Class CfnPolicy
java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.CfnElement
software.amazon.awscdk.CfnRefElement
software.amazon.awscdk.CfnResource
software.amazon.awscdk.services.fms.CfnPolicy
All Implemented Interfaces:
IInspectable, ITaggableV2, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

@Generated(value="jsii-pacmak/1.97.0 (build 729de35)", date="2024-04-18T17:54:17.471Z")
@Stability(Stable)
public class CfnPolicy extends CfnResource implements IInspectable, ITaggableV2
An AWS Firewall Manager policy.
Firewall Manager provides the following types of policies:
- An AWS Shield Advanced policy, which applies Shield Advanced protection to specified accounts and resources.
- An AWS WAF policy (type WAFV2), which defines rule groups to run first in the corresponding AWS WAF web ACL and rule groups to run last in the web ACL.
- An AWS WAF Classic policy, which defines a rule group. AWS WAF Classic doesn't support rule groups in Amazon CloudFront, so, to create AWS WAF Classic policies through CloudFront, you first need to create your rule groups outside of CloudFront.
- A security group policy, which manages VPC security groups across your AWS organization.
- An AWS Network Firewall policy, which provides firewall rules to filter network traffic in specified Amazon VPCs.
- A DNS Firewall policy, which provides Amazon Route 53 Resolver DNS Firewall rules to filter DNS queries for specified Amazon VPCs.
- A third-party firewall policy, which manages a third-party firewall service.
Each policy is specific to one of the types. If you want to enforce more than one policy type across accounts, create multiple policies. You can create multiple policies for each type.
These policies require some setup to use. For more information, see the sections on prerequisites and getting started under AWS Firewall Manager.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import java.util.List;
import java.util.Map;
import software.amazon.awscdk.services.fms.*;

CfnPolicy cfnPolicy = CfnPolicy.Builder.create(this, "MyCfnPolicy")
        .excludeResourceTags(false)
        .policyName("policyName")
        .remediationEnabled(false)
        .securityServicePolicyData(SecurityServicePolicyDataProperty.builder()
                .type("type")
                // the properties below are optional
                .managedServiceData("managedServiceData")
                .policyOption(PolicyOptionProperty.builder()
                        .networkFirewallPolicy(NetworkFirewallPolicyProperty.builder()
                                .firewallDeploymentModel("firewallDeploymentModel")
                                .build())
                        .thirdPartyFirewallPolicy(ThirdPartyFirewallPolicyProperty.builder()
                                .firewallDeploymentModel("firewallDeploymentModel")
                                .build())
                        .build())
                .build())
        // the properties below are optional
        .deleteAllPolicyResources(false)
        .excludeMap(Map.of(
                "account", List.of("account"),
                "orgunit", List.of("orgunit")))
        .includeMap(Map.of(
                "account", List.of("account"),
                "orgunit", List.of("orgunit")))
        .policyDescription("policyDescription")
        .resourcesCleanUp(false)
        .resourceSetIds(List.of("resourceSetIds"))
        .resourceTags(List.of(ResourceTagProperty.builder()
                .key("key")
                // the properties below are optional
                .value("value")
                .build()))
        .resourceType("resourceType")
        .resourceTypeList(List.of("resourceTypeList"))
        .tags(List.of(PolicyTagProperty.builder()
                .key("key")
                .value("value")
                .build()))
        .build();
Nested Class Summary
- static final class: A fluent builder for CfnPolicy.
- static interface: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in or exclude from the policy.
- static interface: Configures the firewall policy deployment model of AWS Network Firewall.
- static interface: Contains the AWS Network Firewall firewall policy options to configure the policy's deployment model and third-party firewall policy settings.
- static interface: A collection of key:value pairs associated with an AWS resource.
- static interface: The resource tags that AWS Firewall Manager uses to determine if a particular resource should be included or excluded from the AWS Firewall Manager policy.
- static interface: Details about the security service that is being used to protect the resources.
- static interface: Configures the deployment model for the third-party firewall.

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationMode
Nested classes/interfaces inherited from interface software.constructs.IConstruct
software.constructs.IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.amazon.awscdk.IInspectable
IInspectable.Jsii$Default, IInspectable.Jsii$Proxy
Nested classes/interfaces inherited from interface software.amazon.awscdk.ITaggableV2
ITaggableV2.Jsii$Default, ITaggableV2.Jsii$Proxy
Field Summary
- static final String: The CloudFormation resource type name for this resource class.

