

# Data Types


The AWS Firewall Manager API contains several data types that various actions use. This section describes each data type in detail.

**Note**  
The order of each element in a data type structure is not guaranteed. Applications should not assume a particular order.

The following data types are supported:
+  [AccountScope](API_AccountScope.md) 
+  [ActionTarget](API_ActionTarget.md) 
+  [AdminAccountSummary](API_AdminAccountSummary.md) 
+  [AdminScope](API_AdminScope.md) 
+  [App](API_App.md) 
+  [AppsListData](API_AppsListData.md) 
+  [AppsListDataSummary](API_AppsListDataSummary.md) 
+  [AwsEc2InstanceViolation](API_AwsEc2InstanceViolation.md) 
+  [AwsEc2NetworkInterfaceViolation](API_AwsEc2NetworkInterfaceViolation.md) 
+  [AwsVPCSecurityGroupViolation](API_AwsVPCSecurityGroupViolation.md) 
+  [ComplianceViolator](API_ComplianceViolator.md) 
+  [CreateNetworkAclAction](API_CreateNetworkAclAction.md) 
+  [CreateNetworkAclEntriesAction](API_CreateNetworkAclEntriesAction.md) 
+  [DeleteNetworkAclEntriesAction](API_DeleteNetworkAclEntriesAction.md) 
+  [DiscoveredResource](API_DiscoveredResource.md) 
+  [DnsDuplicateRuleGroupViolation](API_DnsDuplicateRuleGroupViolation.md) 
+  [DnsRuleGroupLimitExceededViolation](API_DnsRuleGroupLimitExceededViolation.md) 
+  [DnsRuleGroupPriorityConflictViolation](API_DnsRuleGroupPriorityConflictViolation.md) 
+  [EC2AssociateRouteTableAction](API_EC2AssociateRouteTableAction.md) 
+  [EC2CopyRouteTableAction](API_EC2CopyRouteTableAction.md) 
+  [EC2CreateRouteAction](API_EC2CreateRouteAction.md) 
+  [EC2CreateRouteTableAction](API_EC2CreateRouteTableAction.md) 
+  [EC2DeleteRouteAction](API_EC2DeleteRouteAction.md) 
+  [EC2ReplaceRouteAction](API_EC2ReplaceRouteAction.md) 
+  [EC2ReplaceRouteTableAssociationAction](API_EC2ReplaceRouteTableAssociationAction.md) 
+  [EntryDescription](API_EntryDescription.md) 
+  [EntryViolation](API_EntryViolation.md) 
+  [EvaluationResult](API_EvaluationResult.md) 
+  [ExpectedRoute](API_ExpectedRoute.md) 
+  [FailedItem](API_FailedItem.md) 
+  [FirewallSubnetIsOutOfScopeViolation](API_FirewallSubnetIsOutOfScopeViolation.md) 
+  [FirewallSubnetMissingVPCEndpointViolation](API_FirewallSubnetMissingVPCEndpointViolation.md) 
+  [FMSPolicyUpdateFirewallCreationConfigAction](API_FMSPolicyUpdateFirewallCreationConfigAction.md) 
+  [InvalidNetworkAclEntriesViolation](API_InvalidNetworkAclEntriesViolation.md) 
+  [NetworkAclCommonPolicy](API_NetworkAclCommonPolicy.md) 
+  [NetworkAclEntry](API_NetworkAclEntry.md) 
+  [NetworkAclEntrySet](API_NetworkAclEntrySet.md) 
+  [NetworkAclIcmpTypeCode](API_NetworkAclIcmpTypeCode.md) 
+  [NetworkAclPortRange](API_NetworkAclPortRange.md) 
+  [NetworkFirewallBlackHoleRouteDetectedViolation](API_NetworkFirewallBlackHoleRouteDetectedViolation.md) 
+  [NetworkFirewallInternetTrafficNotInspectedViolation](API_NetworkFirewallInternetTrafficNotInspectedViolation.md) 
+  [NetworkFirewallInvalidRouteConfigurationViolation](API_NetworkFirewallInvalidRouteConfigurationViolation.md) 
+  [NetworkFirewallMissingExpectedRoutesViolation](API_NetworkFirewallMissingExpectedRoutesViolation.md) 
+  [NetworkFirewallMissingExpectedRTViolation](API_NetworkFirewallMissingExpectedRTViolation.md) 
+  [NetworkFirewallMissingFirewallViolation](API_NetworkFirewallMissingFirewallViolation.md) 
+  [NetworkFirewallMissingSubnetViolation](API_NetworkFirewallMissingSubnetViolation.md) 
+  [NetworkFirewallPolicy](API_NetworkFirewallPolicy.md) 
+  [NetworkFirewallPolicyDescription](API_NetworkFirewallPolicyDescription.md) 
+  [NetworkFirewallPolicyModifiedViolation](API_NetworkFirewallPolicyModifiedViolation.md) 
+  [NetworkFirewallStatefulRuleGroupOverride](API_NetworkFirewallStatefulRuleGroupOverride.md) 
+  [NetworkFirewallUnexpectedFirewallRoutesViolation](API_NetworkFirewallUnexpectedFirewallRoutesViolation.md) 
+  [NetworkFirewallUnexpectedGatewayRoutesViolation](API_NetworkFirewallUnexpectedGatewayRoutesViolation.md) 
+  [OrganizationalUnitScope](API_OrganizationalUnitScope.md) 
+  [PartialMatch](API_PartialMatch.md) 
+  [Policy](API_Policy.md) 
+  [PolicyComplianceDetail](API_PolicyComplianceDetail.md) 
+  [PolicyComplianceStatus](API_PolicyComplianceStatus.md) 
+  [PolicyOption](API_PolicyOption.md) 
+  [PolicySummary](API_PolicySummary.md) 
+  [PolicyTypeScope](API_PolicyTypeScope.md) 
+  [PossibleRemediationAction](API_PossibleRemediationAction.md) 
+  [PossibleRemediationActions](API_PossibleRemediationActions.md) 
+  [ProtocolsListData](API_ProtocolsListData.md) 
+  [ProtocolsListDataSummary](API_ProtocolsListDataSummary.md) 
+  [RegionScope](API_RegionScope.md) 
+  [RemediationAction](API_RemediationAction.md) 
+  [RemediationActionWithOrder](API_RemediationActionWithOrder.md) 
+  [ReplaceNetworkAclAssociationAction](API_ReplaceNetworkAclAssociationAction.md) 
+  [Resource](API_Resource.md) 
+  [ResourceSet](API_ResourceSet.md) 
+  [ResourceSetSummary](API_ResourceSetSummary.md) 
+  [ResourceTag](API_ResourceTag.md) 
+  [ResourceViolation](API_ResourceViolation.md) 
+  [Route](API_Route.md) 
+  [RouteHasOutOfScopeEndpointViolation](API_RouteHasOutOfScopeEndpointViolation.md) 
+  [SecurityGroupRemediationAction](API_SecurityGroupRemediationAction.md) 
+  [SecurityGroupRuleDescription](API_SecurityGroupRuleDescription.md) 
+  [SecurityServicePolicyData](API_SecurityServicePolicyData.md) 
+  [StatefulEngineOptions](API_StatefulEngineOptions.md) 
+  [StatefulRuleGroup](API_StatefulRuleGroup.md) 
+  [StatelessRuleGroup](API_StatelessRuleGroup.md) 
+  [Tag](API_Tag.md) 
+  [ThirdPartyFirewallFirewallPolicy](API_ThirdPartyFirewallFirewallPolicy.md) 
+  [ThirdPartyFirewallMissingExpectedRouteTableViolation](API_ThirdPartyFirewallMissingExpectedRouteTableViolation.md) 
+  [ThirdPartyFirewallMissingFirewallViolation](API_ThirdPartyFirewallMissingFirewallViolation.md) 
+  [ThirdPartyFirewallMissingSubnetViolation](API_ThirdPartyFirewallMissingSubnetViolation.md) 
+  [ThirdPartyFirewallPolicy](API_ThirdPartyFirewallPolicy.md) 
+  [ViolationDetail](API_ViolationDetail.md) 
+  [WebACLHasIncompatibleConfigurationViolation](API_WebACLHasIncompatibleConfigurationViolation.md) 
+  [WebACLHasOutOfScopeResourcesViolation](API_WebACLHasOutOfScopeResourcesViolation.md) 

# AccountScope


Configures the accounts within the administrator's AWS Organizations organization that the specified Firewall Manager administrator can apply policies to.

## Contents


 ** Accounts **   <a name="fms-Type-AccountScope-Accounts"></a>
The list of accounts within the organization that the specified Firewall Manager administrator either can or cannot apply policies to, based on the value of `ExcludeSpecifiedAccounts`. If `ExcludeSpecifiedAccounts` is set to `true`, then the Firewall Manager administrator can apply policies to all members of the organization except for the accounts in this list. If `ExcludeSpecifiedAccounts` is set to `false`, then the Firewall Manager administrator can only apply policies to the accounts in this list.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: No

 ** AllAccountsEnabled **   <a name="fms-Type-AccountScope-AllAccountsEnabled"></a>
A boolean value that indicates if the administrator can apply policies to all accounts within an organization. If true, the administrator can apply policies to all accounts within the organization. You can either enable management of all accounts through this operation, or you can specify a list of accounts to manage in `AccountScope$Accounts`. You cannot specify both.  
Type: Boolean  
Required: No

 ** ExcludeSpecifiedAccounts **   <a name="fms-Type-AccountScope-ExcludeSpecifiedAccounts"></a>
A boolean value that excludes the accounts in `AccountScope$Accounts` from the administrator's scope. If true, the Firewall Manager administrator can apply policies to all members of the organization except for the accounts listed in `AccountScope$Accounts`. You can either specify a list of accounts to exclude by `AccountScope$Accounts`, or you can enable management of all accounts by `AccountScope$AllAccountsEnabled`. You cannot specify both.  
Type: Boolean  
Required: No
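
The interaction of the three fields above, as an added example (not part of the AWS documentation or SDKs): it checks an `AccountScope` against the documented constraints and resolves which organization accounts the administrator can reach. The function names, the dict representation and the account IDs are assumptions constructed for illustration; the resolution logic is derived only from the field descriptions on this page.

```python
import re

# Pattern documented for each entry of Accounts (^[0-9]+$). fullmatch() is used
# because Python's "$" would otherwise also accept a trailing newline.
ACCOUNT_ID = re.compile(r"[0-9]+")


def validate_account_scope(scope):
    """Return a list of problems in an AccountScope dict (empty list = consistent)."""
    problems = []
    accounts = scope.get("Accounts") or []
    all_enabled = scope.get("AllAccountsEnabled") is True
    exclude = scope.get("ExcludeSpecifiedAccounts") is True

    for entry in accounts:
        if not isinstance(entry, str) or not 1 <= len(entry) <= 1024:
            problems.append(f"Accounts entry {entry!r}: must be a string of length 1-1024")
        elif not ACCOUNT_ID.fullmatch(entry):
            problems.append(f"Accounts entry {entry!r}: does not match ^[0-9]+$")

    # "You cannot specify both": AllAccountsEnabled excludes the list-based fields.
    if all_enabled and accounts:
        problems.append("AllAccountsEnabled is true and Accounts is also specified")
    if all_enabled and exclude:
        problems.append("AllAccountsEnabled is true and ExcludeSpecifiedAccounts is also true")
    return problems


def effective_accounts(scope, org_accounts):
    """Resolve the set of organization accounts the administrator can apply policies to."""
    problems = validate_account_scope(scope)
    if problems:
        raise ValueError("; ".join(problems))
    org = set(org_accounts)
    listed = set(scope.get("Accounts") or [])
    if scope.get("AllAccountsEnabled") is True:
        return org                 # every member of the organization
    if scope.get("ExcludeSpecifiedAccounts") is True:
        return org - listed        # deny-list: everyone except the listed accounts
    return org & listed            # allow-list: only the listed accounts


def scope_growth(scope, org_before, org_after):
    """Accounts that come into scope purely because the organization gained members."""
    return effective_accounts(scope, org_after) - effective_accounts(scope, org_before)


if __name__ == "__main__":
    # Constructed sample data, not real account IDs.
    org = {"111111111111", "222222222222", "333333333333"}
    org_later = org | {"444444444444"}

    allow = {"Accounts": ["111111111111"], "ExcludeSpecifiedAccounts": False}
    deny = {"Accounts": ["111111111111"], "ExcludeSpecifiedAccounts": True}

    print("allow-list scope:", sorted(effective_accounts(allow, org)))
    print("deny-list scope: ", sorted(effective_accounts(deny, org)))
    # A deny-list or AllAccountsEnabled scope widens whenever an account joins
    # the organization; an allow-list scope does not.
    print("allow-list growth:", sorted(scope_growth(allow, org, org_later)))
    print("deny-list growth: ", sorted(scope_growth(deny, org, org_later)))
    print("conflict:", validate_account_scope(
        {"Accounts": ["111111111111"], "AllAccountsEnabled": True}))
```

When reviewing administrator scopes for least privilege, the growth check is the useful part: only the allow-list form keeps the scope fixed as the organization changes.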

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/AccountScope) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/AccountScope) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/AccountScope) 

# ActionTarget


Describes a remediation action target.

## Contents


 ** Description **   <a name="fms-Type-ActionTarget-Description"></a>
A description of the remediation action target.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** ResourceId **   <a name="fms-Type-ActionTarget-ResourceId"></a>
The ID of the remediation target.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ActionTarget) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ActionTarget) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ActionTarget) 

# AdminAccountSummary


Contains high level information about the Firewall Manager administrator account.

## Contents


 ** AdminAccount **   <a name="fms-Type-AdminAccountSummary-AdminAccount"></a>
The AWS account ID of the Firewall Manager administrator's account.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: No

 ** DefaultAdmin **   <a name="fms-Type-AdminAccountSummary-DefaultAdmin"></a>
A boolean value that indicates if the administrator is the default administrator. If true, then this is the default administrator account. The default administrator can manage third-party firewalls and has full administrative scope. There is only one default administrator account per organization. For information about Firewall Manager default administrator accounts, see [Managing Firewall Manager administrators](https://docs.aws.amazon.com/waf/latest/developerguide/fms-administrators.html) in the *Firewall Manager Developer Guide*.  
Type: Boolean  
Required: No

 ** Status **   <a name="fms-Type-AdminAccountSummary-Status"></a>
The current status of the request to onboard a member account as a Firewall Manager administrator.  
+  `ONBOARDING` - The account is onboarding to Firewall Manager as an administrator.
+  `ONBOARDING_COMPLETE` - The account is onboarded to Firewall Manager as an administrator, and can perform actions on the resources defined in their [AdminScope](API_AdminScope.md).
+  `OFFBOARDING` - The account is being removed as a Firewall Manager administrator.
+  `OFFBOARDING_COMPLETE` - The account has been removed as a Firewall Manager administrator.
Type: String  
Valid Values: `ONBOARDING | ONBOARDING_COMPLETE | OFFBOARDING | OFFBOARDING_COMPLETE`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/AdminAccountSummary) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/AdminAccountSummary) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/AdminAccountSummary) 

# AdminScope


Defines the resources that the Firewall Manager administrator can manage. For more information about administrative scope, see [Managing Firewall Manager administrators](https://docs.aws.amazon.com/waf/latest/developerguide/fms-administrators.html) in the *Firewall Manager Developer Guide*.

## Contents


 ** AccountScope **   <a name="fms-Type-AdminScope-AccountScope"></a>
Defines the accounts that the specified Firewall Manager administrator can apply policies to.  
Type: [AccountScope](API_AccountScope.md) object  
Required: No

 ** OrganizationalUnitScope **   <a name="fms-Type-AdminScope-OrganizationalUnitScope"></a>
Defines the AWS Organizations organizational units that the specified Firewall Manager administrator can apply policies to. For more information about OUs in Organizations, see [Managing organizational units (OUs) ](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) in the *Organizations User Guide*.  
Type: [OrganizationalUnitScope](API_OrganizationalUnitScope.md) object  
Required: No

 ** PolicyTypeScope **   <a name="fms-Type-AdminScope-PolicyTypeScope"></a>
Defines the Firewall Manager policy types that the specified Firewall Manager administrator can create and manage.  
Type: [PolicyTypeScope](API_PolicyTypeScope.md) object  
Required: No

 ** RegionScope **   <a name="fms-Type-AdminScope-RegionScope"></a>
Defines the AWS Regions that the specified Firewall Manager administrator can perform actions in.  
Type: [RegionScope](API_RegionScope.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/AdminScope) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/AdminScope) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/AdminScope) 

# App


An individual AWS Firewall Manager application.

## Contents


 ** AppName **   <a name="fms-Type-App-AppName"></a>
The application's name.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** Port **   <a name="fms-Type-App-Port"></a>
The application's port number, for example `80`.  
Type: Long  
Valid Range: Minimum value of 0. Maximum value of 65535.  
Required: Yes

 ** Protocol **   <a name="fms-Type-App-Protocol"></a>
The IP protocol name or number. The name can be one of `tcp`, `udp`, or `icmp`. For information on possible numbers, see [Protocol Numbers](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 20.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/App) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/App) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/App) 

# AppsListData


An AWS Firewall Manager applications list.

## Contents


 ** AppsList **   <a name="fms-Type-AppsListData-AppsList"></a>
An array of applications in the AWS Firewall Manager applications list.  
Type: Array of [App](API_App.md) objects  
Required: Yes

 ** ListName **   <a name="fms-Type-AppsListData-ListName"></a>
The name of the AWS Firewall Manager applications list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** CreateTime **   <a name="fms-Type-AppsListData-CreateTime"></a>
The time that the AWS Firewall Manager applications list was created.  
Type: Timestamp  
Required: No

 ** LastUpdateTime **   <a name="fms-Type-AppsListData-LastUpdateTime"></a>
The time that the AWS Firewall Manager applications list was last updated.  
Type: Timestamp  
Required: No

 ** ListId **   <a name="fms-Type-AppsListData-ListId"></a>
The ID of the AWS Firewall Manager applications list.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** ListUpdateToken **   <a name="fms-Type-AppsListData-ListUpdateToken"></a>
A unique identifier for each update to the list. When you update the list, the update token must match the token of the current version of the application list. You can retrieve the update token by getting the list.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** PreviousAppsList **   <a name="fms-Type-AppsListData-PreviousAppsList"></a>
A map of previous version numbers to their corresponding `App` object arrays.  
Type: String to array of [App](API_App.md) objects map  
Key Length Constraints: Minimum length of 1. Maximum length of 2.  
Key Pattern: `^\d{1,2}$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/AppsListData) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/AppsListData) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/AppsListData) 

# AppsListDataSummary


Details of the AWS Firewall Manager applications list.

## Contents


 ** AppsList **   <a name="fms-Type-AppsListDataSummary-AppsList"></a>
An array of `App` objects in the AWS Firewall Manager applications list.  
Type: Array of [App](API_App.md) objects  
Required: No

 ** ListArn **   <a name="fms-Type-AppsListDataSummary-ListArn"></a>
The Amazon Resource Name (ARN) of the applications list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ListId **   <a name="fms-Type-AppsListDataSummary-ListId"></a>
The ID of the applications list.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** ListName **   <a name="fms-Type-AppsListDataSummary-ListName"></a>
The name of the applications list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/AppsListDataSummary) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/AppsListDataSummary) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/AppsListDataSummary) 

# AwsEc2InstanceViolation


Violation detail for an EC2 instance resource.

## Contents


 ** AwsEc2NetworkInterfaceViolations **   <a name="fms-Type-AwsEc2InstanceViolation-AwsEc2NetworkInterfaceViolations"></a>
Violation detail for network interfaces associated with the EC2 instance.  
Type: Array of [AwsEc2NetworkInterfaceViolation](API_AwsEc2NetworkInterfaceViolation.md) objects  
Required: No

 ** ViolationTarget **   <a name="fms-Type-AwsEc2InstanceViolation-ViolationTarget"></a>
The resource ID of the EC2 instance.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/AwsEc2InstanceViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/AwsEc2InstanceViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/AwsEc2InstanceViolation) 

# AwsEc2NetworkInterfaceViolation


Violation detail for network interfaces associated with an EC2 instance.

## Contents


 ** ViolatingSecurityGroups **   <a name="fms-Type-AwsEc2NetworkInterfaceViolation-ViolatingSecurityGroups"></a>
List of security groups that violate the rules specified in the primary security group of the AWS Firewall Manager policy.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolationTarget **   <a name="fms-Type-AwsEc2NetworkInterfaceViolation-ViolationTarget"></a>
The resource ID of the network interface.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/AwsEc2NetworkInterfaceViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/AwsEc2NetworkInterfaceViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/AwsEc2NetworkInterfaceViolation) 

# AwsVPCSecurityGroupViolation


Violation detail for the rule violation in a security group when compared to the primary security group of the AWS Firewall Manager policy.

## Contents


 ** PartialMatches **   <a name="fms-Type-AwsVPCSecurityGroupViolation-PartialMatches"></a>
List of rules specified in the security group of the AWS Firewall Manager policy that partially match the `ViolationTarget` rule.  
Type: Array of [PartialMatch](API_PartialMatch.md) objects  
Required: No

 ** PossibleSecurityGroupRemediationActions **   <a name="fms-Type-AwsVPCSecurityGroupViolation-PossibleSecurityGroupRemediationActions"></a>
Remediation options for the rule specified in the `ViolationTarget`.  
Type: Array of [SecurityGroupRemediationAction](API_SecurityGroupRemediationAction.md) objects  
Required: No

 ** ViolationTarget **   <a name="fms-Type-AwsVPCSecurityGroupViolation-ViolationTarget"></a>
The security group rule that is being evaluated.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** ViolationTargetDescription **   <a name="fms-Type-AwsVPCSecurityGroupViolation-ViolationTargetDescription"></a>
A description of the security group that violates the policy.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/AwsVPCSecurityGroupViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/AwsVPCSecurityGroupViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/AwsVPCSecurityGroupViolation) 

# ComplianceViolator


Details of the resource that is not protected by the policy.

## Contents


 ** Metadata **   <a name="fms-Type-ComplianceViolator-Metadata"></a>
Metadata about the resource that doesn't comply with the policy scope.  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 1024.  
Value Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** ResourceId **   <a name="fms-Type-ComplianceViolator-ResourceId"></a>
The resource ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ResourceType **   <a name="fms-Type-ComplianceViolator-ResourceType"></a>
The resource type. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html). For example: `AWS::ElasticLoadBalancingV2::LoadBalancer`, `AWS::CloudFront::Distribution`, or `AWS::NetworkFirewall::FirewallPolicy`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolationReason **   <a name="fms-Type-ComplianceViolator-ViolationReason"></a>
The reason that the resource is not protected by the policy.  
Type: String  
Valid Values: `WEB_ACL_MISSING_RULE_GROUP | RESOURCE_MISSING_WEB_ACL | RESOURCE_INCORRECT_WEB_ACL | RESOURCE_MISSING_SHIELD_PROTECTION | RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION | RESOURCE_MISSING_SECURITY_GROUP | RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP | SECURITY_GROUP_UNUSED | SECURITY_GROUP_REDUNDANT | FMS_CREATED_SECURITY_GROUP_EDITED | MISSING_FIREWALL | MISSING_FIREWALL_SUBNET_IN_AZ | MISSING_EXPECTED_ROUTE_TABLE | NETWORK_FIREWALL_POLICY_MODIFIED | FIREWALL_SUBNET_IS_OUT_OF_SCOPE | INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE | FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE | UNEXPECTED_FIREWALL_ROUTES | UNEXPECTED_TARGET_GATEWAY_ROUTES | TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY | INVALID_ROUTE_CONFIGURATION | MISSING_TARGET_GATEWAY | INTERNET_TRAFFIC_NOT_INSPECTED | BLACK_HOLE_ROUTE_DETECTED | BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET | RESOURCE_MISSING_DNS_FIREWALL | ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT | FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT | INVALID_NETWORK_ACL_ENTRY | WEB_ACL_CONFIGURATION_OR_SCOPE_OF_USE`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ComplianceViolator) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ComplianceViolator) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ComplianceViolator) 

# CreateNetworkAclAction


Information about the `CreateNetworkAcl` action in Amazon EC2. This is a remediation option in `RemediationAction`.

## Contents


 ** Description **   <a name="fms-Type-CreateNetworkAclAction-Description"></a>
Brief description of this remediation action.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** FMSCanRemediate **   <a name="fms-Type-CreateNetworkAclAction-FMSCanRemediate"></a>
Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.  
Type: Boolean  
Required: No

 ** Vpc **   <a name="fms-Type-CreateNetworkAclAction-Vpc"></a>
The VPC that's associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/CreateNetworkAclAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/CreateNetworkAclAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/CreateNetworkAclAction) 

# CreateNetworkAclEntriesAction


Information about the `CreateNetworkAclEntries` action in Amazon EC2. This is a remediation option in `RemediationAction`.

## Contents


 ** Description **   <a name="fms-Type-CreateNetworkAclEntriesAction-Description"></a>
Brief description of this remediation action.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** FMSCanRemediate **   <a name="fms-Type-CreateNetworkAclEntriesAction-FMSCanRemediate"></a>
Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.  
Type: Boolean  
Required: No

 ** NetworkAclEntriesToBeCreated **   <a name="fms-Type-CreateNetworkAclEntriesAction-NetworkAclEntriesToBeCreated"></a>
Lists the entries that the remediation action would create.  
Type: Array of [EntryDescription](API_EntryDescription.md) objects  
Required: No

 ** NetworkAclId **   <a name="fms-Type-CreateNetworkAclEntriesAction-NetworkAclId"></a>
The network ACL that's associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/CreateNetworkAclEntriesAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/CreateNetworkAclEntriesAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/CreateNetworkAclEntriesAction) 

# DeleteNetworkAclEntriesAction


Information about the `DeleteNetworkAclEntries` action in Amazon EC2. This is a remediation option in `RemediationAction`. 

## Contents


 ** Description **   <a name="fms-Type-DeleteNetworkAclEntriesAction-Description"></a>
Brief description of this remediation action.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** FMSCanRemediate **   <a name="fms-Type-DeleteNetworkAclEntriesAction-FMSCanRemediate"></a>
Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.  
Type: Boolean  
Required: No

 ** NetworkAclEntriesToBeDeleted **   <a name="fms-Type-DeleteNetworkAclEntriesAction-NetworkAclEntriesToBeDeleted"></a>
Lists the entries that the remediation action would delete.  
Type: Array of [EntryDescription](API_EntryDescription.md) objects  
Required: No

 ** NetworkAclId **   <a name="fms-Type-DeleteNetworkAclEntriesAction-NetworkAclId"></a>
The network ACL that's associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/DeleteNetworkAclEntriesAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/DeleteNetworkAclEntriesAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/DeleteNetworkAclEntriesAction) 

# DiscoveredResource


A resource in the organization that's available to be associated with a Firewall Manager resource set.

## Contents


 ** AccountId **   <a name="fms-Type-DiscoveredResource-AccountId"></a>
The AWS account ID associated with the discovered resource.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: No

 ** Name **   <a name="fms-Type-DiscoveredResource-Name"></a>
The name of the discovered resource.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** Type **   <a name="fms-Type-DiscoveredResource-Type"></a>
The type of the discovered resource.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** URI **   <a name="fms-Type-DiscoveredResource-URI"></a>
The universal resource identifier (URI) of the discovered resource.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/DiscoveredResource) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/DiscoveredResource) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/DiscoveredResource) 

# DnsDuplicateRuleGroupViolation


A DNS Firewall rule group that Firewall Manager tried to associate with a VPC is already associated with the VPC and can't be associated again. 

## Contents


 ** ViolationTarget **   <a name="fms-Type-DnsDuplicateRuleGroupViolation-ViolationTarget"></a>
Information about the VPC ID.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** ViolationTargetDescription **   <a name="fms-Type-DnsDuplicateRuleGroupViolation-ViolationTargetDescription"></a>
A description of the violation that specifies the rule group and VPC.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/DnsDuplicateRuleGroupViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/DnsDuplicateRuleGroupViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/DnsDuplicateRuleGroupViolation) 

# DnsRuleGroupLimitExceededViolation


The VPC that Firewall Manager was applying a DNS Firewall policy to reached the limit for associated DNS Firewall rule groups. Firewall Manager tried to associate another rule group with the VPC and failed due to the limit. 

## Contents


 ** NumberOfRuleGroupsAlreadyAssociated **   <a name="fms-Type-DnsRuleGroupLimitExceededViolation-NumberOfRuleGroupsAlreadyAssociated"></a>
The number of rule groups currently associated with the VPC.   
Type: Integer  
Valid Range: Minimum value of -2147483648. Maximum value of 2147483647.  
Required: No

 ** ViolationTarget **   <a name="fms-Type-DnsRuleGroupLimitExceededViolation-ViolationTarget"></a>
Information about the VPC ID.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** ViolationTargetDescription **   <a name="fms-Type-DnsRuleGroupLimitExceededViolation-ViolationTargetDescription"></a>
A description of the violation that specifies the rule group and VPC.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/DnsRuleGroupLimitExceededViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/DnsRuleGroupLimitExceededViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/DnsRuleGroupLimitExceededViolation) 

# DnsRuleGroupPriorityConflictViolation


A rule group that Firewall Manager tried to associate with a VPC has the same priority as a rule group that's already associated. 

## Contents


 ** ConflictingPolicyId **   <a name="fms-Type-DnsRuleGroupPriorityConflictViolation-ConflictingPolicyId"></a>
The ID of the Firewall Manager DNS Firewall policy that was already applied to the VPC. This policy contains the rule group that's already associated with the VPC.   
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** ConflictingPriority **   <a name="fms-Type-DnsRuleGroupPriorityConflictViolation-ConflictingPriority"></a>
The priority setting of the two conflicting rule groups.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 10000.  
Required: No

 ** UnavailablePriorities **   <a name="fms-Type-DnsRuleGroupPriorityConflictViolation-UnavailablePriorities"></a>
The priorities of rule groups that are already associated with the VPC. To retry your operation, choose priority settings that aren't in this list for the rule groups in your new DNS Firewall policy.   
Type: Array of integers  
Valid Range: Minimum value of 0. Maximum value of 10000.  
Required: No

 ** ViolationTarget **   <a name="fms-Type-DnsRuleGroupPriorityConflictViolation-ViolationTarget"></a>
Information about the VPC ID.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** ViolationTargetDescription **   <a name="fms-Type-DnsRuleGroupPriorityConflictViolation-ViolationTargetDescription"></a>
A description of the violation that specifies the VPC and the rule group that's already associated with it.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/DnsRuleGroupPriorityConflictViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/DnsRuleGroupPriorityConflictViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/DnsRuleGroupPriorityConflictViolation) 
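
The `UnavailablePriorities` guidance above says to retry with priorities that aren't in the list. The following is an added example, not part of the AWS reference or any AWS SDK: it takes a violation object with the fields documented above and moves the planned rule-group priorities to free values while keeping their relative order. The function names, the `planned` mapping, the rule-group names and all sample values are assumptions constructed for illustration.

```python
"""Added example: choose retry priorities after a DnsRuleGroupPriorityConflictViolation."""

# "Valid Range" documented for ConflictingPriority and UnavailablePriorities.
PRIORITY_MIN = 0
PRIORITY_MAX = 10000


def unavailable_set(violation):
    """Collect every priority the violation reports as taken on the VPC."""
    taken = set(violation.get("UnavailablePriorities") or [])
    # The conflicting priority is in use by the already-associated rule group,
    # so treat it as taken even if the list omits it.
    if violation.get("ConflictingPriority") is not None:
        taken.add(violation["ConflictingPriority"])
    for p in taken:
        if isinstance(p, bool) or not isinstance(p, int):
            raise ValueError(f"priority is not an integer: {p!r}")
        if not PRIORITY_MIN <= p <= PRIORITY_MAX:
            raise ValueError(f"priority outside documented range: {p}")
    return taken


def reassign_priorities(violation, planned):
    """Return {rule_group_name: priority} with no value in the unavailable set.

    `planned` (hypothetical input) maps each rule group in the new policy to
    the priority originally requested. Priorities only move upward, and the
    relative order of the planned rule groups is preserved. Their order
    relative to rule groups already on the VPC can change, so review the
    result before retrying.
    """
    taken = unavailable_set(violation)
    if len(set(planned.values())) != len(planned):
        raise ValueError("planned priorities must be unique")

    result = {}
    last = PRIORITY_MIN - 1
    for name, wanted in sorted(planned.items(), key=lambda kv: kv[1]):
        if not PRIORITY_MIN <= wanted <= PRIORITY_MAX:
            raise ValueError(f"{name}: priority {wanted} outside documented range")
        # Keep the requested value when possible; otherwise take the next
        # free slot above both the request and the previous assignment.
        candidate = max(wanted, last + 1)
        while candidate in taken:
            candidate += 1
        if candidate > PRIORITY_MAX:
            raise ValueError(f"{name}: no free priority at or below {PRIORITY_MAX}")
        result[name] = candidate
        last = candidate
    return result


# Constructed sample violation; IDs are placeholders, not real resources.
SAMPLE_VIOLATION = {
    "ConflictingPolicyId": "00000000-0000-0000-0000-000000000000",
    "ConflictingPriority": 100,
    "UnavailablePriorities": [100, 101, 200],
    "ViolationTarget": "vpc-EXAMPLE",
    "ViolationTargetDescription": "constructed sample",
}

# Constructed plan: rule-group names are hypothetical.
SAMPLE_PLAN = {"block-malware": 100, "block-dga": 101, "allow-internal": 300}

if __name__ == "__main__":
    for name, prio in reassign_priorities(SAMPLE_VIOLATION, SAMPLE_PLAN).items():
        print(f"{name}: {SAMPLE_PLAN[name]} -> {prio}")
```
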

# EC2AssociateRouteTableAction


The action of associating an EC2 resource, such as a subnet or internet gateway, with a route table.

## Contents


 ** RouteTableId **   <a name="fms-Type-EC2AssociateRouteTableAction-RouteTableId"></a>
The ID of the EC2 route table that is associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** Description **   <a name="fms-Type-EC2AssociateRouteTableAction-Description"></a>
A description of the EC2 route table that is associated with the remediation action.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** GatewayId **   <a name="fms-Type-EC2AssociateRouteTableAction-GatewayId"></a>
The ID of the gateway to be used with the EC2 route table that is associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

 ** SubnetId **   <a name="fms-Type-EC2AssociateRouteTableAction-SubnetId"></a>
The ID of the subnet for the EC2 route table that is associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EC2AssociateRouteTableAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EC2AssociateRouteTableAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EC2AssociateRouteTableAction) 

# EC2CopyRouteTableAction


An action that copies the EC2 route table for use in remediation.

## Contents


 ** RouteTableId **   <a name="fms-Type-EC2CopyRouteTableAction-RouteTableId"></a>
The ID of the copied EC2 route table that is associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** VpcId **   <a name="fms-Type-EC2CopyRouteTableAction-VpcId"></a>
The VPC ID of the copied EC2 route table that is associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** Description **   <a name="fms-Type-EC2CopyRouteTableAction-Description"></a>
A description of the copied EC2 route table that is associated with the remediation action.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EC2CopyRouteTableAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EC2CopyRouteTableAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EC2CopyRouteTableAction) 

# EC2CreateRouteAction


Information about the CreateRoute action in Amazon EC2.

## Contents


 ** RouteTableId **   <a name="fms-Type-EC2CreateRouteAction-RouteTableId"></a>
Information about the ID of the route table for the route.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** Description **   <a name="fms-Type-EC2CreateRouteAction-Description"></a>
A description of the CreateRoute action in Amazon EC2.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** DestinationCidrBlock **   <a name="fms-Type-EC2CreateRouteAction-DestinationCidrBlock"></a>
Information about the IPv4 CIDR address block used for the destination match.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** DestinationIpv6CidrBlock **   <a name="fms-Type-EC2CreateRouteAction-DestinationIpv6CidrBlock"></a>
Information about the IPv6 CIDR block destination.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** DestinationPrefixListId **   <a name="fms-Type-EC2CreateRouteAction-DestinationPrefixListId"></a>
Information about the ID of a prefix list used for the destination match.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** GatewayId **   <a name="fms-Type-EC2CreateRouteAction-GatewayId"></a>
Information about the ID of an internet gateway or virtual private gateway attached to your VPC.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

 ** VpcEndpointId **   <a name="fms-Type-EC2CreateRouteAction-VpcEndpointId"></a>
Information about the ID of a VPC endpoint. Supported for Gateway Load Balancer endpoints only.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EC2CreateRouteAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EC2CreateRouteAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EC2CreateRouteAction) 

# EC2CreateRouteTableAction


Information about the CreateRouteTable action in Amazon EC2.

## Contents


 ** VpcId **   <a name="fms-Type-EC2CreateRouteTableAction-VpcId"></a>
Information about the ID of a VPC.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** Description **   <a name="fms-Type-EC2CreateRouteTableAction-Description"></a>
A description of the CreateRouteTable action.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EC2CreateRouteTableAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EC2CreateRouteTableAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EC2CreateRouteTableAction) 

# EC2DeleteRouteAction


Information about the DeleteRoute action in Amazon EC2.

## Contents


 ** RouteTableId **   <a name="fms-Type-EC2DeleteRouteAction-RouteTableId"></a>
Information about the ID of the route table.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** Description **   <a name="fms-Type-EC2DeleteRouteAction-Description"></a>
A description of the DeleteRoute action.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** DestinationCidrBlock **   <a name="fms-Type-EC2DeleteRouteAction-DestinationCidrBlock"></a>
Information about the IPv4 CIDR range for the route. The value you specify must match the CIDR for the route exactly.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** DestinationIpv6CidrBlock **   <a name="fms-Type-EC2DeleteRouteAction-DestinationIpv6CidrBlock"></a>
Information about the IPv6 CIDR range for the route. The value you specify must match the CIDR for the route exactly.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** DestinationPrefixListId **   <a name="fms-Type-EC2DeleteRouteAction-DestinationPrefixListId"></a>
Information about the ID of the prefix list for the route.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EC2DeleteRouteAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EC2DeleteRouteAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EC2DeleteRouteAction) 

# EC2ReplaceRouteAction


Information about the ReplaceRoute action in Amazon EC2.

## Contents


 ** RouteTableId **   <a name="fms-Type-EC2ReplaceRouteAction-RouteTableId"></a>
Information about the ID of the route table.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** Description **   <a name="fms-Type-EC2ReplaceRouteAction-Description"></a>
A description of the ReplaceRoute action in Amazon EC2.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** DestinationCidrBlock **   <a name="fms-Type-EC2ReplaceRouteAction-DestinationCidrBlock"></a>
Information about the IPv4 CIDR address block used for the destination match. The value that you provide must match the CIDR of an existing route in the table.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** DestinationIpv6CidrBlock **   <a name="fms-Type-EC2ReplaceRouteAction-DestinationIpv6CidrBlock"></a>
Information about the IPv6 CIDR address block used for the destination match. The value that you provide must match the CIDR of an existing route in the table.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** DestinationPrefixListId **   <a name="fms-Type-EC2ReplaceRouteAction-DestinationPrefixListId"></a>
Information about the ID of the prefix list for the route.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** GatewayId **   <a name="fms-Type-EC2ReplaceRouteAction-GatewayId"></a>
Information about the ID of an internet gateway or virtual private gateway.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EC2ReplaceRouteAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EC2ReplaceRouteAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EC2ReplaceRouteAction) 

# EC2ReplaceRouteTableAssociationAction


Information about the ReplaceRouteTableAssociation action in Amazon EC2.

## Contents


 ** AssociationId **   <a name="fms-Type-EC2ReplaceRouteTableAssociationAction-AssociationId"></a>
Information about the association ID.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** RouteTableId **   <a name="fms-Type-EC2ReplaceRouteTableAssociationAction-RouteTableId"></a>
Information about the ID of the new route table to associate with the subnet.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: Yes

 ** Description **   <a name="fms-Type-EC2ReplaceRouteTableAssociationAction-Description"></a>
A description of the ReplaceRouteTableAssociation action in Amazon EC2.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EC2ReplaceRouteTableAssociationAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EC2ReplaceRouteTableAssociationAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EC2ReplaceRouteTableAssociationAction) 

# EntryDescription


Describes a single rule in a network ACL.

## Contents


 ** EntryDetail **   <a name="fms-Type-EntryDescription-EntryDetail"></a>
Describes a rule in a network ACL.  
Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the network ACL, AWS processes the entries in the network ACL according to the rule numbers, in ascending order.   
When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.  
Type: [NetworkAclEntry](API_NetworkAclEntry.md) object  
Required: No

 ** EntryRuleNumber **   <a name="fms-Type-EntryDescription-EntryRuleNumber"></a>
The rule number for the entry. ACL entries are processed in ascending order by rule number. In a Firewall Manager network ACL policy, Firewall Manager assigns rule numbers.   
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 2147483647.  
Required: No

 ** EntryType **   <a name="fms-Type-EntryDescription-EntryType"></a>
Specifies whether the entry is managed by Firewall Manager or by a user, and, for Firewall Manager-managed entries, specifies whether the entry is among those that run first in the network ACL or those that run last.   
Type: String  
Valid Values: `FMS_MANAGED_FIRST_ENTRY | FMS_MANAGED_LAST_ENTRY | CUSTOM_ENTRY`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EntryDescription) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EntryDescription) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EntryDescription) 

# EntryViolation


Detailed information about an entry violation in a network ACL. The violation is against the network ACL specification inside the Firewall Manager network ACL policy. This data object is part of `InvalidNetworkAclEntriesViolation`.

## Contents


 ** ActualEvaluationOrder **   <a name="fms-Type-EntryViolation-ActualEvaluationOrder"></a>
The evaluation location within the ordered list of entries where the `ExpectedEntry` is currently located.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** EntriesWithConflicts **   <a name="fms-Type-EntryViolation-EntriesWithConflicts"></a>
The list of entries that are in conflict with `ExpectedEntry`.   
Type: Array of [EntryDescription](API_EntryDescription.md) objects  
Required: No

 ** EntryAtExpectedEvaluationOrder **   <a name="fms-Type-EntryViolation-EntryAtExpectedEvaluationOrder"></a>
The entry that's currently in the `ExpectedEvaluationOrder` location, in place of the expected entry.   
Type: [EntryDescription](API_EntryDescription.md) object  
Required: No

 ** EntryViolationReasons **   <a name="fms-Type-EntryViolation-EntryViolationReasons"></a>
Descriptions of the violations that Firewall Manager found for these entries.   
Type: Array of strings  
Valid Values: `MISSING_EXPECTED_ENTRY | INCORRECT_ENTRY_ORDER | ENTRY_CONFLICT`   
Required: No

 ** ExpectedEntry **   <a name="fms-Type-EntryViolation-ExpectedEntry"></a>
The Firewall Manager-managed network ACL entry that is involved in the entry violation.   
Type: [EntryDescription](API_EntryDescription.md) object  
Required: No

 ** ExpectedEvaluationOrder **   <a name="fms-Type-EntryViolation-ExpectedEvaluationOrder"></a>
The evaluation location within the ordered list of entries where the `ExpectedEntry` should be, according to the network ACL policy specifications.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EntryViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EntryViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EntryViolation) 

# EvaluationResult


Describes the compliance status for the account. An account is considered noncompliant if it includes resources that are not protected by the specified policy or that don't comply with the policy.

## Contents


 ** ComplianceStatus **   <a name="fms-Type-EvaluationResult-ComplianceStatus"></a>
Describes an AWS account's compliance with the AWS Firewall Manager policy.  
Type: String  
Valid Values: `COMPLIANT | NON_COMPLIANT`   
Required: No

 ** EvaluationLimitExceeded **   <a name="fms-Type-EvaluationResult-EvaluationLimitExceeded"></a>
Indicates that over 100 resources are noncompliant with the AWS Firewall Manager policy.  
Type: Boolean  
Required: No

 ** ViolatorCount **   <a name="fms-Type-EvaluationResult-ViolatorCount"></a>
The number of resources that are noncompliant with the specified policy. For AWS WAF and Shield Advanced policies, a resource is considered noncompliant if it is not associated with the policy. For security group policies, a resource is considered noncompliant if it doesn't comply with the rules of the policy and remediation is disabled or not possible.  
Type: Long  
Valid Range: Minimum value of 0.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/EvaluationResult) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/EvaluationResult) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/EvaluationResult) 

# ExpectedRoute


Information about the expected route in the route table.

## Contents


 ** AllowedTargets **   <a name="fms-Type-ExpectedRoute-AllowedTargets"></a>
Information about the allowed targets.  
Type: Array of strings  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** ContributingSubnets **   <a name="fms-Type-ExpectedRoute-ContributingSubnets"></a>
Information about the contributing subnets.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** IpV4Cidr **   <a name="fms-Type-ExpectedRoute-IpV4Cidr"></a>
Information about the IPv4 CIDR block.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** IpV6Cidr **   <a name="fms-Type-ExpectedRoute-IpV6Cidr"></a>
Information about the IPv6 CIDR block.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** PrefixListId **   <a name="fms-Type-ExpectedRoute-PrefixListId"></a>
Information about the ID of the prefix list for the route.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** RouteTableId **   <a name="fms-Type-ExpectedRoute-RouteTableId"></a>
Information about the route table ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ExpectedRoute) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ExpectedRoute) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ExpectedRoute) 

# FailedItem


Details of a resource that failed when trying to update its association to a resource set.

## Contents


 ** Reason **   <a name="fms-Type-FailedItem-Reason"></a>
The reason the resource's association could not be updated.  
Type: String  
Valid Values: `NOT_VALID_ARN | NOT_VALID_PARTITION | NOT_VALID_REGION | NOT_VALID_SERVICE | NOT_VALID_RESOURCE_TYPE | NOT_VALID_ACCOUNT_ID`   
Required: No

 ** URI **   <a name="fms-Type-FailedItem-URI"></a>
The universal resource indicator (URI) of the resource that failed.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/FailedItem) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/FailedItem) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/FailedItem) 

# FirewallSubnetIsOutOfScopeViolation


Contains details about the firewall subnet that violates the policy scope.

## Contents


 ** FirewallSubnetId **   <a name="fms-Type-FirewallSubnetIsOutOfScopeViolation-FirewallSubnetId"></a>
The ID of the firewall subnet that violates the policy scope.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** SubnetAvailabilityZone **   <a name="fms-Type-FirewallSubnetIsOutOfScopeViolation-SubnetAvailabilityZone"></a>
The Availability Zone of the firewall subnet that violates the policy scope.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** SubnetAvailabilityZoneId **   <a name="fms-Type-FirewallSubnetIsOutOfScopeViolation-SubnetAvailabilityZoneId"></a>
The Availability Zone ID of the firewall subnet that violates the policy scope.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** VpcEndpointId **   <a name="fms-Type-FirewallSubnetIsOutOfScopeViolation-VpcEndpointId"></a>
The VPC endpoint ID of the firewall subnet that violates the policy scope.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** VpcId **   <a name="fms-Type-FirewallSubnetIsOutOfScopeViolation-VpcId"></a>
The VPC ID of the firewall subnet that violates the policy scope.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/FirewallSubnetIsOutOfScopeViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/FirewallSubnetIsOutOfScopeViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/FirewallSubnetIsOutOfScopeViolation) 

# FirewallSubnetMissingVPCEndpointViolation


The violation details for a firewall subnet's VPC endpoint that's deleted or missing.

## Contents


 ** FirewallSubnetId **   <a name="fms-Type-FirewallSubnetMissingVPCEndpointViolation-FirewallSubnetId"></a>
The ID of the firewall that this VPC endpoint is associated with.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** SubnetAvailabilityZone **   <a name="fms-Type-FirewallSubnetMissingVPCEndpointViolation-SubnetAvailabilityZone"></a>
The name of the Availability Zone of the deleted VPC subnet.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** SubnetAvailabilityZoneId **   <a name="fms-Type-FirewallSubnetMissingVPCEndpointViolation-SubnetAvailabilityZoneId"></a>
The ID of the Availability Zone of the deleted VPC subnet.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** VpcId **   <a name="fms-Type-FirewallSubnetMissingVPCEndpointViolation-VpcId"></a>
The resource ID of the VPC associated with the deleted VPC subnet.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/FirewallSubnetMissingVPCEndpointViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/FirewallSubnetMissingVPCEndpointViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/FirewallSubnetMissingVPCEndpointViolation) 

# FMSPolicyUpdateFirewallCreationConfigAction


Contains information about the actions that you can take to remediate scope violations caused by your policy's `FirewallCreationConfig`. `FirewallCreationConfig` is an optional configuration that you can use to choose which Availability Zones Firewall Manager creates Network Firewall endpoints in.

## Contents


 ** Description **   <a name="fms-Type-FMSPolicyUpdateFirewallCreationConfigAction-Description"></a>
Describes the remedial action.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** FirewallCreationConfig **   <a name="fms-Type-FMSPolicyUpdateFirewallCreationConfigAction-FirewallCreationConfig"></a>
A `FirewallCreationConfig` that you can copy into your current policy's [SecurityServiceData](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_SecurityServicePolicyData.html) in order to remedy scope violations.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 30000.  
Pattern: `^((?!\\[nr]).)+`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/FMSPolicyUpdateFirewallCreationConfigAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/FMSPolicyUpdateFirewallCreationConfigAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/FMSPolicyUpdateFirewallCreationConfigAction) 

# InvalidNetworkAclEntriesViolation


Violation detail for the entries in a network ACL resource.

## Contents


 ** CurrentAssociatedNetworkAcl **   <a name="fms-Type-InvalidNetworkAclEntriesViolation-CurrentAssociatedNetworkAcl"></a>
The network ACL containing the entry violations.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** EntryViolations **   <a name="fms-Type-InvalidNetworkAclEntriesViolation-EntryViolations"></a>
Detailed information about the entry violations in the network ACL.   
Type: Array of [EntryViolation](API_EntryViolation.md) objects  
Required: No

 ** Subnet **   <a name="fms-Type-InvalidNetworkAclEntriesViolation-Subnet"></a>
The subnet that's associated with the network ACL.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** SubnetAvailabilityZone **   <a name="fms-Type-InvalidNetworkAclEntriesViolation-SubnetAvailabilityZone"></a>
The Availability Zone where the network ACL is in use.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** Vpc **   <a name="fms-Type-InvalidNetworkAclEntriesViolation-Vpc"></a>
The VPC where the violation was found.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/InvalidNetworkAclEntriesViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/InvalidNetworkAclEntriesViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/InvalidNetworkAclEntriesViolation) 

# NetworkAclCommonPolicy


Defines a Firewall Manager network ACL policy. This is used in the `PolicyOption` of a `SecurityServicePolicyData` for a `Policy`, when the `SecurityServicePolicyData` type is set to `NETWORK_ACL_COMMON`. 

For information about network ACLs, see [Control traffic to subnets using network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) in the *Amazon Virtual Private Cloud User Guide*. 

## Contents


 ** NetworkAclEntrySet **   <a name="fms-Type-NetworkAclCommonPolicy-NetworkAclEntrySet"></a>
The definition of the first and last rules for the network ACL policy.   
Type: [NetworkAclEntrySet](API_NetworkAclEntrySet.md) object  
Required: Yes

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkAclCommonPolicy) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkAclCommonPolicy) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkAclCommonPolicy) 

# NetworkAclEntry


Describes a rule in a network ACL.

Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the network ACL, AWS processes the entries in the network ACL according to the rule numbers, in ascending order. 

When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.

## Contents


 ** Egress **   <a name="fms-Type-NetworkAclEntry-Egress"></a>
Indicates whether the rule is an egress, or outbound, rule (applied to traffic leaving the subnet). If it's not an egress rule, then it's an ingress, or inbound, rule.  
Type: Boolean  
Required: Yes

 ** Protocol **   <a name="fms-Type-NetworkAclEntry-Protocol"></a>
The protocol number. A value of "-1" means all protocols.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: Yes

 ** RuleAction **   <a name="fms-Type-NetworkAclEntry-RuleAction"></a>
Indicates whether to allow or deny the traffic that matches the rule.  
Type: String  
Valid Values: `allow | deny`   
Required: Yes

 ** CidrBlock **   <a name="fms-Type-NetworkAclEntry-CidrBlock"></a>
The IPv4 network range to allow or deny, in CIDR notation.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Required: No

 ** IcmpTypeCode **   <a name="fms-Type-NetworkAclEntry-IcmpTypeCode"></a>
ICMP protocol: The ICMP type and code.  
Type: [NetworkAclIcmpTypeCode](API_NetworkAclIcmpTypeCode.md) object  
Required: No

 ** Ipv6CidrBlock **   <a name="fms-Type-NetworkAclEntry-Ipv6CidrBlock"></a>
The IPv6 network range to allow or deny, in CIDR notation.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Required: No

 ** PortRange **   <a name="fms-Type-NetworkAclEntry-PortRange"></a>
TCP or UDP protocols: The range of ports the rule applies to.  
Type: [NetworkAclPortRange](API_NetworkAclPortRange.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkAclEntry) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkAclEntry) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkAclEntry) 

# NetworkAclEntrySet


The configuration of the first and last rules for the network ACL policy, and the remediation settings for each. 

## Contents


 ** ForceRemediateForFirstEntries **   <a name="fms-Type-NetworkAclEntrySet-ForceRemediateForFirstEntries"></a>
Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.   
If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide*.  
Type: Boolean  
Required: Yes

 ** ForceRemediateForLastEntries **   <a name="fms-Type-NetworkAclEntrySet-ForceRemediateForLastEntries"></a>
Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.   
If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide*.  
Type: Boolean  
Required: Yes

 ** FirstEntries **   <a name="fms-Type-NetworkAclEntrySet-FirstEntries"></a>
The rules that you want to run first in the Firewall Manager managed network ACLs.   
Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates. 
You must specify at least one first entry or one last entry in any network ACL policy.   
Type: Array of [NetworkAclEntry](API_NetworkAclEntry.md) objects  
Required: No

 ** LastEntries **   <a name="fms-Type-NetworkAclEntrySet-LastEntries"></a>
The rules that you want to run last in the Firewall Manager managed network ACLs.   
Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates. 
You must specify at least one first entry or one last entry in any network ACL policy.   
Type: Array of [NetworkAclEntry](API_NetworkAclEntry.md) objects  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkAclEntrySet) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkAclEntrySet) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkAclEntrySet) 

# NetworkAclIcmpTypeCode


ICMP protocol: The ICMP type and code.

## Contents


 ** Code **   <a name="fms-Type-NetworkAclIcmpTypeCode-Code"></a>
ICMP code.   
Type: Integer  
Valid Range: Minimum value of -2147483648. Maximum value of 2147483647.  
Required: No

 ** Type **   <a name="fms-Type-NetworkAclIcmpTypeCode-Type"></a>
ICMP type.   
Type: Integer  
Valid Range: Minimum value of -2147483648. Maximum value of 2147483647.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkAclIcmpTypeCode) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkAclIcmpTypeCode) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkAclIcmpTypeCode) 

# NetworkAclPortRange


TCP or UDP protocols: The range of ports the rule applies to.

## Contents


 ** From **   <a name="fms-Type-NetworkAclPortRange-From"></a>
The beginning port number of the range.   
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 65535.  
Required: No

 ** To **   <a name="fms-Type-NetworkAclPortRange-To"></a>
The ending port number of the range.   
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 65535.  
Required: No
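
The field constraints given above for `NetworkAclEntrySet`, `NetworkAclEntry`, `NetworkAclIcmpTypeCode` and `NetworkAclPortRange` can be checked locally before a policy is submitted. The following Python lint is an added example, not code from the AWS reference or an SDK; the function names and the sample policy are constructed, and the CIDR parsing, the `From`/`To` ordering check and the shadowed-rule warning are assumptions that go beyond the documented constraints.

```python
import ipaddress

VALID_ACTIONS = {"allow", "deny"}   # RuleAction valid values
PORT_MIN, PORT_MAX = 0, 65535       # NetworkAclPortRange valid range
MAX_STR = 1024                      # maximum string length for these fields


def _is_int(value):
    """True for real integers only (bool is a subclass of int in Python)."""
    return type(value) is int


def check_entry(entry, where):
    """Return constraint errors for one NetworkAclEntry dict."""
    errors = []
    if not isinstance(entry.get("Egress"), bool):
        errors.append(f"{where}: Egress is required and must be Boolean")
    proto = entry.get("Protocol")
    if not isinstance(proto, str) or len(proto) > MAX_STR:
        errors.append(f"{where}: Protocol is required and must be a string")
    if entry.get("RuleAction") not in VALID_ACTIONS:
        errors.append(f"{where}: RuleAction must be 'allow' or 'deny'")
    for key, version in (("CidrBlock", 4), ("Ipv6CidrBlock", 6)):
        cidr = entry.get(key)
        if cidr is None:
            continue
        if not isinstance(cidr, str) or not 1 <= len(cidr) <= MAX_STR:
            errors.append(f"{where}: {key} must be a string of 1 to 1024 characters")
            continue
        try:
            # Assumption: parse the CIDR locally; the reference only gives length limits.
            if ipaddress.ip_network(cidr, strict=False).version != version:
                errors.append(f"{where}: {key} must be an IPv{version} range")
        except ValueError:
            errors.append(f"{where}: {key} is not valid CIDR notation")
    icmp = entry.get("IcmpTypeCode") or {}
    for name in ("Type", "Code"):
        if name in icmp and not _is_int(icmp[name]):
            errors.append(f"{where}: IcmpTypeCode.{name} must be an integer")
    ports = entry.get("PortRange") or {}
    for name in ("From", "To"):
        val = ports.get(name)
        if val is not None and not (_is_int(val) and PORT_MIN <= val <= PORT_MAX):
            errors.append(f"{where}: PortRange.{name} must be an integer from 0 to 65535")
    if _is_int(ports.get("From")) and _is_int(ports.get("To")) and ports["From"] > ports["To"]:
        errors.append(f"{where}: PortRange.From is greater than PortRange.To")
    return errors


def _covers(earlier, later):
    """Conservative test: does `earlier` match every packet `later` matches?
    Only all-protocol ("-1") rules in the same direction are treated as covering."""
    if earlier.get("Egress") != later.get("Egress") or earlier.get("Protocol") != "-1":
        return False
    for key in ("CidrBlock", "Ipv6CidrBlock"):
        a, b = earlier.get(key), later.get(key)
        if a and b:
            try:
                return ipaddress.ip_network(b, strict=False).subnet_of(
                    ipaddress.ip_network(a, strict=False))
            except (ValueError, TypeError):
                return False
    return False


def lint_entry_set(entry_set):
    """Return (errors, warnings) for a NetworkAclEntrySet dict."""
    errors, warnings = [], []
    for flag in ("ForceRemediateForFirstEntries", "ForceRemediateForLastEntries"):
        if not isinstance(entry_set.get(flag), bool):
            errors.append(f"{flag} is required and must be Boolean")
    first = entry_set.get("FirstEntries") or []
    last = entry_set.get("LastEntries") or []
    if not first and not last:
        errors.append("specify at least one first entry or one last entry")
    # First entries run before last entries, so this list is in evaluation order.
    ordered = [(f"FirstEntries[{i}]", e) for i, e in enumerate(first)]
    ordered += [(f"LastEntries[{i}]", e) for i, e in enumerate(last)]
    for where, entry in ordered:
        errors.extend(check_entry(entry, where))
    # Rules are processed in ascending order, so a rule fully covered by an
    # earlier one is never reached. Warn about it (review heuristic, not an API rule).
    for i, (where, entry) in enumerate(ordered):
        for prev_where, prev in ordered[:i]:
            if _covers(prev, entry):
                warnings.append(f"{where} is shadowed by {prev_where}")
                break
    return errors, warnings


# Constructed sample policy fragment (documentation address ranges, not real data).
SAMPLE = {
    "ForceRemediateForFirstEntries": False,
    "ForceRemediateForLastEntries": True,
    "FirstEntries": [
        {"Egress": False, "Protocol": "-1", "RuleAction": "deny",
         "CidrBlock": "198.51.100.0/24"},
        {"Egress": False, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "198.51.100.7/32", "PortRange": {"From": 443, "To": 443}},
    ],
    "LastEntries": [
        {"Egress": False, "Protocol": "6", "RuleAction": "permit",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 70000}},
    ],
}

if __name__ == "__main__":
    for kind, messages in zip(("ERROR", "WARN"), lint_entry_set(SAMPLE)):
        for message in messages:
            print(kind, message)
```

On the sample, the lint reports the invalid `RuleAction` and out-of-range port in the last entry, and warns that the second first entry can never match because the all-protocol deny ahead of it covers the same range.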

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkAclPortRange) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkAclPortRange) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkAclPortRange) 

# NetworkFirewallBlackHoleRouteDetectedViolation


Violation detail for an internet gateway route with an inactive state in the customer subnet route table or Network Firewall subnet route table.

## Contents


 ** RouteTableId **   <a name="fms-Type-NetworkFirewallBlackHoleRouteDetectedViolation-RouteTableId"></a>
Information about the route table ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolatingRoutes **   <a name="fms-Type-NetworkFirewallBlackHoleRouteDetectedViolation-ViolatingRoutes"></a>
Information about the route or routes that are in violation.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** ViolationTarget **   <a name="fms-Type-NetworkFirewallBlackHoleRouteDetectedViolation-ViolationTarget"></a>
The subnet that has an inactive state.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** VpcId **   <a name="fms-Type-NetworkFirewallBlackHoleRouteDetectedViolation-VpcId"></a>
Information about the VPC ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallBlackHoleRouteDetectedViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallBlackHoleRouteDetectedViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallBlackHoleRouteDetectedViolation) 

# NetworkFirewallInternetTrafficNotInspectedViolation


Violation detail for the subnet for which internet traffic hasn't been inspected.

## Contents


 ** ActualFirewallSubnetRoutes **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-ActualFirewallSubnetRoutes"></a>
The actual firewall subnet routes.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** ActualInternetGatewayRoutes **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-ActualInternetGatewayRoutes"></a>
The actual internet gateway routes.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** CurrentFirewallSubnetRouteTable **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-CurrentFirewallSubnetRouteTable"></a>
Information about the subnet route table for the current firewall.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** CurrentInternetGatewayRouteTable **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-CurrentInternetGatewayRouteTable"></a>
The current route table for the internet gateway.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ExpectedFirewallEndpoint **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-ExpectedFirewallEndpoint"></a>
The expected endpoint for the current firewall.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ExpectedFirewallSubnetRoutes **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-ExpectedFirewallSubnetRoutes"></a>
The firewall subnet routes that are expected.  
Type: Array of [ExpectedRoute](API_ExpectedRoute.md) objects  
Required: No

 ** ExpectedInternetGatewayRoutes **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-ExpectedInternetGatewayRoutes"></a>
The internet gateway routes that are expected.  
Type: Array of [ExpectedRoute](API_ExpectedRoute.md) objects  
Required: No

 ** FirewallSubnetId **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-FirewallSubnetId"></a>
The firewall subnet ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** InternetGatewayId **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-InternetGatewayId"></a>
The internet gateway ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** IsRouteTableUsedInDifferentAZ **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-IsRouteTableUsedInDifferentAZ"></a>
Information about whether the route table is used in another Availability Zone.  
Type: Boolean  
Required: No

 ** RouteTableId **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-RouteTableId"></a>
Information about the route table ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** SubnetAvailabilityZone **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-SubnetAvailabilityZone"></a>
The subnet Availability Zone.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** SubnetId **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-SubnetId"></a>
The subnet ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolatingRoutes **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-ViolatingRoutes"></a>
The route or routes that are in violation.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** VpcId **   <a name="fms-Type-NetworkFirewallInternetTrafficNotInspectedViolation-VpcId"></a>
Information about the VPC ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallInternetTrafficNotInspectedViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallInternetTrafficNotInspectedViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallInternetTrafficNotInspectedViolation) 

# NetworkFirewallInvalidRouteConfigurationViolation


Violation detail for the improperly configured subnet route. It's possible there is a missing route table route, or a configuration that causes traffic to cross an Availability Zone boundary.

## Contents


 ** ActualFirewallEndpoint **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ActualFirewallEndpoint"></a>
The actual firewall endpoint.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ActualFirewallSubnetId **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ActualFirewallSubnetId"></a>
The actual subnet ID for the firewall.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ActualFirewallSubnetRoutes **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ActualFirewallSubnetRoutes"></a>
The actual firewall subnet routes that are expected.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** ActualInternetGatewayRoutes **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ActualInternetGatewayRoutes"></a>
The actual internet gateway routes.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** AffectedSubnets **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-AffectedSubnets"></a>
The subnets that are affected.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** CurrentFirewallSubnetRouteTable **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-CurrentFirewallSubnetRouteTable"></a>
The subnet route table for the current firewall.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** CurrentInternetGatewayRouteTable **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-CurrentInternetGatewayRouteTable"></a>
The route table for the current internet gateway.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ExpectedFirewallEndpoint **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ExpectedFirewallEndpoint"></a>
The firewall endpoint that's expected.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ExpectedFirewallSubnetId **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ExpectedFirewallSubnetId"></a>
The expected subnet ID for the firewall.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ExpectedFirewallSubnetRoutes **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ExpectedFirewallSubnetRoutes"></a>
The firewall subnet routes that are expected.  
Type: Array of [ExpectedRoute](API_ExpectedRoute.md) objects  
Required: No

 ** ExpectedInternetGatewayRoutes **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ExpectedInternetGatewayRoutes"></a>
The expected routes for the internet gateway.  
Type: Array of [ExpectedRoute](API_ExpectedRoute.md) objects  
Required: No

 ** InternetGatewayId **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-InternetGatewayId"></a>
The internet gateway ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** IsRouteTableUsedInDifferentAZ **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-IsRouteTableUsedInDifferentAZ"></a>
Information about whether the route table is used in another Availability Zone.  
Type: Boolean  
Required: No

 ** RouteTableId **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-RouteTableId"></a>
The route table ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolatingRoute **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-ViolatingRoute"></a>
The route that's in violation.  
Type: [Route](API_Route.md) object  
Required: No

 ** VpcId **   <a name="fms-Type-NetworkFirewallInvalidRouteConfigurationViolation-VpcId"></a>
Information about the VPC ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallInvalidRouteConfigurationViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallInvalidRouteConfigurationViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallInvalidRouteConfigurationViolation) 

# NetworkFirewallMissingExpectedRoutesViolation


Violation detail for an expected route missing in AWS Network Firewall.

## Contents


 ** ExpectedRoutes **   <a name="fms-Type-NetworkFirewallMissingExpectedRoutesViolation-ExpectedRoutes"></a>
The expected routes.  
Type: Array of [ExpectedRoute](API_ExpectedRoute.md) objects  
Required: No

 ** ViolationTarget **   <a name="fms-Type-NetworkFirewallMissingExpectedRoutesViolation-ViolationTarget"></a>
The target of the violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** VpcId **   <a name="fms-Type-NetworkFirewallMissingExpectedRoutesViolation-VpcId"></a>
Information about the VPC ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallMissingExpectedRoutesViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallMissingExpectedRoutesViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallMissingExpectedRoutesViolation) 

# NetworkFirewallMissingExpectedRTViolation


Violation detail for AWS Network Firewall for a subnet that's not associated to the expected Firewall Manager managed route table.

## Contents


 ** AvailabilityZone **   <a name="fms-Type-NetworkFirewallMissingExpectedRTViolation-AvailabilityZone"></a>
The Availability Zone of a violating subnet.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** CurrentRouteTable **   <a name="fms-Type-NetworkFirewallMissingExpectedRTViolation-CurrentRouteTable"></a>
The resource ID of the current route table that's associated with the subnet, if one is available.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ExpectedRouteTable **   <a name="fms-Type-NetworkFirewallMissingExpectedRTViolation-ExpectedRouteTable"></a>
The resource ID of the route table that should be associated with the subnet.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolationTarget **   <a name="fms-Type-NetworkFirewallMissingExpectedRTViolation-ViolationTarget"></a>
The ID of the AWS Network Firewall or VPC resource that's in violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** VPC **   <a name="fms-Type-NetworkFirewallMissingExpectedRTViolation-VPC"></a>
The resource ID of the VPC associated with a violating subnet.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallMissingExpectedRTViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallMissingExpectedRTViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallMissingExpectedRTViolation) 

# NetworkFirewallMissingFirewallViolation


Violation detail for AWS Network Firewall for a subnet that doesn't have a Firewall Manager managed firewall in its VPC. 

## Contents


 ** AvailabilityZone **   <a name="fms-Type-NetworkFirewallMissingFirewallViolation-AvailabilityZone"></a>
The Availability Zone of a violating subnet.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** TargetViolationReason **   <a name="fms-Type-NetworkFirewallMissingFirewallViolation-TargetViolationReason"></a>
The reason the resource has this violation, if one is available.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `\w+`   
Required: No

 ** ViolationTarget **   <a name="fms-Type-NetworkFirewallMissingFirewallViolation-ViolationTarget"></a>
The ID of the AWS Network Firewall or VPC resource that's in violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** VPC **   <a name="fms-Type-NetworkFirewallMissingFirewallViolation-VPC"></a>
The resource ID of the VPC associated with a violating subnet.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallMissingFirewallViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallMissingFirewallViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallMissingFirewallViolation) 

# NetworkFirewallMissingSubnetViolation


Violation detail for AWS Network Firewall for an Availability Zone that's missing the expected Firewall Manager managed subnet.

## Contents


 ** AvailabilityZone **   <a name="fms-Type-NetworkFirewallMissingSubnetViolation-AvailabilityZone"></a>
The Availability Zone of a violating subnet.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** TargetViolationReason **   <a name="fms-Type-NetworkFirewallMissingSubnetViolation-TargetViolationReason"></a>
The reason the resource has this violation, if one is available.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `\w+`   
Required: No

 ** ViolationTarget **   <a name="fms-Type-NetworkFirewallMissingSubnetViolation-ViolationTarget"></a>
The ID of the AWS Network Firewall or VPC resource that's in violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** VPC **   <a name="fms-Type-NetworkFirewallMissingSubnetViolation-VPC"></a>
The resource ID of the VPC associated with a violating subnet.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallMissingSubnetViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallMissingSubnetViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallMissingSubnetViolation) 

# NetworkFirewallPolicy


Configures the firewall policy deployment model of AWS Network Firewall. For information about Network Firewall deployment models, see [AWS Network Firewall example architectures with routing](https://docs.aws.amazon.com/network-firewall/latest/developerguide/architectures.html) in the *Network Firewall Developer Guide*.

## Contents


 ** FirewallDeploymentModel **   <a name="fms-Type-NetworkFirewallPolicy-FirewallDeploymentModel"></a>
Defines the deployment model to use for the firewall policy. To use a distributed model, set [PolicyOption](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) to `NULL`.  
Type: String  
Valid Values: `CENTRALIZED | DISTRIBUTED`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallPolicy) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallPolicy) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallPolicy) 

# NetworkFirewallPolicyDescription


The definition of the AWS Network Firewall firewall policy.

## Contents


 ** StatefulDefaultActions **   <a name="fms-Type-NetworkFirewallPolicyDescription-StatefulDefaultActions"></a>
The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.  
 Valid values of the stateful default action:   
+ aws:drop_strict
+ aws:drop_established
+ aws:alert_strict
+ aws:alert_established
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^[a-zA-Z0-9]+$`   
Required: No

 ** StatefulEngineOptions **   <a name="fms-Type-NetworkFirewallPolicyDescription-StatefulEngineOptions"></a>
Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.  
Type: [StatefulEngineOptions](API_StatefulEngineOptions.md) object  
Required: No

 ** StatefulRuleGroups **   <a name="fms-Type-NetworkFirewallPolicyDescription-StatefulRuleGroups"></a>
The stateful rule groups that are used in the Network Firewall firewall policy.   
Type: Array of [StatefulRuleGroup](API_StatefulRuleGroup.md) objects  
Required: No

 ** StatelessCustomActions **   <a name="fms-Type-NetworkFirewallPolicyDescription-StatelessCustomActions"></a>
Names of custom actions that are available for use in the stateless default actions settings.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^[a-zA-Z0-9]+$`   
Required: No

 ** StatelessDefaultActions **   <a name="fms-Type-NetworkFirewallPolicyDescription-StatelessDefaultActions"></a>
The actions to take on packets that don't match any of the stateless rule groups.   
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^[a-zA-Z0-9]+$`   
Required: No

 ** StatelessFragmentDefaultActions **   <a name="fms-Type-NetworkFirewallPolicyDescription-StatelessFragmentDefaultActions"></a>
The actions to take on packet fragments that don't match any of the stateless rule groups.   
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^[a-zA-Z0-9]+$`   
Required: No

 ** StatelessRuleGroups **   <a name="fms-Type-NetworkFirewallPolicyDescription-StatelessRuleGroups"></a>
The stateless rule groups that are used in the Network Firewall firewall policy.   
Type: Array of [StatelessRuleGroup](API_StatelessRuleGroup.md) objects  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallPolicyDescription) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallPolicyDescription) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallPolicyDescription) 

# NetworkFirewallPolicyModifiedViolation


Violation detail for AWS Network Firewall for a firewall policy that has a different [NetworkFirewallPolicyDescription](API_NetworkFirewallPolicyDescription.md) than is required by the Firewall Manager policy. 

## Contents


 ** CurrentPolicyDescription **   <a name="fms-Type-NetworkFirewallPolicyModifiedViolation-CurrentPolicyDescription"></a>
The policy that's currently in use in the individual account.   
Type: [NetworkFirewallPolicyDescription](API_NetworkFirewallPolicyDescription.md) object  
Required: No

 ** ExpectedPolicyDescription **   <a name="fms-Type-NetworkFirewallPolicyModifiedViolation-ExpectedPolicyDescription"></a>
The policy that should be in use in the individual account in order to be compliant.   
Type: [NetworkFirewallPolicyDescription](API_NetworkFirewallPolicyDescription.md) object  
Required: No

 ** ViolationTarget **   <a name="fms-Type-NetworkFirewallPolicyModifiedViolation-ViolationTarget"></a>
The ID of the AWS Network Firewall or VPC resource that's in violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No
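
The comparison this violation implies, written out as an added example (not AWS code): it reports where `CurrentPolicyDescription` departs from `ExpectedPolicyDescription`. The sample violation is constructed, and keying rule groups by `ResourceId` with a fallback to `RuleGroupName` is an assumption of this sketch.

```python
# Added example: drift report for a NetworkFirewallPolicyModifiedViolation dict.
LIST_FIELDS = ("StatefulDefaultActions", "StatelessDefaultActions",
               "StatelessFragmentDefaultActions", "StatelessCustomActions")
GROUP_FIELDS = ("StatefulRuleGroups", "StatelessRuleGroups")


def _groups_by_id(groups):
    # Assumption: a rule group is identified by ResourceId, else RuleGroupName.
    return {g.get("ResourceId") or g.get("RuleGroupName") or "": g
            for g in groups or []}


def diff_policy_descriptions(violation):
    """Return a list of findings describing how the current policy drifted."""
    current = violation.get("CurrentPolicyDescription") or {}
    expected = violation.get("ExpectedPolicyDescription") or {}
    findings = []

    # Action lists: report what the expected policy has that is now missing,
    # and what is present that the expected policy never asked for.
    for field in LIST_FIELDS:
        cur = set(current.get(field) or [])
        exp = set(expected.get(field) or [])
        if cur != exp:
            findings.append({"field": field,
                             "missing": sorted(exp - cur),
                             "unexpected": sorted(cur - exp)})

    # Rule groups: removed, added, or present in both with changed attributes
    # (for example a changed priority or an added override).
    for field in GROUP_FIELDS:
        cur = _groups_by_id(current.get(field))
        exp = _groups_by_id(expected.get(field))
        for key in sorted(exp.keys() - cur.keys()):
            findings.append({"field": field, "group": key, "change": "removed"})
        for key in sorted(cur.keys() - exp.keys()):
            findings.append({"field": field, "group": key, "change": "added"})
        for key in sorted(exp.keys() & cur.keys()):
            if cur[key] != exp[key]:
                attrs = sorted(k for k in set(cur[key]) | set(exp[key])
                               if cur[key].get(k) != exp[key].get(k))
                findings.append({"field": field, "group": key,
                                 "change": "modified", "attributes": attrs})

    cur_opts = current.get("StatefulEngineOptions") or {}
    exp_opts = expected.get("StatefulEngineOptions") or {}
    if cur_opts != exp_opts:
        findings.append({"field": "StatefulEngineOptions", "change": "modified"})
    return findings


# Constructed sample: the member account switched the stateful default action
# from drop to alert, changed fragment handling, and added a DROP_TO_ALERT
# override on a rule group.
RG_A = "arn:aws:network-firewall:us-east-1:111111111111:stateful-rulegroup/example-a"
SAMPLE_VIOLATION = {
    "ViolationTarget": "example-firewall-id",
    "ExpectedPolicyDescription": {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulDefaultActions": ["aws:drop_strict"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulRuleGroups": [
            {"RuleGroupName": "example-a", "ResourceId": RG_A, "Priority": 1}],
    },
    "CurrentPolicyDescription": {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:pass"],
        "StatefulDefaultActions": ["aws:alert_strict"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulRuleGroups": [
            {"RuleGroupName": "example-a", "ResourceId": RG_A, "Priority": 1,
             "Override": {"Action": "DROP_TO_ALERT"}}],
    },
}

if __name__ == "__main__":
    for finding in diff_policy_descriptions(SAMPLE_VIOLATION):
        print(finding)
```
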

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallPolicyModifiedViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallPolicyModifiedViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallPolicyModifiedViolation) 

# NetworkFirewallStatefulRuleGroupOverride


The setting that allows the policy owner to change the behavior of the rule group within a policy.

## Contents


 ** Action **   <a name="fms-Type-NetworkFirewallStatefulRuleGroupOverride-Action"></a>
The action that changes the rule group from `DROP` to `ALERT`. This only applies to managed rule groups.  
Type: String  
Valid Values: `DROP_TO_ALERT`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallStatefulRuleGroupOverride) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallStatefulRuleGroupOverride) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallStatefulRuleGroupOverride) 

# NetworkFirewallUnexpectedFirewallRoutesViolation


Violation detail for an unexpected route that's present in a route table.

## Contents


 ** FirewallEndpoint **   <a name="fms-Type-NetworkFirewallUnexpectedFirewallRoutesViolation-FirewallEndpoint"></a>
The endpoint of the firewall.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** FirewallSubnetId **   <a name="fms-Type-NetworkFirewallUnexpectedFirewallRoutesViolation-FirewallSubnetId"></a>
The subnet ID for the firewall.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** RouteTableId **   <a name="fms-Type-NetworkFirewallUnexpectedFirewallRoutesViolation-RouteTableId"></a>
The ID of the route table.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolatingRoutes **   <a name="fms-Type-NetworkFirewallUnexpectedFirewallRoutesViolation-ViolatingRoutes"></a>
The routes that are in violation.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** VpcId **   <a name="fms-Type-NetworkFirewallUnexpectedFirewallRoutesViolation-VpcId"></a>
Information about the VPC ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallUnexpectedFirewallRoutesViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallUnexpectedFirewallRoutesViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallUnexpectedFirewallRoutesViolation) 

# NetworkFirewallUnexpectedGatewayRoutesViolation


Violation detail for an unexpected gateway route that’s present in a route table.

## Contents


 ** GatewayId **   <a name="fms-Type-NetworkFirewallUnexpectedGatewayRoutesViolation-GatewayId"></a>
Information about the gateway ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** RouteTableId **   <a name="fms-Type-NetworkFirewallUnexpectedGatewayRoutesViolation-RouteTableId"></a>
Information about the route table.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolatingRoutes **   <a name="fms-Type-NetworkFirewallUnexpectedGatewayRoutesViolation-ViolatingRoutes"></a>
The routes that are in violation.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** VpcId **   <a name="fms-Type-NetworkFirewallUnexpectedGatewayRoutesViolation-VpcId"></a>
Information about the VPC ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/NetworkFirewallUnexpectedGatewayRoutesViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/NetworkFirewallUnexpectedGatewayRoutesViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/NetworkFirewallUnexpectedGatewayRoutesViolation) 

# OrganizationalUnitScope


Defines the Organizations organizational units (OUs) that the specified Firewall Manager administrator can apply policies to. For more information about OUs in Organizations, see [Managing organizational units (OUs) ](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) in the *Organizations User Guide*.

## Contents


 ** AllOrganizationalUnitsEnabled **   <a name="fms-Type-OrganizationalUnitScope-AllOrganizationalUnitsEnabled"></a>
A boolean value that indicates if the administrator can apply policies to all OUs within an organization. If true, the administrator can manage all OUs within the organization. You can either enable management of all OUs through this operation, or you can specify OUs to manage in `OrganizationalUnitScope$OrganizationalUnits`. You cannot specify both.  
Type: Boolean  
Required: No

 ** ExcludeSpecifiedOrganizationalUnits **   <a name="fms-Type-OrganizationalUnitScope-ExcludeSpecifiedOrganizationalUnits"></a>
A boolean value that excludes the OUs in `OrganizationalUnitScope$OrganizationalUnits` from the administrator's scope. If true, the Firewall Manager administrator can apply policies to all OUs in the organization except for the OUs listed in `OrganizationalUnitScope$OrganizationalUnits`. You can either specify a list of OUs to exclude by `OrganizationalUnitScope$OrganizationalUnits`, or you can enable management of all OUs by `OrganizationalUnitScope$AllOrganizationalUnitsEnabled`. You cannot specify both.  
Type: Boolean  
Required: No

 ** OrganizationalUnits **   <a name="fms-Type-OrganizationalUnitScope-OrganizationalUnits"></a>
The list of OUs within the organization that the specified Firewall Manager administrator either can or cannot apply policies to, based on the value of `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits`. If `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits` is set to `true`, then the Firewall Manager administrator can apply policies to all OUs in the organization except for the OUs in this list. If `OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits` is set to `false`, then the Firewall Manager administrator can only apply policies to the OUs in this list.  
Type: Array of strings  
Length Constraints: Minimum length of 16. Maximum length of 68.  
Pattern: `^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$`   
Required: No
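
The three fields above interact, so a scope is worth linting before it is submitted. This added example (not AWS code) checks the "cannot specify both" rules and the OU ID constraints, then resolves whether an administrator may manage a given OU; the function names are hypothetical and the OU IDs are constructed.

```python
# Added example: lint and evaluate an OrganizationalUnitScope dict.
import re

# Pattern and length limits copied from the OrganizationalUnits field above.
OU_ID = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")


def lint_ou_scope(scope):
    """Return a list of problems found in an OrganizationalUnitScope dict."""
    problems = []
    all_enabled = bool(scope.get("AllOrganizationalUnitsEnabled", False))
    exclude = bool(scope.get("ExcludeSpecifiedOrganizationalUnits", False))
    ous = scope.get("OrganizationalUnits") or []

    if all_enabled and ous:
        problems.append(
            "AllOrganizationalUnitsEnabled and OrganizationalUnits are both set")
    if all_enabled and exclude:
        problems.append(
            "AllOrganizationalUnitsEnabled and "
            "ExcludeSpecifiedOrganizationalUnits are both set")
    if exclude and not ous:
        # Nothing is excluded, so the administrator ends up with every OU.
        problems.append(
            "ExcludeSpecifiedOrganizationalUnits is true but no OUs are listed")
    for ou in ous:
        if not 16 <= len(ou) <= 68 or not OU_ID.fullmatch(ou):
            problems.append(f"malformed OU ID: {ou!r}")
    if len(set(ous)) != len(ous):
        problems.append("duplicate OU IDs in OrganizationalUnits")
    return problems


def admin_can_manage(scope, ou_id):
    """True if the scope lets the administrator apply policies to ou_id.

    Only membership in the list is checked; the OU hierarchy is not consulted.
    """
    if scope.get("AllOrganizationalUnitsEnabled"):
        return True
    listed = ou_id in (scope.get("OrganizationalUnits") or [])
    if scope.get("ExcludeSpecifiedOrganizationalUnits"):
        return not listed   # everything except the listed OUs
    return listed           # only the listed OUs


if __name__ == "__main__":
    scope = {"ExcludeSpecifiedOrganizationalUnits": True,
             "OrganizationalUnits": ["ou-abcd-12345678"]}   # constructed ID
    print(lint_ou_scope(scope))
    print(admin_can_manage(scope, "ou-abcd-12345678"))
    print(admin_can_manage(scope, "ou-abcd-87654321"))
```
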

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/OrganizationalUnitScope) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/OrganizationalUnitScope) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/OrganizationalUnitScope) 

# PartialMatch


The reference rule that partially matches the `ViolationTarget` rule and violation reason.

## Contents


 ** Reference **   <a name="fms-Type-PartialMatch-Reference"></a>
The reference rule from the primary security group of the AWS Firewall Manager policy.  
Type: String  
Required: No

 ** TargetViolationReasons **   <a name="fms-Type-PartialMatch-TargetViolationReasons"></a>
The violation reason.  
Type: Array of strings  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `\w+`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/PartialMatch) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/PartialMatch) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/PartialMatch) 

# Policy


An AWS Firewall Manager policy.

## Contents


 ** ExcludeResourceTags **   <a name="fms-Type-Policy-ExcludeResourceTags"></a>
If set to `True`, resources with the tags that are specified in the `ResourceTag` array are not in scope of the policy. If set to `False`, and the `ResourceTag` array is not null, only resources with the specified tags are in scope of the policy.  
Type: Boolean  
Required: Yes

 ** PolicyName **   <a name="fms-Type-Policy-PolicyName"></a>
The name of the AWS Firewall Manager policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** RemediationEnabled **   <a name="fms-Type-Policy-RemediationEnabled"></a>
Indicates if the policy should be automatically applied to new resources.  
Type: Boolean  
Required: Yes

 ** ResourceType **   <a name="fms-Type-Policy-ResourceType"></a>
The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html). To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList`.  
The following are valid resource types for each Firewall Manager policy type:  
+  AWS WAF Classic - `AWS::ApiGateway::Stage`, `AWS::CloudFront::Distribution`, and `AWS::ElasticLoadBalancingV2::LoadBalancer`.
+  AWS WAF - `AWS::ApiGateway::Stage`, `AWS::ElasticLoadBalancingV2::LoadBalancer`, and `AWS::CloudFront::Distribution`.
+ Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer`, `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::EC2::EIP`, and `AWS::CloudFront::Distribution`.
+ Network ACL - `AWS::EC2::Subnet`.
+ Security group usage audit - `AWS::EC2::SecurityGroup`.
+ Security group content audit - `AWS::EC2::SecurityGroup`, `AWS::EC2::NetworkInterface`, and `AWS::EC2::Instance`.
+ DNS Firewall, AWS Network Firewall, and third-party firewall - `AWS::EC2::VPC`.
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** SecurityServicePolicyData **   <a name="fms-Type-Policy-SecurityServicePolicyData"></a>
Details about the security service that is being used to protect the resources.  
Type: [SecurityServicePolicyData](API_SecurityServicePolicyData.md) object  
Required: Yes

 ** DeleteUnusedFMManagedResources **   <a name="fms-Type-Policy-DeleteUnusedFMManagedResources"></a>
Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.   
By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.   
This option is not available for Shield Advanced or AWS WAF Classic policies.  
Type: Boolean  
Required: No

 ** ExcludeMap **   <a name="fms-Type-Policy-ExcludeMap"></a>
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.  
You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap`, AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap`, and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap`, then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap`.  
You can specify account IDs, OUs, or a combination:   
+ Specify account IDs by setting the key to `ACCOUNT`. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}`.
+ Specify OUs by setting the key to `ORG_UNIT`. For example, the following is a valid map: `{"ORG_UNIT" : ["ouid111", "ouid112"]}`.
+ Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORG_UNIT" : ["ouid111", "ouid112"]}`.
Type: String to array of strings map  
Valid Keys: `ACCOUNT | ORG_UNIT`   
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** IncludeMap **   <a name="fms-Type-Policy-IncludeMap"></a>
Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.  
You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap`, AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap`, and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap`, then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap`.  
You can specify account IDs, OUs, or a combination:   
+ Specify account IDs by setting the key to `ACCOUNT`. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}`.
+ Specify OUs by setting the key to `ORG_UNIT`. For example, the following is a valid map: `{"ORG_UNIT" : ["ouid111", "ouid112"]}`.
+ Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORG_UNIT" : ["ouid111", "ouid112"]}`.
Type: String to array of strings map  
Valid Keys: `ACCOUNT | ORG_UNIT`   
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** PolicyDescription **   <a name="fms-Type-Policy-PolicyDescription"></a>
Your description of the AWS Firewall Manager policy.  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** PolicyId **   <a name="fms-Type-Policy-PolicyId"></a>
The ID of the AWS Firewall Manager policy.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** PolicyStatus **   <a name="fms-Type-Policy-PolicyStatus"></a>
Indicates whether the policy is in or out of an admin's policy or Region scope.  
+  `ACTIVE` - The administrator can manage and delete the policy.
+  `OUT_OF_ADMIN_SCOPE` - The administrator can view the policy, but they can't edit or delete the policy. Existing policy protections stay in place. Any new resources that come into scope of the policy won't be protected.
Type: String  
Valid Values: `ACTIVE | OUT_OF_ADMIN_SCOPE`   
Required: No

 ** PolicyUpdateToken **   <a name="fms-Type-Policy-PolicyUpdateToken"></a>
A unique identifier for each update to the policy. When issuing a `PutPolicy` request, the `PolicyUpdateToken` in the request must match the `PolicyUpdateToken` of the current policy version. To get the `PolicyUpdateToken` of the current policy version, use a `GetPolicy` request.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ResourceSetIds **   <a name="fms-Type-Policy-ResourceSetIds"></a>
The unique identifiers of the resource sets used by the policy.  
Type: Array of strings  
Length Constraints: Fixed length of 22.  
Pattern: `^[a-z0-9A-Z]{22}$`   
Required: No

 ** ResourceTagLogicalOperator **   <a name="fms-Type-Policy-ResourceTagLogicalOperator"></a>
Specifies whether to combine multiple resource tags with AND, so that a resource must have all tags to be included or excluded, or OR, so that a resource must have at least one tag.  
Default: `AND`   
Type: String  
Valid Values: `AND | OR`   
Required: No

 ** ResourceTags **   <a name="fms-Type-Policy-ResourceTags"></a>
An array of `ResourceTag` objects.  
Type: Array of [ResourceTag](API_ResourceTag.md) objects  
Array Members: Minimum number of 0 items. Maximum number of 50 items.  
Required: No

 ** ResourceTypeList **   <a name="fms-Type-Policy-ResourceTypeList"></a>
An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType`.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No
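
The scoping rules spread across `IncludeMap`, `ExcludeMap`, `ResourceType`, `ResourceTypeList`, `ExcludeResourceTags`, `ResourceTags` and `ResourceTagLogicalOperator` combine as in this added example (not AWS code), which is useful for reviewing what a policy actually covers. The `ou_path` argument (the account's OU plus its ancestor OUs) is a hypothetical input, treating a tag with no `Value` as a key-only match is an assumption, and the sample policy is constructed.

```python
# Added example: decide whether a resource falls in scope of a Policy dict.

def account_in_scope(policy, account_id, ou_path):
    """ou_path: IDs of the OU holding the account and of all its ancestor OUs,
    because naming an OU also covers the accounts in its child OUs."""
    include = policy.get("IncludeMap") or {}
    exclude = policy.get("ExcludeMap") or {}

    def listed(scope_map):
        if account_id in scope_map.get("ACCOUNT", []):
            return True
        return any(ou in scope_map.get("ORG_UNIT", []) for ou in ou_path)

    if include:
        # When an IncludeMap is given, the ExcludeMap is never evaluated.
        return listed(include)
    return not listed(exclude)


def _tag_matches(wanted, resource_tags):
    key = wanted["Key"]
    if key not in resource_tags:
        return False
    value = wanted.get("Value")
    # Assumption: a ResourceTag without a Value matches on the key alone.
    return value in (None, "") or resource_tags[key] == value


def tags_in_scope(policy, resource_tags):
    wanted = policy.get("ResourceTags") or []
    if not wanted:
        return True   # no tag filter: tags do not restrict the scope
    operator = policy.get("ResourceTagLogicalOperator", "AND")   # default AND
    hits = [_tag_matches(tag, resource_tags) for tag in wanted]
    matched = all(hits) if operator == "AND" else any(hits)
    # ExcludeResourceTags=True removes matching resources from scope;
    # False keeps only the matching resources.
    return not matched if policy.get("ExcludeResourceTags", False) else matched


def policy_resource_types(policy):
    # A ResourceType of "ResourceTypeList" defers to the ResourceTypeList array.
    if policy["ResourceType"] == "ResourceTypeList":
        return set(policy.get("ResourceTypeList") or [])
    return {policy["ResourceType"]}


def resource_in_scope(policy, account_id, ou_path, resource_type, resource_tags):
    return (account_in_scope(policy, account_id, ou_path)
            and resource_type in policy_resource_types(policy)
            and tags_in_scope(policy, resource_tags))


# Constructed sample. The ExcludeMap here is ignored: an IncludeMap is present.
SAMPLE_POLICY = {
    "PolicyName": "example-sg-audit",
    "ResourceType": "ResourceTypeList",
    "ResourceTypeList": ["AWS::EC2::Instance", "AWS::EC2::NetworkInterface"],
    "ExcludeResourceTags": True,
    "ResourceTagLogicalOperator": "OR",
    "ResourceTags": [{"Key": "fms-exempt"}, {"Key": "env", "Value": "sandbox"}],
    "IncludeMap": {"ORG_UNIT": ["ou-abcd-11111111"]},
    "ExcludeMap": {"ACCOUNT": ["111111111111"]},
}

if __name__ == "__main__":
    path = ["ou-abcd-22222222", "ou-abcd-11111111"]   # child OU, then parent
    print(account_in_scope(SAMPLE_POLICY, "111111111111", path))
    print(resource_in_scope(SAMPLE_POLICY, "111111111111", path,
                            "AWS::EC2::Instance", {"env": "sandbox"}))
```

In the sample, account `111111111111` stays in scope even though it appears in the `ExcludeMap`, which is the behaviour to watch for when both maps are populated.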

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/Policy) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/Policy) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/Policy) 

# PolicyComplianceDetail


Describes the noncompliant resources in a member account for a specific AWS Firewall Manager policy. A maximum of 100 entries are displayed. If more than 100 resources are noncompliant, `EvaluationLimitExceeded` is set to `True`.

## Contents


 ** EvaluationLimitExceeded **   <a name="fms-Type-PolicyComplianceDetail-EvaluationLimitExceeded"></a>
Indicates if over 100 resources are noncompliant with the AWS Firewall Manager policy.  
Type: Boolean  
Required: No

 ** ExpiredAt **   <a name="fms-Type-PolicyComplianceDetail-ExpiredAt"></a>
A timestamp that indicates when the returned information should be considered out of date.  
Type: Timestamp  
Required: No

 ** IssueInfoMap **   <a name="fms-Type-PolicyComplianceDetail-IssueInfoMap"></a>
Details about problems with dependent services, such as AWS WAF or AWS Config, and the error message received that indicates the problem with the service.  
Type: String to string map  
Valid Keys: `AWSCONFIG | AWSWAF | AWSSHIELD_ADVANCED | AWSVPC`   
Value Length Constraints: Minimum length of 1. Maximum length of 4096.  
Value Pattern: `^([\p{L}\p{Z}\p{N}_.:/=,+\-@]*)$`   
Required: No

 ** MemberAccount **   <a name="fms-Type-PolicyComplianceDetail-MemberAccount"></a>
The AWS account ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: No

 ** PolicyId **   <a name="fms-Type-PolicyComplianceDetail-PolicyId"></a>
The ID of the AWS Firewall Manager policy.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** PolicyOwner **   <a name="fms-Type-PolicyComplianceDetail-PolicyOwner"></a>
The AWS account that created the AWS Firewall Manager policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: No

 ** Violators **   <a name="fms-Type-PolicyComplianceDetail-Violators"></a>
An array of resources that aren't protected by the AWS WAF or Shield Advanced policy or that aren't in compliance with the security group policy.  
Type: Array of [ComplianceViolator](API_ComplianceViolator.md) objects  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/PolicyComplianceDetail) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/PolicyComplianceDetail) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/PolicyComplianceDetail) 

# PolicyComplianceStatus


Indicates whether the account is compliant with the specified policy. An account is considered noncompliant if it includes resources that are not protected by the policy, for AWS WAF and Shield Advanced policies, or that are noncompliant with the policy, for security group policies.

## Contents


 ** EvaluationResults **   <a name="fms-Type-PolicyComplianceStatus-EvaluationResults"></a>
An array of `EvaluationResult` objects.  
Type: Array of [EvaluationResult](API_EvaluationResult.md) objects  
Required: No

 ** IssueInfoMap **   <a name="fms-Type-PolicyComplianceStatus-IssueInfoMap"></a>
Details about problems with dependent services, such as AWS WAF or AWS Config, and the error message received that indicates the problem with the service.  
Type: String to string map  
Valid Keys: `AWSCONFIG | AWSWAF | AWSSHIELD_ADVANCED | AWSVPC`   
Value Length Constraints: Minimum length of 1. Maximum length of 4096.  
Value Pattern: `^([\p{L}\p{Z}\p{N}_.:/=,+\-@]*)$`   
Required: No

 ** LastUpdated **   <a name="fms-Type-PolicyComplianceStatus-LastUpdated"></a>
Timestamp of the last update to the `EvaluationResult` objects.  
Type: Timestamp  
Required: No

 ** MemberAccount **   <a name="fms-Type-PolicyComplianceStatus-MemberAccount"></a>
The member account ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: No

 ** PolicyId **   <a name="fms-Type-PolicyComplianceStatus-PolicyId"></a>
The ID of the AWS Firewall Manager policy.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** PolicyName **   <a name="fms-Type-PolicyComplianceStatus-PolicyName"></a>
The name of the AWS Firewall Manager policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** PolicyOwner **   <a name="fms-Type-PolicyComplianceStatus-PolicyOwner"></a>
The AWS account that created the AWS Firewall Manager policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/PolicyComplianceStatus) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/PolicyComplianceStatus) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/PolicyComplianceStatus) 

# PolicyOption


Contains the settings to configure a network ACL policy, an AWS Network Firewall firewall policy deployment model, or a third-party firewall policy.

## Contents


 ** NetworkAclCommonPolicy **   <a name="fms-Type-PolicyOption-NetworkAclCommonPolicy"></a>
Defines a Firewall Manager network ACL policy.   
Type: [NetworkAclCommonPolicy](API_NetworkAclCommonPolicy.md) object  
Required: No

 ** NetworkFirewallPolicy **   <a name="fms-Type-PolicyOption-NetworkFirewallPolicy"></a>
Defines the deployment model to use for the firewall policy.  
Type: [NetworkFirewallPolicy](API_NetworkFirewallPolicy.md) object  
Required: No

 ** ThirdPartyFirewallPolicy **   <a name="fms-Type-PolicyOption-ThirdPartyFirewallPolicy"></a>
Defines the policy options for a third-party firewall policy.  
Type: [ThirdPartyFirewallPolicy](API_ThirdPartyFirewallPolicy.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/PolicyOption) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/PolicyOption) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/PolicyOption) 

# PolicySummary


Details of the AWS Firewall Manager policy. 

## Contents


 ** DeleteUnusedFMManagedResources **   <a name="fms-Type-PolicySummary-DeleteUnusedFMManagedResources"></a>
Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.   
By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.   
This option is not available for Shield Advanced or AWS WAF Classic policies.  
Type: Boolean  
Required: No

 ** PolicyArn **   <a name="fms-Type-PolicySummary-PolicyArn"></a>
The Amazon Resource Name (ARN) of the specified policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** PolicyId **   <a name="fms-Type-PolicySummary-PolicyId"></a>
The ID of the specified policy.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** PolicyName **   <a name="fms-Type-PolicySummary-PolicyName"></a>
The name of the specified policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** PolicyStatus **   <a name="fms-Type-PolicySummary-PolicyStatus"></a>
Indicates whether the policy is in or out of an admin's policy or Region scope.  
+  `ACTIVE` - The administrator can manage and delete the policy.
+  `OUT_OF_ADMIN_SCOPE` - The administrator can view the policy, but they can't edit or delete the policy. Existing policy protections stay in place. Any new resources that come into scope of the policy won't be protected.
Type: String  
Valid Values: `ACTIVE | OUT_OF_ADMIN_SCOPE`   
Required: No

 ** RemediationEnabled **   <a name="fms-Type-PolicySummary-RemediationEnabled"></a>
Indicates if the policy should be automatically applied to new resources.  
Type: Boolean  
Required: No

 ** ResourceType **   <a name="fms-Type-PolicySummary-ResourceType"></a>
The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html).   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** SecurityServiceType **   <a name="fms-Type-PolicySummary-SecurityServiceType"></a>
The service that the policy is using to protect the resources. This specifies the type of policy that is created, either an AWS WAF policy, a Shield Advanced policy, or a security group policy.  
Type: String  
Valid Values: `WAF | WAFV2 | SHIELD_ADVANCED | SECURITY_GROUPS_COMMON | SECURITY_GROUPS_CONTENT_AUDIT | SECURITY_GROUPS_USAGE_AUDIT | NETWORK_FIREWALL | DNS_FIREWALL | THIRD_PARTY_FIREWALL | IMPORT_NETWORK_FIREWALL | NETWORK_ACL_COMMON`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/PolicySummary) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/PolicySummary) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/PolicySummary) 

# PolicyTypeScope


Defines the policy types that the specified Firewall Manager administrator can manage.

## Contents


 ** AllPolicyTypesEnabled **   <a name="fms-Type-PolicyTypeScope-AllPolicyTypesEnabled"></a>
Allows the specified Firewall Manager administrator to manage all Firewall Manager policy types, except for third-party policy types. Third-party policy types can only be managed by the Firewall Manager default administrator.  
Type: Boolean  
Required: No

 ** PolicyTypes **   <a name="fms-Type-PolicyTypeScope-PolicyTypes"></a>
The list of policy types that the specified Firewall Manager administrator can manage.  
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 32 items.  
Valid Values: `WAF | WAFV2 | SHIELD_ADVANCED | SECURITY_GROUPS_COMMON | SECURITY_GROUPS_CONTENT_AUDIT | SECURITY_GROUPS_USAGE_AUDIT | NETWORK_FIREWALL | DNS_FIREWALL | THIRD_PARTY_FIREWALL | IMPORT_NETWORK_FIREWALL | NETWORK_ACL_COMMON`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/PolicyTypeScope) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/PolicyTypeScope) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/PolicyTypeScope) 

# PossibleRemediationAction


A list of remediation actions.

## Contents


 ** OrderedRemediationActions **   <a name="fms-Type-PossibleRemediationAction-OrderedRemediationActions"></a>
The ordered list of remediation actions.  
Type: Array of [RemediationActionWithOrder](API_RemediationActionWithOrder.md) objects  
Required: Yes

 ** Description **   <a name="fms-Type-PossibleRemediationAction-Description"></a>
A description of the list of remediation actions.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** IsDefaultAction **   <a name="fms-Type-PossibleRemediationAction-IsDefaultAction"></a>
Information about whether an action is taken by default.  
Type: Boolean  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/PossibleRemediationAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/PossibleRemediationAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/PossibleRemediationAction) 

# PossibleRemediationActions


A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.

## Contents


 ** Actions **   <a name="fms-Type-PossibleRemediationActions-Actions"></a>
Information about the actions.  
Type: Array of [PossibleRemediationAction](API_PossibleRemediationAction.md) objects  
Required: No

 ** Description **   <a name="fms-Type-PossibleRemediationActions-Description"></a>
A description of the possible remediation actions list.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/PossibleRemediationActions) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/PossibleRemediationActions) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/PossibleRemediationActions) 

# ProtocolsListData


An AWS Firewall Manager protocols list.

## Contents


 ** ListName **   <a name="fms-Type-ProtocolsListData-ListName"></a>
The name of the AWS Firewall Manager protocols list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** ProtocolsList **   <a name="fms-Type-ProtocolsListData-ProtocolsList"></a>
An array of protocols in the AWS Firewall Manager protocols list.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 20.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** CreateTime **   <a name="fms-Type-ProtocolsListData-CreateTime"></a>
The time that the AWS Firewall Manager protocols list was created.  
Type: Timestamp  
Required: No

 ** LastUpdateTime **   <a name="fms-Type-ProtocolsListData-LastUpdateTime"></a>
The time that the AWS Firewall Manager protocols list was last updated.  
Type: Timestamp  
Required: No

 ** ListId **   <a name="fms-Type-ProtocolsListData-ListId"></a>
The ID of the AWS Firewall Manager protocols list.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** ListUpdateToken **   <a name="fms-Type-ProtocolsListData-ListUpdateToken"></a>
A unique identifier for each update to the list. When you update the list, the update token must match the token of the current version of the protocols list. You can retrieve the update token by getting the list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** PreviousProtocolsList **   <a name="fms-Type-ProtocolsListData-PreviousProtocolsList"></a>
A map of previous version numbers to their corresponding protocol arrays.  
Type: String to array of strings map  
Key Length Constraints: Minimum length of 1. Maximum length of 2.  
Key Pattern: `^\d{1,2}$`   
Length Constraints: Minimum length of 1. Maximum length of 20.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ProtocolsListData) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ProtocolsListData) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ProtocolsListData) 

# ProtocolsListDataSummary


Details of the AWS Firewall Manager protocols list.

## Contents


 ** ListArn **   <a name="fms-Type-ProtocolsListDataSummary-ListArn"></a>
The Amazon Resource Name (ARN) of the specified protocols list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ListId **   <a name="fms-Type-ProtocolsListDataSummary-ListId"></a>
The ID of the specified protocols list.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: No

 ** ListName **   <a name="fms-Type-ProtocolsListDataSummary-ListName"></a>
The name of the specified protocols list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ProtocolsList **   <a name="fms-Type-ProtocolsListDataSummary-ProtocolsList"></a>
An array of protocols in the AWS Firewall Manager protocols list.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 20.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ProtocolsListDataSummary) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ProtocolsListDataSummary) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ProtocolsListDataSummary) 

# RegionScope


Defines the AWS Regions that the specified Firewall Manager administrator can manage.

## Contents


 ** AllRegionsEnabled **   <a name="fms-Type-RegionScope-AllRegionsEnabled"></a>
Allows the specified Firewall Manager administrator to manage all AWS Regions.  
Type: Boolean  
Required: No

 ** Regions **   <a name="fms-Type-RegionScope-Regions"></a>
The AWS Regions that the specified Firewall Manager administrator can perform actions in.  
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 64 items.  
Length Constraints: Minimum length of 6. Maximum length of 32.  
Pattern: `^(af|ap|ca|eu|il|me|mx|sa|us|cn|us-gov)-\w+-\d+$`   
Required: No
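
A scope review for a delegated administrator, checking a `RegionScope` and a `PolicyTypeScope` against the constraints documented in those two data types. This is an added example, not code from the AWS documentation; the function name, the `is_default_admin` flag and the sample inputs are assumptions.

```python
import re

# Constraints copied from the RegionScope and PolicyTypeScope definitions.
REGION_RE = re.compile(r"^(af|ap|ca|eu|il|me|mx|sa|us|cn|us-gov)-\w+-\d+$")
MAX_REGIONS, MAX_POLICY_TYPES = 64, 32
POLICY_TYPES = {
    "WAF", "WAFV2", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON",
    "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT",
    "NETWORK_FIREWALL", "DNS_FIREWALL", "THIRD_PARTY_FIREWALL",
    "IMPORT_NETWORK_FIREWALL", "NETWORK_ACL_COMMON",
}


def review_admin_scope(region_scope, policy_type_scope, is_default_admin=False):
    """Return (severity, field, message) findings for one administrator's scope.

    is_default_admin is a hypothetical flag supplied by the caller; it is not
    a member of either data type.
    """
    findings = []

    regions = region_scope.get("Regions") or []
    if region_scope.get("AllRegionsEnabled"):
        findings.append(("WARN", "RegionScope.AllRegionsEnabled",
                         "administrator can manage all AWS Regions"))
    if len(regions) > MAX_REGIONS:
        findings.append(("ERROR", "RegionScope.Regions",
                         f"{len(regions)} items exceeds the maximum of {MAX_REGIONS}"))
    for region in regions:
        # fullmatch rejects a trailing newline that '$' alone would accept.
        if not 6 <= len(region) <= 32 or not REGION_RE.fullmatch(region):
            findings.append(("ERROR", "RegionScope.Regions",
                             f"{region!r} fails the length or pattern constraint"))

    policy_types = policy_type_scope.get("PolicyTypes") or []
    if policy_type_scope.get("AllPolicyTypesEnabled"):
        findings.append(("WARN", "PolicyTypeScope.AllPolicyTypesEnabled",
                         "administrator can manage every non-third-party policy type"))
    if len(policy_types) > MAX_POLICY_TYPES:
        findings.append(("ERROR", "PolicyTypeScope.PolicyTypes",
                         f"{len(policy_types)} items exceeds the maximum of {MAX_POLICY_TYPES}"))
    for policy_type in policy_types:
        if policy_type not in POLICY_TYPES:
            findings.append(("ERROR", "PolicyTypeScope.PolicyTypes",
                             f"{policy_type!r} is not a valid value"))
        elif policy_type == "THIRD_PARTY_FIREWALL" and not is_default_admin:
            findings.append(("ERROR", "PolicyTypeScope.PolicyTypes",
                             "third-party policy types are reserved for the default administrator"))
    return findings


if __name__ == "__main__":
    # Constructed sample scope for a non-default administrator.
    for finding in review_admin_scope(
        {"Regions": ["us-east-1", "useast1", "us-gov-west-1"]},
        {"PolicyTypes": ["WAFV2", "THIRD_PARTY_FIREWALL", "waf"]},
    ):
        print(*finding, sep=" | ")
```
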

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/RegionScope) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/RegionScope) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/RegionScope) 

# RemediationAction


Information about an individual action you can take to remediate a violation.

## Contents


 ** CreateNetworkAclAction **   <a name="fms-Type-RemediationAction-CreateNetworkAclAction"></a>
Information about the `CreateNetworkAcl` action in Amazon EC2.  
Type: [CreateNetworkAclAction](API_CreateNetworkAclAction.md) object  
Required: No

 ** CreateNetworkAclEntriesAction **   <a name="fms-Type-RemediationAction-CreateNetworkAclEntriesAction"></a>
Information about the `CreateNetworkAclEntries` action in Amazon EC2.  
Type: [CreateNetworkAclEntriesAction](API_CreateNetworkAclEntriesAction.md) object  
Required: No

 ** DeleteNetworkAclEntriesAction **   <a name="fms-Type-RemediationAction-DeleteNetworkAclEntriesAction"></a>
Information about the `DeleteNetworkAclEntries` action in Amazon EC2.  
Type: [DeleteNetworkAclEntriesAction](API_DeleteNetworkAclEntriesAction.md) object  
Required: No

 ** Description **   <a name="fms-Type-RemediationAction-Description"></a>
A description of a remediation action.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** EC2AssociateRouteTableAction **   <a name="fms-Type-RemediationAction-EC2AssociateRouteTableAction"></a>
Information about the AssociateRouteTable action in the Amazon EC2 API.  
Type: [EC2AssociateRouteTableAction](API_EC2AssociateRouteTableAction.md) object  
Required: No

 ** EC2CopyRouteTableAction **   <a name="fms-Type-RemediationAction-EC2CopyRouteTableAction"></a>
Information about the CopyRouteTable action in the Amazon EC2 API.  
Type: [EC2CopyRouteTableAction](API_EC2CopyRouteTableAction.md) object  
Required: No

 ** EC2CreateRouteAction **   <a name="fms-Type-RemediationAction-EC2CreateRouteAction"></a>
Information about the CreateRoute action in the Amazon EC2 API.  
Type: [EC2CreateRouteAction](API_EC2CreateRouteAction.md) object  
Required: No

 ** EC2CreateRouteTableAction **   <a name="fms-Type-RemediationAction-EC2CreateRouteTableAction"></a>
Information about the CreateRouteTable action in the Amazon EC2 API.  
Type: [EC2CreateRouteTableAction](API_EC2CreateRouteTableAction.md) object  
Required: No

 ** EC2DeleteRouteAction **   <a name="fms-Type-RemediationAction-EC2DeleteRouteAction"></a>
Information about the DeleteRoute action in the Amazon EC2 API.  
Type: [EC2DeleteRouteAction](API_EC2DeleteRouteAction.md) object  
Required: No

 ** EC2ReplaceRouteAction **   <a name="fms-Type-RemediationAction-EC2ReplaceRouteAction"></a>
Information about the ReplaceRoute action in the Amazon EC2 API.  
Type: [EC2ReplaceRouteAction](API_EC2ReplaceRouteAction.md) object  
Required: No

 ** EC2ReplaceRouteTableAssociationAction **   <a name="fms-Type-RemediationAction-EC2ReplaceRouteTableAssociationAction"></a>
Information about the ReplaceRouteTableAssociation action in the Amazon EC2 API.  
Type: [EC2ReplaceRouteTableAssociationAction](API_EC2ReplaceRouteTableAssociationAction.md) object  
Required: No

 ** FMSPolicyUpdateFirewallCreationConfigAction **   <a name="fms-Type-RemediationAction-FMSPolicyUpdateFirewallCreationConfigAction"></a>
The remedial action to take when updating a firewall configuration.  
Type: [FMSPolicyUpdateFirewallCreationConfigAction](API_FMSPolicyUpdateFirewallCreationConfigAction.md) object  
Required: No

 ** ReplaceNetworkAclAssociationAction **   <a name="fms-Type-RemediationAction-ReplaceNetworkAclAssociationAction"></a>
Information about the `ReplaceNetworkAclAssociation` action in Amazon EC2.   
Type: [ReplaceNetworkAclAssociationAction](API_ReplaceNetworkAclAssociationAction.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/RemediationAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/RemediationAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/RemediationAction) 

# RemediationActionWithOrder


An ordered list of actions you can take to remediate a violation.

## Contents


 ** Order **   <a name="fms-Type-RemediationActionWithOrder-Order"></a>
The order of the remediation actions in the list.  
Type: Integer  
Valid Range: Minimum value of -2147483648. Maximum value of 2147483647.  
Required: No

 ** RemediationAction **   <a name="fms-Type-RemediationActionWithOrder-RemediationAction"></a>
Information about an action you can take to remediate a violation.  
Type: [RemediationAction](API_RemediationAction.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/RemediationActionWithOrder) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/RemediationActionWithOrder) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/RemediationActionWithOrder) 

# ReplaceNetworkAclAssociationAction


Information about the `ReplaceNetworkAclAssociation` action in Amazon EC2. This is a remediation option in `RemediationAction`.

## Contents


 ** AssociationId **   <a name="fms-Type-ReplaceNetworkAclAssociationAction-AssociationId"></a>
Describes a remediation action target.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No

 ** Description **   <a name="fms-Type-ReplaceNetworkAclAssociationAction-Description"></a>
Brief description of this remediation action.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** FMSCanRemediate **   <a name="fms-Type-ReplaceNetworkAclAssociationAction-FMSCanRemediate"></a>
Indicates whether it is possible for Firewall Manager to perform this remediation action. A false value indicates that auto remediation is disabled or Firewall Manager is unable to perform the action due to a conflict of some kind.  
Type: Boolean  
Required: No

 ** NetworkAclId **   <a name="fms-Type-ReplaceNetworkAclAssociationAction-NetworkAclId"></a>
The network ACL that's associated with the remediation action.  
Type: [ActionTarget](API_ActionTarget.md) object  
Required: No
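
How the nested remediation types fit together when triaging a violation: `PossibleRemediationActions` holds alternative options, each option holds `RemediationActionWithOrder` entries, and each entry wraps one populated `RemediationAction` member. This is an added example, not code from the AWS documentation; the function names and the sample violation are constructed, and `FMSCanRemediate` is read only where the action structure carries it.

```python
def _action_member(remediation_action):
    """Return (member_name, detail) for the populated action structure."""
    for name, detail in sorted(remediation_action.items()):
        if name != "Description" and isinstance(detail, dict):
            return name, detail
    return None, {}


def remediation_plans(resource_violation):
    """Flatten a ResourceViolation into plans, default option first."""
    container = resource_violation.get("PossibleRemediationActions") or {}
    plans = []
    for option in container.get("Actions") or []:
        steps = []
        for entry in option.get("OrderedRemediationActions") or []:
            name, detail = _action_member(entry.get("RemediationAction") or {})
            steps.append({
                "order": entry.get("Order"),  # Order is optional
                "action": name,
                # None means the structure did not report the flag.
                "fms_can_remediate": detail.get("FMSCanRemediate"),
            })
        # Sort by Order rather than trusting array position; entries
        # without an Order go last.
        steps.sort(key=lambda s: (s["order"] is None, s["order"] or 0))
        plans.append({
            "description": option.get("Description", ""),
            "is_default": bool(option.get("IsDefaultAction")),
            "steps": steps,
        })
    plans.sort(key=lambda p: not p["is_default"])
    return plans


def manual_steps(plan):
    """Actions that Firewall Manager reported it cannot perform itself."""
    return [s["action"] for s in plan["steps"] if s["fms_can_remediate"] is False]


# Constructed sample shaped like a ResourceViolation; IDs are placeholders.
SAMPLE_VIOLATION = {
    "PossibleRemediationActions": {
        "Description": "constructed sample",
        "Actions": [
            {
                "Description": "Remove the offending entries",
                "OrderedRemediationActions": [
                    {"RemediationAction": {
                        "Description": "Delete noncompliant entries",
                        "DeleteNetworkAclEntriesAction": {"Description": "Delete entries"},
                    }},
                ],
            },
            {
                "Description": "Move the subnet to a new network ACL",
                "IsDefaultAction": True,
                "OrderedRemediationActions": [
                    {"Order": 2, "RemediationAction": {
                        "ReplaceNetworkAclAssociationAction": {
                            "AssociationId": {"ResourceId": "aclassoc-EXAMPLE"},
                            "NetworkAclId": {"ResourceId": "acl-EXAMPLE"},
                            "FMSCanRemediate": False,
                        },
                    }},
                    {"Order": 1, "RemediationAction": {
                        "CreateNetworkAclAction": {"Description": "Create the ACL"},
                    }},
                ],
            },
        ],
    },
}

if __name__ == "__main__":
    for plan in remediation_plans(SAMPLE_VIOLATION):
        print(plan["description"], "| default:", plan["is_default"])
        for step in plan["steps"]:
            print("  ", step)
        print("   manual:", manual_steps(plan))
```
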

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ReplaceNetworkAclAssociationAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ReplaceNetworkAclAssociationAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ReplaceNetworkAclAssociationAction) 

# Resource


Details of a resource that is associated with a Firewall Manager resource set.

## Contents


 ** URI **   <a name="fms-Type-Resource-URI"></a>
The resource's uniform resource identifier (URI).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** AccountId **   <a name="fms-Type-Resource-AccountId"></a>
The AWS account ID that the associated resource belongs to.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/Resource) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/Resource) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/Resource) 

# ResourceSet


A set of resources to include in a policy.

## Contents


 ** Name **   <a name="fms-Type-ResourceSet-Name"></a>
The descriptive name of the resource set. You can't change the name of a resource set after you create it.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** ResourceTypeList **   <a name="fms-Type-ResourceSet-ResourceTypeList"></a>
Determines the resources that can be associated with the resource set. Depending on your setting for max results and the number of resource sets, a single call might not return the full list.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** Description **   <a name="fms-Type-ResourceSet-Description"></a>
A description of the resource set.  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** Id **   <a name="fms-Type-ResourceSet-Id"></a>
A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.  
Type: String  
Length Constraints: Fixed length of 22.  
Pattern: `^[a-z0-9A-Z]{22}$`   
Required: No

 ** LastUpdateTime **   <a name="fms-Type-ResourceSet-LastUpdateTime"></a>
The last time that the resource set was changed.  
Type: Timestamp  
Required: No

 ** ResourceSetStatus **   <a name="fms-Type-ResourceSet-ResourceSetStatus"></a>
Indicates whether the resource set is in or out of an admin's Region scope.  
+  `ACTIVE` - The administrator can manage and delete the resource set.
+  `OUT_OF_ADMIN_SCOPE` - The administrator can view the resource set, but they can't edit or delete the resource set. Existing protections stay in place. Any new resources that come into scope of the resource set won't be protected.
Type: String  
Valid Values: `ACTIVE | OUT_OF_ADMIN_SCOPE`   
Required: No

 ** UpdateToken **   <a name="fms-Type-ResourceSet-UpdateToken"></a>
An optional token that you can use for optimistic locking. Firewall Manager returns a token to your requests that access the resource set. The token marks the state of the resource set resource at the time of the request. Update tokens are not allowed when creating a resource set. After creation, each subsequent update call to the resource set requires the update token.   
To make an unconditional change to the resource set, omit the token in your update request. Without the token, Firewall Manager performs your updates regardless of whether the resource set has changed since you last retrieved it.  
To make a conditional change to the resource set, provide the token in your update request. Firewall Manager uses the token to ensure that the resource set hasn't changed since you last retrieved it. If it has changed, the operation fails with an `InvalidTokenException`. If this happens, retrieve the resource set again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No
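
The conditional-update loop described for `UpdateToken`: read the resource set, apply the change to that copy, send it back with the token, and on `InvalidTokenException` re-read and reapply. This is an added example, not code from the AWS documentation; `update_resource_set`, `FakeFms` and the sample IDs are constructed, and the client is assumed to expose `get_resource_set(Identifier=...)` and `put_resource_set(ResourceSet=...)` the way the boto3 `fms` client does.

```python
import copy


def _error_code(exc):
    # botocore's ClientError carries the service error code in exc.response.
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def update_resource_set(client, identifier, mutate, max_attempts=3):
    """Apply mutate(resource_set) as a conditional update, retrying on conflict."""
    for attempt in range(1, max_attempts + 1):
        current = client.get_resource_set(Identifier=identifier)["ResourceSet"]
        desired = mutate(copy.deepcopy(current))
        # Always send the token from the copy we just read; dropping it
        # would turn this into an unconditional overwrite.
        desired["UpdateToken"] = current["UpdateToken"]
        try:
            return client.put_resource_set(ResourceSet=desired)["ResourceSet"]
        except Exception as exc:
            if _error_code(exc) != "InvalidTokenException" or attempt == max_attempts:
                raise
            # Stale token: loop to re-read and reapply the change.


class FakeClientError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeFms:
    """Constructed in-memory stand-in for the service, for offline runs."""

    def __init__(self, resource_set, concurrent_writes=0):
        self._rs = dict(resource_set, UpdateToken="1")
        self._concurrent_writes = concurrent_writes
        self.put_calls = 0

    def _bump(self):
        self._rs["UpdateToken"] = str(int(self._rs["UpdateToken"]) + 1)

    def get_resource_set(self, Identifier):
        return {"ResourceSet": copy.deepcopy(self._rs)}

    def put_resource_set(self, ResourceSet):
        self.put_calls += 1
        if self._concurrent_writes > 0:
            # Another administrator's change lands before ours.
            self._concurrent_writes -= 1
            self._rs["Description"] = "changed by another admin"
            self._bump()
        token = ResourceSet.get("UpdateToken")
        if token is not None and token != self._rs["UpdateToken"]:
            raise FakeClientError("InvalidTokenException")
        self._rs = copy.deepcopy(ResourceSet)
        self._rs["UpdateToken"] = str(self.put_calls + 100)  # fresh token
        return {"ResourceSet": copy.deepcopy(self._rs)}


def add_subnets(resource_set):
    resource_set["ResourceTypeList"].append("AWS::EC2::Subnet")
    return resource_set


SAMPLE_SET = {  # constructed sample
    "Id": "EXAMPLEresourceSet0001",
    "Name": "edge-vpcs",
    "Description": "original",
    "ResourceTypeList": ["AWS::EC2::VPC"],
}

if __name__ == "__main__":
    fms = FakeFms(SAMPLE_SET, concurrent_writes=1)
    print(update_resource_set(fms, SAMPLE_SET["Id"], add_subnets), fms.put_calls)
```
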

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ResourceSet) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ResourceSet) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ResourceSet) 

# ResourceSetSummary


Summarizes the resource sets used in a policy.

## Contents


 ** Description **   <a name="fms-Type-ResourceSetSummary-Description"></a>
A description of the resource set.  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** Id **   <a name="fms-Type-ResourceSetSummary-Id"></a>
A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.  
Type: String  
Length Constraints: Fixed length of 22.  
Pattern: `^[a-z0-9A-Z]{22}$`   
Required: No

 ** LastUpdateTime **   <a name="fms-Type-ResourceSetSummary-LastUpdateTime"></a>
The last time that the resource set was changed.  
Type: Timestamp  
Required: No

 ** Name **   <a name="fms-Type-ResourceSetSummary-Name"></a>
The descriptive name of the resource set. You can't change the name of a resource set after you create it.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ResourceSetStatus **   <a name="fms-Type-ResourceSetSummary-ResourceSetStatus"></a>
Indicates whether the resource set is in or out of an admin's Region scope.  
+  `ACTIVE` - The administrator can manage and delete the resource set.
+  `OUT_OF_ADMIN_SCOPE` - The administrator can view the resource set, but they can't edit or delete the resource set. Existing protections stay in place. Any new resources that come into scope of the resource set won't be protected.
Type: String  
Valid Values: `ACTIVE | OUT_OF_ADMIN_SCOPE`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ResourceSetSummary) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ResourceSetSummary) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ResourceSetSummary) 

# ResourceTag


The resource tags that AWS Firewall Manager uses to determine if a particular resource should be included or excluded from the AWS Firewall Manager policy. Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value. If you add more than one tag to a policy, you can specify whether to combine them using the logical AND operator or the logical OR operator. For more information, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

Every resource tag must have a string value, either a non-empty string or an empty string. If you don't provide a value for a resource tag, Firewall Manager saves the value as an empty string: "". When Firewall Manager compares tags, it only matches two tags if they have the same key and the same value. A tag with an empty string value only matches with tags that also have an empty string value. 

## Contents


 ** Key **   <a name="fms-Type-ResourceTag-Key"></a>
The resource tag key.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:\/=+\-@*\\]*)$`   
Required: Yes

 ** Value **   <a name="fms-Type-ResourceTag-Value"></a>
The resource tag value. To specify an empty string value, either don't provide this or specify it as "".   
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:\/=+\-@*\\]*)$`   
Required: No
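
The tag rules above, written out so the empty-value case can be checked before a policy is saved: a missing `Value` is stored as `""`, and a tag matches only on an identical key and value. This is an added example, not code from the AWS documentation or a reproduction of Firewall Manager's internals; the function names, the `operator` parameter and the sample tags are assumptions. Python's `re` has no `\p{...}` classes, so the documented pattern is checked through Unicode general categories.

```python
import unicodedata

# Literal characters allowed by the documented Key/Value pattern,
# in addition to the \p{L}, \p{Z} and \p{N} classes.
EXTRA_CHARS = set("_.:/=+-@*\\")


def _char_allowed(ch):
    return unicodedata.category(ch)[0] in "LZN" or ch in EXTRA_CHARS


def normalize_tag(tag):
    """A missing or None Value is treated as the empty string."""
    return tag.get("Key", ""), tag.get("Value") or ""


def validate_tag(tag):
    """Return a list of constraint problems for one ResourceTag."""
    key, value = normalize_tag(tag)
    problems = []
    if not 1 <= len(key) <= 128:
        problems.append("Key length must be between 1 and 128")
    if len(value) > 256:
        problems.append("Value length must be at most 256")
    for field, text in (("Key", key), ("Value", value)):
        bad = sorted({ch for ch in text if not _char_allowed(ch)})
        if bad:
            problems.append(f"{field} has characters outside the pattern: {bad!r}")
    return problems


def resource_matches(selector_tags, resource_tags, operator="AND"):
    """True when the resource's tags satisfy the selector under AND or OR."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be 'AND' or 'OR'")
    wanted = {normalize_tag(t) for t in selector_tags}
    if not wanted:
        raise ValueError("selector_tags is empty")
    present = {normalize_tag(t) for t in resource_tags}
    if operator == "AND":
        return wanted <= present
    return bool(wanted & present)


if __name__ == "__main__":
    selector = [{"Key": "env"}]  # constructed: Value omitted, so ""
    print(resource_matches(selector, [{"Key": "env", "Value": ""}]))      # True
    print(resource_matches(selector, [{"Key": "env", "Value": "prod"}]))  # False
    print(validate_tag({"Key": "cost center", "Value": "R&D"}))
```
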

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ResourceTag) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ResourceTag) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ResourceTag) 

# ResourceViolation


Violation detail based on resource type.

## Contents


 ** AwsEc2InstanceViolation **   <a name="fms-Type-ResourceViolation-AwsEc2InstanceViolation"></a>
Violation detail for an EC2 instance.  
Type: [AwsEc2InstanceViolation](API_AwsEc2InstanceViolation.md) object  
Required: No

 ** AwsEc2NetworkInterfaceViolation **   <a name="fms-Type-ResourceViolation-AwsEc2NetworkInterfaceViolation"></a>
Violation detail for a network interface.  
Type: [AwsEc2NetworkInterfaceViolation](API_AwsEc2NetworkInterfaceViolation.md) object  
Required: No

 ** AwsVPCSecurityGroupViolation **   <a name="fms-Type-ResourceViolation-AwsVPCSecurityGroupViolation"></a>
Violation detail for security groups.  
Type: [AwsVPCSecurityGroupViolation](API_AwsVPCSecurityGroupViolation.md) object  
Required: No

 ** DnsDuplicateRuleGroupViolation **   <a name="fms-Type-ResourceViolation-DnsDuplicateRuleGroupViolation"></a>
Violation detail for a DNS Firewall policy that indicates that a rule group that Firewall Manager tried to associate with a VPC is already associated with the VPC and can't be associated again.   
Type: [DnsDuplicateRuleGroupViolation](API_DnsDuplicateRuleGroupViolation.md) object  
Required: No

 ** DnsRuleGroupLimitExceededViolation **   <a name="fms-Type-ResourceViolation-DnsRuleGroupLimitExceededViolation"></a>
Violation detail for a DNS Firewall policy that indicates that the VPC reached the limit for associated DNS Firewall rule groups. Firewall Manager tried to associate another rule group with the VPC and failed.   
Type: [DnsRuleGroupLimitExceededViolation](API_DnsRuleGroupLimitExceededViolation.md) object  
Required: No

 ** DnsRuleGroupPriorityConflictViolation **   <a name="fms-Type-ResourceViolation-DnsRuleGroupPriorityConflictViolation"></a>
Violation detail for a DNS Firewall policy that indicates that a rule group that Firewall Manager tried to associate with a VPC has the same priority as a rule group that's already associated.   
Type: [DnsRuleGroupPriorityConflictViolation](API_DnsRuleGroupPriorityConflictViolation.md) object  
Required: No

 ** FirewallSubnetIsOutOfScopeViolation **   <a name="fms-Type-ResourceViolation-FirewallSubnetIsOutOfScopeViolation"></a>
Contains details about the firewall subnet that violates the policy scope.  
Type: [FirewallSubnetIsOutOfScopeViolation](API_FirewallSubnetIsOutOfScopeViolation.md) object  
Required: No

 ** FirewallSubnetMissingVPCEndpointViolation **   <a name="fms-Type-ResourceViolation-FirewallSubnetMissingVPCEndpointViolation"></a>
The violation details for a third-party firewall's VPC endpoint subnet that was deleted.  
Type: [FirewallSubnetMissingVPCEndpointViolation](API_FirewallSubnetMissingVPCEndpointViolation.md) object  
Required: No

 ** InvalidNetworkAclEntriesViolation **   <a name="fms-Type-ResourceViolation-InvalidNetworkAclEntriesViolation"></a>
Violation detail for the entries in a network ACL resource.  
Type: [InvalidNetworkAclEntriesViolation](API_InvalidNetworkAclEntriesViolation.md) object  
Required: No

 ** NetworkFirewallBlackHoleRouteDetectedViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallBlackHoleRouteDetectedViolation"></a>
Violation detail for an internet gateway route with an inactive state in the customer subnet route table or Network Firewall subnet route table.  
Type: [NetworkFirewallBlackHoleRouteDetectedViolation](API_NetworkFirewallBlackHoleRouteDetectedViolation.md) object  
Required: No

 ** NetworkFirewallInternetTrafficNotInspectedViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallInternetTrafficNotInspectedViolation"></a>
Violation detail for the subnet for which internet traffic hasn't been inspected.  
Type: [NetworkFirewallInternetTrafficNotInspectedViolation](API_NetworkFirewallInternetTrafficNotInspectedViolation.md) object  
Required: No

 ** NetworkFirewallInvalidRouteConfigurationViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallInvalidRouteConfigurationViolation"></a>
The route configuration is invalid.  
Type: [NetworkFirewallInvalidRouteConfigurationViolation](API_NetworkFirewallInvalidRouteConfigurationViolation.md) object  
Required: No

 ** NetworkFirewallMissingExpectedRoutesViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallMissingExpectedRoutesViolation"></a>
Expected routes are missing from AWS Network Firewall.  
Type: [NetworkFirewallMissingExpectedRoutesViolation](API_NetworkFirewallMissingExpectedRoutesViolation.md) object  
Required: No

 ** NetworkFirewallMissingExpectedRTViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallMissingExpectedRTViolation"></a>
Violation detail for a Network Firewall policy that indicates that a subnet is not associated with the expected Firewall Manager managed route table.  
Type: [NetworkFirewallMissingExpectedRTViolation](API_NetworkFirewallMissingExpectedRTViolation.md) object  
Required: No

 ** NetworkFirewallMissingFirewallViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallMissingFirewallViolation"></a>
Violation detail for a Network Firewall policy that indicates that a subnet has no Firewall Manager managed firewall in its VPC.  
Type: [NetworkFirewallMissingFirewallViolation](API_NetworkFirewallMissingFirewallViolation.md) object  
Required: No

 ** NetworkFirewallMissingSubnetViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallMissingSubnetViolation"></a>
Violation detail for a Network Firewall policy that indicates that an Availability Zone is missing the expected Firewall Manager managed subnet.  
Type: [NetworkFirewallMissingSubnetViolation](API_NetworkFirewallMissingSubnetViolation.md) object  
Required: No

 ** NetworkFirewallPolicyModifiedViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallPolicyModifiedViolation"></a>
Violation detail for a Network Firewall policy that indicates that a firewall policy in an individual account has been modified in a way that makes it noncompliant. For example, the individual account owner might have deleted a rule group, changed the priority of a stateless rule group, or changed a policy default action.  
Type: [NetworkFirewallPolicyModifiedViolation](API_NetworkFirewallPolicyModifiedViolation.md) object  
Required: No

 ** NetworkFirewallUnexpectedFirewallRoutesViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallUnexpectedFirewallRoutesViolation"></a>
There's an unexpected firewall route.  
Type: [NetworkFirewallUnexpectedFirewallRoutesViolation](API_NetworkFirewallUnexpectedFirewallRoutesViolation.md) object  
Required: No

 ** NetworkFirewallUnexpectedGatewayRoutesViolation **   <a name="fms-Type-ResourceViolation-NetworkFirewallUnexpectedGatewayRoutesViolation"></a>
There's an unexpected gateway route.  
Type: [NetworkFirewallUnexpectedGatewayRoutesViolation](API_NetworkFirewallUnexpectedGatewayRoutesViolation.md) object  
Required: No

 ** PossibleRemediationActions **   <a name="fms-Type-ResourceViolation-PossibleRemediationActions"></a>
A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.  
Type: [PossibleRemediationActions](API_PossibleRemediationActions.md) object  
Required: No

 ** RouteHasOutOfScopeEndpointViolation **   <a name="fms-Type-ResourceViolation-RouteHasOutOfScopeEndpointViolation"></a>
Contains details about the route endpoint that violates the policy scope.  
Type: [RouteHasOutOfScopeEndpointViolation](API_RouteHasOutOfScopeEndpointViolation.md) object  
Required: No

 ** ThirdPartyFirewallMissingExpectedRouteTableViolation **   <a name="fms-Type-ResourceViolation-ThirdPartyFirewallMissingExpectedRouteTableViolation"></a>
The violation details for a third-party firewall whose associated Firewall Manager managed route table has been deleted.  
Type: [ThirdPartyFirewallMissingExpectedRouteTableViolation](API_ThirdPartyFirewallMissingExpectedRouteTableViolation.md) object  
Required: No

 ** ThirdPartyFirewallMissingFirewallViolation **   <a name="fms-Type-ResourceViolation-ThirdPartyFirewallMissingFirewallViolation"></a>
The violation details for a third-party firewall that's been deleted.  
Type: [ThirdPartyFirewallMissingFirewallViolation](API_ThirdPartyFirewallMissingFirewallViolation.md) object  
Required: No

 ** ThirdPartyFirewallMissingSubnetViolation **   <a name="fms-Type-ResourceViolation-ThirdPartyFirewallMissingSubnetViolation"></a>
The violation details for a third-party firewall's subnet that's been deleted.  
Type: [ThirdPartyFirewallMissingSubnetViolation](API_ThirdPartyFirewallMissingSubnetViolation.md) object  
Required: No

 ** WebACLHasIncompatibleConfigurationViolation **   <a name="fms-Type-ResourceViolation-WebACLHasIncompatibleConfigurationViolation"></a>
The violation details for a web ACL whose configuration is incompatible with the Firewall Manager policy.   
Type: [WebACLHasIncompatibleConfigurationViolation](API_WebACLHasIncompatibleConfigurationViolation.md) object  
Required: No

 ** WebACLHasOutOfScopeResourcesViolation **   <a name="fms-Type-ResourceViolation-WebACLHasOutOfScopeResourcesViolation"></a>
The violation details for a web ACL that's associated with at least one resource that's out of scope of the Firewall Manager policy.   
Type: [WebACLHasOutOfScopeResourcesViolation](API_WebACLHasOutOfScopeResourcesViolation.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ResourceViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ResourceViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ResourceViolation) 

# Route


Describes a route in a route table.

## Contents


 ** Destination **   <a name="fms-Type-Route-Destination"></a>
The destination of the route.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** DestinationType **   <a name="fms-Type-Route-DestinationType"></a>
The type of destination for the route.  
Type: String  
Valid Values: `IPV4 | IPV6 | PREFIX_LIST`   
Required: No

 ** Target **   <a name="fms-Type-Route-Target"></a>
The route's target.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** TargetType **   <a name="fms-Type-Route-TargetType"></a>
The type of target for the route.  
Type: String  
Valid Values: `GATEWAY | CARRIER_GATEWAY | INSTANCE | LOCAL_GATEWAY | NAT_GATEWAY | NETWORK_INTERFACE | VPC_ENDPOINT | VPC_PEERING_CONNECTION | EGRESS_ONLY_INTERNET_GATEWAY | TRANSIT_GATEWAY`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/Route) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/Route) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/Route) 

# RouteHasOutOfScopeEndpointViolation


Contains details about the route endpoint that violates the policy scope.

## Contents


 ** CurrentFirewallSubnetRouteTable **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-CurrentFirewallSubnetRouteTable"></a>
The route table associated with the current firewall subnet.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** CurrentInternetGatewayRouteTable **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-CurrentInternetGatewayRouteTable"></a>
The current route table associated with the Internet Gateway.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** FirewallSubnetId **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-FirewallSubnetId"></a>
The ID of the firewall subnet.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** FirewallSubnetRoutes **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-FirewallSubnetRoutes"></a>
The list of firewall subnet routes.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** InternetGatewayId **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-InternetGatewayId"></a>
The ID of the Internet Gateway.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** InternetGatewayRoutes **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-InternetGatewayRoutes"></a>
The routes in the route table associated with the Internet Gateway.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** RouteTableId **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-RouteTableId"></a>
The ID of the route table.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** SubnetAvailabilityZone **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-SubnetAvailabilityZone"></a>
The subnet's Availability Zone.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** SubnetAvailabilityZoneId **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-SubnetAvailabilityZoneId"></a>
The ID of the subnet's Availability Zone.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** SubnetId **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-SubnetId"></a>
The ID of the subnet associated with the route that violates the policy scope.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolatingRoutes **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-ViolatingRoutes"></a>
The list of routes that violate the route table.  
Type: Array of [Route](API_Route.md) objects  
Required: No

 ** VpcId **   <a name="fms-Type-RouteHasOutOfScopeEndpointViolation-VpcId"></a>
The VPC ID of the route that violates the policy scope.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/RouteHasOutOfScopeEndpointViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/RouteHasOutOfScopeEndpointViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/RouteHasOutOfScopeEndpointViolation) 

# SecurityGroupRemediationAction


Remediation option for the rule specified in the `ViolationTarget`.

## Contents


 ** Description **   <a name="fms-Type-SecurityGroupRemediationAction-Description"></a>
Brief description of the action that will be performed.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** IsDefaultAction **   <a name="fms-Type-SecurityGroupRemediationAction-IsDefaultAction"></a>
Indicates if the current action is the default action.  
Type: Boolean  
Required: No

 ** RemediationActionType **   <a name="fms-Type-SecurityGroupRemediationAction-RemediationActionType"></a>
The remediation action that will be performed.  
Type: String  
Valid Values: `REMOVE | MODIFY`   
Required: No

 ** RemediationResult **   <a name="fms-Type-SecurityGroupRemediationAction-RemediationResult"></a>
The final state of the rule specified in the `ViolationTarget` after it is remediated.  
Type: [SecurityGroupRuleDescription](API_SecurityGroupRuleDescription.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/SecurityGroupRemediationAction) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/SecurityGroupRemediationAction) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/SecurityGroupRemediationAction) 

# SecurityGroupRuleDescription


Describes a set of permissions for a security group rule.

## Contents


 ** FromPort **   <a name="fms-Type-SecurityGroupRuleDescription-FromPort"></a>
The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of `-1` indicates all ICMP/ICMPv6 types.  
Type: Long  
Valid Range: Minimum value of 0. Maximum value of 65535.  
Required: No

 ** IPV4Range **   <a name="fms-Type-SecurityGroupRuleDescription-IPV4Range"></a>
The IPv4 ranges for the security group rule.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** IPV6Range **   <a name="fms-Type-SecurityGroupRuleDescription-IPV6Range"></a>
The IPv6 ranges for the security group rule.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[a-f0-9:./]+`   
Required: No

 ** PrefixListId **   <a name="fms-Type-SecurityGroupRuleDescription-PrefixListId"></a>
The ID of the prefix list for the security group rule.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** Protocol **   <a name="fms-Type-SecurityGroupRuleDescription-Protocol"></a>
The IP protocol name (`tcp`, `udp`, `icmp`, `icmpv6`) or number.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** ToPort **   <a name="fms-Type-SecurityGroupRuleDescription-ToPort"></a>
The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of `-1` indicates all ICMP/ICMPv6 codes.  
Type: Long  
Valid Range: Minimum value of 0. Maximum value of 65535.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/SecurityGroupRuleDescription) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/SecurityGroupRuleDescription) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/SecurityGroupRuleDescription) 

# SecurityServicePolicyData


Details about the security service that is being used to protect the resources.

## Contents


 ** Type **   <a name="fms-Type-SecurityServicePolicyData-Type"></a>
The service that the policy is using to protect the resources. This specifies the type of policy that is created, either an AWS WAF policy, a Shield Advanced policy, or a security group policy. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support.  
Type: String  
Valid Values: `WAF | WAFV2 | SHIELD_ADVANCED | SECURITY_GROUPS_COMMON | SECURITY_GROUPS_CONTENT_AUDIT | SECURITY_GROUPS_USAGE_AUDIT | NETWORK_FIREWALL | DNS_FIREWALL | THIRD_PARTY_FIREWALL | IMPORT_NETWORK_FIREWALL | NETWORK_ACL_COMMON`   
Required: Yes

 ** ManagedServiceData **   <a name="fms-Type-SecurityServicePolicyData-ManagedServiceData"></a>
Details about the service that are specific to the service type, in JSON format.   
+ Example: `DNS_FIREWALL` 

   `"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"` 
**Note**  
Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.
+ Example: `IMPORT_NETWORK_FIREWALL` 

   `"{\"type\":\"IMPORT_NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\/rg1\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:drop\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:pass\"],\"networkFirewallStatelessCustomActions\":[],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\/ThreatSignaturesEmergingEventsStrictOrder\",\"priority\":8}],\"networkFirewallStatefulEngineOptions\":{\"ruleOrder\":\"STRICT_ORDER\"},\"networkFirewallStatefulDefaultActions\":[\"aws:drop_strict\"]}}"` 

+ Example: `NETWORK_FIREWALL` - Centralized deployment model

   `"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"` 

   To use the centralized deployment model, you must set [PolicyOption](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) to `CENTRALIZED`. 
+ Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration

   ` "{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}" ` 

   With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [PolicyOption](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) to `NULL`. 
+ Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management

   ` "{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}" ` 

  To use the distributed deployment model, you must set [PolicyOption](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) to `NULL`. 
+ Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration

   `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}" ` 

   With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig`. To configure the Availability Zones in `firewallCreationConfig`, specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters. 

  To use the distributed deployment model, you must set [PolicyOption](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) to `NULL`. 
+ Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management

   `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}" ` 

  To use the distributed deployment model, you must set [PolicyOption](https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) to `NULL`. 
+ Example: `SECURITY_GROUPS_COMMON` 

   `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"sg-03b1f67d69ed00197\"}],\"revertManualSecurityGroupChanges\":true,\"exclusiveResourceSecurityGroupManagement\":true,\"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"enableSecurityGroupReferencesDistribution\":true}"` 
+ Example: `SECURITY_GROUPS_COMMON` - Security group tag distribution 

   `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"revertManualSecurityGroupChanges\":true,\"exclusiveResourceSecurityGroupManagement\":false,\"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":false,\"enableTagDistribution\":true}"` 

   Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set `revertManualSecurityGroupChanges` to `true`, otherwise Firewall Manager won't be able to create the policy. When you enable `revertManualSecurityGroupChanges`, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant. 

   Firewall Manager won't distribute system tags added by AWS services into the replica security groups. System tags begin with the `aws:` prefix. 
+ Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns 

   `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` 
+ Example: `SECURITY_GROUPS_CONTENT_AUDIT` 

   `"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"preManagedOptions\":[{\"denyProtocolAllValue\":true},{\"auditSgDirection\":{\"type\":\"ALL\"}}],\"securityGroups\":[{\"id\":\"sg-049b2393a25468971\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"` 

  The security group action for content audit can be `ALLOW` or `DENY`. For `ALLOW`, all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY`, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
+ Example: `SECURITY_GROUPS_USAGE_AUDIT` 

   `"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true,\"optionalDelayForUnusedInMinutes\":60}"` 
+ Example: `SHIELD_ADVANCED` with web ACL management

   `"{\"type\":\"SHIELD_ADVANCED\",\"optimizeUnassociatedWebACL\":true}"` 

  If you set `optimizeUnassociatedWebACL` to `true`, Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.

  Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.

  If you set `optimizeUnassociatedWebACL` to `false`, Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
+ Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions and ALB 

   `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false, \"optimizeUnassociatedWebACL\":true|false}"` 

  For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"` 

  The default value for `automaticResponseStatus` is `IGNORED`. The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED`. The default value for `overrideCustomerWebaclClassic` is `false`.

  For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.
+ Example: `THIRD_PARTY_FIREWALL` 

  Replace `THIRD_PARTY_FIREWALL_NAME` with the name of the third-party firewall.

   `"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"]},\"firewallDeploymentModel\":{\"distributedFirewallDeploymentModel\":{\"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"${AvailabilityZone}\"}]}},\"allowedIPV4CidrList\":[]}}}}"` 
+ Example: `WAFV2` - Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override 

   `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupType\":\"ManagedRuleGroup\",\"overrideAction\":{\"type\":\"NONE\"},\"sampledRequestsEnabled\":true,\"excludeRules\":[],\"managedRuleGroupIdentifier\":{\"managedRuleGroupName\":\"AWSManagedRulesAntiDDoSRuleSet\",\"vendorName\":\"AWS\",\"versionEnabled\":null,\"version\":null,\"managedRuleGroupConfigs\":[{\"awsmanagedRulesAntiDDoSRuleSet\":{\"clientSideActionConfig\":{\"challenge\":{\"usageOfAction\":\"ENABLED\",\"sensitivity\":\"HIGH\",\"exemptUriRegularExpressions\":[\"\\\\/api\\\\/|\\\\.(acc|avi|css|gif|ico|jpe?g|js|json|mp[34]|ogg|otf|pdf|png|tiff?|ttf|webm|webp|woff2?|xml)$\"]}},\"sensitivityToBlock\":\"LOW\"}}]}},{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":null,\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesATPRuleSet\",\"managedRuleGroupConfigs\":[{\"awsmanagedRulesATPRuleSet\":{\"loginPath\":\"/loginpath\",\"requestInspection\":{\"payloadType\":\"FORM_ENCODED|JSON\",\"usernameField\":{\"identifier\":\"/form/username\"},\"passwordField\":{\"identifier\":\"/form/password\"}}}}]},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[],\"sampledRequestsEnabled\":true},{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":null,\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesBotControlRuleSet\",\"managedRuleGroupConfigs\":[{\"awsmanagedRulesBotControlRuleSet\":{\"inspectionLevel\":\"TARGETED|COMMON\"}}]},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[],\"sampledRequestsEnabled\":true,\"ruleActionOverrides\":[{\"name\":\"Rule1\",\"actionToUse\":{\"allow|block|count|captcha|challenge\":{}}},{\"name\":\"Rule2\",\"actionToUse\":{\"allow|block|count|captcha|challenge\":{}}}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"customRequestHandling\":null,\"customResponse\":null,\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":null,\"sampledRequestsEnabledForDefaultActions\":true,\"optimizeUnassociatedWebACL\":true}"` 
  +  Anti-DDoS - For information about `AWSManagedRulesAntiDDoSRuleSet` managed rule groups, see [AWSManagedRulesAntiDDoSRuleSet](https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesAntiDDoSRuleSet.html) in the *AWS WAF API Reference*. 
**Note**  
In most cases, we recommend that you give `AWSManagedRulesAntiDDoSRuleSet` priority above other rule groups. Rule groups you create with IPSets in them should be prioritized above the `AWSManagedRulesAntiDDoSRuleSet`. In the console, the `AWSManagedRulesAntiDDoSRuleSet` is set to the highest priority by default, but you can adjust the priority when adding rule groups.
  + Bot Control - For information about `AWSManagedRulesBotControlRuleSet` managed rule groups, see [AWSManagedRulesBotControlRuleSet](https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesBotControlRuleSet.html) in the *AWS WAF API Reference*.
  + Fraud Control account takeover prevention (ATP) - For information about the properties available for `AWSManagedRulesATPRuleSet` managed rule groups, see [AWSManagedRulesATPRuleSet](https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesATPRuleSet.html) in the *AWS WAF API Reference*.
  + Optimize unassociated web ACL - If you set `optimizeUnassociatedWebACL` to `true`, Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.

    Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.

    If you set `optimizeUnassociatedWebACL` to `false`, Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.
  + Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure `RuleActionOverrides`, add the `Name` of the rule to override and `ActionToUse`, which is the new action to use for the rule. For information about using rule action overrides, see [RuleActionOverride](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleActionOverride.html) in the *AWS WAF API Reference*.
+ Example: `WAFV2` - `CAPTCHA` and `Challenge` configs 

   `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":null,\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAdminProtectionRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[],\"sampledRequestsEnabled\":true}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"customRequestHandling\":null,\"customResponse\":null,\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":null,\"sampledRequestsEnabledForDefaultActions\":true,\"captchaConfig\":{\"immunityTimeProperty\":{\"immunityTime\":500}},\"challengeConfig\":{\"immunityTimeProperty\":{\"immunityTime\":800}},\"tokenDomains\":[\"google.com\",\"amazon.com\"],\"associationConfig\":{\"requestBody\":{\"CLOUDFRONT\":{\"defaultSizeInspectionLimit\":\"KB_16\"}}}}"` 
  +  `CAPTCHA` and `Challenge` configs - If you update the policy's values for `associationConfig`, `captchaConfig`, `challengeConfig`, or `tokenDomains`, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's `associationConfig`, `captchaConfig`, `challengeConfig`, or `tokenDomains` values, the values in your local web ACLs will remain unchanged. For information about association configs, see [AssociationConfig](https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociationConfig.html). For information about CAPTCHA and Challenge configs, see [CaptchaConfig](https://docs.aws.amazon.com/waf/latest/APIReference/API_CaptchaConfig.html) and [ChallengeConfig](https://docs.aws.amazon.com/waf/latest/APIReference/API_ChallengeConfig.html) in the *AWS WAF API Reference*.
  +  `defaultSizeInspectionLimit` - Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to AWS WAF for inspection. For more information, see [DefaultSizeInspectionLimit](https://docs.aws.amazon.com/waf/latest/APIReference/API_RequestBodyAssociatedResourceTypeConfig.html#WAF-Type-RequestBodyAssociatedResourceTypeConfig-DefaultSizeInspectionLimit) in the *AWS WAF API Reference*.
+ Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning 

   `"{\"preProcessRuleGroups\":[{\"ruleGroupType\":\"ManagedRuleGroup\",\"overrideAction\":{\"type\":\"NONE\"},\"sampledRequestsEnabled\":true,\"managedRuleGroupIdentifier\":{\"managedRuleGroupName\":\"AWSManagedRulesAdminProtectionRuleSet\",\"vendorName\":\"AWS\",\"managedRuleGroupConfigs\":null}}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"customRequestHandling\":null,\"tokenDomains\":null,\"customResponse\":null,\"type\":\"WAFV2\",\"overrideCustomerWebACLAssociation\":false,\"sampledRequestsEnabledForDefaultActions\":true,\"optimizeUnassociatedWebACL\":true,\"webACLSource\":\"RETROFIT_EXISTING\"}"` 

   To use a specific version of an AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true`, and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true`, or if you omit `versionEnabled`, then Firewall Manager uses the default version of the AWS WAF managed rule group. 
+ Example: `WAFV2` - Logging configurations 

   `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null, \"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\": {\"versionEnabled\":null,\"version\":null,\"vendorName\":\"AWS\", \"managedRuleGroupName\":\"AWSManagedRulesAdminProtectionRuleSet\"} ,\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[], \"sampledRequestsEnabled\":true}],\"postProcessRuleGroups\":[], \"defaultAction\":{\"type\":\"ALLOW\"},\"customRequestHandling\" :null,\"customResponse\":null,\"overrideCustomerWebACLAssociation\" :false,\"loggingConfiguration\":{\"logDestinationConfigs\": [\"arn:aws:s3:::aws-waf-logs-example-bucket\"] ,\"redactedFields\":[],\"loggingFilterConfigs\":{\"defaultBehavior\":\"KEEP\", \"filters\":[{\"behavior\":\"KEEP\",\"requirement\":\"MEETS_ALL\", \"conditions\":[{\"actionCondition\":\"CAPTCHA\"},{\"actionCondition\": \"CHALLENGE\"}, {\"actionCondition\":\"EXCLUDED_AS_COUNT\"}]}]}},\"sampledRequestsEnabledForDefaultActions\":true}"` 

  Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the `logDestinationConfigs` in your `loggingConfiguration`. For information about AWS WAF logging configurations, see [LoggingConfiguration](https://docs.aws.amazon.com/waf/latest/APIReference/API_LoggingConfiguration.html) in the *AWS WAF API Reference*.

  In the `loggingConfiguration`, you can specify one `logDestinationConfigs`. Optionally provide as many as 20 `redactedFields`. The `RedactedFieldType` must be one of `URI`, `QUERY_STRING`, `HEADER`, or `METHOD`.
+ Example: `AWS WAF Classic` 

   `"{\"ruleGroups\":[{\"id\":\"78cb36c0-1b5e-4d7d-82b2-cf48d3ad9659\",\"overrideAction\":{\"type\":\"NONE\"}}],\"overrideCustomerWebACLAssociation\":true,\"defaultAction\":{\"type\":\"ALLOW\"},\"type\":\"WAF\"}"` 
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 30000.  
Pattern: `^((?!\\[nr]).)+`   
Required: No
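
A lint for the `ManagedServiceData` constraints described above (length, pattern, managed rule group versioning, logging configuration), as an added example that is not part of the AWS reference or SDKs. The function names and the sample policy are constructed, and applying the documented pattern to the whole string is an assumption.

```python
import json
import re

MAX_LEN = 30000                                # documented length constraint
# Documented pattern; applying it to the whole string is an assumption here.
PATTERN = re.compile(r"((?!\\[nr]).)+")
LOG_DEST_SERVICES = {"s3", "firehose"}         # ARN service field: S3, Firehose
MAX_REDACTED_FIELDS = 20

# Constructed sample, modelled on the logging example above.
SAMPLE_POLICY = {
    "type": "WAFV2",
    "preProcessRuleGroups": [{
        "ruleGroupArn": None,
        "overrideAction": {"type": "NONE"},
        "managedRuleGroupIdentifier": {
            "versionEnabled": None, "version": None, "vendorName": "AWS",
            "managedRuleGroupName": "AWSManagedRulesAdminProtectionRuleSet"},
        "ruleGroupType": "ManagedRuleGroup",
        "excludeRules": [],
        "sampledRequestsEnabled": True}],
    "postProcessRuleGroups": [],
    "defaultAction": {"type": "ALLOW"},
    "overrideCustomerWebACLAssociation": False,
    "loggingConfiguration": {
        "logDestinationConfigs": ["arn:aws:s3:::aws-waf-logs-example-bucket"],
        "redactedFields": []},
    "sampledRequestsEnabledForDefaultActions": True,
}


def serialize(policy):
    """Compact JSON with no indentation, so no line breaks are introduced."""
    return json.dumps(policy, separators=(",", ":"))


def lint_managed_service_data(data):
    """Return a list of findings for a ManagedServiceData string."""
    findings = []
    if not 1 <= len(data) <= MAX_LEN:
        findings.append(f"length {len(data)} is outside 1..{MAX_LEN}")
    if not PATTERN.fullmatch(data):
        findings.append("contains a line break or a literal \\n or \\r sequence")
    try:
        policy = json.loads(data)
    except ValueError as exc:
        return findings + [f"not valid JSON: {exc}"]
    if not isinstance(policy, dict) or policy.get("type") != "WAFV2":
        return findings                        # checks below are WAFV2-specific

    groups = (policy.get("preProcessRuleGroups") or []) \
        + (policy.get("postProcessRuleGroups") or [])
    for group in groups:
        ident = group.get("managedRuleGroupIdentifier") or {}
        name = ident.get("managedRuleGroupName", "<unnamed>")
        version = ident.get("version")
        enabled = ident.get("versionEnabled") is True
        if version and not enabled:
            # Without versionEnabled=true the default version is used.
            findings.append(f"{name}: version {version!r} is ignored because "
                            "versionEnabled is not true")
        if enabled and not version:
            findings.append(f"{name}: versionEnabled is true but version is unset")

    logging_cfg = policy.get("loggingConfiguration")
    if logging_cfg:
        dests = logging_cfg.get("logDestinationConfigs") or []
        if len(dests) != 1:
            findings.append("loggingConfiguration must name exactly one log "
                            f"destination, found {len(dests)}")
        for arn in dests:
            parts = arn.split(":")
            if len(parts) < 6 or parts[0] != "arn" or parts[2] not in LOG_DEST_SERVICES:
                findings.append(f"{arn!r} is not an Amazon S3 or Firehose ARN")
        redacted = logging_cfg.get("redactedFields") or []
        if len(redacted) > MAX_REDACTED_FIELDS:
            findings.append(f"{len(redacted)} redactedFields exceeds "
                            f"{MAX_REDACTED_FIELDS}")
    return findings
```

Pretty-printed JSON is the usual way to trip the pattern check, so serialize policies compactly before passing them as `ManagedServiceData`.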

 ** PolicyOption **   <a name="fms-Type-SecurityServicePolicyData-PolicyOption"></a>
Contains the settings to configure a network ACL policy, an AWS Network Firewall firewall policy deployment model, or a third-party firewall policy.  
Type: [PolicyOption](API_PolicyOption.md) object  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/SecurityServicePolicyData) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/SecurityServicePolicyData) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/SecurityServicePolicyData) 

# StatefulEngineOptions


Configuration settings for the handling of the stateful rule groups in a Network Firewall firewall policy.

## Contents


 ** RuleOrder **   <a name="fms-Type-StatefulEngineOptions-RuleOrder"></a>
Indicates how to manage the order of stateful rule evaluation for the policy. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see [Evaluation order for stateful rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) in the *AWS Network Firewall Developer Guide*.  
Default: `DEFAULT_ACTION_ORDER`   
Type: String  
Valid Values: `STRICT_ORDER | DEFAULT_ACTION_ORDER`   
Required: No

 ** StreamExceptionPolicy **   <a name="fms-Type-StatefulEngineOptions-StreamExceptionPolicy"></a>
Indicates how Network Firewall should handle traffic when a network connection breaks midstream.  
+  `DROP` - Fail closed and drop all subsequent traffic going to the firewall.
+  `CONTINUE` - Continue to apply rules to subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on context. For example, with a stateful rule that drops HTTP traffic, Network Firewall won't match subsequent traffic because it won't have the context from session initialization, which defines the application layer protocol as HTTP. However, a TCP-layer rule using a `flow:stateless` rule would still match, and so would the `aws:drop_strict` default action. 
+  `REJECT` - Fail closed and drop all subsequent traffic going to the firewall. With this option, Network Firewall also sends a TCP reject packet back to the client so the client can immediately establish a new session. With the new session, Network Firewall will have context and will apply rules appropriately.

  For applications that are reliant on long-lived TCP connections that trigger Gateway Load Balancer idle timeouts, this is the recommended setting. 
+  `FMS_IGNORE` - Firewall Manager doesn't monitor or modify the Network Firewall stream exception policy settings. 
For more information, see [Stream exception policy in your firewall policy](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stream-exception-policy.html) in the *AWS Network Firewall Developer Guide*.  
Default: `FMS_IGNORE`   
Type: String  
Valid Values: `DROP | CONTINUE | REJECT | FMS_IGNORE`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/StatefulEngineOptions) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/StatefulEngineOptions) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/StatefulEngineOptions) 

# StatefulRuleGroup


 AWS Network Firewall stateful rule group, used in a [NetworkFirewallPolicyDescription](API_NetworkFirewallPolicyDescription.md). 

## Contents


 ** Override **   <a name="fms-Type-StatefulRuleGroup-Override"></a>
The action that allows the policy owner to override the behavior of the rule group within a policy.  
Type: [NetworkFirewallStatefulRuleGroupOverride](API_NetworkFirewallStatefulRuleGroupOverride.md) object  
Required: No

 ** Priority **   <a name="fms-Type-StatefulRuleGroup-Priority"></a>
An integer setting that indicates the order in which to run the stateful rule groups in a single Network Firewall firewall policy. This setting only applies to firewall policies that specify the `STRICT_ORDER` rule order in the stateful engine options settings.  
 Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. For information about   
 You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.   
Type: Integer  
Required: No

 ** ResourceId **   <a name="fms-Type-StatefulRuleGroup-ResourceId"></a>
The resource ID of the rule group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** RuleGroupName **   <a name="fms-Type-StatefulRuleGroup-RuleGroupName"></a>
The name of the rule group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^[a-zA-Z0-9-]+$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/StatefulRuleGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/StatefulRuleGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/StatefulRuleGroup) 

# StatelessRuleGroup


 AWS Network Firewall stateless rule group, used in a [NetworkFirewallPolicyDescription](API_NetworkFirewallPolicyDescription.md). 

## Contents


 ** Priority **   <a name="fms-Type-StatelessRuleGroup-Priority"></a>
The priority of the rule group. AWS Network Firewall evaluates the stateless rule groups in a firewall policy starting from the lowest priority setting.   
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 65535.  
Required: No

 ** ResourceId **   <a name="fms-Type-StatelessRuleGroup-ResourceId"></a>
The resource ID of the rule group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** RuleGroupName **   <a name="fms-Type-StatelessRuleGroup-RuleGroupName"></a>
The name of the rule group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^[a-zA-Z0-9-]+$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/StatelessRuleGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/StatelessRuleGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/StatelessRuleGroup) 
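
A pre-deployment check for the `StatefulEngineOptions`, `StatefulRuleGroup` and `StatelessRuleGroup` constraints described above, as an added example that is not part of the AWS reference or SDKs. The function names and sample inputs are constructed; the dictionaries use only the field names documented on this page.

```python
import re

RULE_ORDERS = {"STRICT_ORDER", "DEFAULT_ACTION_ORDER"}
STREAM_POLICIES = {"DROP", "CONTINUE", "REJECT", "FMS_IGNORE"}
NAME_RE = re.compile(r"[a-zA-Z0-9-]+")         # documented RuleGroupName pattern


def _check_name(group, findings):
    name = group.get("RuleGroupName")
    if name is not None and not (1 <= len(name) <= 128 and NAME_RE.fullmatch(name)):
        findings.append(f"RuleGroupName {name!r} violates the length or pattern")


def lint_rule_groups(engine_options, stateful, stateless):
    """Return (findings, stateful evaluation order or None)."""
    findings = []
    # Documented defaults apply when a setting is omitted.
    rule_order = engine_options.get("RuleOrder", "DEFAULT_ACTION_ORDER")
    stream = engine_options.get("StreamExceptionPolicy", "FMS_IGNORE")
    if rule_order not in RULE_ORDERS:
        findings.append(f"RuleOrder {rule_order!r} is not a valid value")
    if stream not in STREAM_POLICIES:
        findings.append(f"StreamExceptionPolicy {stream!r} is not a valid value")
    elif stream == "CONTINUE":
        # DROP and REJECT fail closed; CONTINUE keeps evaluating without context.
        findings.append("StreamExceptionPolicy CONTINUE: context-dependent rules "
                        "won't match traffic after a midstream break")

    seen = {}
    for group in stateful:
        _check_name(group, findings)
        prio = group.get("Priority")
        label = group.get("RuleGroupName") or group.get("ResourceId")
        if prio is None:
            continue
        if rule_order != "STRICT_ORDER":
            findings.append(f"{label}: Priority applies only under STRICT_ORDER")
        elif prio in seen:
            findings.append(f"{label}: Priority {prio} duplicates {seen[prio]}")
        else:
            seen[prio] = label

    for group in stateless:
        _check_name(group, findings)
        prio = group.get("Priority")
        if prio is not None and not 1 <= prio <= 65535:
            findings.append(f"{group.get('RuleGroupName')}: stateless Priority "
                            f"{prio} is outside 1..65535")

    order = None
    if rule_order == "STRICT_ORDER":
        # Lowest priority setting is evaluated first.
        ranked = [g for g in stateful if g.get("Priority") is not None]
        ranked.sort(key=lambda g: g["Priority"])
        order = [g.get("RuleGroupName") or g.get("ResourceId") for g in ranked]
    return findings, order
```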

# Tag


A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource. 

## Contents


 ** Key **   <a name="fms-Type-Tag-Key"></a>
Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** Value **   <a name="fms-Type-Tag-Value"></a>
Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/Tag) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/Tag) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/Tag) 

# ThirdPartyFirewallFirewallPolicy


Configures the third-party firewall's firewall policy.

## Contents


 ** FirewallPolicyId **   <a name="fms-Type-ThirdPartyFirewallFirewallPolicy-FirewallPolicyId"></a>
The ID of the specified firewall policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** FirewallPolicyName **   <a name="fms-Type-ThirdPartyFirewallFirewallPolicy-FirewallPolicyName"></a>
The name of the specified firewall policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ThirdPartyFirewallFirewallPolicy) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ThirdPartyFirewallFirewallPolicy) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ThirdPartyFirewallFirewallPolicy) 

# ThirdPartyFirewallMissingExpectedRouteTableViolation


The violation details for a third-party firewall that's not associated with an AWS Firewall Manager managed route table.

## Contents


 ** AvailabilityZone **   <a name="fms-Type-ThirdPartyFirewallMissingExpectedRouteTableViolation-AvailabilityZone"></a>
The Availability Zone of the firewall subnet that's causing the violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** CurrentRouteTable **   <a name="fms-Type-ThirdPartyFirewallMissingExpectedRouteTableViolation-CurrentRouteTable"></a>
The resource ID of the current route table that's associated with the subnet, if one is available.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ExpectedRouteTable **   <a name="fms-Type-ThirdPartyFirewallMissingExpectedRouteTableViolation-ExpectedRouteTable"></a>
The resource ID of the route table that should be associated with the subnet.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** ViolationTarget **   <a name="fms-Type-ThirdPartyFirewallMissingExpectedRouteTableViolation-ViolationTarget"></a>
The ID of the third-party firewall or VPC resource that's causing the violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** VPC **   <a name="fms-Type-ThirdPartyFirewallMissingExpectedRouteTableViolation-VPC"></a>
The resource ID of the VPC associated with a firewall subnet that's causing the violation.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ThirdPartyFirewallMissingExpectedRouteTableViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ThirdPartyFirewallMissingExpectedRouteTableViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ThirdPartyFirewallMissingExpectedRouteTableViolation) 

# ThirdPartyFirewallMissingFirewallViolation


The violation details about a third-party firewall's subnet that doesn't have a Firewall Manager managed firewall in its VPC.

## Contents


 ** AvailabilityZone **   <a name="fms-Type-ThirdPartyFirewallMissingFirewallViolation-AvailabilityZone"></a>
The Availability Zone of the third-party firewall that's causing the violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** TargetViolationReason **   <a name="fms-Type-ThirdPartyFirewallMissingFirewallViolation-TargetViolationReason"></a>
The reason the resource is causing this violation, if a reason is available.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `\w+`   
Required: No

 ** ViolationTarget **   <a name="fms-Type-ThirdPartyFirewallMissingFirewallViolation-ViolationTarget"></a>
The ID of the third-party firewall that's causing the violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** VPC **   <a name="fms-Type-ThirdPartyFirewallMissingFirewallViolation-VPC"></a>
The resource ID of the VPC associated with a third-party firewall.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ThirdPartyFirewallMissingFirewallViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ThirdPartyFirewallMissingFirewallViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ThirdPartyFirewallMissingFirewallViolation) 

# ThirdPartyFirewallMissingSubnetViolation


The violation details for a third-party firewall for an Availability Zone that's missing the Firewall Manager managed subnet.

## Contents


 ** AvailabilityZone **   <a name="fms-Type-ThirdPartyFirewallMissingSubnetViolation-AvailabilityZone"></a>
The Availability Zone of a subnet that's causing the violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** TargetViolationReason **   <a name="fms-Type-ThirdPartyFirewallMissingSubnetViolation-TargetViolationReason"></a>
The reason the resource is causing the violation, if a reason is available.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `\w+`   
Required: No

 ** ViolationTarget **   <a name="fms-Type-ThirdPartyFirewallMissingSubnetViolation-ViolationTarget"></a>
The ID of the third-party firewall or VPC resource that's causing the violation.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Pattern: `.*`   
Required: No

 ** VPC **   <a name="fms-Type-ThirdPartyFirewallMissingSubnetViolation-VPC"></a>
The resource ID of the VPC associated with a subnet that's causing the violation.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ThirdPartyFirewallMissingSubnetViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ThirdPartyFirewallMissingSubnetViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ThirdPartyFirewallMissingSubnetViolation) 

# ThirdPartyFirewallPolicy


Configures the deployment model for the third-party firewall.

## Contents


 ** FirewallDeploymentModel **   <a name="fms-Type-ThirdPartyFirewallPolicy-FirewallDeploymentModel"></a>
Defines the deployment model to use for the third-party firewall policy.  
Type: String  
Valid Values: `CENTRALIZED | DISTRIBUTED`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ThirdPartyFirewallPolicy) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ThirdPartyFirewallPolicy) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ThirdPartyFirewallPolicy) 

# ViolationDetail


Violations for a resource based on the specified AWS Firewall Manager policy and AWS account.

## Contents


 ** MemberAccount **   <a name="fms-Type-ViolationDetail-MemberAccount"></a>
The AWS account that the violation details were requested for.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^[0-9]+$`   
Required: Yes

 ** PolicyId **   <a name="fms-Type-ViolationDetail-PolicyId"></a>
The ID of the AWS Firewall Manager policy that the violation details were requested for.  
Type: String  
Length Constraints: Fixed length of 36.  
Pattern: `^[a-z0-9A-Z-]{36}$`   
Required: Yes

 ** ResourceId **   <a name="fms-Type-ViolationDetail-ResourceId"></a>
The resource ID that the violation details were requested for.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** ResourceType **   <a name="fms-Type-ViolationDetail-ResourceType"></a>
The resource type that the violation details were requested for.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: Yes

 ** ResourceViolations **   <a name="fms-Type-ViolationDetail-ResourceViolations"></a>
List of violations for the requested resource.  
Type: Array of [ResourceViolation](API_ResourceViolation.md) objects  
Required: Yes

 ** ResourceDescription **   <a name="fms-Type-ViolationDetail-ResourceDescription"></a>
Brief description for the requested resource.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** ResourceTags **   <a name="fms-Type-ViolationDetail-ResourceTags"></a>
The `ResourceTag` objects associated with the resource.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Minimum number of 0 items. Maximum number of 200 items.  
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/ViolationDetail) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/ViolationDetail) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/ViolationDetail) 

# WebACLHasIncompatibleConfigurationViolation


The violation details for a web ACL whose configuration is incompatible with the Firewall Manager policy. 

## Contents


 ** Description **   <a name="fms-Type-WebACLHasIncompatibleConfigurationViolation-Description"></a>
Information about the problems that Firewall Manager encountered with the web ACL configuration.   
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** WebACLArn **   <a name="fms-Type-WebACLHasIncompatibleConfigurationViolation-WebACLArn"></a>
The Amazon Resource Name (ARN) of the web ACL.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/WebACLHasIncompatibleConfigurationViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/WebACLHasIncompatibleConfigurationViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/WebACLHasIncompatibleConfigurationViolation) 

# WebACLHasOutOfScopeResourcesViolation


The violation details for a web ACL that's associated with at least one resource that's out of scope of the Firewall Manager policy. 

## Contents


 ** OutOfScopeResourceList **   <a name="fms-Type-WebACLHasOutOfScopeResourcesViolation-OutOfScopeResourceList"></a>
An array of Amazon Resource Names (ARNs) for the resources that are out of scope of the policy and are associated with the web ACL.   
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

 ** WebACLArn **   <a name="fms-Type-WebACLHasOutOfScopeResourcesViolation-WebACLArn"></a>
The Amazon Resource Name (ARN) of the web ACL.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`   
Required: No

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/fms-2018-01-01/WebACLHasOutOfScopeResourcesViolation) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/fms-2018-01-01/WebACLHasOutOfScopeResourcesViolation) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/fms-2018-01-01/WebACLHasOutOfScopeResourcesViolation) 