Provision Cloud NGFW Resources to your AWS CFT
Table of Contents
Provision Cloud NGFW Resources to your AWS CFT
Create Cloud NGFW resources and provision them to your
AWS CloudFormation template.
The Cloud NGFW provides flexibility to
provision resources to your AWS CloudFormation template (CFT) by
allowing you to create your own resources.
Use the
You must enable Programmatic
access before using CloudFormation Registry with the Cloud NGFW.
PaloAltoNetworks::CloudNGFW::RuleStack
and PaloAltoNetworks::CloudNGFW::NGFW
schemas
to integrate the Cloud NGFW into your AWS CloudFormation template.
Use the provided syntax in this document to define Cloud NGFW firewall configuration
settings that you can integrate with AWS CloudFormation Registry.PaloAltoNetworks::CloudNGFW::RuleStack schema
- JSON{ "Type" : "PaloAltoNetworks::CloudNGFW::RuleStack", "Properties" : { "RuleStackName" : String, "RuleStack" : RuleStack, "RuleList" : [ Rule, ... ], "SecurityObjects" : SecurityObjects, "CustomSecurityProfiles":CustomSecurityProfiles, } }YAMLType:PaloAltoNetworks::CloudNGFW::RuleStack Properties: RuleStackName: String RuleStack: RuleStack RuleList: - Rule SecurityObjects: SecurityObjects CustomSecurityProfiles: CustomSecurityProfiles ProgrammaticAccessToken: StringElementDescriptionRuleStackNameEnter a descriptiveNamefor your rulestack.JSON“RuleStackName” : String,YAMLRuleStackName: StringRuleStackEnter aDescriptionfor your rulestack. The description includes:JSON{ "Scope" : String, "Profiles" : RuleStackProfiles, "Description" : String "Deploy" : String }YAMLScope: String Profiles: RuleStackProfiles Description: String Deploy: StringRuleStackProfilesIdentifyProfilesfor the specified rulestack. Profiles include:JSON{ "AntiSpywareProfile" : String, "AntiVirusProfile" : String, "VulnerabilityProfile" : String, "URLFilteringProfile" : String, "FileBlockingProfile" : String, "OutboundTrustCertificate" : String, "OutboundUntrustCertificate" : String }YAMLAntiSpywareProfile: String AntiVirusProfile: String VulnerabilityProfile: String URLFilteringProfile: String FileBlockingProfile: String OutboundTrustCertificate: String OutboundUntrustCertificate: StringRuleEstablishRulesfor the rulestack. Rules include:JSON{ "RuleName" : String, "Description" : String, "RuleListType" : String, "Priority" : Integer, "Enabled" : Boolean, "Source" : RuleSource, "NegateSource" : Boolean, "Destination" : RuleDestination, "NegateDestination" : Boolean, "Applications" : [ String, ... ], "Category" : UrlCategory, "Protocol" : String, "AuditComment" : String, "Action" : String, "Logging" : Boolean, "DecryptionRuleType" : String, "Tags" : [ Tag, ... ] }YAMLRuleName: String Description: String RuleListType: String Priority: Integer Enabled: Boolean Source: RuleSource NegateSource: Boolean Destination: RuleDestination NegateDestination: Boolean Applications: - String Category: UrlCategory Protocol: String AuditComment: String Action: String Logging: Boolean DecryptionRuleType: String Tags: - TagRuleSourceSet the collection of rules usingRuleSource. RuleSource includes:JSON{ "Cidrs" : [ String, ... ], "PrefixLists" : [ String, ... ], "Countries" : [ String, ... ], "Feeds" : [ String, ... ] // RuleStackname? }YAMLcidrs: - String PrefixLists: - String Countries: - String Feeds: - StringRuleDestinationSet theRuleDestinationfor the web service supporting the confirmation URL and one or more data collection URLs. RuleDestination includes:JSON{ "Cidrs" : [ String, ... ], "FqdnLists" : [ String, ... ], "PrefixLists" : [ String, ... ], "Countries" : [ String, ... ], "Feeds" : [ String, ... ] // RuleStackname? }YAMLCidrs: - String FqdnLists: - String PrefixLists: - String Countries: - String Feeds: - StringTagSpecify aTagfor the rulestack. A Tag includes:JSON{ "Key" : String, "Value" : String }YAMLKey: String Value: StringUrlCategoryUse theUrlCategoryto match criteria in authentication, decryption, QoS, and security policy rules. UrlCategory includes:JSON{ "URLCategoryNames" : [ String, ... ], "Feeds" : [ String, ... ] }YAMLURLCategoryNames: - String Feeds: - StringSecurityObjectsSet theSecurityObjectsfor the rulestack. SecurityObjects include:JSON{ "PrefixLists" : PrefixList, "FqdnLists" : FqdnList, "CustomUrlCategories" : CustomUrlCategory, "IntelligentFeeds" : IntelligentFeed, "CertificateLists" : CertificateList }YAMLPrefixList: PrefixList FqdnList: FqdnList CustomUrlCategory: CustomUrlCategory IntelligentFeed: IntelligentFeed CertificateList: CertificateListCustomSecurityProfilesSetCustomSecurityProfilesto minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms. CustomSecurityProfiles include:JSON{ "FileBlocking" : FileBlocking }YAMLFileBlocking: FileBlockingPrefixListsUsePrefixListto filter routes based on prefixes. By defining an order number and IP prefixes, a branch or a data center ION device can permit or deny routes. The dynamic, auto-generated prefix list is based on what the ION device advertises. Prefixes can be split or non-split. A PrefixList includes:JSON{ "Name" : String, "PrefixList" : [ String, ... ], "AuditComment" : String, "Description" : String }YAMLName: String PrefixList: - String AuditComment: String Description: StringFqdnListsWith theFqdnListsobject, DNS provides the FQDN resolution to the IP addresses, removing the need to know the IP addresses and manually updating them every time the FQDN resolves to a new IP address. FqdnLists include:JSON{ "Name" : String, "Description" : String, "FqdnList" : [ String, ... ], "AuditComment" : String }YAMLName: String Description: String FqdnList: - String AuditComment: StringCustomUrlCategoriesUseCustomURLCategoriesto create a custom URL filtering object to specify exceptions to URL category enforcement, and to create a custom URL category based on multiple URL categories:
- Define exceptions to URL category enforcement—Create a custom list of URLs that you want to use as match criteria in a Security policy rule. This is a good way to specify exceptions to URL categories, where you’d like to enforce specific URLs differently than the URL category to which they belong.
- Define a custom URL category based on multiple PAN-DB categories—This allows you to target enforcement for websites that match a set of categories. The website or page must match all the categories defined as part of the custom category.
CustomURLCategories include:JSON{ "URLTargets" : [ String, ... ], "Name" : String, "Description" : String, "Action" : String, "AuditComment" : String }YAMLURLTargets: - String Name: String Description: String Action: String AuditComment: StringIntelligentFeedsUseIntelligentFeedsto continually feed the most up-to-date threat intelligence data. IntelligentFeeds include:JSON{ "Name" : String, "Description" : String, "Certificate" : String, "FeedURL" : String, "Type" : String, "Frequency" : String, "Time" : Integer, "AuditComment" : String }YAMLName: String Description: String Certificate: String FeedURL: String Type: String Frequency: String Time: Integer AuditComment: StringCertificateObjectsUseCertificateObjectsto define elements of the certificate. CertificateObjects includes:JSON{ "Name" : String, "Description" : String, "CertificateSignerArn" : String, "CertificateSelfSigned" : Boolean, "AuditComment" : String }YAMLName: String Description: String CertificateSignerArn: String CertificateSelfSigned: Boolean AuditComment: StringFileBlockingUseFileBlockingto identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. FileBlocking includes:JSON{ "Direction" : String, "FileType" : String, "Description" : String, "Action" : String, "AuditComment" : String }YAMLDirection: String FileType: String Description: String Action: String AuditComment: StringPaloAltoNetworks::CloudNGFW::NGFW schema- JSON{ "Type": "PaloAltoNetworks::CloudNGFW::NGFW", "Properties" : { "Description" : String, "EndpointMode" : String, "FirewallName" : String, "RuleStackName" : String, "RuleStackName" : String, "SubnetMappings" : [ String, ... ], "Tags" : [ Map, ... ], "VpcId" : String, "UpdateToken" : String, "LogDestinationConfigs" : [ LogProfileConfig, ... ], "CloudWatchMetricNamespace" : String, }YAMLType: PaloAltoNetworks::CloudNGFW::NGFWProperties: AppIdVersion: String AutomaticUpgradeAppIdVersion: Boolean Description: String EndpointMode: String FirewallName: String RuleStackName: String RuleStackName: String SubnetMappings: - String Tags: - Map VpcId: String UpdateToken: String LogDestinationConfigs: - LogProfileConfig CloudWatchMetricNamespace: String ProgrammaticAccessToken: StringElementDescriptionLogProfileConfigUseLogProfileConfigto display entries for change to the firewall configuration.JSON{ "LogDestination" : String, "LogDestinationType" : String, "LogType" : String}YAMLLogDestination: String LogDestinationType: String LogType: StringActivate public extensionsTo ship logs in AWS CloudWatch, Configure Logging for Cloud NGFW on AWS.Activate both thePaloAltoNetworks::CloudNGFW::NGFWandPaloAltoNetworks::CloudNGFW::RuleStackpublic extensions for your account:
Stack OutputsYou can access these resource attributes as stack outputs:FirewallResource: "/properties/ReadFirewall", "/properties/ReadFirewall/AccountId", "/properties/ReadFirewall/AppIdVersion", "/properties/ReadFirewall/AutomaticUpgradeAppIdVersion", "/properties/ReadFirewall/EndpointMode", "/properties/ReadFirewall/FirewallName", "/properties/ReadFirewall/MultiVpcEnable", "/properties/ReadFirewall/Description", "/properties/ReadFirewall/VpcId", "/properties/ReadFirewall/SubnetMappings", "/properties/ReadFirewall/LinkId", "/properties/ReadFirewall/Attachments", "/properties/ReadFirewall/LinkStatus", "/properties/ReadFirewall/FirewallStatus", "/properties/ReadFirewall/RuleStackStatus", "/properties/ReadFirewall/FailureReason", "/properties/ReadFirewall/EndpointServiceName", "/properties/ReadFirewall/Tags", "/properties/ReadFirewall/RuleStackName", "/properties/ReadFirewall/GlobalRuleStackName" RuleStackResource: "/properties/RuleStackCandidate", "/properties/RuleStackRunning", "/properties/RuleStackCandidate/AccountId", "/properties/RuleStackRunning/AccountId", "/properties/RuleStackCandidate/Scope", "/properties/RuleStackRunning/Scope", "/properties/RuleStackCandidate/MinAppIdVersion", "/properties/RuleStackRunning/MinAppIdVersion", "/properties/RuleStackCandidate/Description", "/properties/RuleStackRunning/Description", "/properties/RuleStackRunning/Profiles/AntiSpywareProfile", "/properties/RuleStackCandidate/Profiles/AntiSpywareProfile", "/properties/RuleStackRunning/Profiles/AntiVirusProfile", "/properties/RuleStackCandidate/Profiles/AntiVirusProfile", "/properties/RuleStackCandidate/Profiles/VulnerabilityProfile", "/properties/RuleStackRunning/Profiles/VulnerabilityProfile", "/properties/RuleStackCandidate/Profiles/URLFilteringProfile", "/properties/RuleStackRunning/Profiles/URLFilteringProfile", "/properties/RuleStackCandidate/Profiles/FileBlockingProfile", "/properties/RuleStackRunning/Profiles/FileBlockingProfileExecution roleUse the following for the execution role:Trust relationship:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "resources.cloudformation.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "{customer-account-id}" }, "StringLike": { "aws:SourceArn": "arn:aws:cloudformation:*:{customer-account-id}":type/resource/PaloAltoNetworks-CloudNGFW-NGFW/*" } } }, { "Effect": "Allow", "Principal": { "Service": "resources.cloudformation.