AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-06-19 · Documentation low

File: cli/latest/reference/route53resolver/delete-firewall-rule.md

Summary

Updated documentation for delete-firewall-rule command: added rule identification methods, new threat types (DICTIONARY_DGA), detailed rule type configurations (including PartnerThreatProtection), and rule status lifecycle documentation.

Security assessment

The changes enhance documentation of DNS Firewall security features including new threat detection capabilities (DICTIONARY_DGA), partner threat protection integrations, and rule status monitoring. While these are security improvements, there's no evidence of a specific vulnerability being patched. The updates primarily provide clearer operational guidance for security features.

Diff

diff --git a/cli/latest/reference/route53resolver/delete-firewall-rule.md b/cli/latest/reference/route53resolver/delete-firewall-rule.md
index 9bc447b19..001695dbe 100644
--- a//cli/latest/reference/route53resolver/delete-firewall-rule.md
+++ b//cli/latest/reference/route53resolver/delete-firewall-rule.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.8 Command Reference](../../index.html) »
@@ -60 +60,3 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-Deletes the specified firewall rule.
+Deletes the specified firewall rule. Identify the rule using either `FirewallDomainListId` (for domain-list and DNS Firewall Advanced rules) or `FirewallThreatProtectionId` (for partner-managed and DNS Firewall Advanced rules) — together with `FirewallRuleGroupId` .
+
+> `DeleteFirewallRule` is the only operation that succeeds against a rule whose `Status` is `CREATION_FAILED` .
@@ -501 +503 @@ FirewallRule -> (structure)
->>   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks.
+>>   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
@@ -502,0 +505 @@ FirewallRule -> (structure)
+>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -534 +537,25 @@ FirewallRule -> (structure)
->> The rule type configuration for the firewall rule. Exactly one member of this union should be set.
+>> The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
+>> 
+>>   * `FirewallAdvancedContentCategory` — an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ).
+>>   * `FirewallAdvancedThreatCategory` — an AWS-managed advanced threat category (for example, `PHISHING` ).
+>>   * `DnsThreatProtection` — a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ).
+>>   * `PartnerThreatProtection` — a third-party threat feed delivered through AWS Marketplace.
+>> 
+
+>> 
+>> To enumerate the values supported in your account, call ListFirewallRuleTypes .
+>> 
+>> PartnerThreatProtection -> (structure)
+>>
+>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig .
+>>> 
+>>> Partner -> (string) [required]
+>>>
+>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `128`
+>>>> 
+
@@ -538 +565 @@ FirewallRule -> (structure)
->>> The configuration for a content category-based filtering rule.
+>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig .
@@ -553 +580 @@ FirewallRule -> (structure)
->>> The configuration for a threat category-based filtering rule.
+>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig .
@@ -568 +595 @@ FirewallRule -> (structure)
->>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection.
+>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig .
@@ -576 +603 @@ FirewallRule -> (structure)
->>>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -603,0 +631,28 @@ FirewallRule -> (structure)
+> 
+> Status -> (string)
+>
+>> The lifecycle state of the firewall rule. Possible values:
+>> 
+>>   * `CREATING` — DNS Firewall is provisioning the rule. Rules created with the `PartnerThreatProtection` rule type begin in this state while DNS Firewall verifies the calling account’s AWS Marketplace entitlement.
+>>   * `COMPLETE` — The rule is provisioned and enforcing matches.
+>>   * `CREATION_FAILED` — Provisioning failed. `StatusMessage` contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule .
+>> 
+
+>> 
+>> For rules that do not require asynchronous provisioning, this field may be absent.
+>> 
+>> Constraints:
+>> 
+>>   * max: `32`
+>> 
+
+> 
+> StatusMessage -> (string)
+>
+>> An additional message about the rule’s lifecycle state. Populated when `Status` is `CREATION_FAILED` to describe why provisioning failed.
+>> 
+>> Constraints:
+>> 
+>>   * max: `1024`
+>> 
+
@@ -615 +670 @@ FirewallRule -> (structure)
-  * [AWS CLI 2.35.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.8 Command Reference](../../index.html) »