Class CfnPolicy
- All Implemented Interfaces:
IInspectable
,ITaggableV2
,software.amazon.jsii.JsiiSerializable
,software.constructs.IConstruct
,software.constructs.IDependable
A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.
If you add a new account to an organization that you created with AWS Organizations , Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.
Policies require some setup to use. For more information, see the sections on prerequisites and getting started under Firewall Manager prerequisites .
Firewall Manager provides the following types of policies:
- AWS WAF policy - This policy applies AWS WAF web ACL protections to specified accounts and resources.
- Shield Advanced policy - This policy applies Shield Advanced protection to specified accounts and resources.
- Security Groups policy - This type of policy gives you control over security groups that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of rules across your organization.
- Network ACL policy - This type of policy gives you control over the network ACLs that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of first and last network ACL rules across your organization.
- Network Firewall policy - This policy applies Network Firewall protection to your organization's VPCs.
- DNS Firewall policy - This policy applies Amazon RouteĀ 53 Resolver DNS Firewall protections to your organization's VPCs.
- Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the AWS Marketplace console at AWS Marketplace .
- Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
- Fortigate CNF policy - This policy applies Fortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import software.amazon.awscdk.services.fms.*; CfnPolicy cfnPolicy = CfnPolicy.Builder.create(this, "MyCfnPolicy") .excludeResourceTags(false) .policyName("policyName") .remediationEnabled(false) .securityServicePolicyData(SecurityServicePolicyDataProperty.builder() .type("type") // the properties below are optional .managedServiceData("managedServiceData") .policyOption(PolicyOptionProperty.builder() .networkAclCommonPolicy(NetworkAclCommonPolicyProperty.builder().build()) .networkFirewallPolicy(NetworkFirewallPolicyProperty.builder() .firewallDeploymentModel("firewallDeploymentModel") .build()) .thirdPartyFirewallPolicy(ThirdPartyFirewallPolicyProperty.builder() .firewallDeploymentModel("firewallDeploymentModel") .build()) .build()) .build()) // the properties below are optional .deleteAllPolicyResources(false) .excludeMap(Map.of( "account", List.of("account"), "orgunit", List.of("orgunit"))) .includeMap(Map.of( "account", List.of("account"), "orgunit", List.of("orgunit"))) .policyDescription("policyDescription") .resourcesCleanUp(false) .resourceSetIds(List.of("resourceSetIds")) .resourceTags(List.of(ResourceTagProperty.builder() .key("key") // the properties below are optional .value("value") .build())) .resourceType("resourceType") .resourceTypeList(List.of("resourceTypeList")) .tags(List.of(PolicyTagProperty.builder() .key("key") .value("value") .build())) .build();
- See Also:
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic final class
A fluent builder forCfnPolicy
.static interface
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in or exclude from the policy.static interface
Defines a Firewall Manager network ACL policy.static interface
Configures the firewall policy deployment model of AWS Network Firewall .static interface
Contains the settings to configure a network ACL policy, a AWS Network Firewall firewall policy deployment model, or a third-party firewall policy.static interface
A collection of key:value pairs associated with an AWS resource.static interface
The resource tags that AWS Firewall Manager uses to determine if a particular resource should be included or excluded from the AWS Firewall Manager policy.static interface
Details about the security service that is being used to protect the resources.static interface
Configures the deployment model for the third-party firewall.Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationMode
Nested classes/interfaces inherited from interface software.constructs.IConstruct
software.constructs.IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.amazon.awscdk.IInspectable
IInspectable.Jsii$Default, IInspectable.Jsii$Proxy
Nested classes/interfaces inherited from interface software.amazon.awscdk.ITaggableV2
ITaggableV2.Jsii$Default, ITaggableV2.Jsii$Proxy
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
The CloudFormation resource type name for this resource class. -
Constructor Summary
ModifierConstructorDescriptionprotected
CfnPolicy
(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) protected
CfnPolicy
(software.amazon.jsii.JsiiObjectRef objRef) CfnPolicy
(software.constructs.Construct scope, String id, CfnPolicyProps props) -
Method Summary
Modifier and TypeMethodDescriptionThe Amazon Resource Name (ARN) of the policy.The ID of the policy.Tag Manager which manages the tags for this resource.Used when deleting a policy.Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.Used only when tags are specified in theResourceTags
property.Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.Your description of the AWS Firewall Manager policy.The name of the AWS Firewall Manager policy.Indicates if the policy should be automatically applied to new resources.Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.The unique identifiers of the resource sets used by the policy.An array ofResourceTag
objects, used to explicitly include resources in the policy scope or explicitly exclude them.The type of resource protected by or in scope of the policy.An array ofResourceType
objects.Details about the security service that is being used to protect the resources.getTags()
A collection of key:value pairs associated with an AWS resource.void
inspect
(TreeInspector inspector) Examines the CloudFormation resource and discloses attributes.renderProperties
(Map<String, Object> props) void
Used when deleting a policy.void
Used when deleting a policy.void
setExcludeMap
(IResolvable value) Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.void
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.void
setExcludeResourceTags
(Boolean value) Used only when tags are specified in theResourceTags
property.void
Used only when tags are specified in theResourceTags
property.void
setIncludeMap
(IResolvable value) Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.void
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.void
setPolicyDescription
(String value) Your description of the AWS Firewall Manager policy.void
setPolicyName
(String value) The name of the AWS Firewall Manager policy.void
setRemediationEnabled
(Boolean value) Indicates if the policy should be automatically applied to new resources.void
setRemediationEnabled
(IResolvable value) Indicates if the policy should be automatically applied to new resources.void
setResourcesCleanUp
(Boolean value) Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.void
setResourcesCleanUp
(IResolvable value) Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.void
setResourceSetIds
(List<String> value) The unique identifiers of the resource sets used by the policy.void
setResourceTags
(List<Object> value) An array ofResourceTag
objects, used to explicitly include resources in the policy scope or explicitly exclude them.void
setResourceTags
(IResolvable value) An array ofResourceTag
objects, used to explicitly include resources in the policy scope or explicitly exclude them.void
setResourceType
(String value) The type of resource protected by or in scope of the policy.void
setResourceTypeList
(List<String> value) An array ofResourceType
objects.void
Details about the security service that is being used to protect the resources.void
Details about the security service that is being used to protect the resources.void
setTags
(List<CfnPolicy.PolicyTagProperty> value) A collection of key:value pairs associated with an AWS resource.Methods inherited from class software.amazon.awscdk.CfnResource
addDeletionOverride, addDependency, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, getUpdatedProperties, isCfnResource, obtainDependencies, obtainResourceDependencies, removeDependency, replaceDependency, shouldSynthesize, toString, validateProperties
Methods inherited from class software.amazon.awscdk.CfnRefElement
getRef
Methods inherited from class software.amazon.awscdk.CfnElement
getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
Methods inherited from class software.constructs.Construct
getNode, isConstruct
Methods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
-
Field Details
-
CFN_RESOURCE_TYPE_NAME
The CloudFormation resource type name for this resource class.
