2026/06/16 - Amazon Route 53 Resolver - 9 updated api methods
Changes Adds supports for PartnerManagedRules
{'CreateFirewallRuleEntries': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}}}}
Response {'CreateErrors': {'FirewallRule': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}}}},
'CreatedFirewallRules': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}},
'Status': 'string',
'StatusMessage': 'string'}}
Creates multiple DNS Firewall rules in the specified rule group.
See also: AWS API Documentation
Request Syntax
client.batch_create_firewall_rule(
CreateFirewallRuleEntries=[
{
'CreatorRequestId': 'string',
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'Name': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
}
},
]
)
list
[REQUIRED]
The list of firewall rules to create.
(dict) --
The details for creating a single firewall rule in a batch operation.
CreatorRequestId (string) -- [REQUIRED]
A unique string that identifies the request and that allows you to retry failed requests without the risk of running the operation twice. CreatorRequestId can be any unique string, for example, a date/time stamp.
FirewallRuleGroupId (string) -- [REQUIRED]
The unique identifier of the firewall rule group where you want to create the rule.
FirewallDomainListId (string) --
The ID of the domain list that you want to use in the rule. This setting is mutually exclusive with DnsThreatProtection and FirewallRuleType.
Priority (integer) -- [REQUIRED]
The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) -- [REQUIRED]
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request and send metrics and logs to CloudWatch.
BLOCK - Disallow the request. This option requires additional details in the rule's BlockResponse.
BlockResponse (string) --
The way that you want DNS Firewall to block the request, used with the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
This setting is required if the BlockResponse setting is OVERRIDE.
Name (string) -- [REQUIRED]
A name that lets you identify the rule in the rule group.
FirewallDomainRedirectionAction (string) --
How you want the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are:
A: Returns an IPv4 address.
AAAA: Returns an IPv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with FirewallDomainListId and FirewallRuleType. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level FirewallDomainListId and DnsThreatProtection fields. Use one of:
FirewallAdvancedContentCategory — match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — match an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — match a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) -- [REQUIRED]
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) -- [REQUIRED]
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) -- [REQUIRED]
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) -- [REQUIRED]
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) -- [REQUIRED]
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
dict
Response Syntax
{
'CreatedFirewallRules': [
{
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Name': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'CreatorRequestId': 'string',
'CreationTime': 'string',
'ModificationTime': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
},
'Status': 'string',
'StatusMessage': 'string'
},
],
'CreateErrors': [
{
'FirewallRule': {
'CreatorRequestId': 'string',
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'Name': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
}
},
'Code': 'string',
'Message': 'string'
},
]
}
Response Structure
(dict) --
CreatedFirewallRules (list) --
The firewall rules that were successfully created by the request.
(dict) --
A single firewall rule in a rule group.
FirewallRuleGroupId (string) --
The unique identifier of the Firewall rule group of the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
ID of the DNS Firewall Advanced rule.
Name (string) --
The name of the rule.
Priority (integer) --
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.
BlockResponse (string) --
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
CreatorRequestId (string) --
A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.
CreationTime (string) --
The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).
ModificationTime (string) --
The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
FirewallDomainRedirectionAction (string) --
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
FirewallAdvancedContentCategory — an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — a third-party threat feed delivered through AWS Marketplace.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Status (string) --
The lifecycle state of the firewall rule. Possible values:
CREATING — DNS Firewall is provisioning the rule. Rules created with the PartnerThreatProtection rule type begin in this state while DNS Firewall verifies the calling account's AWS Marketplace entitlement.
COMPLETE — The rule is provisioned and enforcing matches.
CREATION_FAILED — Provisioning failed. StatusMessage contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule.
For rules that do not require asynchronous provisioning, this field may be absent.
StatusMessage (string) --
An additional message about the rule's lifecycle state. Populated when Status is CREATION_FAILED to describe why provisioning failed.
CreateErrors (list) --
A list of errors that occurred while creating the firewall rules.
(dict) --
An error that occurred while creating a firewall rule in a batch operation.
FirewallRule (dict) --
The firewall rule entry that caused the error.
CreatorRequestId (string) --
A unique string that identifies the request and that allows you to retry failed requests without the risk of running the operation twice. CreatorRequestId can be any unique string, for example, a date/time stamp.
FirewallRuleGroupId (string) --
The unique identifier of the firewall rule group where you want to create the rule.
FirewallDomainListId (string) --
The ID of the domain list that you want to use in the rule. This setting is mutually exclusive with DnsThreatProtection and FirewallRuleType.
Priority (integer) --
The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request and send metrics and logs to CloudWatch.
BLOCK - Disallow the request. This option requires additional details in the rule's BlockResponse.
BlockResponse (string) --
The way that you want DNS Firewall to block the request, used with the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
This setting is required if the BlockResponse setting is OVERRIDE.
Name (string) --
A name that lets you identify the rule in the rule group.
FirewallDomainRedirectionAction (string) --
How you want the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are:
A: Returns an IPv4 address.
AAAA: Returns an IPv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with FirewallDomainListId and FirewallRuleType. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level FirewallDomainListId and DnsThreatProtection fields. Use one of:
FirewallAdvancedContentCategory — match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — match an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — match a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Code (string) --
The error code for the failure.
Message (string) --
A message that provides details about the error.
{'DeletedFirewallRules': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}},
'Status': 'string',
'StatusMessage': 'string'}}
Deletes multiple DNS Firewall rules from the specified rule group.
See also: AWS API Documentation
Request Syntax
client.batch_delete_firewall_rule(
DeleteFirewallRuleEntries=[
{
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Qtype': 'string'
},
]
)
list
[REQUIRED]
The list of firewall rules to delete.
(dict) --
The details for deleting a single firewall rule in a batch operation.
FirewallRuleGroupId (string) -- [REQUIRED]
The unique identifier of the firewall rule group for the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
The ID of the DNS Firewall Advanced rule.
Qtype (string) --
The DNS query type that the rule evaluates.
dict
Response Syntax
{
'DeletedFirewallRules': [
{
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Name': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'CreatorRequestId': 'string',
'CreationTime': 'string',
'ModificationTime': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
},
'Status': 'string',
'StatusMessage': 'string'
},
],
'DeleteErrors': [
{
'FirewallRule': {
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Qtype': 'string'
},
'Code': 'string',
'Message': 'string'
},
]
}
Response Structure
(dict) --
DeletedFirewallRules (list) --
The firewall rules that were successfully deleted by the request.
(dict) --
A single firewall rule in a rule group.
FirewallRuleGroupId (string) --
The unique identifier of the Firewall rule group of the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
ID of the DNS Firewall Advanced rule.
Name (string) --
The name of the rule.
Priority (integer) --
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.
BlockResponse (string) --
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
CreatorRequestId (string) --
A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.
CreationTime (string) --
The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).
ModificationTime (string) --
The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
FirewallDomainRedirectionAction (string) --
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
FirewallAdvancedContentCategory — an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — a third-party threat feed delivered through AWS Marketplace.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Status (string) --
The lifecycle state of the firewall rule. Possible values:
CREATING — DNS Firewall is provisioning the rule. Rules created with the PartnerThreatProtection rule type begin in this state while DNS Firewall verifies the calling account's AWS Marketplace entitlement.
COMPLETE — The rule is provisioned and enforcing matches.
CREATION_FAILED — Provisioning failed. StatusMessage contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule.
For rules that do not require asynchronous provisioning, this field may be absent.
StatusMessage (string) --
An additional message about the rule's lifecycle state. Populated when Status is CREATION_FAILED to describe why provisioning failed.
DeleteErrors (list) --
A list of errors that occurred while deleting the firewall rules.
(dict) --
An error that occurred while deleting a firewall rule in a batch operation.
FirewallRule (dict) --
The firewall rule entry that caused the error.
FirewallRuleGroupId (string) --
The unique identifier of the firewall rule group for the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
The ID of the DNS Firewall Advanced rule.
Qtype (string) --
The DNS query type that the rule evaluates.
Code (string) --
The error code for the failure.
Message (string) --
A message that provides details about the error.
{'UpdateFirewallRuleEntries': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}}}}
Response {'UpdateErrors': {'FirewallRule': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}}}},
'UpdatedFirewallRules': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}},
'Status': 'string',
'StatusMessage': 'string'}}
Updates multiple DNS Firewall rules in the specified rule group.
See also: AWS API Documentation
Request Syntax
client.batch_update_firewall_rule(
UpdateFirewallRuleEntries=[
{
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'Name': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
}
},
]
)
list
[REQUIRED]
The list of firewall rules to update.
(dict) --
The details for updating a single firewall rule in a batch operation.
FirewallRuleGroupId (string) -- [REQUIRED]
The unique identifier of the firewall rule group for the rule.
FirewallDomainListId (string) --
The ID of the domain list to use in the rule. This setting is mutually exclusive with DnsThreatProtection and FirewallRuleType.
FirewallThreatProtectionId (string) --
The ID of the DNS Firewall Advanced rule.
Priority (integer) --
The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request and send metrics and logs to CloudWatch.
BLOCK - Disallow the request. This option requires additional details in the rule's BlockResponse.
BlockResponse (string) --
The way that you want DNS Firewall to block the request, used with the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
This setting is required if the BlockResponse setting is OVERRIDE.
Name (string) --
The name of the rule.
FirewallDomainRedirectionAction (string) --
How you want the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are:
A: Returns an IPv4 address.
AAAA: Returns an IPv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with FirewallDomainListId and FirewallRuleType. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level FirewallDomainListId and DnsThreatProtection fields. Use one of:
FirewallAdvancedContentCategory — match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — match an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — match a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) -- [REQUIRED]
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) -- [REQUIRED]
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) -- [REQUIRED]
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) -- [REQUIRED]
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) -- [REQUIRED]
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
dict
Response Syntax
{
'UpdatedFirewallRules': [
{
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Name': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'CreatorRequestId': 'string',
'CreationTime': 'string',
'ModificationTime': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
},
'Status': 'string',
'StatusMessage': 'string'
},
],
'UpdateErrors': [
{
'FirewallRule': {
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'Name': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
}
},
'Code': 'string',
'Message': 'string'
},
]
}
Response Structure
(dict) --
UpdatedFirewallRules (list) --
The firewall rules that were successfully updated by the request.
(dict) --
A single firewall rule in a rule group.
FirewallRuleGroupId (string) --
The unique identifier of the Firewall rule group of the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
ID of the DNS Firewall Advanced rule.
Name (string) --
The name of the rule.
Priority (integer) --
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.
BlockResponse (string) --
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
CreatorRequestId (string) --
A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.
CreationTime (string) --
The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).
ModificationTime (string) --
The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
FirewallDomainRedirectionAction (string) --
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
FirewallAdvancedContentCategory — an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — a third-party threat feed delivered through AWS Marketplace.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Status (string) --
The lifecycle state of the firewall rule. Possible values:
CREATING — DNS Firewall is provisioning the rule. Rules created with the PartnerThreatProtection rule type begin in this state while DNS Firewall verifies the calling account's AWS Marketplace entitlement.
COMPLETE — The rule is provisioned and enforcing matches.
CREATION_FAILED — Provisioning failed. StatusMessage contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule.
For rules that do not require asynchronous provisioning, this field may be absent.
StatusMessage (string) --
An additional message about the rule's lifecycle state. Populated when Status is CREATION_FAILED to describe why provisioning failed.
UpdateErrors (list) --
A list of errors that occurred while updating the firewall rules.
(dict) --
An error that occurred while updating a firewall rule in a batch operation.
FirewallRule (dict) --
The firewall rule entry that caused the error.
FirewallRuleGroupId (string) --
The unique identifier of the firewall rule group for the rule.
FirewallDomainListId (string) --
The ID of the domain list to use in the rule. This setting is mutually exclusive with DnsThreatProtection and FirewallRuleType.
FirewallThreatProtectionId (string) --
The ID of the DNS Firewall Advanced rule.
Priority (integer) --
The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request and send metrics and logs to CloudWatch.
BLOCK - Disallow the request. This option requires additional details in the rule's BlockResponse.
BlockResponse (string) --
The way that you want DNS Firewall to block the request, used with the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
This setting is required if the BlockResponse setting is OVERRIDE.
Name (string) --
The name of the rule.
FirewallDomainRedirectionAction (string) --
How you want the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are:
A: Returns an IPv4 address.
AAAA: Returns an IPv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with FirewallDomainListId and FirewallRuleType. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level FirewallDomainListId and DnsThreatProtection fields. Use one of:
FirewallAdvancedContentCategory — match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — match an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — match a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Code (string) --
The error code for the failure.
Message (string) --
A message that provides details about the error.
{'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}}}
Response {'FirewallRule': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}},
'Status': 'string',
'StatusMessage': 'string'}}
Creates a single DNS Firewall rule in the specified rule group. The rule can use any one of the following match sources, and the chosen source must be supplied through the matching request field — they are mutually exclusive:
FirewallDomainListId — match a customer-managed or AWS-managed domain list.
DnsThreatProtection — match a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
FirewallRuleType — match one of the rule-type variants returned by ListFirewallRuleTypes: FirewallAdvancedContentCategory, FirewallAdvancedThreatCategory, DnsThreatProtection, or PartnerThreatProtection. The PartnerThreatProtection variant requires an active AWS Marketplace subscription to the named partner product.
For rules that require asynchronous provisioning (today, the PartnerThreatProtection rule type), the rule's Status begins at CREATING and transitions to COMPLETE once the rule is provisioned and the marketplace entitlement is verified. If provisioning fails, Status becomes CREATION_FAILED and StatusMessage contains a human-readable reason; the rule is then immutable and must be removed with DeleteFirewallRule.
See also: AWS API Documentation
Request Syntax
client.create_firewall_rule(
CreatorRequestId='string',
FirewallRuleGroupId='string',
FirewallDomainListId='string',
Priority=123,
Action='ALLOW'|'BLOCK'|'ALERT',
BlockResponse='NODATA'|'NXDOMAIN'|'OVERRIDE',
BlockOverrideDomain='string',
BlockOverrideDnsType='CNAME',
BlockOverrideTtl=123,
Name='string',
FirewallDomainRedirectionAction='INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
Qtype='string',
DnsThreatProtection='DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
ConfidenceThreshold='LOW'|'MEDIUM'|'HIGH',
FirewallRuleType={
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
}
)
string
[REQUIRED]
A unique string that identifies the request and that allows you to retry failed requests without the risk of running the operation twice. CreatorRequestId can be any unique string, for example, a date/time stamp.
This field is autopopulated if not provided.
string
[REQUIRED]
The unique identifier of the firewall rule group where you want to create the rule.
string
The ID of the domain list that you want to use in the rule. Can't be used together with DnsThreatProtecton.
integer
[REQUIRED]
The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
You must specify a unique priority for each rule in a rule group. To make it easier to insert rules later, leave space between the numbers, for example, use 100, 200, and so on. You can change the priority setting for the rules in a rule group at any time.
string
[REQUIRED]
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request and send metrics and logs to Cloud Watch.
BLOCK - Disallow the request. This option requires additional details in the rule's BlockResponse.
string
The way that you want DNS Firewall to block the request, used with the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
This setting is required if the rule action setting is BLOCK.
string
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
This setting is required if the BlockResponse setting is OVERRIDE.
string
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
This setting is required if the BlockResponse setting is OVERRIDE.
integer
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
This setting is required if the BlockResponse setting is OVERRIDE.
string
[REQUIRED]
A name that lets you identify the rule in the rule group.
string
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
string
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
string
The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with FirewallDomainListId and FirewallRuleType. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
string
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
dict
The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level FirewallDomainListId and DnsThreatProtection fields. Use one of:
FirewallAdvancedContentCategory — match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — match an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — match a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) -- [REQUIRED]
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) -- [REQUIRED]
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) -- [REQUIRED]
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) -- [REQUIRED]
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) -- [REQUIRED]
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
dict
Response Syntax
{
'FirewallRule': {
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Name': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'CreatorRequestId': 'string',
'CreationTime': 'string',
'ModificationTime': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
},
'Status': 'string',
'StatusMessage': 'string'
}
}
Response Structure
(dict) --
FirewallRule (dict) --
The firewall rule that you just created.
FirewallRuleGroupId (string) --
The unique identifier of the Firewall rule group of the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
ID of the DNS Firewall Advanced rule.
Name (string) --
The name of the rule.
Priority (integer) --
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.
BlockResponse (string) --
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
CreatorRequestId (string) --
A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.
CreationTime (string) --
The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).
ModificationTime (string) --
The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
FirewallDomainRedirectionAction (string) --
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
FirewallAdvancedContentCategory — an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — a third-party threat feed delivered through AWS Marketplace.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Status (string) --
The lifecycle state of the firewall rule. Possible values:
CREATING — DNS Firewall is provisioning the rule. Rules created with the PartnerThreatProtection rule type begin in this state while DNS Firewall verifies the calling account's AWS Marketplace entitlement.
COMPLETE — The rule is provisioned and enforcing matches.
CREATION_FAILED — Provisioning failed. StatusMessage contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule.
For rules that do not require asynchronous provisioning, this field may be absent.
StatusMessage (string) --
An additional message about the rule's lifecycle state. Populated when Status is CREATION_FAILED to describe why provisioning failed.
{'FirewallRule': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}},
'Status': 'string',
'StatusMessage': 'string'}}
Deletes the specified firewall rule. Identify the rule using either FirewallDomainListId (for domain-list and DNS Firewall Advanced rules) or FirewallThreatProtectionId (for partner-managed and DNS Firewall Advanced rules) — together with FirewallRuleGroupId.
DeleteFirewallRule is the only operation that succeeds against a rule whose Status is CREATION_FAILED.
See also: AWS API Documentation
Request Syntax
client.delete_firewall_rule(
FirewallRuleGroupId='string',
FirewallDomainListId='string',
FirewallThreatProtectionId='string',
Qtype='string'
)
string
[REQUIRED]
The unique identifier of the firewall rule group that you want to delete the rule from.
string
The ID of the domain list that's used in the rule.
string
The ID that is created for a DNS Firewall Advanced rule.
string
The DNS query type that the rule you are deleting evaluates. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
dict
Response Syntax
{
'FirewallRule': {
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Name': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'CreatorRequestId': 'string',
'CreationTime': 'string',
'ModificationTime': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
},
'Status': 'string',
'StatusMessage': 'string'
}
}
Response Structure
(dict) --
FirewallRule (dict) --
The specification for the firewall rule that you just deleted.
FirewallRuleGroupId (string) --
The unique identifier of the Firewall rule group of the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
ID of the DNS Firewall Advanced rule.
Name (string) --
The name of the rule.
Priority (integer) --
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.
BlockResponse (string) --
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
CreatorRequestId (string) --
A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.
CreationTime (string) --
The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).
ModificationTime (string) --
The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
FirewallDomainRedirectionAction (string) --
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
FirewallAdvancedContentCategory — an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — a third-party threat feed delivered through AWS Marketplace.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Status (string) --
The lifecycle state of the firewall rule. Possible values:
CREATING — DNS Firewall is provisioning the rule. Rules created with the PartnerThreatProtection rule type begin in this state while DNS Firewall verifies the calling account's AWS Marketplace entitlement.
COMPLETE — The rule is provisioned and enforcing matches.
CREATION_FAILED — Provisioning failed. StatusMessage contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule.
For rules that do not require asynchronous provisioning, this field may be absent.
StatusMessage (string) --
An additional message about the rule's lifecycle state. Populated when Status is CREATION_FAILED to describe why provisioning failed.
{'FirewallRuleTypes': {'SubscriptionInfo': {'ProductId': 'string',
'VendorName': 'string'}}}
Retrieves the rule-type variants that can be used in the FirewallRuleType field of CreateFirewallRule and UpdateFirewallRule. Each returned FirewallRuleTypeDefinition identifies one variant + value combination — for example, FirewallAdvancedContentCategory + VIOLENCE_AND_HATE_SPEECH, or PartnerThreatProtection + a partner-managed feed.
The supported RuleType filter values are FirewallAdvancedContentCategory, FirewallAdvancedThreatCategory, DnsThreatProtection, and PartnerThreatProtection. When a returned definition's variant requires an external subscription (currently only PartnerThreatProtection), the response also includes a SubscriptionInfo identifying the AWS Marketplace product that backs it; absence of SubscriptionInfo means the variant is fully managed by AWS and requires no separate subscription.
See also: AWS API Documentation
Request Syntax
client.list_firewall_rule_types(
RuleType='string',
MaxResults=123,
NextToken='string'
)
string
An optional filter that restricts the response to a single FirewallRuleType variant. Supported values: FirewallAdvancedContentCategory, FirewallAdvancedThreatCategory, DnsThreatProtection, and PartnerThreatProtection. If omitted, definitions across all variants are returned.
integer
The maximum number of objects that you want Resolver to return for this request. If more objects are available, in the response, Resolver provides a NextToken value that you can use in a subsequent call to get the next batch of objects.
string
For the first call to this list request, omit this value. When you request a list of objects, Resolver returns at most the number of objects specified in MaxResults. If more objects are available for retrieval, Resolver provides a NextToken value in the response. To retrieve the next batch of objects, use the token that was returned for the prior request in your next request.
dict
Response Syntax
{
'FirewallRuleTypes': [
{
'RuleType': 'string',
'Value': 'string',
'DisplayName': 'string',
'Description': 'string',
'SubscriptionInfo': {
'VendorName': 'string',
'ProductId': 'string'
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
FirewallRuleTypes (list) --
A list of the available rule type definitions.
(dict) --
The definition of an available rule type that can be used in DNS Firewall rules. This is returned by ListFirewallRuleTypes.
RuleType (string) --
The category or class of the rule type, such as FirewallAdvancedContentCategory or FirewallAdvancedThreatCategory.
Value (string) --
The specific identifier within the rule type category, such as VIOLENCE_AND_HATE_SPEECH or PHISHING.
DisplayName (string) --
The display name of the rule type.
Description (string) --
A description of the rule type.
SubscriptionInfo (dict) --
For rule types that require an external subscription (today, only the PartnerThreatProtection variant), describes the AWS Marketplace product that backs the rule type. Absent for rule types that are managed by AWS and do not require a separate subscription. See SubscriptionInfo.
VendorName (string) --
The name of the AWS Marketplace seller (vendor) that publishes the partner threat-protection product (for example, Palo Alto Networks).
ProductId (string) --
The AWS Marketplace product identifier of the partner threat-protection product. Use this value to verify or manage the calling account's subscription in AWS Marketplace.
NextToken (string) --
If objects are still available for retrieval, Resolver returns this token in the response. To retrieve the next batch of objects, provide this token in your next request.
{'FirewallRules': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}},
'Status': 'string',
'StatusMessage': 'string'}}
Retrieves the firewall rules that you have defined for the specified firewall rule group. DNS Firewall uses the rules in a rule group to filter DNS network traffic for a VPC.
A single call might return only a partial list of the rules. For information, see MaxResults.
For rules that require asynchronous provisioning, the response includes Status (see FirewallRuleStatus) and, on failure, StatusMessage with the reason.
See also: AWS API Documentation
Request Syntax
client.list_firewall_rules(
FirewallRuleGroupId='string',
Priority=123,
Action='ALLOW'|'BLOCK'|'ALERT',
MaxResults=123,
NextToken='string'
)
string
[REQUIRED]
The unique identifier of the firewall rule group that you want to retrieve the rules for.
integer
Optional additional filter for the rules to retrieve.
The setting that determines the processing order of the rules in a rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
string
Optional additional filter for the rules to retrieve.
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not availabe for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.
integer
The maximum number of objects that you want Resolver to return for this request. If more objects are available, in the response, Resolver provides a NextToken value that you can use in a subsequent call to get the next batch of objects.
If you don't specify a value for MaxResults, Resolver returns up to 100 objects.
string
For the first call to this list request, omit this value.
When you request a list of objects, Resolver returns at most the number of objects specified in MaxResults. If more objects are available for retrieval, Resolver returns a NextToken value in the response. To retrieve the next batch of objects, use the token that was returned for the prior request in your next request.
dict
Response Syntax
{
'NextToken': 'string',
'FirewallRules': [
{
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Name': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'CreatorRequestId': 'string',
'CreationTime': 'string',
'ModificationTime': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
},
'Status': 'string',
'StatusMessage': 'string'
},
]
}
Response Structure
(dict) --
NextToken (string) --
If objects are still available for retrieval, Resolver returns this token in the response. To retrieve the next batch of objects, provide this token in your next request.
FirewallRules (list) --
A list of the rules that you have defined.
This might be a partial list of the firewall rules that you've defined. For information, see MaxResults.
(dict) --
A single firewall rule in a rule group.
FirewallRuleGroupId (string) --
The unique identifier of the Firewall rule group of the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
ID of the DNS Firewall Advanced rule.
Name (string) --
The name of the rule.
Priority (integer) --
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.
BlockResponse (string) --
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
CreatorRequestId (string) --
A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.
CreationTime (string) --
The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).
ModificationTime (string) --
The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
FirewallDomainRedirectionAction (string) --
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
FirewallAdvancedContentCategory — an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — a third-party threat feed delivered through AWS Marketplace.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Status (string) --
The lifecycle state of the firewall rule. Possible values:
CREATING — DNS Firewall is provisioning the rule. Rules created with the PartnerThreatProtection rule type begin in this state while DNS Firewall verifies the calling account's AWS Marketplace entitlement.
COMPLETE — The rule is provisioned and enforcing matches.
CREATION_FAILED — Provisioning failed. StatusMessage contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule.
For rules that do not require asynchronous provisioning, this field may be absent.
StatusMessage (string) --
An additional message about the rule's lifecycle state. Populated when Status is CREATION_FAILED to describe why provisioning failed.
{'IpAddresses': {'Status': {'FAILED_CREATION_INSUFFICIENT_EC2_CAPACITY_IN_OUTPOST'}}}
Gets the IP addresses for a specified Resolver endpoint.
See also: AWS API Documentation
Request Syntax
client.list_resolver_endpoint_ip_addresses(
ResolverEndpointId='string',
MaxResults=123,
NextToken='string'
)
string
[REQUIRED]
The ID of the Resolver endpoint that you want to get IP addresses for.
integer
The maximum number of IP addresses that you want to return in the response to a ListResolverEndpointIpAddresses request. If you don't specify a value for MaxResults, Resolver returns up to 100 IP addresses.
string
For the first ListResolverEndpointIpAddresses request, omit this value.
If the specified Resolver endpoint has more than MaxResults IP addresses, you can submit another ListResolverEndpointIpAddresses request to get the next group of IP addresses. In the next request, specify the value of NextToken from the previous response.
dict
Response Syntax
{
'NextToken': 'string',
'MaxResults': 123,
'IpAddresses': [
{
'IpId': 'string',
'SubnetId': 'string',
'Ip': 'string',
'Ipv6': 'string',
'Status': 'CREATING'|'FAILED_CREATION'|'FAILED_CREATION_INSUFFICIENT_EC2_CAPACITY_IN_OUTPOST'|'ATTACHING'|'ATTACHED'|'REMAP_DETACHING'|'REMAP_ATTACHING'|'DETACHING'|'FAILED_RESOURCE_GONE'|'DELETING'|'DELETE_FAILED_FAS_EXPIRED'|'UPDATING'|'UPDATE_FAILED'|'ISOLATED',
'StatusMessage': 'string',
'CreationTime': 'string',
'ModificationTime': 'string'
},
]
}
Response Structure
(dict) --
NextToken (string) --
If the specified endpoint has more than MaxResults IP addresses, you can submit another ListResolverEndpointIpAddresses request to get the next group of IP addresses. In the next request, specify the value of NextToken from the previous response.
MaxResults (integer) --
The value that you specified for MaxResults in the request.
IpAddresses (list) --
Information about the IP addresses in your VPC that DNS queries originate from (for outbound endpoints) or that you forward DNS queries to (for inbound endpoints).
(dict) --
In the response to a GetResolverEndpoint request, information about the IP addresses that the Resolver endpoint uses for DNS queries.
IpId (string) --
The ID of one IP address.
SubnetId (string) --
The ID of one subnet.
Ip (string) --
One IPv4 address that the Resolver endpoint uses for DNS queries.
Ipv6 (string) --
One IPv6 address that the Resolver endpoint uses for DNS queries.
Status (string) --
A status code that gives the current status of the request.
StatusMessage (string) --
A message that provides additional information about the status of the request.
CreationTime (string) --
The date and time that the IP address was created, in Unix time format and Coordinated Universal Time (UTC).
ModificationTime (string) --
The date and time that the IP address was last modified, in Unix time format and Coordinated Universal Time (UTC).
{'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}}}
Response {'FirewallRule': {'FirewallRuleType': {'PartnerThreatProtection': {'Partner': 'string'}},
'Status': 'string',
'StatusMessage': 'string'}}
Updates the specified firewall rule. The rule's FirewallRuleType, FirewallDomainListId, and top-level DnsThreatProtection match source cannot be changed after creation. Rules whose Status is CREATING or CREATION_FAILED cannot be updated; remove a failed rule with DeleteFirewallRule.
See also: AWS API Documentation
Request Syntax
client.update_firewall_rule(
FirewallRuleGroupId='string',
FirewallDomainListId='string',
FirewallThreatProtectionId='string',
Priority=123,
Action='ALLOW'|'BLOCK'|'ALERT',
BlockResponse='NODATA'|'NXDOMAIN'|'OVERRIDE',
BlockOverrideDomain='string',
BlockOverrideDnsType='CNAME',
BlockOverrideTtl=123,
Name='string',
FirewallDomainRedirectionAction='INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
Qtype='string',
DnsThreatProtection='DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
ConfidenceThreshold='LOW'|'MEDIUM'|'HIGH',
FirewallRuleType={
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
}
)
string
[REQUIRED]
The unique identifier of the firewall rule group for the rule.
string
The ID of the domain list to use in the rule.
string
The DNS Firewall Advanced rule ID.
integer
The setting that determines the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
You must specify a unique priority for each rule in a rule group. To make it easier to insert rules later, leave space between the numbers, for example, use 100, 200, and so on. You can change the priority setting for the rules in a rule group at any time.
string
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. This option requires additional details in the rule's BlockResponse.
string
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
string
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
string
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
integer
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
string
The name of the rule.
string
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
string
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
string
The type of the DNS Firewall Advanced rule. This setting is mutually exclusive with FirewallDomainListId and FirewallRuleType. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
string
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
dict
The rule type configuration for the firewall rule. This is a tagged union — set exactly one of its members. This setting is mutually exclusive with the top-level FirewallDomainListId and DnsThreatProtection fields. Use one of:
FirewallAdvancedContentCategory — match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — match an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — match a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — match a third-party threat feed delivered through AWS Marketplace. The selected partner must be an active subscription on the calling account.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) -- [REQUIRED]
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) -- [REQUIRED]
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) -- [REQUIRED]
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) -- [REQUIRED]
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) -- [REQUIRED]
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
dict
Response Syntax
{
'FirewallRule': {
'FirewallRuleGroupId': 'string',
'FirewallDomainListId': 'string',
'FirewallThreatProtectionId': 'string',
'Name': 'string',
'Priority': 123,
'Action': 'ALLOW'|'BLOCK'|'ALERT',
'BlockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
'BlockOverrideDomain': 'string',
'BlockOverrideDnsType': 'CNAME',
'BlockOverrideTtl': 123,
'CreatorRequestId': 'string',
'CreationTime': 'string',
'ModificationTime': 'string',
'FirewallDomainRedirectionAction': 'INSPECT_REDIRECTION_DOMAIN'|'TRUST_REDIRECTION_DOMAIN',
'Qtype': 'string',
'DnsThreatProtection': 'DGA'|'DNS_TUNNELING'|'DICTIONARY_DGA',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
'FirewallRuleType': {
'PartnerThreatProtection': {
'Partner': 'string'
},
'FirewallAdvancedContentCategory': {
'Category': 'string'
},
'FirewallAdvancedThreatCategory': {
'Category': 'string'
},
'DnsThreatProtection': {
'Value': 'string',
'ConfidenceThreshold': 'LOW'|'MEDIUM'|'HIGH'
}
},
'Status': 'string',
'StatusMessage': 'string'
}
}
Response Structure
(dict) --
FirewallRule (dict) --
The firewall rule that you just updated.
FirewallRuleGroupId (string) --
The unique identifier of the Firewall rule group of the rule.
FirewallDomainListId (string) --
The ID of the domain list that's used in the rule.
FirewallThreatProtectionId (string) --
ID of the DNS Firewall Advanced rule.