Constructor Summary
- protected CfnPolicy(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
- protected CfnPolicy(software.amazon.jsii.JsiiObjectRef objRef)
- CfnPolicy(software.constructs.Construct scope, String id, CfnPolicyProps props)
Method Summary
- The Amazon Resource Name (ARN) of the policy.
- The ID of the policy.
- Tag Manager which manages the tags for this resource.
- Used when deleting a policy.
- Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.
- Used only when tags are specified in the ResourceTags property.
- Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.
- The definition of the AWS Network Firewall firewall policy.
- The name of the AWS Firewall Manager policy.
- Indicates if the policy should be automatically applied to new resources.
- Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
- The unique identifiers of the resource sets used by the policy.
- An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
- The type of resource protected by or in scope of the policy.
- An array of ResourceType objects.
- Details about the security service that is being used to protect the resources.
- getTags(): A collection of key:value pairs associated with an AWS resource.
- void inspect(TreeInspector inspector): Examines the CloudFormation resource and discloses attributes.
- renderProperties(Map<String, Object> props)
- void: Used when deleting a policy.
- void: Used when deleting a policy.
- void setExcludeMap(IResolvable value): Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.
- void: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.
- void setExcludeResourceTags(Boolean value): Used only when tags are specified in the ResourceTags property.
- void: Used only when tags are specified in the ResourceTags property.
- void setIncludeMap(IResolvable value): Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.
- void: Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.
- void setPolicyDescription(String value): The definition of the AWS Network Firewall firewall policy.
- void setPolicyName(String value): The name of the AWS Firewall Manager policy.
- void setRemediationEnabled(Boolean value): Indicates if the policy should be automatically applied to new resources.
- void setRemediationEnabled(IResolvable value): Indicates if the policy should be automatically applied to new resources.
- void setResourcesCleanUp(Boolean value): Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
- void setResourcesCleanUp(IResolvable value): Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
- void setResourceSetIds(List<String> value): The unique identifiers of the resource sets used by the policy.
- void setResourceTags(List<Object> value): An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
- void setResourceTags(IResolvable value): An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
- void setResourceType(String value): The type of resource protected by or in scope of the policy.
- void setResourceTypeList(List<String> value): An array of ResourceType objects.
- void: Details about the security service that is being used to protect the resources.
- void: Details about the security service that is being used to protect the resources.
- void setTags(List<CfnPolicy.PolicyTagProperty> value): A collection of key:value pairs associated with an AWS resource.

Methods inherited from class software.amazon.awscdk.CfnResource
addDeletionOverride, addDependency, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, getUpdatedProperties, isCfnResource, obtainDependencies, obtainResourceDependencies, removeDependency, replaceDependency, shouldSynthesize, toString, validateProperties
Methods inherited from class software.amazon.awscdk.CfnRefElement
getRef
Methods inherited from class software.amazon.awscdk.CfnElement
getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
Methods inherited from class software.constructs.Construct
getNode, isConstruct
Methods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
Field Details

CFN_RESOURCE_TYPE_NAME
The CloudFormation resource type name for this resource class.

Constructor Details

CfnPolicy
protected CfnPolicy(software.amazon.jsii.JsiiObjectRef objRef)

CfnPolicy
protected CfnPolicy(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

CfnPolicy
@Stability(Stable)
public CfnPolicy(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnPolicyProps props)
Parameters:
- scope: Scope in which this resource is defined. This parameter is required.
- id: Construct identifier for this resource (unique in its scope). This parameter is required.
- props: Resource properties. This parameter is required.

Method Details
inspect
Examines the CloudFormation resource and discloses attributes.
Specified by: inspect in interface IInspectable
Parameters:
- inspector: tree inspector to collect and process attributes. This parameter is required.

renderProperties
@Stability(Stable)
@NotNull
protected Map<String, Object> renderProperties(@NotNull Map<String, Object> props)
Overrides: renderProperties in class CfnResource
Parameters:
- props: This parameter is required.
getAttrArn
The Amazon Resource Name (ARN) of the policy.

getAttrId
The ID of the policy.

getCdkTagManager
Tag Manager which manages the tags for this resource.
Specified by: getCdkTagManager in interface ITaggableV2

getCfnProperties
Overrides: getCfnProperties in class CfnResource

getExcludeResourceTags
Used only when tags are specified in the ResourceTags property.

setExcludeResourceTags
Used only when tags are specified in the ResourceTags property.

setExcludeResourceTags
Used only when tags are specified in the ResourceTags property.

getPolicyName
The name of the AWS Firewall Manager policy.

setPolicyName
The name of the AWS Firewall Manager policy.

getRemediationEnabled
Indicates if the policy should be automatically applied to new resources.

setRemediationEnabled
Indicates if the policy should be automatically applied to new resources.

setRemediationEnabled
Indicates if the policy should be automatically applied to new resources.

getSecurityServicePolicyData
Details about the security service that is being used to protect the resources.

setSecurityServicePolicyData
Details about the security service that is being used to protect the resources.

setSecurityServicePolicyData
@Stability(Stable)
public void setSecurityServicePolicyData(@NotNull CfnPolicy.SecurityServicePolicyDataProperty value)
Details about the security service that is being used to protect the resources.
getDeleteAllPolicyResources
Used when deleting a policy. If true, Firewall Manager performs cleanup according to the policy type.

setDeleteAllPolicyResources
Used when deleting a policy. If true, Firewall Manager performs cleanup according to the policy type.

setDeleteAllPolicyResources
Used when deleting a policy. If true, Firewall Manager performs cleanup according to the policy type.

getExcludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

setExcludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

setExcludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

getIncludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

setIncludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

setIncludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

getPolicyDescription
The definition of the AWS Network Firewall firewall policy.

setPolicyDescription
The definition of the AWS Network Firewall firewall policy.

getResourcesCleanUp
Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

setResourcesCleanUp
Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

setResourcesCleanUp
Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

getResourceSetIds
The unique identifiers of the resource sets used by the policy.

setResourceSetIds
The unique identifiers of the resource sets used by the policy.

getResourceTags
An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

setResourceTags
An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

setResourceTags
An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

getResourceType
The type of resource protected by or in scope of the policy.

setResourceType
The type of resource protected by or in scope of the policy.

getResourceTypeList
An array of ResourceType objects.

setResourceTypeList
An array of ResourceType objects.

getTags
A collection of key:value pairs associated with an AWS resource.

setTags
A collection of key:value pairs associated with an AWS resource.