CfnTLSInspectionConfigurationPropsMixin

class aws_cdk.mixins_preview.aws_networkfirewall.mixins.CfnTLSInspectionConfigurationPropsMixin(props, *, strategy=None)

Bases: Mixin

The object that defines a TLS inspection configuration.

AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.

To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see Inspecting SSL/TLS traffic with TLS inspection configurations in the AWS Network Firewall Developer Guide.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html

CloudformationResource:

AWS::NetworkFirewall::TLSInspectionConfiguration

Mixin:

true

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import CfnTag
from aws_cdk.mixins_preview import mixins
from aws_cdk.mixins_preview.aws_networkfirewall import mixins as networkfirewall_mixins

cfn_tLSInspection_configuration_props_mixin = networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin(
    networkfirewall_mixins.CfnTLSInspectionConfigurationMixinProps(
        description="description",
        tags=[CfnTag(
            key="key",
            value="value"
        )],
        tls_inspection_configuration=networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.TLSInspectionConfigurationProperty(
            server_certificate_configurations=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateConfigurationProperty(
                certificate_authority_arn="certificateAuthorityArn",
                check_certificate_revocation_status=networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.CheckCertificateRevocationStatusProperty(
                    revoked_status_action="revokedStatusAction",
                    unknown_status_action="unknownStatusAction"
                ),
                scopes=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateScopeProperty(
                    destination_ports=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
                        from_port=123,
                        to_port=123
                    )],
                    destinations=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
                        address_definition="addressDefinition"
                    )],
                    protocols=[123],
                    source_ports=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
                        from_port=123,
                        to_port=123
                    )],
                    sources=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
                        address_definition="addressDefinition"
                    )]
                )],
                server_certificates=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateProperty(
                    resource_arn="resourceArn"
                )]
            )]
        ),
        tls_inspection_configuration_name="tlsInspectionConfigurationName"
    ),
    strategy=mixins.PropertyMergeStrategy.OVERRIDE
)

Create a mixin to apply properties to AWS::NetworkFirewall::TLSInspectionConfiguration.

Parameters:

Methods

apply_to(construct)

Apply the mixin properties to the construct.

Parameters:

construct (IConstruct)

Return type:

IConstruct

supports(construct)

Check if this mixin supports the given construct.

Parameters:

construct (IConstruct)

Return type:

bool

Attributes

CFN_PROPERTY_KEYS = ['description', 'tags', 'tlsInspectionConfiguration', 'tlsInspectionConfigurationName']

Static Methods

classmethod is_mixin(x)

(experimental) Checks if x is a Mixin.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Mixin.

Stability:

experimental

AddressProperty

class CfnTLSInspectionConfigurationPropsMixin.AddressProperty(*, address_definition=None)

Bases: object

A single IP address specification.

This is used in the MatchAttributes source and destination settings.

Parameters:

address_definition (Optional[str]) – Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. Examples: - To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32. - To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24. - To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128. - To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64. For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-address.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_networkfirewall import mixins as networkfirewall_mixins

address_property = networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
    address_definition="addressDefinition"
)

Attributes

address_definition

Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.

Network Firewall supports all address ranges for IPv4 and IPv6.

Examples:

  • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

  • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

  • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

  • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-address.html#cfn-networkfirewall-tlsinspectionconfiguration-address-addressdefinition

CheckCertificateRevocationStatusProperty

class CfnTLSInspectionConfigurationPropsMixin.CheckCertificateRevocationStatusProperty(*, revoked_status_action=None, unknown_status_action=None)

Bases: object

When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unknown status.

If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a CertificateAuthorityArn in ServerCertificateConfiguration.

Parameters:
  • revoked_status_action (Optional[str]) – Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has a revoked status. - PASS - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection. - DROP - Network Firewall closes the connection and drops subsequent packets for that connection. - REJECT - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. REJECT is available only for TCP traffic.

  • unknown_status_action (Optional[str]) – Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has an unknown status, or a status that cannot be determined for any other reason, including when the service is unable to connect to the OCSP and CRL endpoints for the certificate. - PASS - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection. - DROP - Network Firewall closes the connection and drops subsequent packets for that connection. - REJECT - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. REJECT is available only for TCP traffic.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_networkfirewall import mixins as networkfirewall_mixins

check_certificate_revocation_status_property = networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.CheckCertificateRevocationStatusProperty(
    revoked_status_action="revokedStatusAction",
    unknown_status_action="unknownStatusAction"
)

Attributes

revoked_status_action

Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has a revoked status.

  • PASS - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection.

  • DROP - Network Firewall closes the connection and drops subsequent packets for that connection.

  • REJECT - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. REJECT is available only for TCP traffic.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus.html#cfn-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-revokedstatusaction

unknown_status_action

Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has an unknown status, or a status that cannot be determined for any other reason, including when the service is unable to connect to the OCSP and CRL endpoints for the certificate.

  • PASS - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection.

  • DROP - Network Firewall closes the connection and drops subsequent packets for that connection.

  • REJECT - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. REJECT is available only for TCP traffic.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus.html#cfn-networkfirewall-tlsinspectionconfiguration-checkcertificaterevocationstatus-unknownstatusaction

PortRangeProperty

class CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(*, from_port=None, to_port=None)

Bases: object

A single port range specification.

This is used for source and destination port ranges in the stateless rule MatchAttributes, SourcePorts, and DestinationPorts settings.

Parameters:
  • from_port (Union[int, float, None]) – The lower limit of the port range. This must be less than or equal to the ToPort specification.

  • to_port (Union[int, float, None]) – The upper limit of the port range. This must be greater than or equal to the FromPort specification.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-portrange.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_networkfirewall import mixins as networkfirewall_mixins

port_range_property = networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
    from_port=123,
    to_port=123
)

Attributes

from_port

The lower limit of the port range.

This must be less than or equal to the ToPort specification.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-portrange.html#cfn-networkfirewall-tlsinspectionconfiguration-portrange-fromport

to_port

The upper limit of the port range.

This must be greater than or equal to the FromPort specification.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-portrange.html#cfn-networkfirewall-tlsinspectionconfiguration-portrange-toport

ServerCertificateConfigurationProperty

class CfnTLSInspectionConfigurationPropsMixin.ServerCertificateConfigurationProperty(*, certificate_authority_arn=None, check_certificate_revocation_status=None, scopes=None, server_certificates=None)

Bases: object

Configures the Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a TLSInspectionConfiguration. You can configure ServerCertificates for inbound SSL/TLS inspection, a CertificateAuthorityArn for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see Using SSL/TLS server certificates with TLS inspection configurations in the AWS Network Firewall Developer Guide.

If a server certificate that’s associated with your TLSInspectionConfiguration is revoked, deleted, or expired, it can result in client-side TLS errors.

Parameters:
  • certificate_authority_arn (Optional[str]) – The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within Certificate Manager (ACM) to use for outbound SSL/TLS inspection. The following limitations apply: - You can use CA certificates that you imported into ACM, but you can’t generate CA certificates with ACM. - You can’t use certificates issued by Private Certificate Authority. For more information about configuring certificates for outbound inspection, see Using SSL/TLS certificates with TLS inspection configurations in the AWS Network Firewall Developer Guide. For information about working with certificates in ACM, see Importing certificates in the Certificate Manager User Guide.

  • check_certificate_revocation_status (Union[IResolvable, CheckCertificateRevocationStatusProperty, Dict[str, Any], None]) – When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unknown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a CertificateAuthorityArn in ServerCertificateConfiguration.

  • scopes (Union[IResolvable, Sequence[Union[IResolvable, ServerCertificateScopeProperty, Dict[str, Any]]], None]) – A list of scopes.

  • server_certificates (Union[IResolvable, Sequence[Union[IResolvable, ServerCertificateProperty, Dict[str, Any]]], None]) – The list of server certificates to use for inbound SSL/TLS inspection.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_networkfirewall import mixins as networkfirewall_mixins

server_certificate_configuration_property = networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateConfigurationProperty(
    certificate_authority_arn="certificateAuthorityArn",
    check_certificate_revocation_status=networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.CheckCertificateRevocationStatusProperty(
        revoked_status_action="revokedStatusAction",
        unknown_status_action="unknownStatusAction"
    ),
    scopes=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateScopeProperty(
        destination_ports=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
            from_port=123,
            to_port=123
        )],
        destinations=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
            address_definition="addressDefinition"
        )],
        protocols=[123],
        source_ports=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
            from_port=123,
            to_port=123
        )],
        sources=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
            address_definition="addressDefinition"
        )]
    )],
    server_certificates=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateProperty(
        resource_arn="resourceArn"
    )]
)

Attributes

certificate_authority_arn

The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within Certificate Manager (ACM) to use for outbound SSL/TLS inspection.

The following limitations apply:

  • You can use CA certificates that you imported into ACM, but you can’t generate CA certificates with ACM.

  • You can’t use certificates issued by Private Certificate Authority.

For more information about configuring certificates for outbound inspection, see Using SSL/TLS certificates with TLS inspection configurations in the AWS Network Firewall Developer Guide.

For information about working with certificates in ACM, see Importing certificates in the Certificate Manager User Guide.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-certificateauthorityarn

check_certificate_revocation_status

When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unknown status.

If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a CertificateAuthorityArn in ServerCertificateConfiguration.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-checkcertificaterevocationstatus

scopes

A list of scopes.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-scopes

server_certificates

The list of server certificates to use for inbound SSL/TLS inspection.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration-servercertificates

ServerCertificateProperty

class CfnTLSInspectionConfigurationPropsMixin.ServerCertificateProperty(*, resource_arn=None)

Bases: object

Any Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that’s associated with a ServerCertificateConfiguration. Used in a TLSInspectionConfiguration for inspection of inbound traffic to your firewall. You must request or import an SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in Certificate Manager, see Request a public certificate or Importing certificates in the Certificate Manager User Guide.

Parameters:

resource_arn (Optional[str]) – The Amazon Resource Name (ARN) of the Certificate Manager SSL/TLS server certificate that’s used for inbound SSL/TLS inspection.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificate.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_networkfirewall import mixins as networkfirewall_mixins

server_certificate_property = networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateProperty(
    resource_arn="resourceArn"
)

Attributes

resource_arn

The Amazon Resource Name (ARN) of the Certificate Manager SSL/TLS server certificate that’s used for inbound SSL/TLS inspection.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificate.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificate-resourcearn

ServerCertificateScopeProperty

class CfnTLSInspectionConfigurationPropsMixin.ServerCertificateScopeProperty(*, destination_ports=None, destinations=None, protocols=None, source_ports=None, sources=None)

Bases: object

Settings that define the Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic that Network Firewall should decrypt for inspection by the stateful rule engine.

Parameters:
  • destination_ports (Union[IResolvable, Sequence[Union[IResolvable, PortRangeProperty, Dict[str, Any]]], None]) – The destination ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any destination port. You can specify individual ports, for example 1994, and you can specify port ranges, such as 1990:1994.

  • destinations (Union[IResolvable, Sequence[Union[IResolvable, AddressProperty, Dict[str, Any]]], None]) – The destination IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this matches with any destination address.

  • protocols (Union[Sequence[Union[int, float]], IResolvable, None]) – The protocols to inspect for, specified using the assigned internet protocol number (IANA) for each protocol. If not specified, this matches with any protocol. Network Firewall currently supports only TCP.

  • source_ports (Union[IResolvable, Sequence[Union[IResolvable, PortRangeProperty, Dict[str, Any]]], None]) – The source ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any source port. You can specify individual ports, for example 1994, and you can specify port ranges, such as 1990:1994.

  • sources (Union[IResolvable, Sequence[Union[IResolvable, AddressProperty, Dict[str, Any]]], None]) – The source IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this matches with any source address.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_networkfirewall import mixins as networkfirewall_mixins

server_certificate_scope_property = networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateScopeProperty(
    destination_ports=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
        from_port=123,
        to_port=123
    )],
    destinations=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
        address_definition="addressDefinition"
    )],
    protocols=[123],
    source_ports=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
        from_port=123,
        to_port=123
    )],
    sources=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
        address_definition="addressDefinition"
    )]
)

Attributes

destination_ports

The destination ports to decrypt for inspection, in Transmission Control Protocol (TCP) format.

If not specified, this matches with any destination port.

You can specify individual ports, for example 1994, and you can specify port ranges, such as 1990:1994.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-destinationports

destinations

The destination IP addresses and address ranges to decrypt for inspection, in CIDR notation.

If not specified, this matches with any destination address.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-destinations

protocols

The protocols to inspect for, specified using the assigned internet protocol number (IANA) for each protocol.

If not specified, this matches with any protocol.

Network Firewall currently supports only TCP.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-protocols

source_ports

The source ports to decrypt for inspection, in Transmission Control Protocol (TCP) format.

If not specified, this matches with any source port.

You can specify individual ports, for example 1994, and you can specify port ranges, such as 1990:1994.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-sourceports

sources

The source IP addresses and address ranges to decrypt for inspection, in CIDR notation.

If not specified, this matches with any source address.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificatescope.html#cfn-networkfirewall-tlsinspectionconfiguration-servercertificatescope-sources

TLSInspectionConfigurationProperty

class CfnTLSInspectionConfigurationPropsMixin.TLSInspectionConfigurationProperty(*, server_certificate_configurations=None)

Bases: object

The object that defines a TLS inspection configuration.

AWS Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination.

To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see Inspecting SSL/TLS traffic with TLS inspection configurations in the AWS Network Firewall Developer Guide.

Parameters:

server_certificate_configurations (Union[IResolvable, Sequence[Union[IResolvable, ServerCertificateConfigurationProperty, Dict[str, Any]]], None]) – Lists the server certificate configurations that are associated with the TLS configuration.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_networkfirewall import mixins as networkfirewall_mixins

t_lSInspection_configuration_property = networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.TLSInspectionConfigurationProperty(
    server_certificate_configurations=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateConfigurationProperty(
        certificate_authority_arn="certificateAuthorityArn",
        check_certificate_revocation_status=networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.CheckCertificateRevocationStatusProperty(
            revoked_status_action="revokedStatusAction",
            unknown_status_action="unknownStatusAction"
        ),
        scopes=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateScopeProperty(
            destination_ports=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
                from_port=123,
                to_port=123
            )],
            destinations=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
                address_definition="addressDefinition"
            )],
            protocols=[123],
            source_ports=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.PortRangeProperty(
                from_port=123,
                to_port=123
            )],
            sources=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.AddressProperty(
                address_definition="addressDefinition"
            )]
        )],
        server_certificates=[networkfirewall_mixins.CfnTLSInspectionConfigurationPropsMixin.ServerCertificateProperty(
            resource_arn="resourceArn"
        )]
    )]
)

Attributes

server_certificate_configurations

Lists the server certificate configurations that are associated with the TLS configuration.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration.html#cfn-networkfirewall-tlsinspectionconfiguration-tlsinspectionconfiguration-servercertificateconfigurations