-
-
Constructor Details
-
CfnPolicy
protected CfnPolicy(software.amazon.jsii.JsiiObjectRef objRef) -
CfnPolicy
protected CfnPolicy(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) -
CfnPolicy
@Stability(Stable) public CfnPolicy(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnPolicyProps props) - Parameters:
scope
- Scope in which this resource is defined. This parameter is required.id
- Construct identifier for this resource (unique in its scope). This parameter is required.props
- Resource properties. This parameter is required.
-
-
Method Details
-
inspect
Examines the CloudFormation resource and discloses attributes.- Specified by:
inspect
in interfaceIInspectable
- Parameters:
inspector
- tree inspector to collect and process attributes. This parameter is required.
-
renderProperties
@Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String, Object> props) - Overrides:
renderProperties
in classCfnResource
- Parameters:
props
- This parameter is required.
-
getAttrArn
The Amazon Resource Name (ARN) of the policy. -
getAttrId
The ID of the policy. -
getCdkTagManager
Tag Manager which manages the tags for this resource.- Specified by:
getCdkTagManager
in interfaceITaggableV2
-
getCfnProperties
- Overrides:
getCfnProperties
in classCfnResource
-
getExcludeResourceTags
Used only when tags are specified in theResourceTags
property. -
setExcludeResourceTags
Used only when tags are specified in theResourceTags
property. -
setExcludeResourceTags
Used only when tags are specified in theResourceTags
property. -
getPolicyName
The name of the AWS Firewall Manager policy. -
setPolicyName
The name of the AWS Firewall Manager policy. -
getRemediationEnabled
Indicates if the policy should be automatically applied to new resources. -
setRemediationEnabled
Indicates if the policy should be automatically applied to new resources. -
setRemediationEnabled
Indicates if the policy should be automatically applied to new resources. -
getSecurityServicePolicyData
Details about the security service that is being used to protect the resources. -
setSecurityServicePolicyData
Details about the security service that is being used to protect the resources. -
setSecurityServicePolicyData
@Stability(Stable) public void setSecurityServicePolicyData(@NotNull CfnPolicy.SecurityServicePolicyDataProperty value) Details about the security service that is being used to protect the resources. -
getDeleteAllPolicyResources
Used when deleting a policy.If
true
, Firewall Manager performs cleanup according to the policy type. -
setDeleteAllPolicyResources
Used when deleting a policy.If
true
, Firewall Manager performs cleanup according to the policy type. -
setDeleteAllPolicyResources
Used when deleting a policy.If
true
, Firewall Manager performs cleanup according to the policy type. -
getExcludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. -
setExcludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. -
setExcludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. -
getIncludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. -
setIncludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. -
setIncludeMap
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. -
getPolicyDescription
Your description of the AWS Firewall Manager policy. -
setPolicyDescription
Your description of the AWS Firewall Manager policy. -
getResourcesCleanUp
Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. -
setResourcesCleanUp
Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. -
setResourcesCleanUp
Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. -
getResourceSetIds
The unique identifiers of the resource sets used by the policy. -
setResourceSetIds
The unique identifiers of the resource sets used by the policy. -
getResourceTags
An array ofResourceTag
objects, used to explicitly include resources in the policy scope or explicitly exclude them. -
setResourceTags
An array ofResourceTag
objects, used to explicitly include resources in the policy scope or explicitly exclude them. -
setResourceTags
An array ofResourceTag
objects, used to explicitly include resources in the policy scope or explicitly exclude them. -
getResourceType
The type of resource protected by or in scope of the policy. -
setResourceType
The type of resource protected by or in scope of the policy. -
getResourceTypeList
An array ofResourceType
objects. -
setResourceTypeList
An array ofResourceType
objects. -
getTags
A collection of key:value pairs associated with an AWS resource. -
setTags
A collection of key:value pairs associated with an AWS resource.
-