AWS cli documentation change
Summary
Updated documentation for DNS Firewall Advanced rules including new rule types (DICTIONARY_DGA), partner threat protection, lifecycle states, and clarified rule configuration constraints.
Security assessment
The changes enhance documentation of security features like new threat detection types (DICTIONARY_DGA) and partner threat feeds, but don't address a specific vulnerability. They improve clarity on security configurations without evidence of patching a security flaw.
Diff
diff --git a/cli/latest/reference/route53resolver/update-firewall-rule.md b/cli/latest/reference/route53resolver/update-firewall-rule.md index e21c2818d..b35e4363e 100644 --- a//cli/latest/reference/route53resolver/update-firewall-rule.md +++ b//cli/latest/reference/route53resolver/update-firewall-rule.md @@ -15 +15 @@ - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) » @@ -60 +60 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c -Updates the specified firewall rule. +Updates the specified firewall rule. The rule’s `FirewallRuleType` , `FirewallDomainListId` , and top-level `DnsThreatProtection` match source cannot be changed after creation. Rules whose `Status` is `CREATING` or `CREATION_FAILED` cannot be updated; remove a failed rule with DeleteFirewallRule . @@ -275 +275 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 -> The type of the DNS Firewall Advanced rule. Valid values are: +> The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with `FirewallDomainListId` and `FirewallRuleType` . Valid values are: @@ -277 +277 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 -> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks. +> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks. @@ -278,0 +279 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 +> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -310 +311,25 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 -> The rule type configuration for the firewall rule. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. +> The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. Use one of: +> +> * `FirewallAdvancedContentCategory` — match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). +> * `FirewallAdvancedThreatCategory` — match an AWS-managed advanced threat category (for example, `PHISHING` ). +> * `DnsThreatProtection` — match a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). +> * `PartnerThreatProtection` — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account. +> + +> +> To enumerate the values supported in your account, call ListFirewallRuleTypes . +> +> PartnerThreatProtection -> (structure) +> +>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig . +>> +>> Partner -> (string) [required] +>> +>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `128` +>>> + @@ -314 +339 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->> The configuration for a content category-based filtering rule. +>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig . @@ -329 +354 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->> The configuration for a threat category-based filtering rule. +>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig . @@ -344 +369 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection. +>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig . @@ -352 +377 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5 ->>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -384 +409 @@ Shorthand Syntax: - FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string} + PartnerThreatProtection={Partner=string},FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string} @@ -390,0 +416,3 @@ JSON Syntax: + "PartnerThreatProtection": { + "Partner": "string" + }, @@ -748 +776 @@ FirewallRule -> (structure) ->> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks. +>> * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks. @@ -749,0 +778 @@ FirewallRule -> (structure) +>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -781 +810,25 @@ FirewallRule -> (structure) ->> The rule type configuration for the firewall rule. Exactly one member of this union should be set. +>> The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are: +>> +>> * `FirewallAdvancedContentCategory` — an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). +>> * `FirewallAdvancedThreatCategory` — an AWS-managed advanced threat category (for example, `PHISHING` ). +>> * `DnsThreatProtection` — a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ). +>> * `PartnerThreatProtection` — a third-party threat feed delivered through AWS Marketplace. +>> + +>> +>> To enumerate the values supported in your account, call ListFirewallRuleTypes . +>> +>> PartnerThreatProtection -> (structure) +>> +>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig . +>>> +>>> Partner -> (string) [required] +>>> +>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> + @@ -785 +838 @@ FirewallRule -> (structure) ->>> The configuration for a content category-based filtering rule. +>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig . @@ -800 +853 @@ FirewallRule -> (structure) ->>> The configuration for a threat category-based filtering rule. +>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig . @@ -815 +868 @@ FirewallRule -> (structure) ->>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection. +>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig . @@ -823 +876 @@ FirewallRule -> (structure) ->>>> * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. +>>>> * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs. @@ -850,0 +904,28 @@ FirewallRule -> (structure) +> +> Status -> (string) +> +>> The lifecycle state of the firewall rule. Possible values: +>> +>> * `CREATING` — DNS Firewall is provisioning the rule. Rules created with the `PartnerThreatProtection` rule type begin in this state while DNS Firewall verifies the calling account’s AWS Marketplace entitlement. +>> * `COMPLETE` — The rule is provisioned and enforcing matches. +>> * `CREATION_FAILED` — Provisioning failed. `StatusMessage` contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule . +>> + +>> +>> For rules that do not require asynchronous provisioning, this field may be absent. +>> +>> Constraints: +>> +>> * max: `32` +>> + +> +> StatusMessage -> (string) +> +>> An additional message about the rule’s lifecycle state. Populated when `Status` is `CREATION_FAILED` to describe why provisioning failed. +>> +>> Constraints: +>> +>> * max: `1024` +>> + @@ -862 +943 @@ FirewallRule -> (structure) - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) »