AWS cli documentation change
Summary
Added support for PartnerThreatProtection rule type that integrates third-party threat feeds from AWS Marketplace. Updated threat type names (DICT_DGA to DICTIONARY_DGA) and enhanced rule type documentation with new configuration options, status tracking, and constraints.
Security assessment
The changes document new security capabilities (third-party threat feeds and enhanced threat detection) but show no evidence of addressing a specific vulnerability. The updates expand DNS Firewall's security features without referencing any patched weakness.
Diff
diff --git a/cli/latest/reference/route53resolver/batch-create-firewall-rule.md b/cli/latest/reference/route53resolver/batch-create-firewall-rule.md index 21acbc57c..d4c6158c4 100644 --- a//cli/latest/reference/route53resolver/batch-create-firewall-rule.md +++ b//cli/latest/reference/route53resolver/batch-create-firewall-rule.md @@ -15 +15 @@ - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) » @@ -268 +268 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -300 +300,25 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->>> The rule type configuration for the firewall rule. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. +>>> The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. Use one of: +>>> +>>> * `FirewallAdvancedContentCategory` — match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). +>>> * `FirewallAdvancedThreatCategory` — match an AWS-managed advanced threat category (for example, `PHISHING` ). +>>> * `DnsThreatProtection` — match a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). +>>> * `PartnerThreatProtection` — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account. +>>> + +>>> +>>> To enumerate the values supported in your account, call ListFirewallRuleTypes . +>>> +>>> PartnerThreatProtection -> (structure) +>>> +>>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig . +>>>> +>>>> Partner -> (string) [required] +>>>> +>>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `128` +>>>>> + @@ -304 +328 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->>>> The configuration for a content category-based filtering rule. +>>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig . @@ -319 +343 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->>>> The configuration for a threat category-based filtering rule. +>>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig . @@ -334 +358 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->>>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection. +>>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig . @@ -342 +366 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->>>>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -374 +398 @@ Shorthand Syntax: - CreatorRequestId=string,FirewallRuleGroupId=string,FirewallDomainListId=string,Priority=integer,Action=string,BlockResponse=string,BlockOverrideDomain=string,BlockOverrideDnsType=string,BlockOverrideTtl=integer,Name=string,FirewallDomainRedirectionAction=string,Qtype=string,DnsThreatProtection=string,ConfidenceThreshold=string,FirewallRuleType={FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string}} ... + CreatorRequestId=string,FirewallRuleGroupId=string,FirewallDomainListId=string,Priority=integer,Action=string,BlockResponse=string,BlockOverrideDomain=string,BlockOverrideDnsType=string,BlockOverrideTtl=integer,Name=string,FirewallDomainRedirectionAction=string,Qtype=string,DnsThreatProtection=string,ConfidenceThreshold=string,FirewallRuleType={PartnerThreatProtection={Partner=string},FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string}} ... @@ -396,0 +421,3 @@ JSON Syntax: + "PartnerThreatProtection": { + "Partner": "string" + }, @@ -723 +750 @@ CreatedFirewallRules -> (list) ->>> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks. +>>> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks. @@ -724,0 +752 @@ CreatedFirewallRules -> (list) +>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -756 +784,25 @@ CreatedFirewallRules -> (list) ->>> The rule type configuration for the firewall rule. Exactly one member of this union should be set. +>>> The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are: +>>> +>>> * `FirewallAdvancedContentCategory` — an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). +>>> * `FirewallAdvancedThreatCategory` — an AWS-managed advanced threat category (for example, `PHISHING` ). +>>> * `DnsThreatProtection` — a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). +>>> * `PartnerThreatProtection` — a third-party threat feed delivered through AWS Marketplace. +>>> + +>>> +>>> To enumerate the values supported in your account, call ListFirewallRuleTypes . +>>> +>>> PartnerThreatProtection -> (structure) +>>> +>>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig . +>>>> +>>>> Partner -> (string) [required] +>>>> +>>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `128` +>>>>> + @@ -760 +812 @@ CreatedFirewallRules -> (list) ->>>> The configuration for a content category-based filtering rule. +>>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig . @@ -775 +827 @@ CreatedFirewallRules -> (list) ->>>> The configuration for a threat category-based filtering rule. +>>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig . @@ -790 +842 @@ CreatedFirewallRules -> (list) ->>>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection. +>>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig . @@ -798 +850 @@ CreatedFirewallRules -> (list) ->>>>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -825,0 +878,28 @@ CreatedFirewallRules -> (list) +>> +>> Status -> (string) +>> +>>> The lifecycle state of the firewall rule. Possible values: +>>> +>>> * `CREATING` — DNS Firewall is provisioning the rule. Rules created with the `PartnerThreatProtection` rule type begin in this state while DNS Firewall verifies the calling account’s AWS Marketplace entitlement. +>>> * `COMPLETE` — The rule is provisioned and enforcing matches. +>>> * `CREATION_FAILED` — Provisioning failed. `StatusMessage` contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule . +>>> + +>>> +>>> For rules that do not require asynchronous provisioning, this field may be absent. +>>> +>>> Constraints: +>>> +>>> * max: `32` +>>> + +>> +>> StatusMessage -> (string) +>> +>>> An additional message about the rule’s lifecycle state. Populated when `Status` is `CREATION_FAILED` to describe why provisioning failed. +>>> +>>> Constraints: +>>> +>>> * max: `1024` +>>> + @@ -1006 +1086 @@ CreateErrors -> (list) ->>>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -1038 +1118,25 @@ CreateErrors -> (list) ->>>> The rule type configuration for the firewall rule. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. +>>>> The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. Use one of: +>>>> +>>>> * `FirewallAdvancedContentCategory` — match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). +>>>> * `FirewallAdvancedThreatCategory` — match an AWS-managed advanced threat category (for example, `PHISHING` ). +>>>> * `DnsThreatProtection` — match a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). +>>>> * `PartnerThreatProtection` — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account. +>>>> + +>>>> +>>>> To enumerate the values supported in your account, call ListFirewallRuleTypes . +>>>> +>>>> PartnerThreatProtection -> (structure) +>>>> +>>>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig . +>>>>> +>>>>> Partner -> (string) [required] +>>>>> +>>>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `128` +>>>>>> + @@ -1042 +1146 @@ CreateErrors -> (list) ->>>>> The configuration for a content category-based filtering rule. +>>>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig . @@ -1057 +1161 @@ CreateErrors -> (list) ->>>>> The configuration for a threat category-based filtering rule. +>>>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig . @@ -1072 +1176 @@ CreateErrors -> (list) ->>>>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection. +>>>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig . @@ -1080 +1184 @@ CreateErrors -> (list) ->>>>>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>>>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -1127 +1231 @@ CreateErrors -> (list) - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) »