Class CfnPolicy

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
All Implemented Interfaces:
IInspectable, ITaggableV2, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

@Generated(value="jsii-pacmak/1.103.1 (build bef2dea)", date="2024-10-05T03:43:43.812Z") @Stability(Stable) public class CfnPolicy extends CfnResource implements IInspectable, ITaggableV2
An AWS Firewall Manager policy.

A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.

If you add a new account to an organization that you created with AWS Organizations, Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.

Policies require some setup to use. For more information, see the sections on prerequisites and getting started under Firewall Manager prerequisites.

Firewall Manager provides the following types of policies:

  • AWS WAF policy - This policy applies AWS WAF web ACL protections to specified accounts and resources.
  • Shield Advanced policy - This policy applies Shield Advanced protection to specified accounts and resources.
  • Security Groups policy - This type of policy gives you control over security groups that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of rules across your organization.
  • Network ACL policy - This type of policy gives you control over the network ACLs that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of first and last network ACL rules across your organization.
  • Network Firewall policy - This policy applies Network Firewall protection to your organization's VPCs.
  • DNS Firewall policy - This policy applies Amazon Route 53 Resolver DNS Firewall protections to your organization's VPCs.
  • Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the AWS Marketplace console.
  • Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
  • Fortigate CNF policy - This policy applies Fortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.

Example:

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.fms.*;
 CfnPolicy cfnPolicy = CfnPolicy.Builder.create(this, "MyCfnPolicy")
         .excludeResourceTags(false)
         .policyName("policyName")
         .remediationEnabled(false)
         .securityServicePolicyData(SecurityServicePolicyDataProperty.builder()
                 // The Firewall Manager service type, e.g. WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON,
                 // NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL or NETWORK_ACL_COMMON.
                 .type("type")
                 // the properties below are optional
                 .managedServiceData("managedServiceData")
                 // Only the option matching the type above is used; a real policy sets one of these, not all three.
                 .policyOption(PolicyOptionProperty.builder()
                         .networkAclCommonPolicy(NetworkAclCommonPolicyProperty.builder().build())
                         .networkFirewallPolicy(NetworkFirewallPolicyProperty.builder()
                                 .firewallDeploymentModel("firewallDeploymentModel")
                                 .build())
                         .thirdPartyFirewallPolicy(ThirdPartyFirewallPolicyProperty.builder()
                                 .firewallDeploymentModel("firewallDeploymentModel")
                                 .build())
                         .build())
                 .build())
         // the properties below are optional
         .deleteAllPolicyResources(false)
         .excludeMap(Map.of(
                 "account", List.of("account"),
                 "orgunit", List.of("orgunit")))
         .includeMap(Map.of(
                 "account", List.of("account"),
                 "orgunit", List.of("orgunit")))
         .policyDescription("policyDescription")
         .resourcesCleanUp(false)
         .resourceSetIds(List.of("resourceSetIds"))
         .resourceTags(List.of(ResourceTagProperty.builder()
                 .key("key")
                 // the properties below are optional
                 .value("value")
                 .build()))
         .resourceType("resourceType")
         .resourceTypeList(List.of("resourceTypeList"))
         .tags(List.of(PolicyTagProperty.builder()
                 .key("key")
                 .value("value")
                 .build()))
         .build();
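 The placeholder above sets every property at once. The following is an added example, not code from the CDK documentation or the aws-cdk project, showing what a realistic policy looks like: a WAFV2 policy that places an AWS managed rule group in front of every Application Load Balancer in one organizational unit. The OU id, the fms:exempt tag, the names and the JSON schema of managedServiceData are assumptions for illustration (the schema differs per policy type and version, so check it against the Firewall Manager documentation for your policy type). The account scope is written with addPropertyOverride and the raw CloudFormation IEMap keys (ACCOUNT / ORGUNIT), which avoids depending on the typed include-map overload; it assumes Java 17 for the text block, and the stack must be deployed from the Firewall Manager administrator account, which is where policies are created.

```java
import java.util.List;
import java.util.Map;

import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.fms.CfnPolicy;
import software.constructs.Construct;

/**
 * Added example (not from the CDK docs): an organization-wide WAFV2 baseline.
 * The OU id, tag key, names and the managedServiceData schema are placeholders.
 * Deploy from the Firewall Manager administrator account; policies are created there.
 */
public class FmsWafBaselineStack extends Stack {

    // ManagedServiceData is a JSON string whose schema depends on Type.
    // Assumed WAFV2 shape: one AWS managed rule group evaluated before any
    // account-owned rules, default action ALLOW, no log destination configured.
    // overrideCustomerWebACLAssociation=false keeps a web ACL an account owner
    // already attached; true would replace it with the policy's web ACL.
    static final String WAFV2_MANAGED_SERVICE_DATA = """
            {
              "type": "WAFV2",
              "preProcessRuleGroups": [
                {
                  "ruleGroupArn": null,
                  "overrideAction": { "type": "NONE" },
                  "managedRuleGroupIdentifier": {
                    "version": null,
                    "vendorName": "AWS",
                    "managedRuleGroupName": "AWSManagedRulesCommonRuleSet"
                  },
                  "ruleGroupType": "ManagedRuleGroup",
                  "excludeRules": []
                }
              ],
              "postProcessRuleGroups": [],
              "defaultAction": { "type": "ALLOW" },
              "overrideCustomerWebACLAssociation": false,
              "loggingConfiguration": null
            }
            """;

    public FmsWafBaselineStack(final Construct scope, final String id) {
        super(scope, id);

        CfnPolicy policy = CfnPolicy.Builder.create(this, "OrgWafBaseline")
                .policyName("org-alb-waf-baseline")
                .policyDescription("AWS managed common rule set on every ALB in the Workloads OU")
                .securityServicePolicyData(CfnPolicy.SecurityServicePolicyDataProperty.builder()
                        .type("WAFV2")
                        .managedServiceData(WAFV2_MANAGED_SERVICE_DATA)
                        .build())
                // One resource type; use resourceTypeList instead to cover several.
                .resourceType("AWS::ElasticLoadBalancingV2::LoadBalancer")
                // Tag scope: with excludeResourceTags=true, load balancers carrying this
                // tag are left out of scope. With false, only tagged ones would be in scope.
                .resourceTags(List.of(CfnPolicy.ResourceTagProperty.builder()
                        .key("fms:exempt")
                        .value("true")
                        .build()))
                .excludeResourceTags(true)
                // true: Firewall Manager creates the web ACL in each account and associates
                // it with every in-scope ALB. Deploy with false first and read the compliance
                // findings before letting it change resources.
                .remediationEnabled(true)
                // Drop the association when an ALB or account leaves scope, and delete
                // everything the policy created when the policy itself is deleted.
                .resourcesCleanUp(true)
                .deleteAllPolicyResources(true)
                .tags(List.of(CfnPolicy.PolicyTagProperty.builder()
                        .key("owner")
                        .value("secops")
                        .build()))
                .build();

        // Account scope. Only IncludeMap is set: when an IncludeMap is present Firewall
        // Manager ignores ExcludeMap, so use ExcludeMap alone to mean "every account but".
        // The keys are the raw CloudFormation ones (ACCOUNT / ORGUNIT); addPropertyOverride
        // writes them straight into the synthesized template. The OU id is a placeholder.
        policy.addPropertyOverride("IncludeMap",
                Map.of("ORGUNIT", List.of("ou-abcd-12345678")));
    }

    public static void main(final String[] args) {
        App app = new App();
        new FmsWafBaselineStack(app, "FmsWafBaselineStack");
        app.synth();
    }
}
```

 Run cdk synth and confirm the AWS::FMS::Policy resource in the template carries IncludeMap with an ORGUNIT list and ExcludeResourceTags true before deploying; a first rollout with remediationEnabled(false) shows which load balancers the policy would touch without creating or associating any web ACL.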
 

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.
  • Constructor Details

    • CfnPolicy

      protected CfnPolicy(software.amazon.jsii.JsiiObjectRef objRef)
    • CfnPolicy

      protected CfnPolicy(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
    • CfnPolicy

      @Stability(Stable) public CfnPolicy(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnPolicyProps props)
      Parameters:
      scope - Scope in which this resource is defined. This parameter is required.
      id - Construct identifier for this resource (unique in its scope). This parameter is required.
      props - Resource properties. This parameter is required.
  • Method Details

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector - tree inspector to collect and process attributes. This parameter is required.
    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.
    • getAttrArn

      @Stability(Stable) @NotNull public String getAttrArn()
      The Amazon Resource Name (ARN) of the policy.
    • getAttrId

      @Stability(Stable) @NotNull public String getAttrId()
      The ID of the policy.
    • getCdkTagManager

      @Stability(Stable) @NotNull public TagManager getCdkTagManager()
      Tag Manager which manages the tags for this resource.
      Specified by:
      getCdkTagManager in interface ITaggableV2
    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource
    • getExcludeResourceTags

      @Stability(Stable) @NotNull public Object getExcludeResourceTags()
      Used only when tags are specified in the ResourceTags property. If true, resources that carry the specified tags are excluded from the policy scope; if false, only resources that carry the specified tags are in scope.
    • setExcludeResourceTags

      @Stability(Stable) public void setExcludeResourceTags(@NotNull Boolean value)
      Used only when tags are specified in the ResourceTags property. If true, resources that carry the specified tags are excluded from the policy scope; if false, only resources that carry the specified tags are in scope.
    • setExcludeResourceTags

      @Stability(Stable) public void setExcludeResourceTags(@NotNull IResolvable value)
      Used only when tags are specified in the ResourceTags property. If true, resources that carry the specified tags are excluded from the policy scope; if false, only resources that carry the specified tags are in scope.
    • getPolicyName

      @Stability(Stable) @NotNull public String getPolicyName()
      The name of the AWS Firewall Manager policy.
    • setPolicyName

      @Stability(Stable) public void setPolicyName(@NotNull String value)
      The name of the AWS Firewall Manager policy.
    • getRemediationEnabled

      @Stability(Stable) @NotNull public Object getRemediationEnabled()
      Indicates if the policy should be automatically applied to new resources.
    • setRemediationEnabled

      @Stability(Stable) public void setRemediationEnabled(@NotNull Boolean value)
      Indicates if the policy should be automatically applied to new resources.
    • setRemediationEnabled

      @Stability(Stable) public void setRemediationEnabled(@NotNull IResolvable value)
      Indicates if the policy should be automatically applied to new resources.
    • getSecurityServicePolicyData

      @Stability(Stable) @NotNull public Object getSecurityServicePolicyData()
      Details about the security service that is being used to protect the resources.
    • setSecurityServicePolicyData

      @Stability(Stable) public void setSecurityServicePolicyData(@NotNull IResolvable value)
      Details about the security service that is being used to protect the resources.
    • setSecurityServicePolicyData

      @Stability(Stable) public void setSecurityServicePolicyData(@NotNull CfnPolicy.SecurityServicePolicyDataProperty value)
      Details about the security service that is being used to protect the resources.
    • getDeleteAllPolicyResources

      @Stability(Stable) @Nullable public Object getDeleteAllPolicyResources()
      Used when deleting a policy.

      If true , Firewall Manager performs cleanup according to the policy type.

    • setDeleteAllPolicyResources

      @Stability(Stable) public void setDeleteAllPolicyResources(@Nullable Boolean value)
      Used when deleting a policy.

      If true , Firewall Manager performs cleanup according to the policy type.

    • setDeleteAllPolicyResources

      @Stability(Stable) public void setDeleteAllPolicyResources(@Nullable IResolvable value)
      Used when deleting a policy.

      If true , Firewall Manager performs cleanup according to the policy type.

    • getExcludeMap

      @Stability(Stable) @Nullable public Object getExcludeMap()
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. You can specify inclusions or exclusions, but not both: if an IncludeMap is set, Firewall Manager applies the policy to the accounts in the IncludeMap and does not evaluate the ExcludeMap; if no IncludeMap is set, the policy applies to every account except those in the ExcludeMap.
    • setExcludeMap

      @Stability(Stable) public void setExcludeMap(@Nullable IResolvable value)
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Evaluated only when no IncludeMap is set.
    • setExcludeMap

      @Stability(Stable) public void setExcludeMap(@Nullable CfnPolicy.IEMapProperty value)
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Evaluated only when no IncludeMap is set.
    • getIncludeMap

      @Stability(Stable) @Nullable public Object getIncludeMap()
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. You can specify inclusions or exclusions, but not both: when an IncludeMap is set, Firewall Manager applies the policy only to the accounts it lists and does not evaluate the ExcludeMap.
    • setIncludeMap

      @Stability(Stable) public void setIncludeMap(@Nullable IResolvable value)
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. When set, the ExcludeMap is not evaluated.
    • setIncludeMap

      @Stability(Stable) public void setIncludeMap(@Nullable CfnPolicy.IEMapProperty value)
      Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. When set, the ExcludeMap is not evaluated.
    • getPolicyDescription

      @Stability(Stable) @Nullable public String getPolicyDescription()
      Your description of the AWS Firewall Manager policy.
    • setPolicyDescription

      @Stability(Stable) public void setPolicyDescription(@Nullable String value)
      Your description of the AWS Firewall Manager policy.
    • getResourcesCleanUp

      @Stability(Stable) @Nullable public Object getResourcesCleanUp()
      Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
    • setResourcesCleanUp

      @Stability(Stable) public void setResourcesCleanUp(@Nullable Boolean value)
      Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
    • setResourcesCleanUp

      @Stability(Stable) public void setResourcesCleanUp(@Nullable IResolvable value)
      Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
    • getResourceSetIds

      @Stability(Stable) @Nullable public List<String> getResourceSetIds()
      The unique identifiers of the resource sets used by the policy.
    • setResourceSetIds

      @Stability(Stable) public void setResourceSetIds(@Nullable List<String> value)
      The unique identifiers of the resource sets used by the policy.
    • getResourceTags

      @Stability(Stable) @Nullable public Object getResourceTags()
      An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
    • setResourceTags

      @Stability(Stable) public void setResourceTags(@Nullable IResolvable value)
      An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
    • setResourceTags

      @Stability(Stable) public void setResourceTags(@Nullable List<Object> value)
      An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
    • getResourceType

      @Stability(Stable) @Nullable public String getResourceType()
      The type of resource protected by or in scope of the policy.
    • setResourceType

      @Stability(Stable) public void setResourceType(@Nullable String value)
      The type of resource protected by or in scope of the policy.
    • getResourceTypeList

      @Stability(Stable) @Nullable public List<String> getResourceTypeList()
      An array of resource type names. Use this only to put multiple resource types in scope; to specify a single resource type, use ResourceType.
    • setResourceTypeList

      @Stability(Stable) public void setResourceTypeList(@Nullable List<String> value)
      An array of resource type names. Use this only to put multiple resource types in scope; to specify a single resource type, use ResourceType.
    • getTags

      @Stability(Stable) @Nullable public List<CfnPolicy.PolicyTagProperty> getTags()
      A collection of key:value pairs associated with an AWS resource.
    • setTags

      @Stability(Stable) public void setTags(@Nullable List<CfnPolicy.PolicyTagProperty> value)
      A collection of key:value pairs associated with an AWS resource.