Package software.amazon.awscdk.services.fms

Class CfnPolicy

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.CfnElement
software.amazon.awscdk.CfnRefElement
software.amazon.awscdk.CfnResource
software.amazon.awscdk.services.fms.CfnPolicy
All Implemented Interfaces:
IInspectable, ITaggableV2, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
@Generated(value="jsii-pacmak/1.97.0 (build 729de35)", date="2024-04-18T17:54:17.471Z") @Stability(Stable) public class CfnPolicy extends CfnResource implements IInspectable, ITaggableV2
An AWS Firewall Manager policy.

Firewall Manager provides the following types of policies:

  • An AWS Shield Advanced policy, which applies Shield Advanced protection to specified accounts and resources.
  • An AWS WAF policy (type WAFV2), which defines rule groups to run first in the corresponding AWS WAF web ACL and rule groups to run last in the web ACL.
  • An AWS WAF Classic policy, which defines a rule group. AWS WAF Classic doesn't support rule groups in Amazon CloudFront , so, to create AWS WAF Classic policies through CloudFront , you first need to create your rule groups outside of CloudFront .
  • A security group policy, which manages VPC security groups across your AWS organization.
  • An AWS Network Firewall policy, which provides firewall rules to filter network traffic in specified Amazon VPCs.
  • A DNS Firewall policy, which provides Amazon RouteĀ 53 Resolver DNS Firewall rules to filter DNS queries for specified Amazon VPCs.
  • A third-party firewall policy, which manages a third-party firewall service.

Each policy is specific to one of the types. If you want to enforce more than one policy type across accounts, create multiple policies. You can create multiple policies for each type.

These policies require some setup to use. For more information, see the sections on prerequisites and getting started under AWS Firewall Manager .

Example: 

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.fms.*;
 CfnPolicy cfnPolicy = CfnPolicy.Builder.create(this, "MyCfnPolicy")
         .excludeResourceTags(false)
         .policyName("policyName")
         .remediationEnabled(false)
         .securityServicePolicyData(SecurityServicePolicyDataProperty.builder()
                 .type("type")
                 // the properties below are optional
                 .managedServiceData("managedServiceData")
                 .policyOption(PolicyOptionProperty.builder()
                         .networkFirewallPolicy(NetworkFirewallPolicyProperty.builder()
                                 .firewallDeploymentModel("firewallDeploymentModel")
                                 .build())
                         .thirdPartyFirewallPolicy(ThirdPartyFirewallPolicyProperty.builder()
                                 .firewallDeploymentModel("firewallDeploymentModel")
                                 .build())
                         .build())
                 .build())
         // the properties below are optional
         .deleteAllPolicyResources(false)
         .excludeMap(Map.of(
                 "account", List.of("account"),
                 "orgunit", List.of("orgunit")))
         .includeMap(Map.of(
                 "account", List.of("account"),
                 "orgunit", List.of("orgunit")))
         .policyDescription("policyDescription")
         .resourcesCleanUp(false)
         .resourceSetIds(List.of("resourceSetIds"))
         .resourceTags(List.of(ResourceTagProperty.builder()
                 .key("key")
                 // the properties below are optional
                 .value("value")
                 .build()))
         .resourceType("resourceType")
         .resourceTypeList(List.of("resourceTypeList"))
         .tags(List.of(PolicyTagProperty.builder()
                 .key("key")
                 .value("value")
                 .build()))
         .build();

See Also:

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.

  • Constructor Details

    • CfnPolicy

      protected CfnPolicy(software.amazon.jsii.JsiiObjectRef objRef)

    • CfnPolicy

      protected CfnPolicy(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • CfnPolicy

      @Stability(Stable) public CfnPolicy(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnPolicyProps props)
      Parameters:
      scope - Scope in which this resource is defined. This parameter is required.
      id - Construct identifier for this resource (unique in its scope). This parameter is required.
      props - Resource properties. This parameter is required.

  • Method Details

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector - tree inspector to collect and process attributes. This parameter is required.

    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.

    • getAttrArn

      @Stability(Stable) @NotNull public String getAttrArn()
      The Amazon Resource Name (ARN) of the policy.

    • getAttrId

      @Stability(Stable) @NotNull public String getAttrId()
      The ID of the policy.

    • getCdkTagManager

      @Stability(Stable) @NotNull public TagManager getCdkTagManager()
      Tag Manager which manages the tags for this resource.
      Specified by:
      getCdkTagManager in interface ITaggableV2

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource

    • getExcludeResourceTags

      @Stability(Stable) @NotNull public Object getExcludeResourceTags()
      Used only when tags are specified in the ResourceTags property.

    • setExcludeResourceTags

      @Stability(Stable) public void setExcludeResourceTags(@NotNull Boolean value)
      Used only when tags are specified in the ResourceTags property.

    • setExcludeResourceTags

      @Stability(Stable) public void setExcludeResourceTags(@NotNull IResolvable value)
      Used only when tags are specified in the ResourceTags property.

