AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-05-31 · Documentation low

File: cli/latest/reference/route53resolver/list-firewall-rules.md

Summary

Updated CLI version references, fixed DNS type range, added documentation for FirewallRuleType structure including threat protection features (DGA, DNS tunneling)

Security assessment

Documents new security capabilities like DNS threat protection (DGA/tunneling detection) and content filtering, but shows no evidence of patching a vulnerability. The DNS range correction (65334→65534) appears to be a documentation fix without security implications.

Diff

diff --git a/cli/latest/reference/route53resolver/list-firewall-rules.md b/cli/latest/reference/route53resolver/list-firewall-rules.md
index 41611ebc9..7123f4798 100644
--- a//cli/latest/reference/route53resolver/list-firewall-rules.md
+++ b//cli/latest/reference/route53resolver/list-firewall-rules.md
@@ -14,2 +14,2 @@
-  * [previous](list-firewall-rule-groups.html "list-firewall-rule-groups") |
-  * [AWS CLI 2.34.55 Command Reference](../../index.html) »
+  * [previous](list-firewall-rule-types.html "list-firewall-rule-types") |
+  * [AWS CLI 2.34.57 Command Reference](../../index.html) »
@@ -22 +22 @@
-  * [← list-firewall-rule-groups](list-firewall-rule-groups.html "previous chapter \(use the left arrow\)") /
+  * [← list-firewall-rule-types](list-firewall-rule-types.html "previous chapter \(use the left arrow\)") /
@@ -497 +497 @@ FirewallRules -> (list)
->>>   * A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65334, for example, TYPE28. For more information, see [List of DNS record types](https://en.wikipedia.org/wiki/List_of_DNS_record_types) .
+>>>   * A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see [List of DNS record types](https://en.wikipedia.org/wiki/List_of_DNS_record_types) .
@@ -541,0 +542,33 @@ FirewallRules -> (list)
+>> 
+>> FirewallRuleType -> (structure)
+>>
+>>> The rule type configuration for the firewall rule. Exactly one member of this union should be set.
+>>> 
+>>> FirewallAdvancedContentCategory -> (structure)
+>>>
+>>>> The configuration for a content category-based filtering rule.
+>>>> 
+>>>> Category -> (string) [required]
+>>>>
+>>>>> The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with `RuleType` set to `FirewallAdvancedContentCategory` .
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `128`
+>>>>> 
+
+>>> 
+>>> FirewallAdvancedThreatCategory -> (structure)
+>>>
+>>>> The configuration for a threat category-based filtering rule.
+>>>> 
+>>>> Category -> (string) [required]
+>>>>
+>>>>> The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with `RuleType` set to `FirewallAdvancedThreatCategory` .
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `128`
+>>>>> 
@@ -543 +576,41 @@ FirewallRules -> (list)
-  * [← list-firewall-rule-groups](list-firewall-rule-groups.html "previous chapter \(use the left arrow\)") /
+>>> 
+>>> DnsThreatProtection -> (structure)
+>>>
+>>>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection.
+>>>> 
+>>>> Value -> (string) [required]
+>>>>
+>>>>> The type of DNS threat protection. Valid values are:
+>>>>> 
+>>>>>   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
+>>>>>   * `DNS_TUNNELING` : DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
+>>>>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>>> 
+
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `128`
+>>>>> 
+
+>>>> 
+>>>> ConfidenceThreshold -> (string) [required]
+>>>>
+>>>>> The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
+>>>>> 
+>>>>>   * `LOW` : Provides the highest detection rate for threats, but also increases false positives.
+>>>>>   * `MEDIUM` : Provides a balance between detecting threats and false positives.
+>>>>>   * `HIGH` : Detects only the most well corroborated threats with a low rate of false positives.
+>>>>> 
+
+>>>>> 
+>>>>> Possible values:
+>>>>> 
+>>>>>   * `LOW`
+>>>>>   * `MEDIUM`
+>>>>>   * `HIGH`
+>>>>> 
+
+
+  * [← list-firewall-rule-types](list-firewall-rule-types.html "previous chapter \(use the left arrow\)") /
@@ -552,2 +625,2 @@ FirewallRules -> (list)
-  * [previous](list-firewall-rule-groups.html "list-firewall-rule-groups") |
-  * [AWS CLI 2.34.55 Command Reference](../../index.html) »
+  * [previous](list-firewall-rule-types.html "list-firewall-rule-types") |
+  * [AWS CLI 2.34.57 Command Reference](../../index.html) »