This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).

# AWS::NetworkFirewall::TLSInspectionConfiguration
<a name="aws-resource-networkfirewall-tlsinspectionconfiguration"></a>

The object that defines a TLS inspection configuration.

AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.

To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide*.

## Syntax
<a name="aws-resource-networkfirewall-tlsinspectionconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-networkfirewall-tlsinspectionconfiguration-syntax.json"></a>

```
{
  "Type" : "AWS::NetworkFirewall::TLSInspectionConfiguration",
  "Properties" : {
      "[Description](#cfn-networkfirewall-tlsinspectionconfiguration-description)" : String,
      "[Tags](#cfn-networkfirewall-tlsinspectionconfiguration-tags)" : [ Tag, ... ],
      "[TLSInspectionConfiguration](#cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration)" : TLSInspectionConfiguration,
      "[TLSInspectionConfigurationName](#cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfigurationname)" : String
    }
}
```

### YAML
<a name="aws-resource-networkfirewall-tlsinspectionconfiguration-syntax.yaml"></a>

```
Type: AWS::NetworkFirewall::TLSInspectionConfiguration
Properties:
  [Description](#cfn-networkfirewall-tlsinspectionconfiguration-description): String
  [Tags](#cfn-networkfirewall-tlsinspectionconfiguration-tags): 
    - Tag
  [TLSInspectionConfiguration](#cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration): 
    TLSInspectionConfiguration
  [TLSInspectionConfigurationName](#cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfigurationname): String
```

## Properties
<a name="aws-resource-networkfirewall-tlsinspectionconfiguration-properties"></a>

`Description`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-description"></a>
A description of the TLS inspection configuration.   
*Required*: No  
*Type*: String  
*Pattern*: `^.*$`  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-tags"></a>
The key:value pairs to associate with the resource.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-networkfirewall-tlsinspectionconfiguration-tag.md)  
*Minimum*: `1`  
*Maximum*: `200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TLSInspectionConfiguration`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration"></a>
The object that defines a TLS inspection configuration. AWS Network Firewall uses TLS inspection configurations to decrypt your firewall's inbound and outbound SSL/TLS traffic. After decryption, AWS Network Firewall inspects the traffic according to your firewall policy's stateful rules, and then re-encrypts it before sending it to its destination. You can enable inspection of your firewall's inbound traffic, outbound traffic, or both. To use TLS inspection with your firewall, you must first import or provision certificates using AWS Certificate Manager, create a TLS inspection configuration, add that configuration to a new firewall policy, and then associate that policy with your firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide*.  
*Required*: Yes  
*Type*: [TLSInspectionConfiguration](aws-properties-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TLSInspectionConfigurationName`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfigurationname"></a>
The descriptive name of the TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[a-zA-Z0-9-]+$`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-networkfirewall-tlsinspectionconfiguration-return-values"></a>

### Ref
<a name="aws-resource-networkfirewall-tlsinspectionconfiguration-return-values-ref"></a>

### Fn::GetAtt
<a name="aws-resource-networkfirewall-tlsinspectionconfiguration-return-values-fn--getatt"></a>

<a name="aws-resource-networkfirewall-tlsinspectionconfiguration-return-values-fn--getatt-fn--getatt"></a>

`TLSInspectionConfigurationArn`  <a name="TLSInspectionConfigurationArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the TLS inspection configuration.

`TLSInspectionConfigurationId`  <a name="TLSInspectionConfigurationId-fn::getatt"></a>
A unique identifier for the TLS inspection configuration. This ID is returned in the responses to create and list commands. You provide it to operations such as update and delete.
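The following Python script is an added example and is not code from the AWS documentation or the Network Firewall service. It builds a complete `AWS::NetworkFirewall::TLSInspectionConfiguration` resource in the JSON form shown above, with one server certificate configuration for inbound inspection and one for outbound inspection, and then lints the resource against the constraints this page states (name pattern and length, description length, tag count, ARN pattern, allowed action values, and the rule that `CheckCertificateRevocationStatus` requires a `CertificateAuthorityArn`). It adds one hardening check of its own: a `PASS` action for revoked or unknown certificate status forwards a connection whose server certificate failed or could not be verified, so the linter reports it as fail-open. The ARNs, addresses and the `fail_open` switch are constructed placeholders.

```python
"""Build and lint an AWS::NetworkFirewall::TLSInspectionConfiguration resource.

Added example, not AWS code. Constraints are copied from the property tables on
this page; the fail-open finding is this script's own hardening check.
"""
import json
import re

NAME_RE = re.compile(r"^[a-zA-Z0-9-]+$")      # TLSInspectionConfigurationName pattern
ARN_RE = re.compile(r"^(arn:aws.*)$")          # ResourceArn / CertificateAuthorityArn pattern
ALLOWED_ACTIONS = {"PASS", "DROP", "REJECT"}   # Revoked/UnknownStatusAction values
MAX_NAME, MAX_DESCRIPTION, MAX_TAGS = 128, 512, 200

# Constructed placeholder ARNs; they do not refer to real ACM certificates.
INBOUND_CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-INBOUND"
OUTBOUND_CA_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-CA"


def build_tls_inspection_resource(name, description, *, fail_open=False):
    """Return the resource as a dict matching the page's JSON syntax.

    Config 0 decrypts inbound traffic to internal servers using ServerCertificates;
    config 1 decrypts outbound traffic using an imported CA and checks revocation.
    fail_open=True reproduces the weak setting (UnknownStatusAction: PASS).
    """
    unknown_action = "PASS" if fail_open else "DROP"
    return {
        "Type": "AWS::NetworkFirewall::TLSInspectionConfiguration",
        "Properties": {
            "TLSInspectionConfigurationName": name,
            "Description": description,
            "Tags": [{"Key": "environment", "Value": "production"}],
            "TLSInspectionConfiguration": {
                "ServerCertificateConfigurations": [
                    {   # inbound: decrypt TCP/443 destined for a constructed internal /24
                        "ServerCertificates": [{"ResourceArn": INBOUND_CERT_ARN}],
                        "Scopes": [{
                            "Protocols": [6],
                            "Destinations": [{"AddressDefinition": "10.0.0.0/24"}],
                            "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
                        }],
                    },
                    {   # outbound: re-sign with the imported CA and verify server certs
                        "CertificateAuthorityArn": OUTBOUND_CA_ARN,
                        "CheckCertificateRevocationStatus": {
                            "RevokedStatusAction": "DROP",
                            "UnknownStatusAction": unknown_action,
                        },
                        "Scopes": [{
                            "Protocols": [6],
                            "Sources": [{"AddressDefinition": "10.0.0.0/16"}],
                            "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
                        }],
                    },
                ]
            },
        },
    }


def lint_tls_inspection_resource(resource):
    """Return a list of findings; an empty list means the resource passes."""
    findings = []
    props = resource.get("Properties", {})
    name = props.get("TLSInspectionConfigurationName", "")
    if not (1 <= len(name) <= MAX_NAME and NAME_RE.match(name)):
        findings.append("TLSInspectionConfigurationName violates ^[a-zA-Z0-9-]+$ or length 1..128")
    desc = props.get("Description")
    if desc is not None and not 1 <= len(desc) <= MAX_DESCRIPTION:
        findings.append("Description length must be 1..512")
    tags = props.get("Tags")
    if tags is not None and not 1 <= len(tags) <= MAX_TAGS:
        findings.append("Tags array length must be 1..200")
    configs = props.get("TLSInspectionConfiguration", {}).get("ServerCertificateConfigurations", [])
    for i, cfg in enumerate(configs):
        ca_arn = cfg.get("CertificateAuthorityArn")
        if ca_arn is not None and not ARN_RE.match(ca_arn):
            findings.append(f"config[{i}]: CertificateAuthorityArn must match ^(arn:aws.*)$")
        for cert in cfg.get("ServerCertificates", []):
            if not ARN_RE.match(cert.get("ResourceArn", "")):
                findings.append(f"config[{i}]: ServerCertificate ResourceArn must match ^(arn:aws.*)$")
        check = cfg.get("CheckCertificateRevocationStatus")
        if check is None:
            continue
        if ca_arn is None:  # page: revocation checking requires a CertificateAuthorityArn
            findings.append(f"config[{i}]: CheckCertificateRevocationStatus requires CertificateAuthorityArn")
        for key in ("RevokedStatusAction", "UnknownStatusAction"):
            action = check.get(key)
            if action is not None and action not in ALLOWED_ACTIONS:
                findings.append(f"config[{i}]: {key} must be one of PASS | DROP | REJECT")
            elif action == "PASS":
                # Hardening check (this script's own): PASS forwards a connection whose
                # server certificate is revoked or could not be checked.
                findings.append(f"config[{i}]: {key}=PASS is fail-open")
    return findings


if __name__ == "__main__":
    good = build_tls_inspection_resource("tls-inspect-prod", "Inbound and outbound TLS inspection")
    print(json.dumps(good, indent=2))
    print("findings (hardened):", lint_tls_inspection_resource(good))
    weak = build_tls_inspection_resource("tls-inspect-prod", "weak variant", fail_open=True)
    print("findings (fail-open):", lint_tls_inspection_resource(weak))
```

Run it as a script to print the resource and the findings for both variants; the same two functions can be called from a CI step over a template loaded with `json.load`. `DROP` is used for the unknown-status case because the description of `UnknownStatusAction` includes the case where the OCSP and CRL endpoints are unreachable, which is exactly when a fail-open policy would be exploited by whoever controls the path.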

# AWS::NetworkFirewall::TLSInspectionConfiguration Address
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-address"></a>

A single IP address specification. This is used in the [MatchAttributes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-rulegroup-matchattributes.html) source and destination settings.

## Syntax
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-address-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-address-syntax.json"></a>

```
{
  "[AddressDefinition](#cfn-networkfirewall-tlsinspectionconfiguration-address-addressdefinition)" : String
}
```

### YAML
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-address-syntax.yaml"></a>

```
  [AddressDefinition](#cfn-networkfirewall-tlsinspectionconfiguration-address-addressdefinition): String
```

## Properties
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-address-properties"></a>

`AddressDefinition`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-address-addressdefinition"></a>
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.   
Examples:   
+ To configure Network Firewall to inspect for the IP address 192.0.2.44, specify `192.0.2.44/32`.
+ To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24`.
+ To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128`.
+ To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64`.
For more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).  
*Required*: Yes  
*Type*: String  
*Pattern*: `^([a-fA-F\d:\.]+/\d{1,3})$`  
*Minimum*: `1`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::NetworkFirewall::TLSInspectionConfiguration CheckCertificateRevocationStatus
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus"></a>

When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unknown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-servercertificateconfiguration.html).

## Syntax
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-syntax.json"></a>

```
{
  "[RevokedStatusAction](#cfn-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-revokedstatusaction)" : String,
  "[UnknownStatusAction](#cfn-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-unknownstatusaction)" : String
}
```

### YAML
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-syntax.yaml"></a>

```
  [RevokedStatusAction](#cfn-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-revokedstatusaction): String
  [UnknownStatusAction](#cfn-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-unknownstatusaction): String
```

## Properties
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-properties"></a>

`RevokedStatusAction`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-revokedstatusaction"></a>
Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has a revoked status.  
+ **PASS** - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection.
+ **DROP** - Network Firewall closes the connection and drops subsequent packets for that connection.
+ **REJECT** - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. `REJECT` is available only for TCP traffic.
*Required*: No  
*Type*: String  
*Allowed values*: `PASS | DROP | REJECT`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UnknownStatusAction`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-unknownstatusaction"></a>
Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has an unknown status, or a status that cannot be determined for any other reason, including when the service is unable to connect to the OCSP and CRL endpoints for the certificate.  
+ **PASS** - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection.
+ **DROP** - Network Firewall closes the connection and drops subsequent packets for that connection.
+ **REJECT** - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. `REJECT` is available only for TCP traffic.
*Required*: No  
*Type*: String  
*Allowed values*: `PASS | DROP | REJECT`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::NetworkFirewall::TLSInspectionConfiguration PortRange
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-portrange"></a>

A single port range specification. This is used for source and destination port ranges in the stateless rule [MatchAttributes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-rulegroup-matchattributes.html), `SourcePorts`, and `DestinationPorts` settings. 

## Syntax
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-portrange-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-portrange-syntax.json"></a>

```
{
  "[FromPort](#cfn-networkfirewall-tlsinspectionconfiguration-portrange-fromport)" : Integer,
  "[ToPort](#cfn-networkfirewall-tlsinspectionconfiguration-portrange-toport)" : Integer
}
```

### YAML
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-portrange-syntax.yaml"></a>

```
  [FromPort](#cfn-networkfirewall-tlsinspectionconfiguration-portrange-fromport): Integer
  [ToPort](#cfn-networkfirewall-tlsinspectionconfiguration-portrange-toport): Integer
```

## Properties
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-portrange-properties"></a>

`FromPort`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-portrange-fromport"></a>
The lower limit of the port range. This must be less than or equal to the `ToPort` specification.   
*Required*: Yes  
*Type*: Integer  
*Minimum*: `0`  
*Maximum*: `65535`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ToPort`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-portrange-toport"></a>
The upper limit of the port range. This must be greater than or equal to the `FromPort` specification.   
*Required*: Yes  
*Type*: Integer  
*Minimum*: `0`  
*Maximum*: `65535`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::NetworkFirewall::TLSInspectionConfiguration ServerCertificate
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificate"></a>

Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html). Used in a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html) for inspection of inbound traffic to your firewall. You must request or import an SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager, see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide*.

## Syntax
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificate-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificate-syntax.json"></a>

```
{
  "[ResourceArn](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificate-resourcearn)" : String
}
```

### YAML
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificate-syntax.yaml"></a>

```
  [ResourceArn](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificate-resourcearn): String
```

## Properties
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificate-properties"></a>

`ResourceArn`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificate-resourcearn"></a>
The Amazon Resource Name (ARN) of the AWS Certificate Manager SSL/TLS server certificate that's used for inbound SSL/TLS inspection.  
*Required*: No  
*Type*: String  
*Pattern*: `^(arn:aws.*)$`  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::NetworkFirewall::TLSInspectionConfiguration ServerCertificateConfiguration
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration"></a>

Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html). You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certificates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide*.

**Note**  
If a server certificate that's associated with your [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html) is revoked, deleted, or expired, it can result in client-side TLS errors.

## Syntax
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-syntax.json"></a>

```
{
  "[CertificateAuthorityArn](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-certificateauthorityarn)" : String,
  "[CheckCertificateRevocationStatus](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-checkcertificaterevocationstatus)" : CheckCertificateRevocationStatus,
  "[Scopes](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-scopes)" : [ ServerCertificateScope, ... ],
  "[ServerCertificates](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-servercertificates)" : [ ServerCertificate, ... ]
}
```

### YAML
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-syntax.yaml"></a>

```
  [CertificateAuthorityArn](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-certificateauthorityarn): String
  [CheckCertificateRevocationStatus](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-checkcertificaterevocationstatus): 
    CheckCertificateRevocationStatus
  [Scopes](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-scopes): 
    - ServerCertificateScope
  [ServerCertificates](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-servercertificates): 
    - ServerCertificate
```

## Properties
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-properties"></a>

`CertificateAuthorityArn`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-certificateauthorityarn"></a>
The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within AWS Certificate Manager (ACM) to use for outbound SSL/TLS inspection.  
The following limitations apply:  
+ You can use CA certificates that you imported into ACM, but you can't generate CA certificates with ACM.
+ You can't use certificates issued by AWS Private Certificate Authority.
For more information about configuring certificates for outbound inspection, see [Using SSL/TLS certificates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide*.   
For information about working with certificates in ACM, see [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide*.  
*Required*: No  
*Type*: String  
*Pattern*: `^(arn:aws.*)$`  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`CheckCertificateRevocationStatus`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-checkcertificaterevocationstatus"></a>
When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unknown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-servercertificateconfiguration.html).  
*Required*: No  
*Type*: [CheckCertificateRevocationStatus](aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Scopes`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-scopes"></a>
A list of scopes.  
*Required*: No  
*Type*: Array of [ServerCertificateScope](aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ServerCertificates`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-servercertificates"></a>
The list of server certificates to use for inbound SSL/TLS inspection.  
*Required*: No  
*Type*: Array of [ServerCertificate](aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificate.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::NetworkFirewall::TLSInspectionConfiguration ServerCertificateScope
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope"></a>

Settings that define the Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic that Network Firewall should decrypt for inspection by the stateful rule engine.

## Syntax
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope-syntax.json"></a>

```
{
  "[DestinationPorts](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-destinationports)" : [ PortRange, ... ],
  "[Destinations](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-destinations)" : [ Address, ... ],
  "[Protocols](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-protocols)" : [ Integer, ... ],
  "[SourcePorts](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-sourceports)" : [ PortRange, ... ],
  "[Sources](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-sources)" : [ Address, ... ]
}
```

### YAML
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope-syntax.yaml"></a>

```
  [DestinationPorts](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-destinationports): 
    - PortRange
  [Destinations](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-destinations): 
    - Address
  [Protocols](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-protocols): 
    - Integer
  [SourcePorts](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-sourceports): 
    - PortRange
  [Sources](#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-sources): 
    - Address
```

## Properties
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope-properties"></a>

`DestinationPorts`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-destinationports"></a>
The destination ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any destination port.  
You can specify individual ports, for example `1994`, and you can specify port ranges, such as `1990:1994`.  
*Required*: No  
*Type*: Array of [PortRange](aws-properties-networkfirewall-tlsinspectionconfiguration-portrange.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Destinations`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-destinations"></a>
The destination IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this matches with any destination address.  
*Required*: No  
*Type*: Array of [Address](aws-properties-networkfirewall-tlsinspectionconfiguration-address.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Protocols`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-protocols"></a>
The protocols to inspect for, specified using the assigned internet protocol number (IANA) for each protocol. If not specified, this matches with any protocol.  
Network Firewall currently supports only TCP.  
*Required*: No  
*Type*: Array of Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SourcePorts`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-sourceports"></a>
The source ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any source port.  
You can specify individual ports, for example `1994`, and you can specify port ranges, such as `1990:1994`.  
*Required*: No  
*Type*: Array of [PortRange](aws-properties-networkfirewall-tlsinspectionconfiguration-portrange.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Sources`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-sources"></a>
The source IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this matches with any source address.  
*Required*: No  
*Type*: Array of [Address](aws-properties-networkfirewall-tlsinspectionconfiguration-address.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
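The following Python script is an added example, not code from the AWS documentation or the Network Firewall service. It models the matching rules that the `Address`, `PortRange` and `ServerCertificateScope` sections state: an omitted list matches anything, `AddressDefinition` is a CIDR block matching the documented pattern (IPv4 or IPv6), a `PortRange` is inclusive with `FromPort` no greater than `ToPort` and both within 0 to 65535, and `Protocols` are IANA numbers of which only TCP (6) is supported. Given a scope and a flow, it answers whether that flow would be selected for decryption, and rejects scopes that violate the documented constraints. The scope, addresses and flows are constructed sample data; how the service evaluates scopes internally is not described on this page, so this is a model of the documented rules rather than of the service.

```python
"""Decide whether a TCP flow falls inside a ServerCertificateScope.

Added example, not AWS code: a model of the matching rules this page documents,
with the AddressDefinition pattern and PortRange limits copied from the page.
"""
import ipaddress
import re
from dataclasses import dataclass

ADDRESS_RE = re.compile(r"^([a-fA-F\d:\.]+/\d{1,3})$")  # AddressDefinition pattern
TCP = 6  # the only protocol number the page says is supported


@dataclass(frozen=True)
class Flow:
    """A constructed 5-tuple as seen by the firewall."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int


def parse_address(address):
    """Validate an Address object and return an ip_network (IPv4 or IPv6)."""
    cidr = address["AddressDefinition"]
    if not ADDRESS_RE.match(cidr):
        raise ValueError(f"AddressDefinition {cidr!r} does not match the documented pattern")
    # strict=False tolerates host bits set below the prefix; the page's own
    # examples are proper network addresses and parse either way.
    return ipaddress.ip_network(cidr, strict=False)


def parse_port_range(port_range):
    """Validate a PortRange object and return (from_port, to_port)."""
    lo, hi = port_range["FromPort"], port_range["ToPort"]
    if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
        raise ValueError(f"ports must be within 0..65535, got {lo}..{hi}")
    if lo > hi:
        raise ValueError(f"FromPort {lo} must be <= ToPort {hi}")
    return lo, hi


def validate_scope(scope):
    """Parse every list in the scope; raises ValueError on a documented violation."""
    parsed = {
        "Sources": [parse_address(a) for a in scope.get("Sources", [])],
        "Destinations": [parse_address(a) for a in scope.get("Destinations", [])],
        "SourcePorts": [parse_port_range(p) for p in scope.get("SourcePorts", [])],
        "DestinationPorts": [parse_port_range(p) for p in scope.get("DestinationPorts", [])],
        "Protocols": list(scope.get("Protocols", [])),
    }
    if any(p != TCP for p in parsed["Protocols"]):
        raise ValueError("Network Firewall currently supports only TCP (protocol 6) in scopes")
    return parsed


def _any_or_match(values, predicate):
    # An omitted or empty list matches anything, per the property descriptions.
    return not values or any(predicate(v) for v in values)


def flow_in_scope(scope, flow):
    """Return True if the flow would be selected for decryption by this scope."""
    s = validate_scope(scope)
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # ip_network.__contains__ is False across address families, so an IPv6
    # source never matches an IPv4 Sources entry and vice versa.
    return (
        _any_or_match(s["Protocols"], lambda p: p == flow.protocol)
        and _any_or_match(s["Sources"], lambda n: src in n)
        and _any_or_match(s["Destinations"], lambda n: dst in n)
        and _any_or_match(s["SourcePorts"], lambda r: r[0] <= flow.src_port <= r[1])
        and _any_or_match(s["DestinationPorts"], lambda r: r[0] <= flow.dst_port <= r[1])
    )


# Constructed sample scope: decrypt TCP/443 from one internal /16 to any destination.
SAMPLE_SCOPE = {
    "Protocols": [6],
    "Sources": [{"AddressDefinition": "10.0.0.0/16"}],
    "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
}

if __name__ == "__main__":
    for f in (Flow("10.0.4.7", "198.51.100.9", 51000, 443, TCP),   # in scope
              Flow("10.9.4.7", "198.51.100.9", 51000, 443, TCP),   # source outside /16
              Flow("10.0.4.7", "198.51.100.9", 51000, 8443, TCP)):  # port outside range
        print(f, "->", "decrypt" if flow_in_scope(SAMPLE_SCOPE, f) else "pass through")
```

The empty-scope case is the one to be deliberate about: a `ServerCertificateScope` with no lists at all matches every TCP flow, so an outbound configuration with such a scope decrypts everything the firewall sees, not just port 443.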

# AWS::NetworkFirewall::TLSInspectionConfiguration Tag
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tag"></a>

A key:value pair associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource. 

## Syntax
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tag-syntax.json"></a>

```
{
  "[Key](#cfn-networkfirewall-tlsinspectionconfiguration-tag-key)" : String,
  "[Value](#cfn-networkfirewall-tlsinspectionconfiguration-tag-value)" : String
}
```

### YAML
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tag-syntax.yaml"></a>

```
  [Key](#cfn-networkfirewall-tlsinspectionconfiguration-tag-key): String
  [Value](#cfn-networkfirewall-tlsinspectionconfiguration-tag-value): String
```

## Properties
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tag-properties"></a>

`Key`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-tag-key"></a>
The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^.*$`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-tag-value"></a>
The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^.*$`  
*Minimum*: `0`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::NetworkFirewall::TLSInspectionConfiguration TLSInspectionConfiguration
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration"></a>

The object that defines a TLS inspection configuration.

AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.

To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the *AWS Network Firewall Developer Guide*.

## Syntax
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration-syntax.json"></a>

```
{
  "[ServerCertificateConfigurations](#cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration-servercertificateconfigurations)" : [ ServerCertificateConfiguration, ... ]
}
```

### YAML
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration-syntax.yaml"></a>

```
  [ServerCertificateConfigurations](#cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration-servercertificateconfigurations): 
    - ServerCertificateConfiguration
```

## Properties
<a name="aws-properties-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration-properties"></a>

`ServerCertificateConfigurations`  <a name="cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration-servercertificateconfigurations"></a>
Lists the server certificate configurations that are associated with the TLS inspection configuration.  
*Required*: No  
*Type*: Array of [ServerCertificateConfiguration](aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)