FirewallRuleType - Amazon Route 53

FirewallRuleType

The rule-type configuration for a DNS Firewall rule. FirewallRuleType is a tagged union — exactly one member must be set per rule, and the member determines what the rule matches against. This shape is mutually exclusive with the top-level FirewallDomainListId and DnsThreatProtection fields on CreateFirewallRule and UpdateFirewallRule.

Call ListFirewallRuleTypes to discover which rule-type variants and which values within each variant are available in your account and Region.

Contents

DnsThreatProtection

Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.

Type: DnsThreatProtectionRuleTypeConfig object

Required: No

FirewallAdvancedContentCategory

Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.

Type: FirewallAdvancedContentCategoryConfig object

Required: No

FirewallAdvancedThreatCategory

Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.

Type: FirewallAdvancedThreatCategoryConfig object

Required: No

PartnerThreatProtection

Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.

Type: PartnerThreatProtectionConfig object

Required: No
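
The constraints above (exactly one member set, no mixing with the top-level FirewallDomainListId or DnsThreatProtection fields, and an active subscription for a partner rule) can be checked on the client before the request is sent. The following is an added example, not code from AWS or this API reference. It assumes the request carries the union under the key FirewallRuleType; check_rule_request and subscribed_partners are hypothetical names, and the sample values are constructed.

```python
# Added example, not AWS code: pre-flight check for the FirewallRuleType union.
# Assumption: the request carries the union under the key "FirewallRuleType".
RULE_TYPE_MEMBERS = (
    "DnsThreatProtection", "FirewallAdvancedContentCategory",
    "FirewallAdvancedThreatCategory", "PartnerThreatProtection",
)
# Top-level request fields that cannot be combined with the union.
EXCLUSIVE_TOP_LEVEL = ("FirewallDomainListId", "DnsThreatProtection")


def check_rule_request(request, subscribed_partners=frozenset()):
    """Return a list of problems; an empty list means the request passes.

    subscribed_partners is a hypothetical, caller-supplied set of partner
    product names with an active AWS Marketplace subscription.
    """
    rule_type = request.get("FirewallRuleType")
    if rule_type is None:
        return []  # request does not use the union; nothing to check
    if not isinstance(rule_type, dict):
        return ["FirewallRuleType must be an object"]
    problems = []
    unknown = sorted(set(rule_type) - set(RULE_TYPE_MEMBERS))
    if unknown:
        problems.append("unknown member(s): " + ", ".join(unknown))
    present = [m for m in RULE_TYPE_MEMBERS if rule_type.get(m) is not None]
    if len(present) != 1:
        problems.append(f"exactly one member must be set, found {present}")
    clash = [f for f in EXCLUSIVE_TOP_LEVEL if request.get(f) is not None]
    if clash:
        problems.append(f"FirewallRuleType cannot be combined with {clash}")
    partner_cfg = rule_type.get("PartnerThreatProtection")
    if partner_cfg is not None:
        partner = partner_cfg.get("Partner") if isinstance(partner_cfg, dict) else None
        if partner not in subscribed_partners:
            # Catch this before the call: a failed partner rule can only be deleted.
            problems.append(f"no active subscription recorded for partner {partner!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample request; the names and the ID are placeholders.
    sample = {
        "Name": "block-partner-feed",
        "FirewallDomainListId": "rslvr-fdl-EXAMPLE",
        "FirewallRuleType": {"PartnerThreatProtection": {"Partner": "EXAMPLE_PARTNER"}},
    }
    for problem in check_rule_request(sample, subscribed_partners={"OTHER_PARTNER"}):
        print("REJECT:", problem)
```

The member contents are treated as opaque apart from Partner, which is the only inner field this page names.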

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: