Class: AWSCDK::NetworkFirewall::CfnFirewallPolicy::FirewallPolicyProperty
- Inherits:
-
Jsii::Struct
- Object
- Jsii::Struct
- AWSCDK::NetworkFirewall::CfnFirewallPolicy::FirewallPolicyProperty
- Defined in:
- network_firewall/cfn_firewall_policy.rb
Overview
The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
Instance Attribute Summary collapse
-
#enable_tls_session_holding ⇒ Boolean, ...
readonly
When true, prevents TCP and TLS packets from reaching destination servers until TLS Inspection has evaluated Server Name Indication (SNI) rules.
-
#policy_variables ⇒ AWSCDK::IResolvable, ...
readonly
Contains variables that you can use to override default Suricata settings in your firewall policy.
-
#stateful_default_actions ⇒ Array<String>?
readonly
The default actions to take on a packet that doesn't match any stateful rules.
-
#stateful_engine_options ⇒ AWSCDK::IResolvable, ...
readonly
Additional options governing how Network Firewall handles stateful rules.
-
#stateful_rule_group_references ⇒ AWSCDK::IResolvable, ...
readonly
References to the stateful rule groups that are used in the policy.
-
#stateless_custom_actions ⇒ AWSCDK::IResolvable, ...
readonly
The custom action definitions that are available for use in the firewall policy's
StatelessDefaultActionssetting. -
#stateless_default_actions ⇒ Array<String>
readonly
The actions to take on a packet if it doesn't match any of the stateless rules in the policy.
-
#stateless_fragment_default_actions ⇒ Array<String>
readonly
The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy.
-
#stateless_rule_group_references ⇒ AWSCDK::IResolvable, ...
readonly
References to the stateless rule groups that are used in the policy.
-
#tls_inspection_configuration_arn ⇒ String?
readonly
The Amazon Resource Name (ARN) of the TLS inspection configuration.
Class Method Summary collapse
Instance Method Summary collapse
-
#initialize(stateless_default_actions:, stateless_fragment_default_actions:, enable_tls_session_holding: nil, policy_variables: nil, stateful_default_actions: nil, stateful_engine_options: nil, stateful_rule_group_references: nil, stateless_custom_actions: nil, stateless_rule_group_references: nil, tls_inspection_configuration_arn: nil) ⇒ FirewallPolicyProperty
constructor
A new instance of FirewallPolicyProperty.
- #to_jsii ⇒ Object
Constructor Details
#initialize(stateless_default_actions:, stateless_fragment_default_actions:, enable_tls_session_holding: nil, policy_variables: nil, stateful_default_actions: nil, stateful_engine_options: nil, stateful_rule_group_references: nil, stateless_custom_actions: nil, stateless_rule_group_references: nil, tls_inspection_configuration_arn: nil) ⇒ FirewallPolicyProperty
Returns a new instance of FirewallPolicyProperty.
706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 |
# File 'network_firewall/cfn_firewall_policy.rb', line 706 def initialize(stateless_default_actions:, stateless_fragment_default_actions:, enable_tls_session_holding: nil, policy_variables: nil, stateful_default_actions: nil, stateful_engine_options: nil, stateful_rule_group_references: nil, stateless_custom_actions: nil, stateless_rule_group_references: nil, tls_inspection_configuration_arn: nil) @stateless_default_actions = stateless_default_actions Jsii::Type.check_type(@stateless_default_actions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "statelessDefaultActions") @stateless_fragment_default_actions = stateless_fragment_default_actions Jsii::Type.check_type(@stateless_fragment_default_actions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "statelessFragmentDefaultActions") @enable_tls_session_holding = enable_tls_session_holding Jsii::Type.check_type(@enable_tls_session_holding, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3sicHJpbWl0aXZlIjoiYm9vbGVhbiJ9LHsiZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifV19fQ==")), "enableTlsSessionHolding") unless @enable_tls_session_holding.nil? @policy_variables = policy_variables.is_a?(Hash) ? ::AWSCDK::NetworkFirewall::CfnFirewallPolicy::PolicyVariablesProperty.new(**policy_variables.transform_keys(&:to_sym)) : policy_variables Jsii::Type.check_type(@policy_variables, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c19uZXR3b3JrZmlyZXdhbGwuQ2ZuRmlyZXdhbGxQb2xpY3kuUG9saWN5VmFyaWFibGVzUHJvcGVydHkifV19fQ==")), "policyVariables") unless @policy_variables.nil? @stateful_default_actions = stateful_default_actions Jsii::Type.check_type(@stateful_default_actions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "statefulDefaultActions") unless @stateful_default_actions.nil? @stateful_engine_options = .is_a?(Hash) ? ::AWSCDK::NetworkFirewall::CfnFirewallPolicy::StatefulEngineOptionsProperty.new(**.transform_keys(&:to_sym)) : Jsii::Type.check_type(@stateful_engine_options, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c19uZXR3b3JrZmlyZXdhbGwuQ2ZuRmlyZXdhbGxQb2xpY3kuU3RhdGVmdWxFbmdpbmVPcHRpb25zUHJvcGVydHkifV19fQ==")), "statefulEngineOptions") unless @stateful_engine_options.nil? @stateful_rule_group_references = stateful_rule_group_references Jsii::Type.check_type(@stateful_rule_group_references, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbmV0d29ya2ZpcmV3YWxsLkNmbkZpcmV3YWxsUG9saWN5LlN0YXRlZnVsUnVsZUdyb3VwUmVmZXJlbmNlUHJvcGVydHkifV19fSwia2luZCI6ImFycmF5In19XX19")), "statefulRuleGroupReferences") unless @stateful_rule_group_references.nil? @stateless_custom_actions = stateless_custom_actions Jsii::Type.check_type(@stateless_custom_actions, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbmV0d29ya2ZpcmV3YWxsLkNmbkZpcmV3YWxsUG9saWN5LkN1c3RvbUFjdGlvblByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "statelessCustomActions") unless @stateless_custom_actions.nil? @stateless_rule_group_references = stateless_rule_group_references Jsii::Type.check_type(@stateless_rule_group_references, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbmV0d29ya2ZpcmV3YWxsLkNmbkZpcmV3YWxsUG9saWN5LlN0YXRlbGVzc1J1bGVHcm91cFJlZmVyZW5jZVByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "statelessRuleGroupReferences") unless @stateless_rule_group_references.nil? @tls_inspection_configuration_arn = tls_inspection_configuration_arn Jsii::Type.check_type(@tls_inspection_configuration_arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "tlsInspectionConfigurationArn") unless @tls_inspection_configuration_arn.nil? end |
Instance Attribute Details
#enable_tls_session_holding ⇒ Boolean, ... (readonly)
When true, prevents TCP and TLS packets from reaching destination servers until TLS Inspection has evaluated Server Name Indication (SNI) rules.
Requires an associated TLS Inspection configuration.
757 758 759 |
# File 'network_firewall/cfn_firewall_policy.rb', line 757 def enable_tls_session_holding @enable_tls_session_holding end |
#policy_variables ⇒ AWSCDK::IResolvable, ... (readonly)
Contains variables that you can use to override default Suricata settings in your firewall policy.
762 763 764 |
# File 'network_firewall/cfn_firewall_policy.rb', line 762 def policy_variables @policy_variables end |
#stateful_default_actions ⇒ Array<String>? (readonly)
The default actions to take on a packet that doesn't match any stateful rules.
The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .
778 779 780 |
# File 'network_firewall/cfn_firewall_policy.rb', line 778 def stateful_default_actions @stateful_default_actions end |
#stateful_engine_options ⇒ AWSCDK::IResolvable, ... (readonly)
Additional options governing how Network Firewall handles stateful rules.
The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
785 786 787 |
# File 'network_firewall/cfn_firewall_policy.rb', line 785 def @stateful_engine_options end |
#stateful_rule_group_references ⇒ AWSCDK::IResolvable, ... (readonly)
References to the stateful rule groups that are used in the policy.
These define the inspection criteria in stateful rules.
792 793 794 |
# File 'network_firewall/cfn_firewall_policy.rb', line 792 def stateful_rule_group_references @stateful_rule_group_references end |
#stateless_custom_actions ⇒ AWSCDK::IResolvable, ... (readonly)
The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting.
You name each custom action that you define, and then you can use it by name in your default actions specifications.
799 800 801 |
# File 'network_firewall/cfn_firewall_policy.rb', line 799 def stateless_custom_actions @stateless_custom_actions end |
#stateless_default_actions ⇒ Array<String> (readonly)
The actions to take on a packet if it doesn't match any of the stateless rules in the policy.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .
You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.
For example, you could specify ["aws:pass"] or you could specify ["aws:pass", “customActionName”] . For information about compatibility, see the custom action descriptions.
739 740 741 |
# File 'network_firewall/cfn_firewall_policy.rb', line 739 def stateless_default_actions @stateless_default_actions end |
#stateless_fragment_default_actions ⇒ Array<String> (readonly)
The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy.
If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .
You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.
For example, you could specify ["aws:pass"] or you could specify ["aws:pass", “customActionName”] . For information about compatibility, see the custom action descriptions.
750 751 752 |
# File 'network_firewall/cfn_firewall_policy.rb', line 750 def stateless_fragment_default_actions @stateless_fragment_default_actions end |
#stateless_rule_group_references ⇒ AWSCDK::IResolvable, ... (readonly)
References to the stateless rule groups that are used in the policy.
These define the matching criteria in stateless rules.
806 807 808 |
# File 'network_firewall/cfn_firewall_policy.rb', line 806 def stateless_rule_group_references @stateless_rule_group_references end |
#tls_inspection_configuration_arn ⇒ String? (readonly)
The Amazon Resource Name (ARN) of the TLS inspection configuration.
811 812 813 |
# File 'network_firewall/cfn_firewall_policy.rb', line 811 def tls_inspection_configuration_arn @tls_inspection_configuration_arn end |
Class Method Details
.jsii_properties ⇒ Object
813 814 815 816 817 818 819 820 821 822 823 824 825 826 |
# File 'network_firewall/cfn_firewall_policy.rb', line 813 def self.jsii_properties { :stateless_default_actions => "statelessDefaultActions", :stateless_fragment_default_actions => "statelessFragmentDefaultActions", :enable_tls_session_holding => "enableTlsSessionHolding", :policy_variables => "policyVariables", :stateful_default_actions => "statefulDefaultActions", :stateful_engine_options => "statefulEngineOptions", :stateful_rule_group_references => "statefulRuleGroupReferences", :stateless_custom_actions => "statelessCustomActions", :stateless_rule_group_references => "statelessRuleGroupReferences", :tls_inspection_configuration_arn => "tlsInspectionConfigurationArn", } end |
Instance Method Details
#to_jsii ⇒ Object
828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 |
# File 'network_firewall/cfn_firewall_policy.rb', line 828 def to_jsii result = {} result.merge!({ "statelessDefaultActions" => @stateless_default_actions, "statelessFragmentDefaultActions" => @stateless_fragment_default_actions, "enableTlsSessionHolding" => @enable_tls_session_holding, "policyVariables" => @policy_variables, "statefulDefaultActions" => @stateful_default_actions, "statefulEngineOptions" => @stateful_engine_options, "statefulRuleGroupReferences" => @stateful_rule_group_references, "statelessCustomActions" => @stateless_custom_actions, "statelessRuleGroupReferences" => @stateless_rule_group_references, "tlsInspectionConfigurationArn" => @tls_inspection_configuration_arn, }) result.compact end |