AWS Firewall Manager
Firewall Management (API Version 2018-01-01)

Policy

An AWS Firewall Manager policy.

Contents

ExcludeMap

Specifies the AWS account IDs to exclude from the policy. The IncludeMap values are evaluated first, with all the appropriate account IDs added to the policy. Then the accounts listed in ExcludeMap are removed, resulting in the final list of accounts to add to the policy.

The key to the map is ACCOUNT. For example, a valid ExcludeMap would be {“ACCOUNT” : [“accountID1”, “accountID2”]}.

Type: String to array of strings map

Valid Keys: ACCOUNT

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: No

ExcludeResourceTags

If set to True, resources with the tags that are specified in the ResourceTag array are not in scope of the policy. If set to False, and the ResourceTag array is not null, only resources with the specified tags are in scope of the policy.

Type: Boolean

Required: Yes

IncludeMap

Specifies the AWS account IDs to include in the policy. If IncludeMap is null, all accounts in the organization in AWS Organizations are included in the policy. If IncludeMap is not null, only values listed in IncludeMap are included in the policy.

The key to the map is ACCOUNT. For example, a valid IncludeMap would be {“ACCOUNT” : [“accountID1”, “accountID2”]}.

Type: String to array of strings map

Valid Keys: ACCOUNT

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: No

PolicyId

The ID of the AWS Firewall Manager policy.

Type: String

Length Constraints: Fixed length of 36.

Pattern: ^[a-z0-9A-Z-]{36}$

Required: No

PolicyName

The friendly name of the AWS Firewall Manager policy.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: Yes

PolicyUpdateToken

A unique identifier for each update to the policy. When issuing a PutPolicy request, the PolicyUpdateToken in the request must match the PolicyUpdateToken of the current policy version. To get the PolicyUpdateToken of the current policy version, use a GetPolicy request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: No

RemediationEnabled

Indicates if the policy should be automatically applied to new resources.

Type: Boolean

Required: Yes

ResourceTags

An array of ResourceTag objects.

Type: Array of ResourceTag objects

Array Members: Minimum number of 0 items. Maximum number of 8 items.

Required: No

ResourceType

The type of resource protected by or in scope of the policy. This is in the format shown in the AWS Resource Types Reference. For AWS WAF and Shield Advanced, examples include AWS::ElasticLoadBalancingV2::LoadBalancer and AWS::CloudFront::Distribution. For a security group common policy, valid values are AWS::EC2::NetworkInterface and AWS::EC2::Instance. For a security group content audit policy, valid values are AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and AWS::EC2::Instance. For a security group usage audit policy, the value is AWS::EC2::SecurityGroup.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: Yes

ResourceTypeList

An array of ResourceType.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Required: No

SecurityServicePolicyData

Details about the security service that is being used to protect the resources.

Type: SecurityServicePolicyData object

Required: Yes

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

On this page: