Amazon Route 53 Resolver

2021/04/01 - Amazon Route 53 Resolver - 25 new api methods

Changes: Route 53 Resolver DNS Firewall is a firewall service that allows you to filter and regulate outbound DNS traffic for your VPCs.

GetFirewallRuleGroupPolicy (new)

Returns the AWS Identity and Access Management (AWS IAM) policy for sharing the specified rule group. You can use the policy to share the rule group using AWS Resource Access Manager (RAM).

See also: AWS API Documentation

Request Syntax

client.get_firewall_rule_group_policy(
    Arn='string'
)
type Arn:

string

param Arn:

[REQUIRED]

The ARN (Amazon Resource Name) for the rule group.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRuleGroupPolicy': 'string'
}

Response Structure

  • (dict) --

    • FirewallRuleGroupPolicy (string) --

      The AWS Identity and Access Management (AWS IAM) policy for sharing the specified rule group. You can use the policy to share the rule group using AWS Resource Access Manager (RAM).

CreateFirewallRule (new)

Creates a single DNS Firewall rule in the specified rule group, using the specified domain list.

See also: AWS API Documentation

Request Syntax

client.create_firewall_rule(
    CreatorRequestId='string',
    FirewallRuleGroupId='string',
    FirewallDomainListId='string',
    Priority=123,
    Action='ALLOW'|'BLOCK'|'ALERT',
    BlockResponse='NODATA'|'NXDOMAIN'|'OVERRIDE',
    BlockOverrideDomain='string',
    BlockOverrideDnsType='CNAME',
    BlockOverrideTtl=123,
    Name='string'
)
type CreatorRequestId:

string

param CreatorRequestId:

[REQUIRED]

A unique string that identifies the request and that allows you to retry failed requests without the risk of executing the operation twice. CreatorRequestId can be any unique string, for example, a date/time stamp.

This field is autopopulated if not provided.

type FirewallRuleGroupId:

string

param FirewallRuleGroupId:

[REQUIRED]

The unique identifier of the firewall rule group where you want to create the rule.

type FirewallDomainListId:

string

param FirewallDomainListId:

[REQUIRED]

The ID of the domain list that you want to use in the rule.

type Priority:

integer

param Priority:

[REQUIRED]

The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

You must specify a unique priority for each rule in a rule group. To make it easier to insert rules later, leave space between the numbers, for example, use 100, 200, and so on. You can change the priority setting for the rules in a rule group at any time.

type Action:

string

param Action:

[REQUIRED]

The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

  • ALLOW - Permit the request to go through.

  • ALERT - Permit the request and send metrics and logs to CloudWatch.

  • BLOCK - Disallow the request. This option requires additional details in the rule's BlockResponse.

type BlockResponse:

string

param BlockResponse:

The way that you want DNS Firewall to block the request, used with the rule action setting BLOCK.

  • NODATA - Respond indicating that the query was successful, but no response is available for it.

  • NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.

  • OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.

This setting is required if the rule action setting is BLOCK.

type BlockOverrideDomain:

string

param BlockOverrideDomain:

The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

This setting is required if the BlockResponse setting is OVERRIDE.

type BlockOverrideDnsType:

string

param BlockOverrideDnsType:

The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

This setting is required if the BlockResponse setting is OVERRIDE.

type BlockOverrideTtl:

integer

param BlockOverrideTtl:

The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

This setting is required if the BlockResponse setting is OVERRIDE.

type Name:

string

param Name:

[REQUIRED]

A name that lets you identify the rule in the rule group.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRule': {
        'FirewallRuleGroupId': 'string',
        'FirewallDomainListId': 'string',
        'Name': 'string',
        'Priority': 123,
        'Action': 'ALLOW'|'BLOCK'|'ALERT',
        'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
        'BlockOverrideDomain': 'string',
        'BlockOverrideDnsType': 'CNAME',
        'BlockOverrideTtl': 123,
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRule (dict) --

      The firewall rule that you just created.

      • FirewallRuleGroupId (string) --

        The unique identifier of the firewall rule group of the rule.

      • FirewallDomainListId (string) --

        The ID of the domain list that's used in the rule.

      • Name (string) --

        The name of the rule.

      • Priority (integer) --

        The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

      • Action (string) --

        The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

        • ALLOW - Permit the request to go through.

        • ALERT - Permit the request to go through but send an alert to the logs.

        • BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.

      • BlockResponse (string) --

        The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.

        • NODATA - Respond indicating that the query was successful, but no response is available for it.

        • NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.

        • OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.

      • BlockOverrideDomain (string) --

        The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • BlockOverrideDnsType (string) --

        The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • BlockOverrideTtl (integer) --

        The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
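The parameter dependencies above (BLOCK requires BlockResponse, OVERRIDE requires the BlockOverride* fields, priorities must be unique and are best spaced apart) are easy to get wrong in automation. The following is an added example, not boto3 or AWS code: it validates a CreateFirewallRule call locally before sending it; the rule group, domain list and sinkhole names are constructed placeholders.

```python
"""Build locally validated CreateFirewallRule parameters.

Added example for this changelog; it is not boto3 or AWS code. It checks
the conditional requirements the CreateFirewallRule reference states
(BLOCK needs BlockResponse; OVERRIDE needs the BlockOverride* fields) and
the unique, gap-spaced priority rule before anything is sent. The IDs and
the sinkhole name in main() are constructed sample values.
"""
from typing import Any, Dict, Iterable, Optional

ACTIONS = {"ALLOW", "ALERT", "BLOCK"}
BLOCK_RESPONSES = {"NODATA", "NXDOMAIN", "OVERRIDE"}
OVERRIDE_DNS_TYPES = {"CNAME"}  # the only BlockOverrideDnsType the reference lists


def next_priority(existing: Iterable[int], gap: int = 100) -> int:
    """Next priority after the highest in use, keeping the recommended spacing.

    The same spacing rule applies to rule group associations on a VPC.
    """
    used = sorted(existing)
    return gap if not used else used[-1] + gap


def build_firewall_rule(
    rule_group_id: str,
    domain_list_id: str,
    name: str,
    action: str,
    existing_priorities: Iterable[int] = (),
    priority: Optional[int] = None,
    block_response: Optional[str] = None,
    override_domain: Optional[str] = None,
    override_dns_type: str = "CNAME",
    override_ttl: Optional[int] = None,
) -> Dict[str, Any]:
    """Return keyword arguments for client.create_firewall_rule.

    CreatorRequestId is left out on purpose: boto3 fills it in when absent.
    Raises ValueError for any combination the API would reject.
    """
    existing = set(existing_priorities)
    if priority is None:
        priority = next_priority(existing)
    if priority in existing:
        raise ValueError(f"priority {priority} is already used in {rule_group_id}")
    if action not in ACTIONS:
        raise ValueError(f"Action must be one of {sorted(ACTIONS)}, got {action!r}")

    params: Dict[str, Any] = {
        "FirewallRuleGroupId": rule_group_id,
        "FirewallDomainListId": domain_list_id,
        "Name": name,
        "Priority": priority,
        "Action": action,
    }
    has_override = override_domain is not None or override_ttl is not None
    if action != "BLOCK":
        # ALLOW and ALERT take no block handling; reject stray settings
        # rather than silently dropping them.
        if block_response is not None or has_override:
            raise ValueError("BlockResponse/BlockOverride* apply only to BLOCK")
        return params

    if block_response not in BLOCK_RESPONSES:
        raise ValueError("BLOCK requires BlockResponse NODATA, NXDOMAIN or OVERRIDE")
    params["BlockResponse"] = block_response
    if block_response != "OVERRIDE":
        if has_override:
            raise ValueError("BlockOverride* settings require BlockResponse OVERRIDE")
        return params

    if not override_domain or override_ttl is None:
        raise ValueError("OVERRIDE requires BlockOverrideDomain and BlockOverrideTtl")
    if override_dns_type not in OVERRIDE_DNS_TYPES:
        raise ValueError(f"unsupported BlockOverrideDnsType {override_dns_type!r}")
    if override_ttl < 0:
        raise ValueError("BlockOverrideTtl must be a non-negative number of seconds")
    params.update({
        "BlockOverrideDomain": override_domain,
        "BlockOverrideDnsType": override_dns_type,
        "BlockOverrideTtl": override_ttl,
    })
    return params


def create_rule(client, **kwargs) -> Dict[str, Any]:
    """Validate, then call CreateFirewallRule; returns the FirewallRule dict."""
    return client.create_firewall_rule(**build_firewall_rule(**kwargs))["FirewallRule"]


if __name__ == "__main__":
    import boto3  # only needed for the live call

    client = boto3.client("route53resolver")
    rule = create_rule(
        client,
        rule_group_id="rslvr-frg-EXAMPLE",    # constructed placeholder ID
        domain_list_id="rslvr-fdl-EXAMPLE",   # constructed placeholder ID
        name="sinkhole-known-bad",
        action="BLOCK",
        block_response="OVERRIDE",
        override_domain="sinkhole.example.internal",  # constructed name
        override_ttl=60,
        existing_priorities=[100, 200],
    )
    print(rule["Name"], rule["Priority"])
```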

DeleteFirewallRuleGroup (new)

Deletes the specified firewall rule group.

See also: AWS API Documentation

Request Syntax

client.delete_firewall_rule_group(
    FirewallRuleGroupId='string'
)
type FirewallRuleGroupId:

string

param FirewallRuleGroupId:

[REQUIRED]

The unique identifier of the firewall rule group that you want to delete.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRuleGroup': {
        'Id': 'string',
        'Arn': 'string',
        'Name': 'string',
        'RuleCount': 123,
        'Status': 'COMPLETE'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'OwnerId': 'string',
        'CreatorRequestId': 'string',
        'ShareStatus': 'NOT_SHARED'|'SHARED_WITH_ME'|'SHARED_BY_ME',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRuleGroup (dict) --

      A collection of rules used to filter DNS network traffic.

      • Id (string) --

        The ID of the rule group.

      • Arn (string) --

        The ARN (Amazon Resource Name) of the rule group.

      • Name (string) --

        The name of the rule group.

      • RuleCount (integer) --

        The number of rules in the rule group.

      • Status (string) --

        The status of the domain list.

      • StatusMessage (string) --

        Additional information about the status of the rule group, if available.

      • OwnerId (string) --

        The AWS account ID for the account that created the rule group. When a rule group is shared with your account, this is the account that has shared the rule group with you.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • ShareStatus (string) --

        Whether the rule group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM).

      • CreationTime (string) --

        The date and time that the rule group was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the rule group was last modified, in Unix time format and Coordinated Universal Time (UTC).

ListFirewallRuleGroupAssociations (new)

Retrieves the firewall rule group associations that you have defined. Each association enables DNS filtering for a VPC with one rule group.

A single call might return only a partial list of the associations. For information, see MaxResults.

See also: AWS API Documentation

Request Syntax

client.list_firewall_rule_group_associations(
    FirewallRuleGroupId='string',
    VpcId='string',
    Priority=123,
    Status='COMPLETE'|'DELETING'|'UPDATING',
    MaxResults=123,
    NextToken='string'
)
type FirewallRuleGroupId:

string

param FirewallRuleGroupId:

The unique identifier of the firewall rule group that you want to retrieve the associations for. Leave this blank to retrieve associations for any rule group.

type VpcId:

string

param VpcId:

The unique identifier of the VPC that you want to retrieve the associations for. Leave this blank to retrieve associations for any VPC.

type Priority:

integer

param Priority:

The setting that determines the processing order of the rule group among the rule groups that are associated with a single VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

type Status:

string

param Status:

The association Status setting that you want DNS Firewall to filter on for the list. If you don't specify this, then DNS Firewall returns all associations, regardless of status.

type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Resolver to return for this request. If more objects are available, in the response, Resolver provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

If you don't specify a value for MaxResults, Resolver returns up to 100 objects.

type NextToken:

string

param NextToken:

For the first call to this list request, omit this value.

When you request a list of objects, Resolver returns at most the number of objects specified in MaxResults. If more objects are available for retrieval, Resolver returns a NextToken value in the response. To retrieve the next batch of objects, use the token that was returned for the prior request in your next request.

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'FirewallRuleGroupAssociations': [
        {
            'Id': 'string',
            'Arn': 'string',
            'FirewallRuleGroupId': 'string',
            'VpcId': 'string',
            'Name': 'string',
            'Priority': 123,
            'MutationProtection': 'ENABLED'|'DISABLED',
            'ManagedOwnerName': 'string',
            'Status': 'COMPLETE'|'DELETING'|'UPDATING',
            'StatusMessage': 'string',
            'CreatorRequestId': 'string',
            'CreationTime': 'string',
            'ModificationTime': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      If objects are still available for retrieval, Resolver returns this token in the response. To retrieve the next batch of objects, provide this token in your next request.

    • FirewallRuleGroupAssociations (list) --

      A list of your firewall rule group associations.

      This might be a partial list of the associations that you have defined. For information, see MaxResults.

      • (dict) --

        An association between a firewall rule group and a VPC, which enables DNS filtering for the VPC.

        • Id (string) --

          The identifier for the association.

        • Arn (string) --

          The Amazon Resource Name (ARN) of the firewall rule group association.

        • FirewallRuleGroupId (string) --

          The unique identifier of the firewall rule group.

        • VpcId (string) --

          The unique identifier of the VPC that is associated with the rule group.

        • Name (string) --

          The name of the association.

        • Priority (integer) --

          The setting that determines the processing order of the rule group among the rule groups that are associated with a single VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

        • MutationProtection (string) --

          If enabled, this setting disallows modification or removal of the association, to help prevent accidental changes to DNS Firewall protections.

        • ManagedOwnerName (string) --

          The owner of the association, used only for associations that are not managed by you. If you use AWS Firewall Manager to manage your DNS Firewalls, then this reports Firewall Manager as the managed owner.

        • Status (string) --

          The current status of the association.

        • StatusMessage (string) --

          Additional information about the status of the response, if available.

        • CreatorRequestId (string) --

          A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

        • CreationTime (string) --

          The date and time that the association was created, in Unix time format and Coordinated Universal Time (UTC).

        • ModificationTime (string) --

          The date and time that the association was last modified, in Unix time format and Coordinated Universal Time (UTC).

DeleteFirewallDomainList (new)

Deletes the specified domain list.

See also: AWS API Documentation

Request Syntax

client.delete_firewall_domain_list(
    FirewallDomainListId='string'
)
type FirewallDomainListId:

string

param FirewallDomainListId:

[REQUIRED]

The ID of the domain list that you want to delete.

rtype:

dict

returns:

Response Syntax

{
    'FirewallDomainList': {
        'Id': 'string',
        'Arn': 'string',
        'Name': 'string',
        'DomainCount': 123,
        'Status': 'COMPLETE'|'COMPLETE_IMPORT_FAILED'|'IMPORTING'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'ManagedOwnerName': 'string',
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallDomainList (dict) --

      The domain list that you just deleted.

      • Id (string) --

        The ID of the domain list.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the firewall domain list.

      • Name (string) --

        The name of the domain list.

      • DomainCount (integer) --

        The number of domain names that are specified in the domain list.

      • Status (string) --

        The status of the domain list.

      • StatusMessage (string) --

        Additional information about the status of the list, if available.

      • ManagedOwnerName (string) --

        The owner of the list, used only for lists that are not managed by you. For example, the managed domain list AWSManagedDomainsMalwareDomainList has the managed owner name Route 53 Resolver DNS Firewall.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the domain list was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the domain list was last modified, in Unix time format and Coordinated Universal Time (UTC).

GetFirewallConfig (new)

Retrieves the configuration of the firewall behavior provided by DNS Firewall for a single Amazon virtual private cloud (VPC).

See also: AWS API Documentation

Request Syntax

client.get_firewall_config(
    ResourceId='string'
)
type ResourceId:

string

param ResourceId:

[REQUIRED]

The ID of the Amazon virtual private cloud (VPC) that the configuration is for.

rtype:

dict

returns:

Response Syntax

{
    'FirewallConfig': {
        'Id': 'string',
        'ResourceId': 'string',
        'OwnerId': 'string',
        'FirewallFailOpen': 'ENABLED'|'DISABLED'
    }
}

Response Structure

  • (dict) --

    • FirewallConfig (dict) --

      Configuration of the firewall behavior provided by DNS Firewall for a single Amazon virtual private cloud (VPC).

      • Id (string) --

        The Id of the firewall configuration.

      • ResourceId (string) --

        The ID of the VPC that this firewall configuration applies to.

      • OwnerId (string) --

        The AWS account ID of the owner of the VPC that this firewall configuration applies to.

      • FirewallFailOpen (string) --

        Determines how DNS Firewall operates during failures, for example when all traffic that is sent to DNS Firewall fails to receive a reply.

        • By default, fail open is disabled, which means the failure mode is closed. This approach favors security over availability. DNS Firewall returns a failure error when it is unable to properly evaluate a query.

        • If you enable this option, the failure mode is open. This approach favors availability over security. DNS Firewall allows queries to proceed if it is unable to properly evaluate them.

        This behavior is only enforced for VPCs that have at least one DNS Firewall rule group association.
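The two reads above, ListFirewallRuleGroupAssociations (paged with NextToken) and GetFirewallConfig (FirewallFailOpen), are what a reviewer combines to judge a VPC's DNS filtering posture. The following is an added example, not boto3 or AWS code: it pages through the associations, then reports evaluation order, associations without MutationProtection, associations not yet COMPLETE, and whether the VPC fails open. FakeResolverClient and the SAMPLE_* rows are constructed stand-ins so it runs offline; a real boto3 route53resolver client can be passed in their place.

```python
"""Audit the DNS Firewall posture of one VPC.

Added example, not code from the boto3 documentation. It pages through
ListFirewallRuleGroupAssociations using NextToken as the reference
describes, reads GetFirewallConfig, and reports what a reviewer looks for.
FakeResolverClient and the SAMPLE_* data are constructed so the audit runs
offline; any boto3 route53resolver client can be passed instead.
"""
from typing import Any, Dict, List


def list_all_associations(client, vpc_id: str, page_size: int = 2) -> List[Dict[str, Any]]:
    """Follow NextToken until Resolver stops returning one."""
    found: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {"VpcId": vpc_id, "MaxResults": page_size}
    while True:
        page = client.list_firewall_rule_group_associations(**kwargs)
        found.extend(page.get("FirewallRuleGroupAssociations", []))
        token = page.get("NextToken")
        if not token:
            return found
        kwargs["NextToken"] = token  # omitted on the first call, as documented


def audit_vpc(client, vpc_id: str) -> Dict[str, Any]:
    """Summarise the filtering posture of vpc_id as plain data."""
    assocs = sorted(list_all_associations(client, vpc_id), key=lambda a: a["Priority"])
    config = client.get_firewall_config(ResourceId=vpc_id)["FirewallConfig"]
    return {
        "vpc_id": vpc_id,
        "association_count": len(assocs),
        # the lowest numeric priority is evaluated first
        "evaluation_order": [a["FirewallRuleGroupId"] for a in assocs],
        "unprotected": [a["Id"] for a in assocs if a.get("MutationProtection") != "ENABLED"],
        "not_complete": [a["Id"] for a in assocs if a.get("Status") != "COMPLETE"],
        # fail-open favours availability over security; the setting only
        # takes effect once the VPC has an association, so report both facts
        "fail_open": config.get("FirewallFailOpen") == "ENABLED",
        "filtering_active": bool(assocs),
    }


class FakeResolverClient:
    """Constructed offline stand-in for boto3's client. Its NextToken is a
    plain offset; the real token is opaque and must be passed back unchanged."""

    def __init__(self, associations: List[Dict[str, Any]], fail_open: str):
        self._rows = associations
        self._fail_open = fail_open

    def list_firewall_rule_group_associations(self, VpcId=None, MaxResults=100,
                                              NextToken=None, **_):
        rows = [a for a in self._rows if VpcId is None or a["VpcId"] == VpcId]
        start = int(NextToken) if NextToken else 0
        resp = {"FirewallRuleGroupAssociations": rows[start:start + MaxResults]}
        if start + MaxResults < len(rows):
            resp["NextToken"] = str(start + MaxResults)
        return resp

    def get_firewall_config(self, ResourceId):
        return {"FirewallConfig": {"Id": "rslvr-fc-EXAMPLE", "ResourceId": ResourceId,
                                   "OwnerId": "111122223333",
                                   "FirewallFailOpen": self._fail_open}}


SAMPLE_VPC = "vpc-0123456789abcdef0"  # constructed
SAMPLE_ASSOCIATIONS = [  # constructed rows in the ListFirewallRuleGroupAssociations shape
    {"Id": "rslvr-frgassoc-a1", "FirewallRuleGroupId": "rslvr-frg-block", "VpcId": SAMPLE_VPC,
     "Name": "block-malware", "Priority": 101, "MutationProtection": "ENABLED", "Status": "COMPLETE"},
    {"Id": "rslvr-frgassoc-b2", "FirewallRuleGroupId": "rslvr-frg-allow", "VpcId": SAMPLE_VPC,
     "Name": "allow-corp", "Priority": 100, "MutationProtection": "DISABLED", "Status": "COMPLETE"},
    {"Id": "rslvr-frgassoc-c3", "FirewallRuleGroupId": "rslvr-frg-alert", "VpcId": SAMPLE_VPC,
     "Name": "alert-new", "Priority": 200, "MutationProtection": "DISABLED", "Status": "UPDATING"},
    {"Id": "rslvr-frgassoc-d4", "FirewallRuleGroupId": "rslvr-frg-other", "VpcId": "vpc-other",
     "Name": "other-vpc", "Priority": 100, "MutationProtection": "ENABLED", "Status": "COMPLETE"},
]


def sample_report() -> Dict[str, Any]:
    """Run the audit against the constructed data (three rows, two pages)."""
    return audit_vpc(FakeResolverClient(SAMPLE_ASSOCIATIONS, "ENABLED"), SAMPLE_VPC)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```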

CreateFirewallRuleGroup (new)

Creates an empty DNS Firewall rule group for filtering DNS network traffic in a VPC. You can add rules to the new rule group by calling CreateFirewallRule.

See also: AWS API Documentation

Request Syntax

client.create_firewall_rule_group(
    CreatorRequestId='string',
    Name='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type CreatorRequestId:

string

param CreatorRequestId:

[REQUIRED]

A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

This field is autopopulated if not provided.

type Name:

string

param Name:

[REQUIRED]

A name that lets you identify the rule group, to manage and use it.

type Tags:

list

param Tags:

A list of the tag keys and values that you want to associate with the rule group.

  • (dict) --

    One tag that you want to add to the specified resource. A tag consists of a Key (a name for the tag) and a Value.

    • Key (string) -- [REQUIRED]

      The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of Key might be account-id.

    • Value (string) -- [REQUIRED]

      The value for the tag. For example, if Key is account-id, then Value might be the ID of the customer account that you're creating the resource for.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRuleGroup': {
        'Id': 'string',
        'Arn': 'string',
        'Name': 'string',
        'RuleCount': 123,
        'Status': 'COMPLETE'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'OwnerId': 'string',
        'CreatorRequestId': 'string',
        'ShareStatus': 'NOT_SHARED'|'SHARED_WITH_ME'|'SHARED_BY_ME',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRuleGroup (dict) --

      A collection of rules used to filter DNS network traffic.

      • Id (string) --

        The ID of the rule group.

      • Arn (string) --

        The ARN (Amazon Resource Name) of the rule group.

      • Name (string) --

        The name of the rule group.

      • RuleCount (integer) --

        The number of rules in the rule group.

      • Status (string) --

        The status of the domain list.

      • StatusMessage (string) --

        Additional information about the status of the rule group, if available.

      • OwnerId (string) --

        The AWS account ID for the account that created the rule group. When a rule group is shared with your account, this is the account that has shared the rule group with you.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • ShareStatus (string) --

        Whether the rule group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM).

      • CreationTime (string) --

        The date and time that the rule group was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the rule group was last modified, in Unix time format and Coordinated Universal Time (UTC).

ListFirewallRuleGroups (new)

Retrieves the minimal high-level information for the rule groups that you have defined.

A single call might return only a partial list of the rule groups. For information, see MaxResults.

See also: AWS API Documentation

Request Syntax

client.list_firewall_rule_groups(
    MaxResults=123,
    NextToken='string'
)
type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Resolver to return for this request. If more objects are available, in the response, Resolver provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

If you don't specify a value for MaxResults, Resolver returns up to 100 objects.

type NextToken:

string

param NextToken:

For the first call to this list request, omit this value.

When you request a list of objects, Resolver returns at most the number of objects specified in MaxResults. If more objects are available for retrieval, Resolver returns a NextToken value in the response. To retrieve the next batch of objects, use the token that was returned for the prior request in your next request.

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'FirewallRuleGroups': [
        {
            'Id': 'string',
            'Arn': 'string',
            'Name': 'string',
            'OwnerId': 'string',
            'CreatorRequestId': 'string',
            'ShareStatus': 'NOT_SHARED'|'SHARED_WITH_ME'|'SHARED_BY_ME'
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      If objects are still available for retrieval, Resolver returns this token in the response. To retrieve the next batch of objects, provide this token in your next request.

    • FirewallRuleGroups (list) --

      A list of your firewall rule groups.

      This might be a partial list of the rule groups that you have defined. For information, see MaxResults.

      • (dict) --

        Minimal high-level information for a firewall rule group. The action ListFirewallRuleGroups returns an array of these objects.

        To retrieve full information for a firewall rule group, call GetFirewallRuleGroup and ListFirewallRules.

        • Id (string) --

          The ID of the rule group.

        • Arn (string) --

          The ARN (Amazon Resource Name) of the rule group.

        • Name (string) --

          The name of the rule group.

        • OwnerId (string) --

          The AWS account ID for the account that created the rule group. When a rule group is shared with your account, this is the account that has shared the rule group with you.

        • CreatorRequestId (string) --

          A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

        • ShareStatus (string) --

          Whether the rule group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM).

PutFirewallRuleGroupPolicy (new)

Attaches an AWS Identity and Access Management (AWS IAM) policy for sharing the rule group. You can use the policy to share the rule group using AWS Resource Access Manager (RAM).

See also: AWS API Documentation

Request Syntax

client.put_firewall_rule_group_policy(
    Arn='string',
    FirewallRuleGroupPolicy='string'
)
type Arn:

string

param Arn:

[REQUIRED]

The ARN (Amazon Resource Name) for the rule group that you want to share.

type FirewallRuleGroupPolicy:

string

param FirewallRuleGroupPolicy:

[REQUIRED]

The AWS Identity and Access Management (AWS IAM) policy to attach to the rule group.

rtype:

dict

returns:

Response Syntax

{
    'ReturnValue': True|False
}

Response Structure

  • (dict) --

    • ReturnValue (boolean) --

UpdateFirewallRuleGroupAssociation (new)

Changes the association of a FirewallRuleGroup with a VPC. The association enables DNS filtering for the VPC.

See also: AWS API Documentation

Request Syntax

client.update_firewall_rule_group_association(
    FirewallRuleGroupAssociationId='string',
    Priority=123,
    MutationProtection='ENABLED'|'DISABLED',
    Name='string'
)
type FirewallRuleGroupAssociationId:

string

param FirewallRuleGroupAssociationId:

[REQUIRED]

The identifier of the FirewallRuleGroupAssociation.

type Priority:

integer

param Priority:

The setting that determines the processing order of the rule group among the rule groups that you associate with the specified VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

You must specify a unique priority for each rule group that you associate with a single VPC. To make it easier to insert rule groups later, leave space between the numbers, for example, use 100, 200, and so on. You can change the priority setting for a rule group association after you create it.

type MutationProtection:

string

param MutationProtection:

If enabled, this setting disallows modification or removal of the association, to help prevent accidental changes to DNS Firewall protections.

type Name:

string

param Name:

The name of the rule group association.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRuleGroupAssociation': {
        'Id': 'string',
        'Arn': 'string',
        'FirewallRuleGroupId': 'string',
        'VpcId': 'string',
        'Name': 'string',
        'Priority': 123,
        'MutationProtection': 'ENABLED'|'DISABLED',
        'ManagedOwnerName': 'string',
        'Status': 'COMPLETE'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRuleGroupAssociation (dict) --

      The association that you just updated.

      • Id (string) --

        The identifier for the association.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the firewall rule group association.

      • FirewallRuleGroupId (string) --

        The unique identifier of the firewall rule group.

      • VpcId (string) --

        The unique identifier of the VPC that is associated with the rule group.

      • Name (string) --

        The name of the association.

      • Priority (integer) --

        The setting that determines the processing order of the rule group among the rule groups that are associated with a single VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

      • MutationProtection (string) --

        If enabled, this setting disallows modification or removal of the association, to help prevent accidental changes to DNS Firewall protections.

      • ManagedOwnerName (string) --

        The owner of the association, used only for associations that are not managed by you. If you use AWS Firewall Manager to manage your DNS Firewalls, then this reports Firewall Manager as the managed owner.

      • Status (string) --

        The current status of the association.

      • StatusMessage (string) --

        Additional information about the status of the response, if available.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the association was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the association was last modified, in Unix time format and Coordinated Universal Time (UTC).

DisassociateFirewallRuleGroup (new)

Disassociates a FirewallRuleGroup from a VPC, to remove DNS filtering from the VPC.

See also: AWS API Documentation

Request Syntax

client.disassociate_firewall_rule_group(
    FirewallRuleGroupAssociationId='string'
)
type FirewallRuleGroupAssociationId:

string

param FirewallRuleGroupAssociationId:

[REQUIRED]

The identifier of the FirewallRuleGroupAssociation.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRuleGroupAssociation': {
        'Id': 'string',
        'Arn': 'string',
        'FirewallRuleGroupId': 'string',
        'VpcId': 'string',
        'Name': 'string',
        'Priority': 123,
        'MutationProtection': 'ENABLED'|'DISABLED',
        'ManagedOwnerName': 'string',
        'Status': 'COMPLETE'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRuleGroupAssociation (dict) --

      The firewall rule group association that you just removed.

      • Id (string) --

        The identifier for the association.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the firewall rule group association.

      • FirewallRuleGroupId (string) --

        The unique identifier of the firewall rule group.

      • VpcId (string) --

        The unique identifier of the VPC that is associated with the rule group.

      • Name (string) --

        The name of the association.

      • Priority (integer) --

        The setting that determines the processing order of the rule group among the rule groups that are associated with a single VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

      • MutationProtection (string) --

        If enabled, this setting disallows modification or removal of the association, to help prevent accidental changes to DNS Firewall protections.

      • ManagedOwnerName (string) --

        The owner of the association, used only for associations that are not managed by you. If you use AWS Firewall Manager to manage your DNS Firewalls, then this reports Firewall Manager as the managed owner.

      • Status (string) --

        The current status of the association.

      • StatusMessage (string) --

        Additional information about the status of the response, if available.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the association was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the association was last modified, in Unix time format and Coordinated Universal Time (UTC).

ImportFirewallDomains (new)

Imports domain names from a file into a domain list, for use in a DNS firewall rule group.

Each domain specification in your domain list must satisfy the following requirements:

  • It can optionally start with * (asterisk).

  • With the exception of the optional starting asterisk, it must only contain the following characters: A-Z, a-z, 0-9, - (hyphen).

  • It must be from 1-255 characters in length.

See also: AWS API Documentation

Request Syntax

client.import_firewall_domains(
    FirewallDomainListId='string',
    Operation='REPLACE',
    DomainFileUrl='string'
)
type FirewallDomainListId:

string

param FirewallDomainListId:

[REQUIRED]

The ID of the domain list that you want to modify with the import operation.

type Operation:

string

param Operation:

[REQUIRED]

What you want DNS Firewall to do with the domains that are listed in the file. This must be set to REPLACE, which updates the domain list to exactly match the list in the file.

type DomainFileUrl:

string

param DomainFileUrl:

[REQUIRED]

The fully qualified URL or URI of the file stored in Amazon Simple Storage Service (S3) that contains the list of domains to import.

The file must be in an S3 bucket that's in the same Region as your DNS Firewall. The file must be a text file and must contain a single domain per line.

rtype:

dict

returns:

Response Syntax

{
    'Id': 'string',
    'Name': 'string',
    'Status': 'COMPLETE'|'COMPLETE_IMPORT_FAILED'|'IMPORTING'|'DELETING'|'UPDATING',
    'StatusMessage': 'string'
}

Response Structure

  • (dict) --

    • Id (string) --

      The Id of the firewall domain list that DNS Firewall just updated.

    • Name (string) --

      The name of the domain list.

    • Status (string) --

    • StatusMessage (string) --

      Additional information about the status of the list, if available.

GetFirewallRuleGroupAssociation (new)

Retrieves a firewall rule group association, which enables DNS filtering for a VPC with one rule group. A VPC can have more than one firewall rule group association, and a rule group can be associated with more than one VPC.

See also: AWS API Documentation

Request Syntax

client.get_firewall_rule_group_association(
    FirewallRuleGroupAssociationId='string'
)
type FirewallRuleGroupAssociationId:

string

param FirewallRuleGroupAssociationId:

[REQUIRED]

The identifier of the FirewallRuleGroupAssociation.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRuleGroupAssociation': {
        'Id': 'string',
        'Arn': 'string',
        'FirewallRuleGroupId': 'string',
        'VpcId': 'string',
        'Name': 'string',
        'Priority': 123,
        'MutationProtection': 'ENABLED'|'DISABLED',
        'ManagedOwnerName': 'string',
        'Status': 'COMPLETE'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRuleGroupAssociation (dict) --

      The association that you requested.

      • Id (string) --

        The identifier for the association.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the firewall rule group association.

      • FirewallRuleGroupId (string) --

        The unique identifier of the firewall rule group.

      • VpcId (string) --

        The unique identifier of the VPC that is associated with the rule group.

      • Name (string) --

        The name of the association.

      • Priority (integer) --

        The setting that determines the processing order of the rule group among the rule groups that are associated with a single VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

      • MutationProtection (string) --

        If enabled, this setting disallows modification or removal of the association, to help prevent accidental changes to DNS Firewall protections.

      • ManagedOwnerName (string) --

        The owner of the association, used only for associations that are not managed by you. If you use AWS Firewall Manager to manage your DNS Firewalls, then this reports Firewall Manager as the managed owner.

      • Status (string) --

        The current status of the association.

      • StatusMessage (string) --

        Additional information about the status of the response, if available.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the association was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the association was last modified, in Unix time format and Coordinated Universal Time (UTC).

ListFirewallConfigs (new)

Retrieves the firewall configurations that you have defined. DNS Firewall uses the configurations to manage firewall behavior for your VPCs.

A single call might return only a partial list of the configurations. For information, see MaxResults.

See also: AWS API Documentation

Request Syntax

client.list_firewall_configs(
    MaxResults=123,
    NextToken='string'
)
type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Resolver to return for this request. If more objects are available, in the response, Resolver provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

If you don't specify a value for MaxResults, Resolver returns up to 100 objects.

type NextToken:

string

param NextToken:

For the first call to this list request, omit this value.

When you request a list of objects, Resolver returns at most the number of objects specified in MaxResults. If more objects are available for retrieval, Resolver returns a NextToken value in the response. To retrieve the next batch of objects, use the token that was returned for the prior request in your next request.

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'FirewallConfigs': [
        {
            'Id': 'string',
            'ResourceId': 'string',
            'OwnerId': 'string',
            'FirewallFailOpen': 'ENABLED'|'DISABLED'
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      If objects are still available for retrieval, Resolver returns this token in the response. To retrieve the next batch of objects, provide this token in your next request.

    • FirewallConfigs (list) --

      The configurations for the firewall behavior provided by DNS Firewall for Amazon virtual private clouds (VPC).

      • (dict) --

        Configuration of the firewall behavior provided by DNS Firewall for a single Amazon virtual private cloud (VPC).

        • Id (string) --

          The Id of the firewall configuration.

        • ResourceId (string) --

          The ID of the VPC that this firewall configuration applies to.

        • OwnerId (string) --

          The AWS account ID of the owner of the VPC that this firewall configuration applies to.

        • FirewallFailOpen (string) --

          Determines how DNS Firewall operates during failures, for example when all traffic that is sent to DNS Firewall fails to receive a reply.

          • By default, fail open is disabled, which means the failure mode is closed. This approach favors security over availability. DNS Firewall returns a failure error when it is unable to properly evaluate a query.

          • If you enable this option, the failure mode is open. This approach favors availability over security. DNS Firewall allows queries to proceed if it is unable to properly evaluate them.

          This behavior is only enforced for VPCs that have at least one DNS Firewall rule group association.

ListFirewallRules (new)

Retrieves the firewall rules that you have defined for the specified firewall rule group. DNS Firewall uses the rules in a rule group to filter DNS network traffic for a VPC.

A single call might return only a partial list of the rules. For information, see MaxResults.

See also: AWS API Documentation

Request Syntax

client.list_firewall_rules(
    FirewallRuleGroupId='string',
    Priority=123,
    Action='ALLOW'|'BLOCK'|'ALERT',
    MaxResults=123,
    NextToken='string'
)
type FirewallRuleGroupId:

string

param FirewallRuleGroupId:

[REQUIRED]

The unique identifier of the firewall rule group that you want to retrieve the rules for.

type Priority:

integer

param Priority:

Optional additional filter for the rules to retrieve.

The setting that determines the processing order of the rules in a rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

type Action:

string

param Action:

Optional additional filter for the rules to retrieve.

The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

  • ALLOW - Permit the request to go through.

  • ALERT - Permit the request to go through but send an alert to the logs.

  • BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.

type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Resolver to return for this request. If more objects are available, in the response, Resolver provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

If you don't specify a value for MaxResults, Resolver returns up to 100 objects.

type NextToken:

string

param NextToken:

For the first call to this list request, omit this value.

When you request a list of objects, Resolver returns at most the number of objects specified in MaxResults. If more objects are available for retrieval, Resolver returns a NextToken value in the response. To retrieve the next batch of objects, use the token that was returned for the prior request in your next request.

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'FirewallRules': [
        {
            'FirewallRuleGroupId': 'string',
            'FirewallDomainListId': 'string',
            'Name': 'string',
            'Priority': 123,
            'Action': 'ALLOW'|'BLOCK'|'ALERT',
            'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
            'BlockOverrideDomain': 'string',
            'BlockOverrideDnsType': 'CNAME',
            'BlockOverrideTtl': 123,
            'CreatorRequestId': 'string',
            'CreationTime': 'string',
            'ModificationTime': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      If objects are still available for retrieval, Resolver returns this token in the response. To retrieve the next batch of objects, provide this token in your next request.

    • FirewallRules (list) --

      A list of the rules that you have defined.

      This might be a partial list of the firewall rules that you've defined. For information, see MaxResults.

      • (dict) --

        A single firewall rule in a rule group.

        • FirewallRuleGroupId (string) --

          The unique identifier of the firewall rule group of the rule.

        • FirewallDomainListId (string) --

          The ID of the domain list that's used in the rule.

        • Name (string) --

          The name of the rule.

        • Priority (integer) --

          The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

        • Action (string) --

          The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

          • ALLOW - Permit the request to go through.

          • ALERT - Permit the request to go through but send an alert to the logs.

          • BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.

        • BlockResponse (string) --

          The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.

          • NODATA - Respond indicating that the query was successful, but no response is available for it.

          • NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.

          • OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.

        • BlockOverrideDomain (string) --

          The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

        • BlockOverrideDnsType (string) --

          The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

        • BlockOverrideTtl (integer) --

          The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

        • CreatorRequestId (string) --

          A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

        • CreationTime (string) --

          The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).

        • ModificationTime (string) --

          The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
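The rule fields above carry a few invariants a defender will want to check before trusting a rule group: Priority must be unique within the group and fixes evaluation order, and the BlockResponse and BlockOverride* settings only mean anything for the BLOCK action (OVERRIDE additionally needs all three BlockOverride* values). The following is an added example, not code from the page or from AWS: it pages through ListFirewallRules with NextToken, derives the evaluation order, and reports violations of those invariants. The client class, the rule group ID and the sample rules are constructed so it runs offline; swap in boto3.client("route53resolver") for real use.

```python
"""Audit a DNS Firewall rule group against the invariants stated in the
ListFirewallRules reference. Added example with constructed sample data."""

OVERRIDE_FIELDS = ("BlockOverrideDomain", "BlockOverrideDnsType", "BlockOverrideTtl")
BLOCK_RESPONSES = ("NODATA", "NXDOMAIN", "OVERRIDE")


def iter_firewall_rules(client, rule_group_id, page_size=100):
    """Yield every rule in the group, following NextToken until it is absent."""
    kwargs = {"FirewallRuleGroupId": rule_group_id, "MaxResults": page_size}
    while True:
        page = client.list_firewall_rules(**kwargs)
        yield from page.get("FirewallRules", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def evaluation_order(rules):
    """Rule names in the order DNS Firewall processes them: ascending Priority."""
    return [r["Name"] for r in sorted(rules, key=lambda r: r["Priority"])]


def audit_rules(rules):
    """Return a list of human-readable findings; an empty list means no problems."""
    findings, seen = [], {}
    for r in rules:
        name, prio, action = r["Name"], r["Priority"], r["Action"]
        if prio in seen:  # Priority must be unique within the rule group
            findings.append("%s: Priority %d duplicates rule %s" % (name, prio, seen[prio]))
        seen.setdefault(prio, name)
        if action == "BLOCK":
            resp = r.get("BlockResponse")
            if resp not in BLOCK_RESPONSES:
                findings.append("%s: BLOCK rule has no valid BlockResponse" % name)
            elif resp == "OVERRIDE":
                missing = [f for f in OVERRIDE_FIELDS if r.get(f) is None]
                if missing:
                    findings.append("%s: OVERRIDE rule is missing %s" % (name, ", ".join(missing)))
        elif action in ("ALLOW", "ALERT"):
            if r.get("BlockResponse") or any(r.get(f) is not None for f in OVERRIDE_FIELDS):
                findings.append("%s: Block* settings are only used for action BLOCK" % name)
        else:
            findings.append("%s: unknown Action %r" % (name, action))
    return findings


class FakeRulesClient:
    """Constructed stand-in for a boto3 route53resolver client. It serves the rules
    in pages and uses a plain offset as NextToken (the real token is opaque)."""

    def __init__(self, rules):
        self.rules = rules

    def list_firewall_rules(self, FirewallRuleGroupId, MaxResults=100, NextToken=None, **_):
        start = int(NextToken) if NextToken else 0
        end = start + MaxResults
        page = {"FirewallRules": [dict(r, FirewallRuleGroupId=FirewallRuleGroupId)
                                  for r in self.rules[start:end]]}
        if end < len(self.rules):
            page["NextToken"] = str(end)
        return page


# Constructed sample rules; the domain list ID is a placeholder, not a real resource.
SAMPLE_RULES = [
    {"Name": "allow-corp", "Priority": 100, "Action": "ALLOW",
     "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER"},
    {"Name": "alert-newly-seen", "Priority": 200, "Action": "ALERT",
     "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER"},
    {"Name": "block-malware", "Priority": 300, "Action": "BLOCK", "BlockResponse": "NXDOMAIN",
     "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER"},
    {"Name": "sinkhole", "Priority": 300, "Action": "BLOCK", "BlockResponse": "OVERRIDE",
     "BlockOverrideDomain": "sinkhole.internal.example", "BlockOverrideDnsType": "CNAME",
     "BlockOverrideTtl": 60, "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER"},
    {"Name": "block-broken", "Priority": 400, "Action": "BLOCK", "BlockResponse": "OVERRIDE",
     "BlockOverrideDnsType": "CNAME", "BlockOverrideTtl": 60,
     "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER"},
]

if __name__ == "__main__":
    client = FakeRulesClient(SAMPLE_RULES)  # replace with boto3.client("route53resolver")
    rules = list(iter_firewall_rules(client, "rslvr-frg-PLACEHOLDER", page_size=2))
    print("evaluation order:", evaluation_order(rules))
    for finding in audit_rules(rules):
        print("FINDING:", finding)
```

The audit deliberately pulls every rule rather than using the API's Priority and Action filters, because a duplicate priority only shows up when both rules are in hand.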

ListFirewallDomainLists (new)

Retrieves the firewall domain lists that you have defined. For each firewall domain list, you can retrieve the domains that are defined for a list by calling ListFirewallDomains.

A single call to this list operation might return only a partial list of the domain lists. For information, see MaxResults.

See also: AWS API Documentation

Request Syntax

client.list_firewall_domain_lists(
    MaxResults=123,
    NextToken='string'
)
type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Resolver to return for this request. If more objects are available, in the response, Resolver provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

If you don't specify a value for MaxResults, Resolver returns up to 100 objects.

type NextToken:

string

param NextToken:

For the first call to this list request, omit this value.

When you request a list of objects, Resolver returns at most the number of objects specified in MaxResults. If more objects are available for retrieval, Resolver returns a NextToken value in the response. To retrieve the next batch of objects, use the token that was returned for the prior request in your next request.

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'FirewallDomainLists': [
        {
            'Id': 'string',
            'Arn': 'string',
            'Name': 'string',
            'CreatorRequestId': 'string',
            'ManagedOwnerName': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      If objects are still available for retrieval, Resolver returns this token in the response. To retrieve the next batch of objects, provide this token in your next request.

    • FirewallDomainLists (list) --

      A list of the domain lists that you have defined.

      This might be a partial list of the domain lists that you've defined. For information, see MaxResults.

      • (dict) --

        Minimal high-level information for a firewall domain list. The action ListFirewallDomainLists returns an array of these objects.

        To retrieve full information for a firewall domain list, call GetFirewallDomainList and ListFirewallDomains.

        • Id (string) --

          The ID of the domain list.

        • Arn (string) --

          The Amazon Resource Name (ARN) of the firewall domain list metadata.

        • Name (string) --

          The name of the domain list.

        • CreatorRequestId (string) --

          A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

        • ManagedOwnerName (string) --

          The owner of the list, used only for lists that are not managed by you. For example, the managed domain list AWSManagedDomainsMalwareDomainList has the managed owner name Route 53 Resolver DNS Firewall.

GetFirewallDomainList (new)

Retrieves the specified firewall domain list.

See also: AWS API Documentation

Request Syntax

client.get_firewall_domain_list(
    FirewallDomainListId='string'
)
type FirewallDomainListId:

string

param FirewallDomainListId:

[REQUIRED]

The ID of the domain list.

rtype:

dict

returns:

Response Syntax

{
    'FirewallDomainList': {
        'Id': 'string',
        'Arn': 'string',
        'Name': 'string',
        'DomainCount': 123,
        'Status': 'COMPLETE'|'COMPLETE_IMPORT_FAILED'|'IMPORTING'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'ManagedOwnerName': 'string',
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallDomainList (dict) --

      The domain list that you requested.

      • Id (string) --

        The ID of the domain list.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the firewall domain list.

      • Name (string) --

        The name of the domain list.

      • DomainCount (integer) --

        The number of domain names that are specified in the domain list.

      • Status (string) --

        The status of the domain list.

      • StatusMessage (string) --

        Additional information about the status of the list, if available.

      • ManagedOwnerName (string) --

        The owner of the list, used only for lists that are not managed by you. For example, the managed domain list AWSManagedDomainsMalwareDomainList has the managed owner name Route 53 Resolver DNS Firewall.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the domain list was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the domain list was last modified, in Unix time format and Coordinated Universal Time (UTC).

UpdateFirewallDomains (new)

Updates the firewall domain list from an array of domain specifications.

See also: AWS API Documentation

Request Syntax

client.update_firewall_domains(
    FirewallDomainListId='string',
    Operation='ADD'|'REMOVE'|'REPLACE',
    Domains=[
        'string',
    ]
)
type FirewallDomainListId:

string

param FirewallDomainListId:

[REQUIRED]

The ID of the domain list whose domains you want to update.

type Operation:

string

param Operation:

[REQUIRED]

What you want DNS Firewall to do with the domains that you are providing:

  • ADD - Add the domains to the ones that are already in the domain list.

  • REMOVE - Search the domain list for the domains and remove them from the list.

  • REPLACE - Update the domain list to exactly match the list that you are providing.

type Domains:

list

param Domains:

[REQUIRED]

A list of domains to use in the update operation.

Each domain specification in your domain list must satisfy the following requirements:

  • It can optionally start with * (asterisk).

  • With the exception of the optional starting asterisk, it must only contain the following characters: A-Z, a-z, 0-9, - (hyphen).

  • It must be from 1-255 characters in length.

  • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Id': 'string',
    'Name': 'string',
    'Status': 'COMPLETE'|'COMPLETE_IMPORT_FAILED'|'IMPORTING'|'DELETING'|'UPDATING',
    'StatusMessage': 'string'
}

Response Structure

  • (dict) --

    • Id (string) --

      The Id of the firewall domain list that DNS Firewall just updated.

    • Name (string) --

      The name of the domain list.

    • Status (string) --

    • StatusMessage (string) --

      Additional information about the status of the list, if available.
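Both ImportFirewallDomains and UpdateFirewallDomains state the same domain-specification rules (optional leading asterisk, a restricted character set, 1-255 characters), and both return a Status that may still be IMPORTING or UPDATING, or may end in COMPLETE_IMPORT_FAILED. The following is an added example, not code from the page or from AWS: it validates a one-domain-per-line file locally against those rules, applies the result with UpdateFirewallDomains, and polls GetFirewallDomainList until the list settles. Two assumptions are labelled in the code: the validator admits the "." label separator, which the page's character list omits, and the client class, the list ID and the sample file are constructed so the example runs offline.

```python
"""Validate DNS Firewall domain specifications locally, push them with
UpdateFirewallDomains and wait for the list to leave its transitional status.
Added example; the client at the bottom is a constructed offline stand-in."""
import re
import time

# Requirements quoted from the page: an optional leading "*", then only A-Z, a-z,
# 0-9 and "-", and 1-255 characters in all. The page's character list omits the
# "." label separator that real domain names need; admitting it is an assumption.
_ALLOWED_BODY = re.compile(r"[A-Za-z0-9.-]+")
_TRANSITIONAL = {"IMPORTING", "UPDATING"}  # statuses that still change on their own


def validate_domain_spec(spec):
    """Return None when spec meets the requirements, otherwise a reason string."""
    if not 1 <= len(spec) <= 255:
        return "length must be 1-255 characters"
    body = spec[1:] if spec.startswith("*") else spec  # strip the optional asterisk
    if not _ALLOWED_BODY.fullmatch(body):  # also rejects a bare "*" and a second "*"
        return "only A-Z, a-z, 0-9, '-' (and '.') may follow the optional leading '*'"
    return None


def parse_domain_file(text):
    """Split a one-domain-per-line file into (valid_specs, [(lineno, spec, reason)])."""
    valid, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        spec = raw.strip()
        if not spec:
            continue  # blank line, nothing to validate
        reason = validate_domain_spec(spec)
        if reason:
            errors.append((lineno, spec, reason))
        else:
            valid.append(spec)
    return valid, errors


def update_domain_list(client, list_id, domains, operation="ADD",
                       poll_interval=2.0, max_polls=60):
    """Run UpdateFirewallDomains, then poll GetFirewallDomainList until the list
    leaves IMPORTING/UPDATING. Returns the final Status string."""
    if operation not in ("ADD", "REMOVE", "REPLACE"):
        raise ValueError("Operation must be ADD, REMOVE or REPLACE, got %r" % operation)
    bad = [(d, validate_domain_spec(d)) for d in domains if validate_domain_spec(d)]
    if bad:
        raise ValueError("rejected before the API call: %r" % bad)
    resp = client.update_firewall_domains(
        FirewallDomainListId=list_id, Operation=operation, Domains=list(domains))
    status = resp["Status"]
    for _ in range(max_polls):
        if status not in _TRANSITIONAL:
            break
        time.sleep(poll_interval)
        current = client.get_firewall_domain_list(FirewallDomainListId=list_id)
        status = current["FirewallDomainList"]["Status"]
    if status == "COMPLETE_IMPORT_FAILED":
        raise RuntimeError("domain list %s reports COMPLETE_IMPORT_FAILED" % list_id)
    if status in _TRANSITIONAL:
        raise TimeoutError("domain list %s still %s after polling" % (list_id, status))
    return status


class FakeResolverClient:
    """Constructed stand-in for a boto3 route53resolver client so the example runs
    offline; it mimics only the two calls and the response shapes used above."""

    def __init__(self, final_status="COMPLETE", polls_until_final=2):
        self.final_status, self.polls_until_final = final_status, polls_until_final
        self.domains = []

    def update_firewall_domains(self, FirewallDomainListId, Operation, Domains):
        if Operation == "REPLACE":
            self.domains = list(Domains)
        elif Operation == "ADD":
            self.domains += [d for d in Domains if d not in self.domains]
        else:
            self.domains = [d for d in self.domains if d not in Domains]
        return {"Id": FirewallDomainListId, "Name": "demo-list",
                "Status": "UPDATING", "StatusMessage": ""}

    def get_firewall_domain_list(self, FirewallDomainListId):
        self.polls_until_final -= 1
        status = "UPDATING" if self.polls_until_final > 0 else self.final_status
        return {"FirewallDomainList": {"Id": FirewallDomainListId,
                                       "Status": status, "StatusMessage": ""}}


# Constructed sample file: two valid specs and one with a disallowed underscore.
SAMPLE_FILE = "example.com\n*.tracker.example\n\nbad_host.example\n"

if __name__ == "__main__":
    valid, errors = parse_domain_file(SAMPLE_FILE)
    print("valid:", valid, "rejected:", errors)
    client = FakeResolverClient()  # replace with boto3.client("route53resolver")
    print(update_domain_list(client, "rslvr-fdl-PLACEHOLDER", valid, poll_interval=0))
```

Validating before the call keeps a single bad line from failing the whole update, and polling to a final status matters for REPLACE in particular: until the list leaves UPDATING, the rules that reference it may not yet enforce the new contents.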

CreateFirewallDomainList (new)

Creates an empty firewall domain list for use in DNS Firewall rules. You can populate the domains for the new list with a file, using ImportFirewallDomains, or with domain strings, using UpdateFirewallDomains.

See also: AWS API Documentation

Request Syntax

client.create_firewall_domain_list(
    CreatorRequestId='string',
    Name='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type CreatorRequestId:

string

param CreatorRequestId:

[REQUIRED]

A unique string that identifies the request and that allows you to retry failed requests without the risk of executing the operation twice. CreatorRequestId can be any unique string, for example, a date/time stamp.

This field is autopopulated if not provided.

type Name:

string

param Name:

[REQUIRED]

A name that lets you identify the domain list to manage and use it.

type Tags:

list

param Tags:

A list of the tag keys and values that you want to associate with the domain list.

  • (dict) --

    One tag that you want to add to the specified resource. A tag consists of a Key (a name for the tag) and a Value.

    • Key (string) -- [REQUIRED]

      The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of Key might be account-id.

    • Value (string) -- [REQUIRED]

      The value for the tag. For example, if Key is account-id, then Value might be the ID of the customer account that you're creating the resource for.

rtype:

dict

returns:

Response Syntax

{
    'FirewallDomainList': {
        'Id': 'string',
        'Arn': 'string',
        'Name': 'string',
        'DomainCount': 123,
        'Status': 'COMPLETE'|'COMPLETE_IMPORT_FAILED'|'IMPORTING'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'ManagedOwnerName': 'string',
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallDomainList (dict) --

      The domain list that you just created.

      • Id (string) --

        The ID of the domain list.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the firewall domain list.

      • Name (string) --

        The name of the domain list.

      • DomainCount (integer) --

        The number of domain names that are specified in the domain list.

      • Status (string) --

        The status of the domain list.

      • StatusMessage (string) --

        Additional information about the status of the list, if available.

      • ManagedOwnerName (string) --

        The owner of the list, used only for lists that are not managed by you. For example, the managed domain list AWSManagedDomainsMalwareDomainList has the managed owner name Route 53 Resolver DNS Firewall.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the domain list was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the domain list was last modified, in Unix time format and Coordinated Universal Time (UTC).

UpdateFirewallConfig (new)

Updates the configuration of the firewall behavior provided by DNS Firewall for a single Amazon virtual private cloud (VPC).

See also: AWS API Documentation

Request Syntax

client.update_firewall_config(
    ResourceId='string',
    FirewallFailOpen='ENABLED'|'DISABLED'
)
type ResourceId:

string

param ResourceId:

[REQUIRED]

The ID of the Amazon virtual private cloud (VPC) that the configuration is for.

type FirewallFailOpen:

string

param FirewallFailOpen:

[REQUIRED]

Determines how Route 53 Resolver handles queries during failures, for example when all traffic that is sent to DNS Firewall fails to receive a reply.

  • By default, fail open is disabled, which means the failure mode is closed. This approach favors security over availability. DNS Firewall blocks queries that it is unable to evaluate properly.

  • If you enable this option, the failure mode is open. This approach favors availability over security. DNS Firewall allows queries to proceed if it is unable to properly evaluate them.

This behavior is only enforced for VPCs that have at least one DNS Firewall rule group association.

rtype:

dict

returns:

Response Syntax

{
    'FirewallConfig': {
        'Id': 'string',
        'ResourceId': 'string',
        'OwnerId': 'string',
        'FirewallFailOpen': 'ENABLED'|'DISABLED'
    }
}

Response Structure

  • (dict) --

    • FirewallConfig (dict) --

      Configuration of the firewall behavior provided by DNS Firewall for a single Amazon virtual private cloud (VPC).

      • Id (string) --

        The Id of the firewall configuration.

      • ResourceId (string) --

        The ID of the VPC that this firewall configuration applies to.

      • OwnerId (string) --

        The AWS account ID of the owner of the VPC that this firewall configuration applies to.

      • FirewallFailOpen (string) --

        Determines how DNS Firewall operates during failures, for example when all traffic that is sent to DNS Firewall fails to receive a reply.

        • By default, fail open is disabled, which means the failure mode is closed. This approach favors security over availability. DNS Firewall returns a failure error when it is unable to properly evaluate a query.

        • If you enable this option, the failure mode is open. This approach favors availability over security. DNS Firewall allows queries to proceed if it is unable to properly evaluate them.

        This behavior is only enforced for VPCs that have at least one DNS Firewall rule group association.
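FirewallFailOpen is the one setting in this API that trades security for availability, and both ListFirewallConfigs and UpdateFirewallConfig describe it the same way: the default is fail-closed, and enabling it lets queries through when DNS Firewall cannot evaluate them. An account-wide check for VPCs that have drifted to fail-open is a natural control. The following is an added example, not code from the page or from AWS: it pages through ListFirewallConfigs with NextToken, reports every VPC whose firewall is fail-open, and can set those back to DISABLED with UpdateFirewallConfig. The client class, the VPC and account IDs and the sample configs are constructed so the example runs offline; the fake uses a plain offset as NextToken, whereas the real token is opaque.

```python
"""Find VPCs whose DNS Firewall is configured fail-open and optionally revert them
to the fail-closed default. Added example with a constructed offline client."""


def iter_firewall_configs(client, page_size=100):
    """Yield every FirewallConfig, following NextToken until it is absent."""
    kwargs = {"MaxResults": page_size}
    while True:
        page = client.list_firewall_configs(**kwargs)
        yield from page.get("FirewallConfigs", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def find_fail_open_vpcs(client, page_size=100):
    """Return (ResourceId, OwnerId) for each VPC whose FirewallFailOpen is ENABLED.
    Each hit should be a documented exception, not configuration drift."""
    return [(c["ResourceId"], c["OwnerId"])
            for c in iter_firewall_configs(client, page_size)
            if c.get("FirewallFailOpen") == "ENABLED"]


def enforce_fail_closed(client, vpc_ids, dry_run=True):
    """Set FirewallFailOpen=DISABLED (the page's default) on the given VPCs.
    Returns the VPC IDs that were updated, or would be updated in a dry run."""
    changed = []
    for vpc_id in vpc_ids:
        if not dry_run:
            resp = client.update_firewall_config(ResourceId=vpc_id, FirewallFailOpen="DISABLED")
            if resp["FirewallConfig"]["FirewallFailOpen"] != "DISABLED":
                raise RuntimeError("update for %s did not take effect" % vpc_id)
        changed.append(vpc_id)
    return changed


class FakeResolverClient:
    """Constructed stand-in for a boto3 route53resolver client; serves configs in
    pages and honours update_firewall_config so the audit can be re-run."""

    def __init__(self, configs):
        self.configs = [dict(c) for c in configs]

    def list_firewall_configs(self, MaxResults=100, NextToken=None):
        start = int(NextToken) if NextToken else 0
        end = start + MaxResults
        page = {"FirewallConfigs": [dict(c) for c in self.configs[start:end]]}
        if end < len(self.configs):
            page["NextToken"] = str(end)
        return page

    def update_firewall_config(self, ResourceId, FirewallFailOpen):
        for c in self.configs:
            if c["ResourceId"] == ResourceId:
                c["FirewallFailOpen"] = FirewallFailOpen
                return {"FirewallConfig": dict(c)}
        raise KeyError(ResourceId)


# Constructed sample data: IDs and account numbers are placeholders.
SAMPLE_CONFIGS = [
    {"Id": "rslvr-fc-0001", "ResourceId": "vpc-0a1", "OwnerId": "111111111111", "FirewallFailOpen": "DISABLED"},
    {"Id": "rslvr-fc-0002", "ResourceId": "vpc-0b2", "OwnerId": "111111111111", "FirewallFailOpen": "ENABLED"},
    {"Id": "rslvr-fc-0003", "ResourceId": "vpc-0c3", "OwnerId": "222222222222", "FirewallFailOpen": "ENABLED"},
]

if __name__ == "__main__":
    client = FakeResolverClient(SAMPLE_CONFIGS)  # replace with boto3.client("route53resolver")
    hits = find_fail_open_vpcs(client, page_size=2)
    print("fail-open VPCs:", hits)
    print("would revert:", enforce_fail_closed(client, [vpc for vpc, _ in hits], dry_run=True))
```

Two caveats from the page apply when reading the results: the setting is only enforced for VPCs that have at least one rule group association, so a fail-open config on a VPC with no association is latent rather than active, and OwnerId may differ from the calling account, in which case the update has to be made by that VPC's owner.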

GetFirewallRuleGroup (new)

Retrieves the specified firewall rule group.

See also: AWS API Documentation

Request Syntax

client.get_firewall_rule_group(
    FirewallRuleGroupId='string'
)
type FirewallRuleGroupId:

string

param FirewallRuleGroupId:

[REQUIRED]

The unique identifier of the firewall rule group.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRuleGroup': {
        'Id': 'string',
        'Arn': 'string',
        'Name': 'string',
        'RuleCount': 123,
        'Status': 'COMPLETE'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'OwnerId': 'string',
        'CreatorRequestId': 'string',
        'ShareStatus': 'NOT_SHARED'|'SHARED_WITH_ME'|'SHARED_BY_ME',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRuleGroup (dict) --

      A collection of rules used to filter DNS network traffic.

      • Id (string) --

        The ID of the rule group.

      • Arn (string) --

        The ARN (Amazon Resource Name) of the rule group.

      • Name (string) --

        The name of the rule group.

      • RuleCount (integer) --

        The number of rules in the rule group.

      • Status (string) --

        The status of the rule group.

      • StatusMessage (string) --

        Additional information about the status of the rule group, if available.

      • OwnerId (string) --

        The AWS account ID for the account that created the rule group. When a rule group is shared with your account, this is the account that has shared the rule group with you.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • ShareStatus (string) --

        Whether the rule group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM).

      • CreationTime (string) --

        The date and time that the rule group was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the rule group was last modified, in Unix time format and Coordinated Universal Time (UTC).

AssociateFirewallRuleGroup (new)

Associates a FirewallRuleGroup with a VPC, to provide DNS filtering for the VPC.

See also: AWS API Documentation

Request Syntax

client.associate_firewall_rule_group(
    CreatorRequestId='string',
    FirewallRuleGroupId='string',
    VpcId='string',
    Priority=123,
    Name='string',
    MutationProtection='ENABLED'|'DISABLED',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type CreatorRequestId:

string

param CreatorRequestId:

[REQUIRED]

A unique string that identifies the request and that allows failed requests to be retried without the risk of executing the operation twice. CreatorRequestId can be any unique string, for example, a date/time stamp.

This field is autopopulated if not provided.

type FirewallRuleGroupId:

string

param FirewallRuleGroupId:

[REQUIRED]

The unique identifier of the firewall rule group.

type VpcId:

string

param VpcId:

[REQUIRED]

The unique identifier of the VPC that you want to associate with the rule group.

type Priority:

integer

param Priority:

[REQUIRED]

The setting that determines the processing order of the rule group among the rule groups that you associate with the specified VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

You must specify a unique priority for each rule group that you associate with a single VPC. To make it easier to insert rule groups later, leave space between the numbers, for example, use 100, 200, and so on. You can change the priority setting for a rule group association after you create it.

type Name:

string

param Name:

[REQUIRED]

A name that lets you identify the association, to manage and use it.

type MutationProtection:

string

param MutationProtection:

If enabled, this setting disallows modification or removal of the association, which helps prevent accidental changes to DNS Firewall protections. When you create the association, the default setting is DISABLED.

type Tags:

list

param Tags:

A list of the tag keys and values that you want to associate with the rule group association.

  • (dict) --

    One tag that you want to add to the specified resource. A tag consists of a Key (a name for the tag) and a Value.

    • Key (string) -- [REQUIRED]

      The name for the tag. For example, if you want to associate Resolver resources with the account IDs of your customers for billing purposes, the value of Key might be account-id.

    • Value (string) -- [REQUIRED]

      The value for the tag. For example, if Key is account-id, then Value might be the ID of the customer account that you're creating the resource for.
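The priority and MutationProtection parameters above are the two settings that decide whether a VPC's DNS filtering can be silently reordered or removed. The helper below, added here and not part of the boto3 SDK, picks a priority that is unique among the rule groups already associated with the VPC (leaving the recommended gaps), fixes CreatorRequestId once so a retry cannot create a second association, and builds the keyword arguments for client.associate_firewall_rule_group. The resource IDs in the comments and tests are constructed placeholders.

```python
import uuid

PRIORITY_GAP = 100  # leave space between priorities, as the parameter docs recommend


def next_association_priority(existing_priorities, gap=PRIORITY_GAP):
    """Pick a priority for a new rule-group association that is unique among
    the rule groups already associated with the VPC. Lower numbers are
    evaluated first, so appending after the current highest value keeps the
    existing evaluation order intact and leaves room to insert later."""
    if not existing_priorities:
        return gap
    return max(existing_priorities) + gap


def build_associate_request(rule_group_id, vpc_id, name, existing_priorities,
                            mutation_protection="ENABLED", tags=None,
                            creator_request_id=None):
    """Return the keyword arguments for client.associate_firewall_rule_group.

    CreatorRequestId is generated once and is meant to be reused on retry so
    a retried call cannot create a duplicate association. MutationProtection
    defaults to ENABLED here (the API default is DISABLED) so that an
    association protecting a VPC is not removed by accident."""
    if mutation_protection not in ("ENABLED", "DISABLED"):
        raise ValueError("MutationProtection must be ENABLED or DISABLED")
    priority = next_association_priority(existing_priorities)
    if priority in existing_priorities:
        raise ValueError("priority %d already used on VPC %s" % (priority, vpc_id))
    request = {
        "CreatorRequestId": creator_request_id or str(uuid.uuid4()),
        "FirewallRuleGroupId": rule_group_id,   # e.g. a constructed "rslvr-frg-example"
        "VpcId": vpc_id,                        # e.g. a constructed "vpc-example"
        "Priority": priority,
        "Name": name,
        "MutationProtection": mutation_protection,
    }
    if tags:
        # Tags are a list of {Key, Value} dicts in the request syntax above.
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


def check_association_protected(association):
    """Given a FirewallRuleGroupAssociation dict from the API response, return
    True only when it is fully applied (COMPLETE) and locked against
    modification; anything else means the VPC's filtering is not yet (or no
    longer) guaranteed."""
    return (association.get("Status") == "COMPLETE"
            and association.get("MutationProtection") == "ENABLED")
```

Pass the result as `client.associate_firewall_rule_group(**request)` and keep the same request dict for any retry.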

rtype:

dict

returns:

Response Syntax

{
    'FirewallRuleGroupAssociation': {
        'Id': 'string',
        'Arn': 'string',
        'FirewallRuleGroupId': 'string',
        'VpcId': 'string',
        'Name': 'string',
        'Priority': 123,
        'MutationProtection': 'ENABLED'|'DISABLED',
        'ManagedOwnerName': 'string',
        'Status': 'COMPLETE'|'DELETING'|'UPDATING',
        'StatusMessage': 'string',
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRuleGroupAssociation (dict) --

      The association that you just created. The association has an Id that you can use to identify it in other requests, like update and delete.

      • Id (string) --

        The identifier for the association.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the firewall rule group association.

      • FirewallRuleGroupId (string) --

        The unique identifier of the firewall rule group.

      • VpcId (string) --

        The unique identifier of the VPC that is associated with the rule group.

      • Name (string) --

        The name of the association.

      • Priority (integer) --

        The setting that determines the processing order of the rule group among the rule groups that are associated with a single VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

      • MutationProtection (string) --

        If enabled, this setting disallows modification or removal of the association, which helps prevent accidental changes to DNS Firewall protections.

      • ManagedOwnerName (string) --

        The owner of the association, used only for associations that are not managed by you. If you use AWS Firewall Manager to manage your DNS Firewalls, then this reports Firewall Manager as the managed owner.

      • Status (string) --

        The current status of the association.

      • StatusMessage (string) --

        Additional information about the status of the association, if available.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the association was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the association was last modified, in Unix time format and Coordinated Universal Time (UTC).

DeleteFirewallRule (new) Link ¶

Deletes the specified firewall rule.

See also: AWS API Documentation

Request Syntax

client.delete_firewall_rule(
    FirewallRuleGroupId='string',
    FirewallDomainListId='string'
)
type FirewallRuleGroupId:

string

param FirewallRuleGroupId:

[REQUIRED]

The unique identifier of the firewall rule group that you want to delete the rule from.

type FirewallDomainListId:

string

param FirewallDomainListId:

[REQUIRED]

The ID of the domain list that's used in the rule.

rtype:

dict

returns:

Response Syntax

{
    'FirewallRule': {
        'FirewallRuleGroupId': 'string',
        'FirewallDomainListId': 'string',
        'Name': 'string',
        'Priority': 123,
        'Action': 'ALLOW'|'BLOCK'|'ALERT',
        'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
        'BlockOverrideDomain': 'string',
        'BlockOverrideDnsType': 'CNAME',
        'BlockOverrideTtl': 123,
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRule (dict) --

      The specification for the firewall rule that you just deleted.

      • FirewallRuleGroupId (string) --

        The unique identifier of the firewall rule group of the rule.

      • FirewallDomainListId (string) --

        The ID of the domain list that's used in the rule.

      • Name (string) --

        The name of the rule.

      • Priority (integer) --

        The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

      • Action (string) --

        The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

        • ALLOW - Permit the request to go through.

        • ALERT - Permit the request to go through but send an alert to the logs.

        • BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.

      • BlockResponse (string) --

        The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.

        • NODATA - Respond indicating that the query was successful, but no response is available for it.

        • NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.

        • OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.

      • BlockOverrideDomain (string) --

        The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • BlockOverrideDnsType (string) --

        The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • BlockOverrideTtl (integer) --

        The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).

ListFirewallDomains (new) Link ¶

Retrieves the domains that you have defined for the specified firewall domain list.

A single call might return only a partial list of the domains. For information, see MaxResults.

See also: AWS API Documentation

Request Syntax

client.list_firewall_domains(
    FirewallDomainListId='string',
    MaxResults=123,
    NextToken='string'
)
type FirewallDomainListId:

string

param FirewallDomainListId:

[REQUIRED]

The ID of the domain list whose domains you want to retrieve.

type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Resolver to return for this request. If more objects are available, in the response, Resolver provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

If you don't specify a value for MaxResults, Resolver returns up to 100 objects.

type NextToken:

string

param NextToken:

For the first call to this list request, omit this value.

When you request a list of objects, Resolver returns at most the number of objects specified in MaxResults. If more objects are available for retrieval, Resolver returns a NextToken value in the response. To retrieve the next batch of objects, use the token that was returned for the prior request in your next request.

rtype:

dict

returns:

Response Syntax

{
    'NextToken': 'string',
    'Domains': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      If objects are still available for retrieval, Resolver returns this token in the response. To retrieve the next batch of objects, provide this token in your next request.

    • Domains (list) --

      A list of the domains in the firewall domain list.

      This might be a partial list of the domains that you've defined in the domain list. For information, see MaxResults.

      • (string) --
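A single ListFirewallDomains call returns at most MaxResults domains, so an audit that stops after the first page can miss entries. The code below is an added example (not part of boto3) that follows NextToken until the response carries none; the client class is a constructed stand-in that pages a fixed list the way the API does, so the example runs offline. The domain list ID and domain names are constructed.

```python
DEFAULT_MAX_RESULTS = 100  # what Resolver returns when MaxResults is omitted


def iter_firewall_domains(client, domain_list_id, max_results=DEFAULT_MAX_RESULTS):
    """Yield every domain in a firewall domain list, following NextToken until
    a response has no token. `client` only needs a list_firewall_domains
    method that accepts the keyword arguments shown in the request syntax."""
    kwargs = {"FirewallDomainListId": domain_list_id, "MaxResults": max_results}
    while True:
        page = client.list_firewall_domains(**kwargs)
        for domain in page.get("Domains", []):
            yield domain
        token = page.get("NextToken")
        if not token:
            return  # no NextToken means the last batch has been delivered
        kwargs["NextToken"] = token  # reuse the prior token in the next request


class FakeResolverClient:
    """Constructed stand-in for the Route 53 Resolver client. It pages a fixed
    list and encodes the next offset as the token; it is not boto3."""

    def __init__(self, domains):
        self._domains = list(domains)
        self.calls = 0

    def list_firewall_domains(self, FirewallDomainListId,
                              MaxResults=DEFAULT_MAX_RESULTS, NextToken=None):
        self.calls += 1
        start = int(NextToken) if NextToken else 0
        end = start + MaxResults
        page = {"Domains": self._domains[start:end]}
        if end < len(self._domains):
            page["NextToken"] = str(end)
        return page


def find_domains(client, domain_list_id, suffix, max_results=DEFAULT_MAX_RESULTS):
    """Return the entries of the list that end with `suffix`, for example to
    confirm that a domain you expect the firewall to act on is present."""
    return [d for d in iter_firewall_domains(client, domain_list_id, max_results)
            if d.endswith(suffix)]
```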

UpdateFirewallRule (new) Link ¶

Updates the specified firewall rule.

See also: AWS API Documentation

Request Syntax

client.update_firewall_rule(
    FirewallRuleGroupId='string',
    FirewallDomainListId='string',
    Priority=123,
    Action='ALLOW'|'BLOCK'|'ALERT',
    BlockResponse='NODATA'|'NXDOMAIN'|'OVERRIDE',
    BlockOverrideDomain='string',
    BlockOverrideDnsType='CNAME',
    BlockOverrideTtl=123,
    Name='string'
)
type FirewallRuleGroupId:

string

param FirewallRuleGroupId:

[REQUIRED]

The unique identifier of the firewall rule group for the rule.

type FirewallDomainListId:

string

param FirewallDomainListId:

[REQUIRED]

The ID of the domain list to use in the rule.

type Priority:

integer

param Priority:

The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

You must specify a unique priority for each rule in a rule group. To make it easier to insert rules later, leave space between the numbers, for example, use 100, 200, and so on. You can change the priority setting for the rules in a rule group at any time.

type Action:

string

param Action:

The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

  • ALLOW - Permit the request to go through.

  • ALERT - Permit the request to go through but send an alert to the logs.

  • BLOCK - Disallow the request. This option requires additional details in the rule's BlockResponse.

type BlockResponse:

string

param BlockResponse:

The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.

  • NODATA - Respond indicating that the query was successful, but no response is available for it.

  • NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.

  • OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.

type BlockOverrideDomain:

string

param BlockOverrideDomain:

The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

type BlockOverrideDnsType:

string

param BlockOverrideDnsType:

The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

type BlockOverrideTtl:

integer

param BlockOverrideTtl:

The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

type Name:

string

param Name:

The name of the rule.
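The Action, BlockResponse and BlockOverride* parameters are only meaningful in certain combinations, and the API documents nothing about what happens when they conflict. The validator below is an added example (not part of boto3) that builds the keyword arguments for client.update_firewall_rule, enforcing that BLOCK carries a BlockResponse, that OVERRIDE carries a CNAME override domain and TTL, that non-BLOCK actions carry no block settings, and that a new priority is unique within the rule group. IDs in the tests are constructed placeholders.

```python
VALID_ACTIONS = ("ALLOW", "BLOCK", "ALERT")
VALID_BLOCK_RESPONSES = ("NODATA", "NXDOMAIN", "OVERRIDE")


def build_update_rule_request(rule_group_id, domain_list_id, action,
                              block_response=None, override_domain=None,
                              override_ttl=None, priority=None, name=None,
                              existing_priorities=()):
    """Return kwargs for client.update_firewall_rule, rejecting inconsistent
    parameter combinations before they reach the API."""
    if action not in VALID_ACTIONS:
        raise ValueError("Action must be one of %s" % (VALID_ACTIONS,))
    request = {
        "FirewallRuleGroupId": rule_group_id,
        "FirewallDomainListId": domain_list_id,
        "Action": action,
    }
    if action == "BLOCK":
        if block_response not in VALID_BLOCK_RESPONSES:
            raise ValueError("BLOCK requires BlockResponse NODATA, NXDOMAIN or OVERRIDE")
        request["BlockResponse"] = block_response
        if block_response == "OVERRIDE":
            # OVERRIDE answers the query with a custom record; all three
            # BlockOverride* settings are needed for that answer to be complete.
            if not override_domain or override_ttl is None:
                raise ValueError("OVERRIDE requires BlockOverrideDomain and BlockOverrideTtl")
            if int(override_ttl) < 0:
                raise ValueError("BlockOverrideTtl must be non-negative")
            request["BlockOverrideDomain"] = override_domain
            request["BlockOverrideDnsType"] = "CNAME"  # the only type in the request syntax
            request["BlockOverrideTtl"] = int(override_ttl)
    elif block_response is not None or override_domain is not None:
        raise ValueError("Block* settings are only used with Action BLOCK")
    if priority is not None:
        if priority in existing_priorities:
            raise ValueError("priority %d already used in rule group %s" % (priority, rule_group_id))
        request["Priority"] = priority
    if name:
        request["Name"] = name
    return request


def describe_rule_effect(rule):
    """Plain-language summary of what a querying client sees for a FirewallRule
    dict from the API response; handy when auditing a rule group."""
    action = rule.get("Action")
    if action == "ALLOW":
        return "query resolves normally"
    if action == "ALERT":
        return "query resolves normally and is logged"
    response = rule.get("BlockResponse")
    if response == "OVERRIDE":
        return "query answered with CNAME %s (ttl %s)" % (
            rule.get("BlockOverrideDomain"), rule.get("BlockOverrideTtl"))
    return "query answered with %s" % response
```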

rtype:

dict

returns:

Response Syntax

{
    'FirewallRule': {
        'FirewallRuleGroupId': 'string',
        'FirewallDomainListId': 'string',
        'Name': 'string',
        'Priority': 123,
        'Action': 'ALLOW'|'BLOCK'|'ALERT',
        'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
        'BlockOverrideDomain': 'string',
        'BlockOverrideDnsType': 'CNAME',
        'BlockOverrideTtl': 123,
        'CreatorRequestId': 'string',
        'CreationTime': 'string',
        'ModificationTime': 'string'
    }
}

Response Structure

  • (dict) --

    • FirewallRule (dict) --

      The firewall rule that you just updated.

      • FirewallRuleGroupId (string) --

        The unique identifier of the firewall rule group of the rule.

      • FirewallDomainListId (string) --

        The ID of the domain list that's used in the rule.

      • Name (string) --

        The name of the rule.

      • Priority (integer) --

        The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

      • Action (string) --

        The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

        • ALLOW - Permit the request to go through.

        • ALERT - Permit the request to go through but send an alert to the logs.

        • BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.

      • BlockResponse (string) --

        The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.

        • NODATA - Respond indicating that the query was successful, but no response is available for it.

        • NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.

        • OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.

      • BlockOverrideDomain (string) --

        The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • BlockOverrideDnsType (string) --

        The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • BlockOverrideTtl (integer) --

        The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

      • CreatorRequestId (string) --

        A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.

      • CreationTime (string) --

        The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).

      • ModificationTime (string) --

        The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).