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": {customer-account-id}" }, "StringLike": { "aws:SourceArn": "arn:aws:cloudformation:*:{customer-account-id}":type/resource/PaloAltoNetworks-CloudNGFW-RuleStack/*" } } } ] } Tags: CloudNGFWRulestackAdmin: Yes CloudNGFWFirewallAdmin: Yes CloudNGFWGlobalRulestackAdmin: Yes Permissions: AmazonAPIGatewayInvokeFullAccessCreate a role and then use the role ARN to configure the execution role ARN during activation. You cannot create a resource without configuring the execution role during activation.CloudFormation Firewall Resource Schema ExampleUse the following for as an example for the rulestack schema:{ "typeName": "PaloAltoNetworks::CloudNGFW::NGFW", "description": "A Firewall resource offers Palo Alto Networks next-generation firewall capabilities with built-in resiliency, scalability, and life-cycle management.", "sourceUrl": "https://github.com/aws-cloudformation/aws-cloudformation-rpdk.git", "definitions" : { "LogProfileConfig": { "title": "LogProfileConfig", "description": "Add Log profile config", "type": "object", "properties": { "LogDestination": { "title": "Logdestination", "minLength": 1, "maxLength": 128, "type": "string" }, "LogDestinationType": { "title": "Logdestinationtype", "enum": ["S3", "CloudWatchLogs", "KinesisDataFirehose"], "type": "string" }, "LogType": { "title": "Logtype", "enum": ["TRAFFIC", "DECRYPTION", "THREAT"], "type": "string" } }, "required": ["LogDestination", "LogDestinationType", "LogType"], "additionalProperties": false }, "SubnetMappings": { "type": "array", "items": { "type": "object", "properties": { "AvailabilityZone": { "title": "availabilityZone", "type": "string" }, "SubnetId": { "title": "subnetId", "type": "string" } }, "additionalProperties": false } } }, "properties": { "AccountId": { "title": "Accountid", "pattern": "^[0-9]+$", "type": "string", "minLength": 1 }, "AppIdVersion": { "title": "Appidversion", "minLength": 1, "maxLength": 64, "pattern": "^[0-9]+-[0-9]+$", "type": "string" }, "AutomaticUpgradeAppIdVersion": { "title": "Automaticupgradeappidversion", "default": true, "type": "boolean" }, "Description": { "title": "Description", "type": "string", "minLength": 1 }, "EndpointMode": { "title": "Endpointmode: CustomerManaged Or ServiceManaged", "enum": ["ServiceManaged", "CustomerManaged"], "type": "string" }, "FirewallName": { "title": "Firewallname", "minLength": 1, "maxLength": 128, "pattern": "^[a-zA-Z0-9-]+$", "type": "string" }, "MultiVpcEnable": { "title": "MultiVpcEnable", "type": "boolean" }, "RuleStackName": { "title": "Rulestackname", "type": "string", "minLength": 1 }, "SubnetMappings": { "$ref": "#/definitions/SubnetMappings" }, "AssociateSubnetMappings": { "$ref": "#/definitions/SubnetMappings" }, "DisassociateSubnetMappings": { "$ref": "#/definitions/SubnetMappings" }, "Tags": { "title": "Tags", "type": "array", "items": { "type": "object" } }, "VpcId": { "title": "Vpcid", "type": "string", "minLength": 1 }, "LinkId": { "title": "LinkId", "type": "string", "minLength": 1 }, "LogDestinationConfigs": { "title": "Logdestinationconfigs", "type": "array", "items": { "$ref": "#/definitions/LogProfileConfig" } }, "CloudWatchMetricNamespace": { "title": "Cloudwatchmetricnamespace", "type": "string", "minLength": 1 } }, "additionalProperties": false, "required": [ "FirewallName" ], "createOnlyProperties": [ "/properties/FirewallName" ], "primaryIdentifier": [ "/properties/FirewallName" ], "handlers": { "create": { "permissions": [ "execute-api:Invoke" ] }, "read": { "permissions": [ "execute-api:Invoke" ] }, "update": { "permissions": [ "execute-api:Invoke" ] }, "delete": { "permissions": [ "execute-api:Invoke" ] } } }Rulestack Schema ExampleUse the following as an example for the rulestack schema:{ "typeName": "PaloAltoNetworks::CloudNGFW::RuleStack", "description": "A rulestack defines the NGFW's advanced access control (APP-ID, URL Filtering) and threat prevention behavior.", "sourceUrl": "https://github.com/aws-cloudformation/aws-cloudformation-rpdk.git", "definitions": { "RuleStack": { "title": "RuleStack", "type": "object", "properties": { "AccountId": { "title": "Accountid", "pattern": "^[0-9]+$", "type": "string", "minLength": 