AWS cli documentation change
Summary
Updated documentation for delete-firewall-rule command: added rule identification methods, new threat types (DICTIONARY_DGA), detailed rule type configurations (including PartnerThreatProtection), and rule status lifecycle documentation.
Security assessment
The changes enhance documentation of DNS Firewall security features including new threat detection capabilities (DICTIONARY_DGA), partner threat protection integrations, and rule status monitoring. While these are security improvements, there's no evidence of a specific vulnerability being patched. The updates primarily provide clearer operational guidance for security features.
Diff
diff --git a/cli/latest/reference/route53resolver/delete-firewall-rule.md b/cli/latest/reference/route53resolver/delete-firewall-rule.md index 9bc447b19..001695dbe 100644 --- a//cli/latest/reference/route53resolver/delete-firewall-rule.md +++ b//cli/latest/reference/route53resolver/delete-firewall-rule.md @@ -15 +15 @@ - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) » @@ -60 +60,3 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c -Deletes the specified firewall rule. +Deletes the specified firewall rule. Identify the rule using either `FirewallDomainListId` (for domain-list and DNS Firewall Advanced rules) or `FirewallThreatProtectionId` (for partner-managed and DNS Firewall Advanced rules) — together with `FirewallRuleGroupId` . + +> `DeleteFirewallRule` is the only operation that succeeds against a rule whose `Status` is `CREATION_FAILED` . @@ -501 +503 @@ FirewallRule -> (structure) ->> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks. +>> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks. @@ -502,0 +505 @@ FirewallRule -> (structure) +>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -534 +537,25 @@ FirewallRule -> (structure) ->> The rule type configuration for the firewall rule. Exactly one member of this union should be set. +>> The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are: +>> +>> * `FirewallAdvancedContentCategory` — an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). +>> * `FirewallAdvancedThreatCategory` — an AWS-managed advanced threat category (for example, `PHISHING` ). +>> * `DnsThreatProtection` — a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). +>> * `PartnerThreatProtection` — a third-party threat feed delivered through AWS Marketplace. +>> + +>> +>> To enumerate the values supported in your account, call ListFirewallRuleTypes . +>> +>> PartnerThreatProtection -> (structure) +>> +>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig . +>>> +>>> Partner -> (string) [required] +>>> +>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> + @@ -538 +565 @@ FirewallRule -> (structure) ->>> The configuration for a content category-based filtering rule. +>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig . @@ -553 +580 @@ FirewallRule -> (structure) ->>> The configuration for a threat category-based filtering rule. +>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig . @@ -568 +595 @@ FirewallRule -> (structure) ->>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection. +>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig . @@ -576 +603 @@ FirewallRule -> (structure) ->>>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -603,0 +631,28 @@ FirewallRule -> (structure) +> +> Status -> (string) +> +>> The lifecycle state of the firewall rule. Possible values: +>> +>> * `CREATING` — DNS Firewall is provisioning the rule. Rules created with the `PartnerThreatProtection` rule type begin in this state while DNS Firewall verifies the calling account’s AWS Marketplace entitlement. +>> * `COMPLETE` — The rule is provisioned and enforcing matches. +>> * `CREATION_FAILED` — Provisioning failed. `StatusMessage` contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule . +>> + +>> +>> For rules that do not require asynchronous provisioning, this field may be absent. +>> +>> Constraints: +>> +>> * max: `32` +>> + +> +> StatusMessage -> (string) +> +>> An additional message about the rule’s lifecycle state. Populated when `Status` is `CREATION_FAILED` to describe why provisioning failed. +>> +>> Constraints: +>> +>> * max: `1024` +>> + @@ -615 +670 @@ FirewallRule -> (structure) - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) »