AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-06-19 · Documentation low

File: cli/latest/reference/route53resolver/batch-create-firewall-rule.md

Summary

Added support for PartnerThreatProtection rule type that integrates third-party threat feeds from AWS Marketplace. Updated threat type names (DICT_DGA to DICTIONARY_DGA) and enhanced rule type documentation with new configuration options, status tracking, and constraints.

Security assessment

The changes document new security capabilities (third-party threat feeds and enhanced threat detection) but show no evidence of addressing a specific vulnerability. The updates expand DNS Firewall's security features without referencing any patched weakness.

Diff

diff --git a/cli/latest/reference/route53resolver/batch-create-firewall-rule.md b/cli/latest/reference/route53resolver/batch-create-firewall-rule.md
index 21acbc57c..d4c6158c4 100644
--- a//cli/latest/reference/route53resolver/batch-create-firewall-rule.md
+++ b//cli/latest/reference/route53resolver/batch-create-firewall-rule.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.8 Command Reference](../../index.html) »
@@ -268 +268 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -300 +300,25 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->>> The rule type configuration for the firewall rule. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields.
+>>> The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. Use one of:
+>>> 
+>>>   * `FirewallAdvancedContentCategory` — match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ).
+>>>   * `FirewallAdvancedThreatCategory` — match an AWS-managed advanced threat category (for example, `PHISHING` ).
+>>>   * `DnsThreatProtection` — match a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ).
+>>>   * `PartnerThreatProtection` — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
+>>> 
+
+>>> 
+>>> To enumerate the values supported in your account, call ListFirewallRuleTypes .
+>>> 
+>>> PartnerThreatProtection -> (structure)
+>>>
+>>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig .
+>>>> 
+>>>> Partner -> (string) [required]
+>>>>
+>>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product.
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `128`
+>>>>> 
+
@@ -304 +328 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->>>> The configuration for a content category-based filtering rule.
+>>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig .
@@ -319 +343 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->>>> The configuration for a threat category-based filtering rule.
+>>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig .
@@ -334 +358 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->>>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection.
+>>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig .
@@ -342 +366 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->>>>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -374 +398 @@ Shorthand Syntax:
-    CreatorRequestId=string,FirewallRuleGroupId=string,FirewallDomainListId=string,Priority=integer,Action=string,BlockResponse=string,BlockOverrideDomain=string,BlockOverrideDnsType=string,BlockOverrideTtl=integer,Name=string,FirewallDomainRedirectionAction=string,Qtype=string,DnsThreatProtection=string,ConfidenceThreshold=string,FirewallRuleType={FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string}} ...
+    CreatorRequestId=string,FirewallRuleGroupId=string,FirewallDomainListId=string,Priority=integer,Action=string,BlockResponse=string,BlockOverrideDomain=string,BlockOverrideDnsType=string,BlockOverrideTtl=integer,Name=string,FirewallDomainRedirectionAction=string,Qtype=string,DnsThreatProtection=string,ConfidenceThreshold=string,FirewallRuleType={PartnerThreatProtection={Partner=string},FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string}} ...
@@ -396,0 +421,3 @@ JSON Syntax:
+          "PartnerThreatProtection": {
+            "Partner": "string"
+          },
@@ -723 +750 @@ CreatedFirewallRules -> (list)
->>>   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks.
+>>>   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
@@ -724,0 +752 @@ CreatedFirewallRules -> (list)
+>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -756 +784,25 @@ CreatedFirewallRules -> (list)
->>> The rule type configuration for the firewall rule. Exactly one member of this union should be set.
+>>> The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
+>>> 
+>>>   * `FirewallAdvancedContentCategory` — an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ).
+>>>   * `FirewallAdvancedThreatCategory` — an AWS-managed advanced threat category (for example, `PHISHING` ).
+>>>   * `DnsThreatProtection` — a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ).
+>>>   * `PartnerThreatProtection` — a third-party threat feed delivered through AWS Marketplace.
+>>> 
+
+>>> 
+>>> To enumerate the values supported in your account, call ListFirewallRuleTypes .
+>>> 
+>>> PartnerThreatProtection -> (structure)
+>>>
+>>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig .
+>>>> 
+>>>> Partner -> (string) [required]
+>>>>
+>>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product.
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `128`
+>>>>> 
+
@@ -760 +812 @@ CreatedFirewallRules -> (list)
->>>> The configuration for a content category-based filtering rule.
+>>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig .
@@ -775 +827 @@ CreatedFirewallRules -> (list)
->>>> The configuration for a threat category-based filtering rule.
+>>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig .
@@ -790 +842 @@ CreatedFirewallRules -> (list)
->>>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection.
+>>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig .
@@ -798 +850 @@ CreatedFirewallRules -> (list)
->>>>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -825,0 +878,28 @@ CreatedFirewallRules -> (list)
+>> 
+>> Status -> (string)
+>>
+>>> The lifecycle state of the firewall rule. Possible values:
+>>> 
+>>>   * `CREATING` — DNS Firewall is provisioning the rule. Rules created with the `PartnerThreatProtection` rule type begin in this state while DNS Firewall verifies the calling account’s AWS Marketplace entitlement.
+>>>   * `COMPLETE` — The rule is provisioned and enforcing matches.
+>>>   * `CREATION_FAILED` — Provisioning failed. `StatusMessage` contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule .
+>>> 
+
+>>> 
+>>> For rules that do not require asynchronous provisioning, this field may be absent.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * max: `32`
+>>> 
+
+>> 
+>> StatusMessage -> (string)
+>>
+>>> An additional message about the rule’s lifecycle state. Populated when `Status` is `CREATION_FAILED` to describe why provisioning failed.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * max: `1024`
+>>> 
+
@@ -1006 +1086 @@ CreateErrors -> (list)
->>>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -1038 +1118,25 @@ CreateErrors -> (list)
->>>> The rule type configuration for the firewall rule. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields.
+>>>> The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. Use one of:
+>>>> 
+>>>>   * `FirewallAdvancedContentCategory` — match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ).
+>>>>   * `FirewallAdvancedThreatCategory` — match an AWS-managed advanced threat category (for example, `PHISHING` ).
+>>>>   * `DnsThreatProtection` — match a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ).
+>>>>   * `PartnerThreatProtection` — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
+>>>> 
+
+>>>> 
+>>>> To enumerate the values supported in your account, call ListFirewallRuleTypes .
+>>>> 
+>>>> PartnerThreatProtection -> (structure)
+>>>>
+>>>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig .
+>>>>> 
+>>>>> Partner -> (string) [required]
+>>>>>
+>>>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `1`
+>>>>>>   * max: `128`
+>>>>>> 
+
@@ -1042 +1146 @@ CreateErrors -> (list)
->>>>> The configuration for a content category-based filtering rule.
+>>>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig .
@@ -1057 +1161 @@ CreateErrors -> (list)
->>>>> The configuration for a threat category-based filtering rule.
+>>>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig .
@@ -1072 +1176 @@ CreateErrors -> (list)
->>>>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection.
+>>>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig .
@@ -1080 +1184 @@ CreateErrors -> (list)
->>>>>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -1127 +1231 @@ CreateErrors -> (list)
-  * [AWS CLI 2.35.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.8 Command Reference](../../index.html) »