Name (string) --
The name of the rule.
Priority (integer) --
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Action (string) --
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
ALERT - Permit the request to go through but send an alert to the logs.
BLOCK - Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse setting.
BlockResponse (string) --
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
NODATA - Respond indicating that the query was successful, but no response is available for it.
NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
BlockOverrideDomain (string) --
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideDnsType (string) --
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
BlockOverrideTtl (integer) --
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
CreatorRequestId (string) --
A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of executing the operation twice. This can be any unique string, for example, a timestamp.
CreationTime (string) --
The date and time that the rule was created, in Unix time format and Coordinated Universal Time (UTC).
ModificationTime (string) --
The date and time that the rule was last modified, in Unix time format and Coordinated Universal Time (UTC).
FirewallDomainRedirectionAction (string) --
How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
INSPECT_REDIRECTION_DOMAIN: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.
TRUST_REDIRECTION_DOMAIN: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.
Qtype (string) --
The DNS query type you want the rule to evaluate. Allowed values are;
A: Returns an IPv4 address.
AAAA: Returns an Ipv6 address.
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
CNAME: Returns another domain name.
DS: Record that identifies the DNSSEC signing key of a delegated zone.
MX: Specifies mail servers.
NAPTR: Regular-expression-based rewriting of domain names.
NS: Authoritative name servers.
PTR: Maps an IP address to a domain name.
SOA: Start of authority record for the zone.
SPF: Lists the servers authorized to send emails from a domain.
SRV: Application specific values that identify servers.
TXT: Verifies email senders and application-specific values.
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65534, for example, TYPE28. For more information, see List of DNS record types.
DnsThreatProtection (string) --
The type of the DNS Firewall Advanced rule. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
FirewallRuleType (dict) --
The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
FirewallAdvancedContentCategory — an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH).
FirewallAdvancedThreatCategory — an AWS-managed advanced threat category (for example, PHISHING).
DnsThreatProtection — a built-in DNS Firewall Advanced threat detector ( DGA, DNS_TUNNELING, or DICTIONARY_DGA).
PartnerThreatProtection — a third-party threat feed delivered through AWS Marketplace.
To enumerate the values supported in your account, call ListFirewallRuleTypes.
PartnerThreatProtection (dict) --
Configures the rule to match a third-party threat feed delivered through AWS Marketplace. The calling account must hold an active subscription to the partner product named in Partner; if the subscription is missing or revoked, the rule is created with Status CREATION_FAILED and cannot be modified — only deleted. See PartnerThreatProtectionConfig.
Partner (string) --
The identifier of the partner threat-protection product, exactly as returned in the Value field of a FirewallRuleTypeDefinition with RuleType set to PartnerThreatProtection. The calling account must hold an active AWS Marketplace subscription to this product.
FirewallAdvancedContentCategory (dict) --
Configures the rule to match an AWS-managed content category (for example, VIOLENCE_AND_HATE_SPEECH). See FirewallAdvancedContentCategoryConfig.
Category (string) --
The content category identifier. To retrieve the list of available content categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedContentCategory.
FirewallAdvancedThreatCategory (dict) --
Configures the rule to match an AWS-managed advanced threat category (for example, PHISHING). See FirewallAdvancedThreatCategoryConfig.
Category (string) --
The threat category identifier. To retrieve the list of available threat categories, call ListFirewallRuleTypes with RuleType set to FirewallAdvancedThreatCategory.
DnsThreatProtection (dict) --
Configures the rule to match a built-in DNS Firewall Advanced threat detector — DGA, DNS_TUNNELING, or DICTIONARY_DGA. See DnsThreatProtectionRuleTypeConfig.
Value (string) --
The type of DNS threat protection. Valid values are:
DGA: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
DICTIONARY_DGA: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
ConfidenceThreshold (string) --
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create or update a DNS Firewall Advanced rule. The confidence level values mean:
LOW: Provides the highest detection rate for threats, but also increases false positives.
MEDIUM: Provides a balance between detecting threats and false positives.
HIGH: Detects only the most well corroborated threats with a low rate of false positives.
Status (string) --
The lifecycle state of the firewall rule. Possible values:
CREATING — DNS Firewall is provisioning the rule. Rules created with the PartnerThreatProtection rule type begin in this state while DNS Firewall verifies the calling account's AWS Marketplace entitlement.
COMPLETE — The rule is provisioned and enforcing matches.
CREATION_FAILED — Provisioning failed. StatusMessage contains a human-readable reason. A rule in this state is immutable: UpdateFirewallRule rejects the request, and the rule must be removed with DeleteFirewallRule.
For rules that do not require asynchronous provisioning, this field may be absent.
StatusMessage (string) --
An additional message about the rule's lifecycle state. Populated when Status is CREATION_FAILED to describe why provisioning failed.