Package software.amazon.awscdk.services.fms

Class CfnPolicy

java.lang.Object

software.amazon.jsii.JsiiObject

software.constructs.Construct

software.amazon.awscdk.CfnElement

software.amazon.awscdk.CfnRefElement

software.amazon.awscdk.CfnResource

software.amazon.awscdk.services.fms.CfnPolicy

All Implemented Interfaces:

IInspectable, ITaggableV2, IPolicyRef, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

@Generated(value="jsii-pacmak/1.113.0 (build fc68b25)",
           date="2025-10-14T12:28:11.406Z")
@Stability(Stable)
public class CfnPolicy
extends CfnResource
implements IInspectable, IPolicyRef, ITaggableV2

An AWS Firewall Manager policy.

A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.

If you add a new account to an organization that you created with AWS Organizations , Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.

Policies require some setup to use. For more information, see the sections on prerequisites and getting started under Firewall Manager prerequisites .

Firewall Manager provides the following types of policies:

• AWS WAF policy - This policy applies AWS WAF web ACL protections to specified accounts and resources.
• Shield Advanced policy - This policy applies Shield Advanced protection to specified accounts and resources.
• Security Groups policy - This type of policy gives you control over security groups that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of rules across your organization.
• Network ACL policy - This type of policy gives you control over the network ACLs that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of first and last network ACL rules across your organization.
• Network Firewall policy - This policy applies Network Firewall protection to your organization's VPCs.
• DNS Firewall policy - This policy applies Amazon Route 53 Resolver DNS Firewall protections to your organization's VPCs.
• Third-party firewall policy - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the AWS Marketplace console at AWS Marketplace .
• Palo Alto Networks Cloud NGFW policy - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.
• Fortigate CNF policy - This policy applies Fortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.

Example:

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.fms.*;
 CfnPolicy cfnPolicy = CfnPolicy.Builder.create(this, "MyCfnPolicy")
         .excludeResourceTags(false)
         .policyName("policyName")
         .remediationEnabled(false)
         .securityServicePolicyData(SecurityServicePolicyDataProperty.builder()
                 .type("type")
                 // the properties below are optional
                 .managedServiceData("managedServiceData")
                 .policyOption(PolicyOptionProperty.builder()
                         .networkAclCommonPolicy(NetworkAclCommonPolicyProperty.builder()
                                 .networkAclEntrySet(NetworkAclEntrySetProperty.builder()
                                         .forceRemediateForFirstEntries(false)
                                         .forceRemediateForLastEntries(false)
                                         // the properties below are optional
                                         .firstEntries(List.of(NetworkAclEntryProperty.builder()
                                                 .egress(false)
                                                 .protocol("protocol")
                                                 .ruleAction("ruleAction")
                                                 // the properties below are optional
                                                 .cidrBlock("cidrBlock")
                                                 .icmpTypeCode(IcmpTypeCodeProperty.builder()
                                                         .code(123)
                                                         .type(123)
                                                         .build())
                                                 .ipv6CidrBlock("ipv6CidrBlock")
                                                 .portRange(PortRangeProperty.builder()
                                                         .from(123)
                                                         .to(123)
                                                         .build())
                                                 .build()))
                                         .lastEntries(List.of(NetworkAclEntryProperty.builder()
                                                 .egress(false)
                                                 .protocol("protocol")
                                                 .ruleAction("ruleAction")
                                                 // the properties below are optional
                                                 .cidrBlock("cidrBlock")
                                                 .icmpTypeCode(IcmpTypeCodeProperty.builder()
                                                         .code(123)
                                                         .type(123)
                                                         .build())
                                                 .ipv6CidrBlock("ipv6CidrBlock")
                                                 .portRange(PortRangeProperty.builder()
                                                         .from(123)
                                                         .to(123)
                                                         .build())
                                                 .build()))
                                         .build())
                                 .build())
                         .networkFirewallPolicy(NetworkFirewallPolicyProperty.builder()
                                 .firewallDeploymentModel("firewallDeploymentModel")
                                 .build())
                         .thirdPartyFirewallPolicy(ThirdPartyFirewallPolicyProperty.builder()
                                 .firewallDeploymentModel("firewallDeploymentModel")
                                 .build())
                         .build())
                 .build())
         // the properties below are optional
         .deleteAllPolicyResources(false)
         .excludeMap(Map.of(
                 "account", List.of("account"),
                 "orgunit", List.of("orgunit")))
         .includeMap(Map.of(
                 "account", List.of("account"),
                 "orgunit", List.of("orgunit")))
         .policyDescription("policyDescription")
         .resourcesCleanUp(false)
         .resourceSetIds(List.of("resourceSetIds"))
         .resourceTagLogicalOperator("resourceTagLogicalOperator")
         .resourceTags(List.of(ResourceTagProperty.builder()
                 .key("key")
                 // the properties below are optional
                 .value("value")
                 .build()))
         .resourceType("resourceType")
         .resourceTypeList(List.of("resourceTypeList"))
         .tags(List.of(PolicyTagProperty.builder()
                 .key("key")
                 .value("value")
                 .build()))
         .build();
 

