
  Jsii::Type.check_type(@stateful_default_actions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "statefulDefaultActions") unless @stateful_default_actions.nil?
  @stateful_engine_options = stateful_engine_options.is_a?(Hash) ? ::AWSCDK::NetworkFirewall::CfnFirewallPolicy::StatefulEngineOptionsProperty.new(**stateful_engine_options.transform_keys(&:to_sym)) : stateful_engine_options
  Jsii::Type.check_type(@stateful_engine_options, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c19uZXR3b3JrZmlyZXdhbGwuQ2ZuRmlyZXdhbGxQb2xpY3kuU3RhdGVmdWxFbmdpbmVPcHRpb25zUHJvcGVydHkifV19fQ==")), "statefulEngineOptions") unless @stateful_engine_options.nil?
  @stateful_rule_group_references = stateful_rule_group_references
  Jsii::Type.check_type(@stateful_rule_group_references, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbmV0d29ya2ZpcmV3YWxsLkNmbkZpcmV3YWxsUG9saWN5LlN0YXRlZnVsUnVsZUdyb3VwUmVmZXJlbmNlUHJvcGVydHkifV19fSwia2luZCI6ImFycmF5In19XX19")), "statefulRuleGroupReferences") unless @stateful_rule_group_references.nil?
  @stateless_custom_actions = stateless_custom_actions
  Jsii::Type.check_type(@stateless_custom_actions, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbmV0d29ya2ZpcmV3YWxsLkNmbkZpcmV3YWxsUG9saWN5LkN1c3RvbUFjdGlvblByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "statelessCustomActions") unless @stateless_custom_actions.nil?
  @stateless_rule_group_references = stateless_rule_group_references
  Jsii::Type.check_type(@stateless_rule_group_references, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbmV0d29ya2ZpcmV3YWxsLkNmbkZpcmV3YWxsUG9saWN5LlN0YXRlbGVzc1J1bGVHcm91cFJlZmVyZW5jZVByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "statelessRuleGroupReferences") unless @stateless_rule_group_references.nil?
  @tls_inspection_configuration_arn = tls_inspection_configuration_arn
  Jsii::Type.check_type(@tls_inspection_configuration_arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "tlsInspectionConfigurationArn") unless @tls_inspection_configuration_arn.nil?
end

Instance Attribute Details

#enable_tls_session_holdingBoolean, ... (readonly)

When true, prevents TCP and TLS packets from reaching destination servers until TLS Inspection has evaluated Server Name Indication (SNI) rules.

Requires an associated TLS Inspection configuration.



757
758
759
# File 'network_firewall/cfn_firewall_policy.rb', line 757

def enable_tls_session_holding
  @enable_tls_session_holding
end

#policy_variablesAWSCDK::IResolvable, ... (readonly)

Contains variables that you can use to override default Suricata settings in your firewall policy.



762
763
764
# File 'network_firewall/cfn_firewall_policy.rb', line 762

def policy_variables
  @policy_variables
end

#stateful_default_actionsArray<String>? (readonly)

The default actions to take on a packet that doesn't match any stateful rules.

The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

  • aws:drop_strict
  • aws:drop_established
  • aws:alert_strict
  • aws:alert_established

For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .



778
779
780
# File 'network_firewall/cfn_firewall_policy.rb', line 778

def stateful_default_actions
  @stateful_default_actions
end

#stateful_engine_optionsAWSCDK::IResolvable, ... (readonly)

Additional options governing how Network Firewall handles stateful rules.

The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.



785
786
787
# File 'network_firewall/cfn_firewall_policy.rb', line 785

def stateful_engine_options
  @stateful_engine_options
end

#stateful_rule_group_referencesAWSCDK::IResolvable, ... (readonly)

References to the stateful rule groups that are used in the policy.

These define the inspection criteria in stateful rules.



792
793
794
# File 'network_firewall/cfn_firewall_policy.rb', line 792

def stateful_rule_group_references
  @stateful_rule_group_references
end

#stateless_custom_actionsAWSCDK::IResolvable, ... (readonly)

The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting.

You name each custom action that you define, and then you can use it by name in your default actions specifications.



799
800
801
# File 'network_firewall/cfn_firewall_policy.rb', line 799

def stateless_custom_actions
  @stateless_custom_actions
end

#stateless_default_actionsArray<String> (readonly)

The actions to take on a packet if it doesn't match any of the stateless rules in the policy.

If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", “customActionName”] . For information about compatibility, see the custom action descriptions.



739
740
741
# File 'network_firewall/cfn_firewall_policy.rb', line 739

def stateless_default_actions
  @stateless_default_actions
end

#stateless_fragment_default_actionsArray<String> (readonly)

The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy.

If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", “customActionName”] . For information about compatibility, see the custom action descriptions.



750
751
752
# File 'network_firewall/cfn_firewall_policy.rb', line 750

def stateless_fragment_default_actions
  @stateless_fragment_default_actions
end

#stateless_rule_group_referencesAWSCDK::IResolvable, ... (readonly)

References to the stateless rule groups that are used in the policy.

These define the matching criteria in stateless rules.



806
807
808
# File 'network_firewall/cfn_firewall_policy.rb', line 806

def stateless_rule_group_references
  @stateless_rule_group_references
end

#tls_inspection_configuration_arnString? (readonly)

The Amazon Resource Name (ARN) of the TLS inspection configuration.



811
812
813
# File 'network_firewall/cfn_firewall_policy.rb', line 811

def tls_inspection_configuration_arn
  @tls_inspection_configuration_arn
end

Class Method Details

.jsii_propertiesObject



813
814
815
816
817
818
819
820
821
822
823
824
825
826
# File 'network_firewall/cfn_firewall_policy.rb', line 813

def self.jsii_properties
  {
    :stateless_default_actions => "statelessDefaultActions",
    :stateless_fragment_default_actions => "statelessFragmentDefaultActions",
    :enable_tls_session_holding => "enableTlsSessionHolding",
    :policy_variables => "policyVariables",
    :stateful_default_actions => "statefulDefaultActions",
    :stateful_engine_options => "statefulEngineOptions",
    :stateful_rule_group_references => "statefulRuleGroupReferences",
    :stateless_custom_actions => "statelessCustomActions",
    :stateless_rule_group_references => "statelessRuleGroupReferences",
    :tls_inspection_configuration_arn => "tlsInspectionConfigurationArn",
  }
end

Instance Method Details

#to_jsiiObject



828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
# File 'network_firewall/cfn_firewall_policy.rb', line 828

def to_jsii
  result = {}
  result.merge!({
    "statelessDefaultActions" => @stateless_default_actions,
    "statelessFragmentDefaultActions" => @stateless_fragment_default_actions,
    "enableTlsSessionHolding" => @enable_tls_session_holding,
    "policyVariables" => @policy_variables,
    "statefulDefaultActions" => @stateful_default_actions,
    "statefulEngineOptions" => @stateful_engine_options,
    "statefulRuleGroupReferences" => @stateful_rule_group_references,
    "statelessCustomActions" => @stateless_custom_actions,
    "statelessRuleGroupReferences" => @stateless_rule_group_references,
    "tlsInspectionConfigurationArn" => @tls_inspection_configuration_arn,
  })
  result.compact
end