Interface for Shield Configuration in the Firewall Factory

interface ShieldConfig {
    defaultActionType:
        | "COUNT"
        | "NONE"
        | "ALLOW"
        | "DENY";
    excludeMap?: IEMapProperty;
    excludeResourceTags: boolean;
    General: {
        CreateDashboard?: boolean;
        DeployHash?: string;
        FireHoseKeyArn?: string;
        LoggingConfiguration: "S3" | "Firehose";
        Prefix: string;
        S3LoggingBucketName: string;
        SecuredDomain: string[];
        Stage: string;
    };
    includeMap?: IEMapProperty;
    policyName: string;
    remediationEnabled: boolean | IResolvable;
    resourceType?: string;
    resourceTypeList?: string[];
    WebAcl: {
        OverrideCustomerWebACLAssociation?: boolean;
    };
}

Properties

defaultActionType:
    | "COUNT"
    | "NONE"
    | "ALLOW"
    | "DENY"

excludeMap?: IEMapProperty

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an IncludeMap, AWS Firewall Manager applies the policy to all accounts specified by the IncludeMap, and does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager applies the policy to all accounts except for those specified by the ExcludeMap.

You can specify account IDs, OUs, or a combination:

  • Specify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"]}.
  • Specify OUs by setting the key to ORGUNIT. For example, the following is a valid map: {"ORGUNIT" : ["ouid111", "ouid112"]}.
  • Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}.

excludeResourceTags: boolean

Used only when tags are specified in the ResourceTags property.

If this property is True, resources with the specified tags are not in scope of the policy. If it's False, only resources with the specified tags are in scope of the policy.

General: {
    CreateDashboard?: boolean;
    DeployHash?: string;
    FireHoseKeyArn?: string;
    LoggingConfiguration: "S3" | "Firehose";
    Prefix: string;
    S3LoggingBucketName: string;
    SecuredDomain: string[];
    Stage: string;
}

Type declaration

  • Optional Readonly CreateDashboard?: boolean

    Defines whether to set up a dashboard for your firewall in the central security account. To use this feature, cross-account functionality must be enabled in CloudWatch.

  • Optional Readonly DeployHash?: string
  • Optional Readonly FireHoseKeyArn?: string

    Defines the KMS key to be used for Kinesis Firehose.

  • Readonly LoggingConfiguration: "S3" | "Firehose"

    Defines the selected logging option for the WAF.

  • Readonly Prefix: string

    Defines a prefix that will be added to all resources.

  • Readonly S3LoggingBucketName: string

    Defines the name of the S3 bucket where the firewall logs will be stored.

  • Readonly SecuredDomain: string[]

    Defines the domain(s) that can be checked to audit your WAF.

  • Readonly Stage: string

    Defines a stage that will be added to all resources.

includeMap?: IEMapProperty

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an IncludeMap, AWS Firewall Manager applies the policy to all accounts specified by the IncludeMap, and does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager applies the policy to all accounts except for those specified by the ExcludeMap.

You can specify account IDs, OUs, or a combination:

  • Specify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"]}.
  • Specify OUs by setting the key to ORGUNIT. For example, the following is a valid map: {"ORGUNIT" : ["ouid111", "ouid112"]}.
  • Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}.

policyName: string

The name of the AWS Firewall Manager policy.

remediationEnabled: boolean | IResolvable

Indicates if the policy should be automatically applied to new resources.

resourceType?: string

The type of resource protected by or in scope of the policy.

This is in the format shown in the AWS Resource Types Reference. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList and then specify the resource types in a ResourceTypeList.

The following are valid resource types for each Firewall Manager policy type:

  • AWS WAF Classic - AWS::ApiGateway::Stage, AWS::CloudFront::Distribution, and AWS::ElasticLoadBalancingV2::LoadBalancer.
  • AWS WAF - AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, and AWS::CloudFront::Distribution.
  • DNS Firewall, AWS Network Firewall, and third-party firewall - AWS::EC2::VPC.
  • AWS Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::ElasticLoadBalancing::LoadBalancer, AWS::EC2::EIP, and AWS::CloudFront::Distribution.
  • Security group content audit - AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and AWS::EC2::Instance.
  • Security group usage audit - AWS::EC2::SecurityGroup.

resourceTypeList?: string[]

An array of ResourceType objects.

Use this only to specify multiple resource types. To specify a single resource type, use ResourceType.
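As an added example (not code from the Firewall Factory project), the following pre-deployment check enforces the scoping rules described above for includeMap/excludeMap and for resourceType/resourceTypeList on a Shield Advanced policy. IEMapProperty and IResolvable are stubbed locally (assumption: the project takes them from aws-cdk-lib), and the account-ID and OU-ID patterns are assumptions taken from the AWS Organizations documentation.

```typescript
// Added example, not Firewall Factory code: validate a ShieldConfig's scoping rules before deployment.
// IEMapProperty/IResolvable are local stubs (assumption: the project takes them from aws-cdk-lib).
type IEMapProperty = { ACCOUNT?: string[]; ORGUNIT?: string[] };
type IResolvable = { resolve: (ctx: unknown) => unknown };

interface ShieldScope {
  includeMap?: IEMapProperty;
  excludeMap?: IEMapProperty;
  resourceType?: string;
  resourceTypeList?: string[];
  excludeResourceTags: boolean;
  remediationEnabled: boolean | IResolvable;
}

// Resource types the page lists as valid for an AWS Shield Advanced policy.
const SHIELD_RESOURCE_TYPES = new Set<string>([
  "AWS::ElasticLoadBalancingV2::LoadBalancer",
  "AWS::ElasticLoadBalancing::LoadBalancer",
  "AWS::EC2::EIP",
  "AWS::CloudFront::Distribution",
]);
// Assumed identifier formats (12-digit AWS account ID, AWS Organizations OU ID).
const ACCOUNT_ID = /^\d{12}$/;
const OU_ID = /^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$/;

function checkMap(name: string, map: IEMapProperty | undefined, errors: string[]): void {
  if (!map) return;
  for (const key of Object.keys(map)) {
    if (key !== "ACCOUNT" && key !== "ORGUNIT") errors.push(`${name}: unsupported key ${key}`);
  }
  for (const id of map.ACCOUNT ?? []) if (!ACCOUNT_ID.test(id)) errors.push(`${name}: bad account ID ${id}`);
  for (const id of map.ORGUNIT ?? []) if (!OU_ID.test(id)) errors.push(`${name}: bad OU ID ${id}`);
  if (!(map.ACCOUNT?.length || map.ORGUNIT?.length)) errors.push(`${name}: map selects nothing`);
}

// Returns a list of problems; an empty list means the scope is consistent.
function validateShieldScope(cfg: ShieldScope): string[] {
  const errors: string[] = [];
  // Firewall Manager ignores excludeMap whenever includeMap is set, so a policy carrying
  // both is almost certainly not scoped the way its author intended.
  if (cfg.includeMap && cfg.excludeMap) errors.push("includeMap and excludeMap are mutually exclusive");
  checkMap("includeMap", cfg.includeMap, errors);
  checkMap("excludeMap", cfg.excludeMap, errors);
  const multi = cfg.resourceType === "ResourceTypeList";
  if (multi && !cfg.resourceTypeList?.length) errors.push("resourceType is ResourceTypeList but resourceTypeList is empty");
  if (!multi && cfg.resourceTypeList?.length) errors.push("resourceTypeList requires resourceType = ResourceTypeList");
  const types = multi ? cfg.resourceTypeList ?? [] : cfg.resourceType ? [cfg.resourceType] : [];
  for (const t of types) if (!SHIELD_RESOURCE_TYPES.has(t)) errors.push(`${t} is not a valid Shield Advanced resource type`);
  return errors;
}
```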

WebAcl: {
    OverrideCustomerWebACLAssociation?: boolean;
}

Type declaration

  • Optional Readonly OverrideCustomerWebACLAssociation?: boolean

    Replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy. The default is False.