CfnFirewallRuleGroupPropsMixin
- class aws_cdk.mixins_preview.aws_route53resolver.mixins.CfnFirewallRuleGroupPropsMixin(props, *, strategy=None)
Bases: Mixin
High-level information for a firewall rule group.
A firewall rule group is a collection of rules that DNS Firewall uses to filter DNS network traffic for a VPC. To retrieve the rules for the rule group, call ListFirewallRules.
- CloudformationResource:
AWS::Route53Resolver::FirewallRuleGroup
- Mixin:
true
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import CfnTag
from aws_cdk.mixins_preview import mixins
from aws_cdk.mixins_preview.aws_route53resolver import mixins as route53resolver_mixins

cfn_firewall_rule_group_props_mixin = route53resolver_mixins.CfnFirewallRuleGroupPropsMixin(
    route53resolver_mixins.CfnFirewallRuleGroupMixinProps(
        firewall_rules=[route53resolver_mixins.CfnFirewallRuleGroupPropsMixin.FirewallRuleProperty(
            action="action",
            block_override_dns_type="blockOverrideDnsType",
            block_override_domain="blockOverrideDomain",
            block_override_ttl=123,
            block_response="blockResponse",
            confidence_threshold="confidenceThreshold",
            dns_threat_protection="dnsThreatProtection",
            firewall_domain_list_id="firewallDomainListId",
            firewall_domain_redirection_action="firewallDomainRedirectionAction",
            firewall_threat_protection_id="firewallThreatProtectionId",
            priority=123,
            qtype="qtype"
        )],
        name="name",
        tags=[CfnTag(
            key="key",
            value="value"
        )]
    ),
    strategy=mixins.PropertyMergeStrategy.OVERRIDE
)
Create a mixin to apply properties to AWS::Route53Resolver::FirewallRuleGroup.
- Parameters:
  - props (Union[CfnFirewallRuleGroupMixinProps, Dict[str, Any]]) – L1 properties to apply.
  - strategy (Optional[PropertyMergeStrategy]) – (experimental) Strategy for merging nested properties. Default: PropertyMergeStrategy.MERGE
Methods
- apply_to(construct)
  Apply the mixin properties to the construct.
  - Parameters:
    - construct (IConstruct)
- supports(construct)
  Check if this mixin supports the given construct.
  - Parameters:
    - construct (IConstruct)
  - Return type:
    bool
Attributes
- CFN_PROPERTY_KEYS = ['firewallRules', 'name', 'tags']
Static Methods
- classmethod is_mixin(x)
  (experimental) Checks if x is a Mixin.
  - Parameters:
    - x (Any) – Any object.
  - Return type:
    bool
  - Returns:
    true if x is an object created from a class which extends Mixin.
  - Stability:
    experimental
FirewallRuleProperty
- class CfnFirewallRuleGroupPropsMixin.FirewallRuleProperty(*, action=None, block_override_dns_type=None, block_override_domain=None, block_override_ttl=None, block_response=None, confidence_threshold=None, dns_threat_protection=None, firewall_domain_list_id=None, firewall_domain_redirection_action=None, firewall_threat_protection_id=None, priority=None, qtype=None)
Bases: object
A single firewall rule in a rule group.
- Parameters:
  - action (Optional[str]) – The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
    - ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
    - ALERT - Permit the request to go through but send an alert to the logs.
    - BLOCK - Disallow the request. If this is specified, then BlockResponse must also be specified. If BlockResponse is OVERRIDE, then all of the following OVERRIDE attributes must be specified: BlockOverrideDnsType, BlockOverrideDomain, BlockOverrideTtl.
  - block_override_dns_type (Optional[str]) – The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
  - block_override_domain (Optional[str]) – The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
  - block_override_ttl (Union[int, float, None]) – The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
  - block_response (Optional[str]) – The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
    - NODATA - Respond indicating that the query was successful, but no response is available for it.
    - NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
    - OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
  - confidence_threshold (Optional[str]) – The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
    - LOW: Provides the highest detection rate for threats, but also increases false positives.
    - MEDIUM: Provides a balance between detecting threats and false positives.
    - HIGH: Detects only the most well corroborated threats with a low rate of false positives.
  - dns_threat_protection (Optional[str]) – The type of the DNS Firewall Advanced rule. Valid values are:
    - DGA: Domain generation algorithm detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
    - DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
  - firewall_domain_list_id (Optional[str]) – The ID of the domain list that's used in the rule.
  - firewall_domain_redirection_action (Optional[str]) – How you want the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. Inspect_Redirection_Domain (default) inspects all domains in the redirection chain; the individual domains in the redirection chain must be added to the domain list. Trust_Redirection_Domain inspects only the first domain in the redirection chain; you don't need to add the subsequent domains in the redirection chain to the domain list.
  - firewall_threat_protection_id (Optional[str]) – ID of the DNS Firewall Advanced rule.
  - priority (Union[int, float, None]) – The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
  - qtype (Optional[str]) – The DNS query type you want the rule to evaluate. Allowed values are:
    - A: Returns an IPv4 address.
    - AAAA: Returns an IPv6 address.
    - CAA: Restricts CAs that can create SSL/TLS certificates for the domain.
    - CNAME: Returns another domain name.
    - DS: Record that identifies the DNSSEC signing key of a delegated zone.
    - MX: Specifies mail servers.
    - NAPTR: Regular-expression-based rewriting of domain names.
    - NS: Authoritative name servers.
    - PTR: Maps an IP address to a domain name.
    - SOA: Start of authority record for the zone.
    - SPF: Lists the servers authorized to send emails from a domain.
    - SRV: Application-specific values that identify servers.
    - TXT: Verifies email senders and application-specific values.
    - A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where NUMBER can be 1-65334, for example TYPE28. For more information, see List of DNS record types.
- ExampleMetadata:
  fixture=_generated
Example:
# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_route53resolver import mixins as route53resolver_mixins

firewall_rule_property = route53resolver_mixins.CfnFirewallRuleGroupPropsMixin.FirewallRuleProperty(
    action="action",
    block_override_dns_type="blockOverrideDnsType",
    block_override_domain="blockOverrideDomain",
    block_override_ttl=123,
    block_response="blockResponse",
    confidence_threshold="confidenceThreshold",
    dns_threat_protection="dnsThreatProtection",
    firewall_domain_list_id="firewallDomainListId",
    firewall_domain_redirection_action="firewallDomainRedirectionAction",
    firewall_threat_protection_id="firewallThreatProtectionId",
    priority=123,
    qtype="qtype"
)
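The property docs above state several cross-field constraints (BLOCK needs a BlockResponse, OVERRIDE needs all three BlockOverride* values, Advanced rules need a confidence threshold and cannot ALLOW, priorities must be unique, qtype must be a listed type or TYPENUMBER in 1-65334). The following is an added stand-alone checker for those constraints, not code from aws_cdk.mixins_preview; it works on plain dicts keyed by the CloudFormation property names, and the domain-list IDs in the sample rules are constructed placeholders.

```python
import re

# Added checker for the FirewallRuleProperty constraints; not part of aws_cdk.mixins_preview.
QTYPES = {"A", "AAAA", "CAA", "CNAME", "DS", "MX", "NAPTR", "NS", "PTR", "SOA", "SPF", "SRV", "TXT"}
CUSTOM_QTYPE = re.compile(r"^TYPE([1-9][0-9]*)$")  # TYPENUMBER form, e.g. TYPE28 for AAAA

def validate_rule(rule):
    """Return the list of problems with one rule (empty list means the rule is consistent)."""
    problems = []
    action = rule.get("action")
    advanced = "dnsThreatProtection" in rule or "firewallThreatProtectionId" in rule
    if action not in {"ALLOW", "ALERT", "BLOCK"}:
        problems.append(f"unknown action {action!r}")
    if action == "ALLOW" and advanced:
        problems.append("ALLOW is not available for DNS Firewall Advanced rules")
    if advanced and "confidenceThreshold" not in rule:
        problems.append("DNS Firewall Advanced rules require confidenceThreshold")
    if action == "BLOCK":
        resp = rule.get("blockResponse")
        if resp not in {"NODATA", "NXDOMAIN", "OVERRIDE"}:
            problems.append("BLOCK requires blockResponse NODATA, NXDOMAIN or OVERRIDE")
        elif resp == "OVERRIDE":  # all three override attributes must be present
            for key in ("blockOverrideDnsType", "blockOverrideDomain", "blockOverrideTtl"):
                if key not in rule:
                    problems.append(f"OVERRIDE requires {key}")
    qtype = rule.get("qtype")
    if qtype is not None and qtype not in QTYPES:
        m = CUSTOM_QTYPE.match(qtype)
        if not m or not 1 <= int(m.group(1)) <= 65334:
            problems.append(f"qtype {qtype!r} is neither a listed type nor TYPE1..TYPE65334")
    return problems

def validate_rule_group(rules):
    """Validate each rule plus the group-wide requirement that priorities are unique."""
    problems, seen = {}, {}
    for i, rule in enumerate(rules):
        issues = validate_rule(rule)
        prio = rule.get("priority")
        if prio in seen:
            issues.append(f"priority {prio} already used by rule {seen[prio]}")
        seen.setdefault(prio, i)
        if issues:
            problems[i] = issues
    return problems

# Constructed sample rules; the domain-list IDs are placeholders, not real resources.
SAMPLE_RULES = [
    {"action": "BLOCK", "blockResponse": "NXDOMAIN", "firewallDomainListId": "domain-list-id-placeholder-1", "priority": 100},
    {"action": "ALERT", "firewallDomainListId": "domain-list-id-placeholder-2", "priority": 200, "qtype": "TYPE28"},
    {"action": "BLOCK", "blockResponse": "OVERRIDE", "blockOverrideDomain": "sinkhole.example", "priority": 100},
]
```

Running validate_rule_group(SAMPLE_RULES) flags only the third rule: two missing override attributes and a duplicate priority.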
Attributes
- action
  The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
  - ALLOW - Permit the request to go through. Not available for DNS Firewall Advanced rules.
  - ALERT - Permit the request to go through but send an alert to the logs.
  - BLOCK - Disallow the request. If this is specified, then BlockResponse must also be specified. If BlockResponse is OVERRIDE, then all of the following OVERRIDE attributes must be specified: BlockOverrideDnsType, BlockOverrideDomain, BlockOverrideTtl.
- block_override_dns_type
  The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
- block_override_domain
  The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
- block_override_ttl
  The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
- block_response
  The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
  - NODATA - Respond indicating that the query was successful, but no response is available for it.
  - NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
  - OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
- confidence_threshold
  The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:
  - LOW: Provides the highest detection rate for threats, but also increases false positives.
  - MEDIUM: Provides a balance between detecting threats and false positives.
  - HIGH: Detects only the most well corroborated threats with a low rate of false positives.
- dns_threat_protection
  The type of the DNS Firewall Advanced rule. Valid values are:
  - DGA: Domain generation algorithm detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
  - DNS_TUNNELING: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client.
- firewall_domain_list_id
  The ID of the domain list that's used in the rule.
- firewall_domain_redirection_action
  How you want the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
  Inspect_Redirection_Domain (default) inspects all domains in the redirection chain; the individual domains in the redirection chain must be added to the domain list. Trust_Redirection_Domain inspects only the first domain in the redirection chain; you don't need to add the subsequent domains in the redirection chain to the domain list.
- firewall_threat_protection_id
  ID of the DNS Firewall Advanced rule.
- priority
  The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
- qtype
  The DNS query type you want the rule to evaluate. Allowed values are:
  - A: Returns an IPv4 address.
  - AAAA: Returns an IPv6 address.
  - CAA: Restricts CAs that can create SSL/TLS certificates for the domain.
  - CNAME: Returns another domain name.
  - DS: Record that identifies the DNSSEC signing key of a delegated zone.
  - MX: Specifies mail servers.
  - NAPTR: Regular-expression-based rewriting of domain names.
  - NS: Authoritative name servers.
  - PTR: Maps an IP address to a domain name.
  - SOA: Start of authority record for the zone.
  - SPF: Lists the servers authorized to send emails from a domain.
  - SRV: Application-specific values that identify servers.
  - TXT: Verifies email senders and application-specific values.
  - A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where NUMBER can be 1-65334, for example TYPE28. For more information, see List of DNS record types.