See Also:

• http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static final class	CfnPolicy.Builder	A fluent builder for CfnPolicy.
static interface	CfnPolicy.IcmpTypeCodeProperty	ICMP protocol: The ICMP type and code.
static interface	CfnPolicy.IEMapProperty	Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in or exclude from the policy.
static interface	CfnPolicy.NetworkAclCommonPolicyProperty	Defines a Firewall Manager network ACL policy.
static interface	CfnPolicy.NetworkAclEntryProperty	Describes a rule in a network ACL.
static interface	CfnPolicy.NetworkAclEntrySetProperty	The configuration of the first and last rules for the network ACL policy, and the remediation settings for each.
static interface	CfnPolicy.NetworkFirewallPolicyProperty	Configures the firewall policy deployment model of AWS Network Firewall .
static interface	CfnPolicy.PolicyOptionProperty	Contains the settings to configure a network ACL policy, a AWS Network Firewall firewall policy deployment model, or a third-party firewall policy.
static interface	CfnPolicy.PolicyTagProperty	A collection of key:value pairs associated with an AWS resource.
static interface	CfnPolicy.PortRangeProperty	TCP or UDP protocols: The range of ports the rule applies to.
static interface	CfnPolicy.ResourceTagProperty	The resource tags that AWS Firewall Manager uses to determine if a particular resource should be included or excluded from the AWS Firewall Manager policy.
static interface	CfnPolicy.SecurityServicePolicyDataProperty	Details about the security service that is being used to protect the resources.
static interface	CfnPolicy.ThirdPartyFirewallPolicyProperty	Configures the deployment model for the third-party firewall.

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

software.amazon.jsii.JsiiObject.InitializationMode

Nested classes/interfaces inherited from interface software.constructs.IConstruct

software.constructs.IConstruct.Jsii$Default

Nested classes/interfaces inherited from interface software.amazon.awscdk.IInspectable

IInspectable.Jsii$Default, IInspectable.Jsii$Proxy

Nested classes/interfaces inherited from interface software.amazon.awscdk.services.fms.IPolicyRef

IPolicyRef.Jsii$Default, IPolicyRef.Jsii$Proxy

Nested classes/interfaces inherited from interface software.amazon.awscdk.ITaggableV2

ITaggableV2.Jsii$Default, ITaggableV2.Jsii$Proxy

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CFN_RESOURCE_TYPE_NAME	The CloudFormation resource type name for this resource class.