    • getPolicyName

      @Stability(Stable) @NotNull public String getPolicyName()
      The name of the AWS Firewall Manager policy.

    • setPolicyName

      @Stability(Stable) public void setPolicyName(@NotNull String value)
      The name of the AWS Firewall Manager policy.

    • getRemediationEnabled

      @Stability(Stable) @NotNull public Object getRemediationEnabled()
      Indicates if the policy should be automatically applied to new resources.

    • setRemediationEnabled

      @Stability(Stable) public void setRemediationEnabled(@NotNull Boolean value)
      Indicates if the policy should be automatically applied to new resources.

    • setRemediationEnabled

      @Stability(Stable) public void setRemediationEnabled(@NotNull IResolvable value)
      Indicates if the policy should be automatically applied to new resources.

    • getSecurityServicePolicyData

      @Stability(Stable) @NotNull public Object getSecurityServicePolicyData()
      Details about the security service that is being used to protect the resources.

    • setSecurityServicePolicyData

      @Stability(Stable) public void setSecurityServicePolicyData(@NotNull IResolvable value)
      Details about the security service that is being used to protect the resources.

    • setSecurityServicePolicyData

      @Stability(Stable) public void setSecurityServicePolicyData(@NotNull CfnPolicy.SecurityServicePolicyDataProperty value)
      Details about the security service that is being used to protect the resources.

    • getDeleteAllPolicyResources

      @Stability(Stable) @Nullable public Object getDeleteAllPolicyResources()
      Used when deleting a policy.

      If true , Firewall Manager performs cleanup according to the policy type.

    • setDeleteAllPolicyResources

      @Stability(Stable) public void setDeleteAllPolicyResources(@Nullable Boolean value)
      Used when deleting a policy.

      If true , Firewall Manager performs cleanup according to the policy type.

    • setDeleteAllPolicyResources

      @Stability(Stable) public void setDeleteAllPolicyResources(@Nullable IResolvable value)
      Used when deleting a policy.

      If true , Firewall Manager performs cleanup according to the policy type.

    • getExcludeMap

      @Stability(Stable) @Nullable public Object getExcludeMap()
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

    • setExcludeMap

      @Stability(Stable) public void setExcludeMap(@Nullable IResolvable value)
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

    • setExcludeMap

      @Stability(Stable) public void setExcludeMap(@Nullable CfnPolicy.IEMapProperty value)
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

    • getIncludeMap

      @Stability(Stable) @Nullable public Object getIncludeMap()
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

    • setIncludeMap

      @Stability(Stable) public void setIncludeMap(@Nullable IResolvable value)
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

    • setIncludeMap

      @Stability(Stable) public void setIncludeMap(@Nullable CfnPolicy.IEMapProperty value)
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

    • getPolicyDescription

      @Stability(Stable) @Nullable public String getPolicyDescription()
      The definition of the AWS Network Firewall firewall policy.

    • setPolicyDescription

      @Stability(Stable) public void setPolicyDescription(@Nullable String value)
      The definition of the AWS Network Firewall firewall policy.

    • getResourcesCleanUp

      @Stability(Stable) @Nullable public Object getResourcesCleanUp()
      Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

    • setResourcesCleanUp

      @Stability(Stable) public void setResourcesCleanUp(@Nullable Boolean value)
      Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

    • setResourcesCleanUp

      @Stability(Stable) public void setResourcesCleanUp(@Nullable IResolvable value)
      Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

    • getResourceSetIds

      @Stability(Stable) @Nullable public List<String> getResourceSetIds()
      The unique identifiers of the resource sets used by the policy.

    • setResourceSetIds

      @Stability(Stable) public void setResourceSetIds(@Nullable List<String> value)
      The unique identifiers of the resource sets used by the policy.

    • getResourceTags

      @Stability(Stable) @Nullable public Object getResourceTags()
      An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

    • setResourceTags

      @Stability(Stable) public void setResourceTags(@Nullable IResolvable value)
      An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

    • setResourceTags

      @Stability(Stable) public void setResourceTags(@Nullable List<Object> value)
      An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

    • getResourceType

      @Stability(Stable) @Nullable public String getResourceType()
      The type of resource protected by or in scope of the policy.

    • setResourceType

      @Stability(Stable) public void setResourceType(@Nullable String value)
      The type of resource protected by or in scope of the policy.

    • getResourceTypeList

      @Stability(Stable) @Nullable public List<String> getResourceTypeList()
      An array of ResourceType objects.

    • setResourceTypeList

      @Stability(Stable) public void setResourceTypeList(@Nullable List<String> value)
      An array of ResourceType objects.

    • getTags

      @Stability(Stable) @Nullable public List<CfnPolicy.PolicyTagProperty> getTags()
      A collection of key:value pairs associated with an AWS resource.

    • setTags

      @Stability(Stable) public void setTags(@Nullable List<CfnPolicy.PolicyTagProperty> value)
      A collection of key:value pairs associated with an AWS resource.