AWS cli documentation change
Summary
Expanded documentation for DNS Firewall rule creation, adding new threat detection types (DGA, DNS_TUNNELING, DICTIONARY_DGA), partner threat protection via AWS Marketplace, asynchronous provisioning status tracking, and clarified rule type configurations.
Security assessment
The changes document new security features like advanced threat detection (DGA, DNS tunneling) and partner threat feeds, but there's no evidence of addressing a specific vulnerability. Updates focus on feature enhancements and configuration clarity.
Diff
diff --git a/cli/latest/reference/route53resolver/create-firewall-rule.md b/cli/latest/reference/route53resolver/create-firewall-rule.md index 2811ca80a..381460a02 100644 --- a//cli/latest/reference/route53resolver/create-firewall-rule.md +++ b//cli/latest/reference/route53resolver/create-firewall-rule.md @@ -15 +15 @@ - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) » @@ -60 +60,9 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c -Creates a single DNS Firewall rule in the specified rule group, using the specified domain list. +Creates a single DNS Firewall rule in the specified rule group. The rule can use any one of the following match sources, and the chosen source must be supplied through the matching request field — they are mutually exclusive: + + * `FirewallDomainListId` — match a customer-managed or AWS-managed domain list. + * `DnsThreatProtection` — match a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). + * `FirewallRuleType` — match one of the rule-type variants returned by ListFirewallRuleTypes : `FirewallAdvancedContentCategory` , `FirewallAdvancedThreatCategory` , `DnsThreatProtection` , or `PartnerThreatProtection` . The `PartnerThreatProtection` variant requires an active AWS Marketplace subscription to the named partner product. + + + +For rules that require asynchronous provisioning (today, the `PartnerThreatProtection` rule type), the rule’s `Status` begins at `CREATING` and transitions to `COMPLETE` once the rule is provisioned and the marketplace entitlement is verified. If provisioning fails, `Status` becomes `CREATION_FAILED` and `StatusMessage` contains a human-readable reason; the rule is then immutable and must be removed with DeleteFirewallRule . @@ -279 +287,7 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 -> Use to create a DNS Firewall Advanced rule. +> The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with `FirewallDomainListId` and `FirewallRuleType` . Valid values are: +> +> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks. +> * `DNS_TUNNELING` : DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client. +> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +> + @@ -309 +323,25 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 -> The rule type configuration for the firewall rule. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. +> The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. Use one of: +> +> * `FirewallAdvancedContentCategory` — match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). +> * `FirewallAdvancedThreatCategory` — match an AWS-managed advanced threat category (for example, `PHISHING` ). +> * `DnsThreatProtection` — match a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). +> * `PartnerThreatProtection` — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account. +> + +> +> To enumerate the values supported in your account, call ListFirewallRuleTypes . +> +> PartnerThreatProtection -> (structure) +> +>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig . +>> +>> Partner -> (string) [required] +>> +>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `128` +>>> + @@ -313 +351 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->> The configuration for a content category-based filtering rule. +>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig . @@ -328 +366 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->> The configuration for a threat category-based filtering rule. +>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig . @@ -343 +381 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection. +>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig . @@ -351 +389 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -383 +421 @@ Shorthand Syntax: - FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string} + PartnerThreatProtection={Partner=string},FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string} @@ -389,0 +428,3 @@ JSON Syntax: + "PartnerThreatProtection": { + "Partner": "string" + }, @@ -749 +790 @@ FirewallRule -> (structure) ->> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks. +>> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks. @@ -750,0 +792 @@ FirewallRule -> (structure) +>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -782 +824,25 @@ FirewallRule -> (structure) ->> The rule type configuration for the firewall rule. Exactly one member of this union should be set. +>> The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are: +>> +>> * `FirewallAdvancedContentCategory` — an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). +>> * `FirewallAdvancedThreatCategory` — an AWS-managed advanced threat category (for example, `PHISHING` ). +>> * `DnsThreatProtection` — a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). +>> * `PartnerThreatProtection` — a third-party threat feed delivered through AWS Marketplace. +>> + +>> +>> To enumerate the values supported in your account, call ListFirewallRuleTypes . +>> +>> PartnerThreatProtection -> (structure) +>> +>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig . +>>> +>>> Partner -> (string) [required] +>>> +>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> + @@ -786 +852 @@ FirewallRule -> (structure) ->>> The configuration for a content category-based filtering rule. +>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig . @@ -801 +867 @@ FirewallRule -> (structure) ->>> The configuration for a threat category-based filtering rule. +>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig . @@ -816 +882 @@ FirewallRule -> (structure) ->>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection. +>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig . @@ -824 +890 @@ FirewallRule -> (structure) ->>>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -851,0 +918,28 @@ FirewallRule -> (structure) +> +> Status -> (string) +> +>> The lifecycle state of the firewall rule. Possible values: +>> +>> * `CREATING` — DNS Firewall is provisioning the rule. Rules created with the `PartnerThreatProtection` rule type begin in this state while DNS Firewall verifies the calling account’s AWS Marketplace entitlement. +>> * `COMPLETE` — The rule is provisioned and enforcing matches. +>> * `CREATION_FAILED` — Provisioning failed. `StatusMessage` contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule . +>> + +>> +>> For rules that do not require asynchronous provisioning, this field may be absent. +>> +>> Constraints: +>> +>> * max: `32` +>> + +> +> StatusMessage -> (string) +> +>> An additional message about the rule’s lifecycle state. Populated when `Status` is `CREATION_FAILED` to describe why provisioning failed. +>> +>> Constraints: +>> +>> * max: `1024` +>> + @@ -863 +957 @@ FirewallRule -> (structure) - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) »