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	CfnPolicy(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	CfnPolicy(software.amazon.jsii.JsiiObjectRef objRef)
	CfnPolicy(software.constructs.Construct scope, String id, CfnPolicyProps props)

Method Summary

Modifier and Type	Method	Description
String	getAttrArn()	The Amazon Resource Name (ARN) of the policy.
String	getAttrId()	The ID of the policy.
TagManager	getCdkTagManager()	Tag Manager which manages the tags for this resource.
protected Map<String,Object>	getCfnProperties()
Object	getDeleteAllPolicyResources()	Used when deleting a policy.
Object	getExcludeMap()	Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.
Object	getExcludeResourceTags()	Used only when tags are specified in the ResourceTags property.
Object	getIncludeMap()	Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.
String	getPolicyDescription()	Your description of the AWS Firewall Manager policy.
String	getPolicyName()	The name of the AWS Firewall Manager policy.
PolicyReference	getPolicyRef()	A reference to a Policy resource.
Object	getRemediationEnabled()	Indicates if the policy should be automatically applied to new resources.
Object	getResourcesCleanUp()	Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
List<String>	getResourceSetIds()	The unique identifiers of the resource sets used by the policy.
String	getResourceTagLogicalOperator()	Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.
Object	getResourceTags()	An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
String	getResourceType()	The type of resource protected by or in scope of the policy.
List<String>	getResourceTypeList()	An array of ResourceType objects.
Object	getSecurityServicePolicyData()	Details about the security service that is being used to protect the resources.
List<CfnPolicy.PolicyTagProperty>	getTags()	A collection of key:value pairs associated with an AWS resource.
void	inspect(TreeInspector inspector)	Examines the CloudFormation resource and discloses attributes.
protected Map<String,Object>	renderProperties(Map<String,Object> props)
void	setDeleteAllPolicyResources(Boolean value)	Used when deleting a policy.
void	setDeleteAllPolicyResources(IResolvable value)	Used when deleting a policy.
void	setExcludeMap(IResolvable value)	Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.
void	setExcludeMap(CfnPolicy.IEMapProperty value)	Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.
void	setExcludeResourceTags(Boolean value)	Used only when tags are specified in the ResourceTags property.
void	setExcludeResourceTags(IResolvable value)	Used only when tags are specified in the ResourceTags property.
void	setIncludeMap(IResolvable value)	Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.
void	setIncludeMap(CfnPolicy.IEMapProperty value)	Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.
void	setPolicyDescription(String value)	Your description of the AWS Firewall Manager policy.
void	setPolicyName(String value)	The name of the AWS Firewall Manager policy.
void	setRemediationEnabled(Boolean value)	Indicates if the policy should be automatically applied to new resources.
void	setRemediationEnabled(IResolvable value)	Indicates if the policy should be automatically applied to new resources.
void	setResourcesCleanUp(Boolean value)	Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
void	setResourcesCleanUp(IResolvable value)	Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.
void	setResourceSetIds(List<String> value)	The unique identifiers of the resource sets used by the policy.
void	setResourceTagLogicalOperator(String value)	Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.
void	setResourceTags(List<Object> value)	An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
void	setResourceTags(IResolvable value)	An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.
void	setResourceType(String value)	The type of resource protected by or in scope of the policy.
void	setResourceTypeList(List<String> value)	An array of ResourceType objects.
void	setSecurityServicePolicyData(IResolvable value)	Details about the security service that is being used to protect the resources.
void	setSecurityServicePolicyData(CfnPolicy.SecurityServicePolicyDataProperty value)	Details about the security service that is being used to protect the resources.
void	setTags(List<CfnPolicy.PolicyTagProperty> value)	A collection of key:value pairs associated with an AWS resource.

Methods inherited from class software.amazon.awscdk.CfnResource

addDeletionOverride, addDependency, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, getUpdatedProperties, isCfnResource, obtainDependencies, obtainResourceDependencies, removeDependency, replaceDependency, shouldSynthesize, toString, validateProperties

Methods inherited from class software.amazon.awscdk.CfnRefElement

getRef

Methods inherited from class software.amazon.awscdk.CfnElement

getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId

Methods inherited from class software.constructs.Construct

getNode, isConstruct

Methods inherited from class software.amazon.jsii.JsiiObject

jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface software.constructs.IConstruct

getNode

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Field Details

CFN_RESOURCE_TYPE_NAME

@Stability(Stable)
public static final String CFN_RESOURCE_TYPE_NAME

The CloudFormation resource type name for this resource class.

Constructor Details

CfnPolicy

protected CfnPolicy(software.amazon.jsii.JsiiObjectRef objRef)

CfnPolicy

protected CfnPolicy(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

CfnPolicy

@Stability(Stable)
public CfnPolicy(@NotNull
 software.constructs.Construct scope,
 @NotNull
 String id,
 @NotNull
 CfnPolicyProps props)

Parameters:

scope - Scope in which this resource is defined. This parameter is required.

id - Construct identifier for this resource (unique in its scope). This parameter is required.

props - Resource properties. This parameter is required.

Method Details

inspect

@Stability(Stable)
public void inspect(@NotNull
 TreeInspector inspector)

Examines the CloudFormation resource and discloses attributes.

Specified by:

inspect in interface IInspectable

Parameters:

inspector - tree inspector to collect and process attributes. This parameter is required.

renderProperties

@Stability(Stable)
@NotNull
protected Map<String,Object> renderProperties(@NotNull
 Map<String,Object> props)

Overrides:

renderProperties in class CfnResource

Parameters:

props - This parameter is required.

getAttrArn

@Stability(Stable)
@NotNull
public String getAttrArn()

The Amazon Resource Name (ARN) of the policy.

getAttrId

@Stability(Stable)
@NotNull
public String getAttrId()

The ID of the policy.

getCdkTagManager

@Stability(Stable)
@NotNull
public TagManager getCdkTagManager()

Tag Manager which manages the tags for this resource.

Specified by:

getCdkTagManager in interface ITaggableV2

getCfnProperties

@Stability(Stable)
@NotNull
protected Map<String,Object> getCfnProperties()

Overrides:

getCfnProperties in class CfnResource

getPolicyRef

@Stability(Stable)
@NotNull
public PolicyReference getPolicyRef()

A reference to a Policy resource.

Specified by:

getPolicyRef in interface IPolicyRef

getExcludeResourceTags

@Stability(Stable)
@NotNull
public Object getExcludeResourceTags()

Used only when tags are specified in the ResourceTags property.

setExcludeResourceTags

@Stability(Stable)
public void setExcludeResourceTags(@NotNull
 Boolean value)

Used only when tags are specified in the ResourceTags property.

setExcludeResourceTags

@Stability(Stable)
public void setExcludeResourceTags(@NotNull
 IResolvable value)

Used only when tags are specified in the ResourceTags property.

getPolicyName

@Stability(Stable)
@NotNull
public String getPolicyName()

The name of the AWS Firewall Manager policy.

setPolicyName

@Stability(Stable)
public void setPolicyName(@NotNull
 String value)

The name of the AWS Firewall Manager policy.

getRemediationEnabled

@Stability(Stable)
@NotNull
public Object getRemediationEnabled()

Indicates if the policy should be automatically applied to new resources.

setRemediationEnabled

@Stability(Stable)
public void setRemediationEnabled(@NotNull
 Boolean value)

Indicates if the policy should be automatically applied to new resources.

setRemediationEnabled

@Stability(Stable)
public void setRemediationEnabled(@NotNull
 IResolvable value)

Indicates if the policy should be automatically applied to new resources.

getSecurityServicePolicyData

@Stability(Stable)
@NotNull
public Object getSecurityServicePolicyData()

Details about the security service that is being used to protect the resources.

setSecurityServicePolicyData

@Stability(Stable)
public void setSecurityServicePolicyData(@NotNull
 IResolvable value)

Details about the security service that is being used to protect the resources.

setSecurityServicePolicyData

@Stability(Stable)
public void setSecurityServicePolicyData(@NotNull
 CfnPolicy.SecurityServicePolicyDataProperty value)

Details about the security service that is being used to protect the resources.

getDeleteAllPolicyResources

@Stability(Stable)
@Nullable
public Object getDeleteAllPolicyResources()

Used when deleting a policy.

