AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-06-19 · Documentation low

File: cli/latest/reference/route53resolver/update-firewall-rule.md

Summary

Updated documentation for DNS Firewall Advanced rules including new rule types (DICTIONARY_DGA), partner threat protection, lifecycle states, and clarified rule configuration constraints.

Security assessment

The changes enhance documentation of security features like new threat detection types (DICTIONARY_DGA) and partner threat feeds, but don't address a specific vulnerability. They improve clarity on security configurations without evidence of patching a security flaw.

Diff

diff --git a/cli/latest/reference/route53resolver/update-firewall-rule.md b/cli/latest/reference/route53resolver/update-firewall-rule.md
index e21c2818d..b35e4363e 100644
--- a//cli/latest/reference/route53resolver/update-firewall-rule.md
+++ b//cli/latest/reference/route53resolver/update-firewall-rule.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.8 Command Reference](../../index.html) »
@@ -60 +60 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-Updates the specified firewall rule.
+Updates the specified firewall rule. The rule’s `FirewallRuleType` , `FirewallDomainListId` , and top-level `DnsThreatProtection` match source cannot be changed after creation. Rules whose `Status` is `CREATING` or `CREATION_FAILED` cannot be updated; remove a failed rule with DeleteFirewallRule .
@@ -275 +275 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
-> The type of the DNS Firewall Advanced rule. Valid values are:
+> The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with `FirewallDomainListId` and `FirewallRuleType` . Valid values are:
@@ -277 +277 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks.
+>   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
@@ -278,0 +279 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
+>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -310 +311,25 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
-> The rule type configuration for the firewall rule. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields.
+> The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level `FirewallDomainListId` and `DnsThreatProtection` fields. Use one of:
+> 
+>   * `FirewallAdvancedContentCategory` — match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ).
+>   * `FirewallAdvancedThreatCategory` — match an AWS-managed advanced threat category (for example, `PHISHING` ).
+>   * `DnsThreatProtection` — match a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ).
+>   * `PartnerThreatProtection` — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
+> 
+
+> 
+> To enumerate the values supported in your account, call ListFirewallRuleTypes .
+> 
+> PartnerThreatProtection -> (structure)
+>
+>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig .
+>> 
+>> Partner -> (string) [required]
+>>
+>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `128`
+>>> 
+
@@ -314 +339 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->> The configuration for a content category-based filtering rule.
+>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig .
@@ -329 +354 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->> The configuration for a threat category-based filtering rule.
+>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig .
@@ -344 +369 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection.
+>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig .
@@ -352 +377 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
->>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -384 +409 @@ Shorthand Syntax:
-    FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string}
+    PartnerThreatProtection={Partner=string},FirewallAdvancedContentCategory={Category=string},FirewallAdvancedThreatCategory={Category=string},DnsThreatProtection={Value=string,ConfidenceThreshold=string}
@@ -390,0 +416,3 @@ JSON Syntax:
+      "PartnerThreatProtection": {
+        "Partner": "string"
+      },
@@ -748 +776 @@ FirewallRule -> (structure)
->>   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks.
+>>   * `DGA` : Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
@@ -749,0 +778 @@ FirewallRule -> (structure)
+>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -781 +810,25 @@ FirewallRule -> (structure)
->> The rule type configuration for the firewall rule. Exactly one member of this union should be set.
+>> The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
+>> 
+>>   * `FirewallAdvancedContentCategory` — an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ).
+>>   * `FirewallAdvancedThreatCategory` — an AWS-managed advanced threat category (for example, `PHISHING` ).
+>>   * `DnsThreatProtection` — a built-in DNS Firewall Advanced threat detector (`DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` ).
+>>   * `PartnerThreatProtection` — a third-party threat feed delivered through AWS Marketplace.
+>> 
+
+>> 
+>> To enumerate the values supported in your account, call ListFirewallRuleTypes .
+>> 
+>> PartnerThreatProtection -> (structure)
+>>
+>>> Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in `Partner` ; if the subscription is missing or revoked, the rule is created with `Status` `CREATION_FAILED` and cannot be modified — only deleted. See PartnerThreatProtectionConfig .
+>>> 
+>>> Partner -> (string) [required]
+>>>
+>>>> The identifier of the partner threat-protection product, exactly as returned in the `Value` field of a FirewallRuleTypeDefinition with `RuleType` set to `PartnerThreatProtection` . The calling account must hold an active AWS Marketplace subscription to this product.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `128`
+>>>> 
+
@@ -785 +838 @@ FirewallRule -> (structure)
->>> The configuration for a content category-based filtering rule.
+>>> Configures the rule to match an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH` ). See FirewallAdvancedContentCategoryConfig .
@@ -800 +853 @@ FirewallRule -> (structure)
->>> The configuration for a threat category-based filtering rule.
+>>> Configures the rule to match an AWS-managed advanced threat category (for example, `PHISHING` ). See FirewallAdvancedThreatCategoryConfig .
@@ -815 +868 @@ FirewallRule -> (structure)
->>> The configuration for a DNS threat protection rule type, such as DGA or DNS tunneling detection.
+>>> Configures the rule to match a built-in DNS Firewall Advanced threat detector — `DGA` , `DNS_TUNNELING` , or `DICTIONARY_DGA` . See DnsThreatProtectionRuleTypeConfig .
@@ -823 +876 @@ FirewallRule -> (structure)
->>>>   * `DICT_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+>>>>   * `DICTIONARY_DGA` : Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
@@ -850,0 +904,28 @@ FirewallRule -> (structure)
+> 
+> Status -> (string)
+>
+>> The lifecycle state of the firewall rule. Possible values:
+>> 
+>>   * `CREATING` — DNS Firewall is provisioning the rule. Rules created with the `PartnerThreatProtection` rule type begin in this state while DNS Firewall verifies the calling account’s AWS Marketplace entitlement.
+>>   * `COMPLETE` — The rule is provisioned and enforcing matches.
+>>   * `CREATION_FAILED` — Provisioning failed. `StatusMessage` contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule .
+>> 
+
+>> 
+>> For rules that do not require asynchronous provisioning, this field may be absent.
+>> 
+>> Constraints:
+>> 
+>>   * max: `32`
+>> 
+
+> 
+> StatusMessage -> (string)
+>
+>> An additional message about the rule’s lifecycle state. Populated when `Status` is `CREATION_FAILED` to describe why provisioning failed.
+>> 
+>> Constraints:
+>> 
+>>   * max: `1024`
+>> 
+
@@ -862 +943 @@ FirewallRule -> (structure)
-  * [AWS CLI 2.35.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.8 Command Reference](../../index.html) »