If true , Firewall Manager performs cleanup according to the policy type.

setDeleteAllPolicyResources

@Stability(Stable)
public void setDeleteAllPolicyResources(@Nullable
 Boolean value)

Used when deleting a policy.

If true , Firewall Manager performs cleanup according to the policy type.

setDeleteAllPolicyResources

@Stability(Stable)
public void setDeleteAllPolicyResources(@Nullable
 IResolvable value)

Used when deleting a policy.

If true , Firewall Manager performs cleanup according to the policy type.

getExcludeMap

@Stability(Stable)
@Nullable
public Object getExcludeMap()

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

setExcludeMap

@Stability(Stable)
public void setExcludeMap(@Nullable
 IResolvable value)

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

setExcludeMap

@Stability(Stable)
public void setExcludeMap(@Nullable
 CfnPolicy.IEMapProperty value)

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy.

getIncludeMap

@Stability(Stable)
@Nullable
public Object getIncludeMap()

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

setIncludeMap

@Stability(Stable)
public void setIncludeMap(@Nullable
 IResolvable value)

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

setIncludeMap

@Stability(Stable)
public void setIncludeMap(@Nullable
 CfnPolicy.IEMapProperty value)

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy.

getPolicyDescription

@Stability(Stable)
@Nullable
public String getPolicyDescription()

Your description of the AWS Firewall Manager policy.

setPolicyDescription

@Stability(Stable)
public void setPolicyDescription(@Nullable
 String value)

Your description of the AWS Firewall Manager policy.

getResourcesCleanUp

@Stability(Stable)
@Nullable
public Object getResourcesCleanUp()

Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

setResourcesCleanUp

@Stability(Stable)
public void setResourcesCleanUp(@Nullable
 Boolean value)

Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

setResourcesCleanUp

@Stability(Stable)
public void setResourcesCleanUp(@Nullable
 IResolvable value)

Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope.

getResourceSetIds

@Stability(Stable)
@Nullable
public List<String> getResourceSetIds()

The unique identifiers of the resource sets used by the policy.

setResourceSetIds

@Stability(Stable)
public void setResourceSetIds(@Nullable
 List<String> value)

The unique identifiers of the resource sets used by the policy.

getResourceTagLogicalOperator

@Stability(Stable)
@Nullable
public String getResourceTagLogicalOperator()

Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.

setResourceTagLogicalOperator

@Stability(Stable)
public void setResourceTagLogicalOperator(@Nullable
 String value)

Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.

getResourceTags

@Stability(Stable)
@Nullable
public Object getResourceTags()

An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

setResourceTags

@Stability(Stable)
public void setResourceTags(@Nullable
 IResolvable value)

An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

setResourceTags

@Stability(Stable)
public void setResourceTags(@Nullable
 List<Object> value)

An array of ResourceTag objects, used to explicitly include resources in the policy scope or explicitly exclude them.

getResourceType

@Stability(Stable)
@Nullable
public String getResourceType()

The type of resource protected by or in scope of the policy.

setResourceType

@Stability(Stable)
public void setResourceType(@Nullable
 String value)

The type of resource protected by or in scope of the policy.

getResourceTypeList

@Stability(Stable)
@Nullable
public List<String> getResourceTypeList()

An array of ResourceType objects.

setResourceTypeList

@Stability(Stable)
public void setResourceTypeList(@Nullable
 List<String> value)

An array of ResourceType objects.

getTags

@Stability(Stable)
@Nullable
public List<CfnPolicy.PolicyTagProperty> getTags()

A collection of key:value pairs associated with an AWS resource.

setTags

@Stability(Stable)
public void setTags(@Nullable
 List<CfnPolicy.PolicyTagProperty> value)

A collection of key:value pairs associated with an AWS resource.