1 }, "Scope": { "title": "Scope", "default": "Local", "enum": ["Local", "Global"], "type": "string" }, "LookupXForwardedFor": { "title": "LookupXForwardedFor", "default": "None", "enum": ["SecurityPolicy", "None"], "type": "string" }, "MinAppIdVersion": { "title": "Minappidversion", "default": "8433-6838", "pattern": "8\\d\\d\\d\\-\\d\\d\\d\\d", "type": "string" }, "Profiles": { "$ref": "#/definitions/RuleStackProfiles" }, "Description": { "title": "Description", "maxLength": 512, "type": "string" }, "Deploy": { "title": "Deploy", "description": "Deploy RuleStack YES/NO", "default": "YES", "type": "string" } }, "additionalProperties": false }, "RuleStackProfiles": { "title": "RuleStackProfiles", "type": "object", "properties": { "AntiSpywareProfile": { "title": "Antispywareprofile", "default": "BestPractice", "enum": ["BestPractice", "None"], "type": "string" }, "AntiVirusProfile": { "title": "Antivirusprofile", "default": "BestPractice", "enum": ["BestPractice", "None"], "type": "string" }, "VulnerabilityProfile": { "title": "Vulnerabilityprofile", "default": "BestPractice", "enum": ["BestPractice", "None"], "type": "string" }, "URLFilteringProfile": { "title": "Urlfilteringprofile", "default": "None", "enum": ["BestPractice", "None"], "type": "string" }, "FileBlockingProfile": { "title": "Fileblockingprofile", "default": "BestPractice", "enum": ["Custom", "BestPractice", "None"], "type": "string" }, "OutboundTrustCertificate": { "title": "Outboundtrustcertificate", "maxLength": 63, "type": "string" }, "OutboundUntrustCertificate": { "title": "Outbounduntrustcertificate", "maxLength": 63, "type": "string" } }, "additionalProperties": false }, "Tag": { "title": "Tag", "type": "object", "properties": { "Key": { "title": "Key", "minLength": 1, "maxLength": 128, "type": "string" }, "Value": { "title": "Value", "minLength": 1, "maxLength": 128, "type": "string" } }, "required": ["Key", "Value"], "additionalProperties": false }, "Rule" : { "title": "Rule", "type": "object", "properties": { "RuleName": { "title": "Rulename", "minLength": 1, "maxLength": 48, "pattern": "^[a-zA-Z0-9-]+$", "type": "string" }, "Description": { "title": "Description", "maxLength": 512, "type": "string" }, "RuleListType": { "title": "RuleListType", "description": "RuleList type: LocalRule, PreRule, PostRule", "type": "string" }, "Priority": { "title": "Priority", "description": "Priority of the Rule", "type": "integer" }, "Enabled": { "title": "Enabled", "default": true, "type": "boolean" }, "Source": { "$ref": "#/definitions/RuleSource" }, "NegateSource": { "title": "Negatesource", "default": false, "type": "boolean" }, "Destination": { "$ref": "#/definitions/RuleDestination" }, "NegateDestination": { "title": "Negatedestination", "default": false, "type": "boolean" }, "Applications": { "title": "Applications", "default": ["any"], "type": "array", "items": { "type": "string", "maxLength": 63 } }, "Category": { "$ref": "#/definitions/UrlCategory" }, "Protocol": { "title": "Protocol", "default": "application-default", "maxLength": 63, "type": "string" }, "ProtPortList": { "title": "ProtPortList", "type": "array", "items": { "type": "string", "maxLength": 63 } }, "AuditComment": { "title": "Auditcomment", "maxLength": 512, "type": "string" }, "Action": { "title": "Action", "default": "Allow", "enum": ["Allow", "DenySilent", "DenyResetServer", "DenyResetBoth"], "type": "string" }, "Logging": { "title": "Logging", "default": false, "type": "boolean" }, "DecryptionRuleType": { "title": "Decryptionruletype", "enum": ["SSLOutboundInspection", "SSLInboundInspection", "SSLOutboundNoInspection", "SSLInboundNoInspection"], "type": "string" }, "InboundInspectionCertificate": { "title": "InboundInspectionCertificate", "type": "string", "maxLength": 63 }, "Tags": { "title": "Tags", "maxItems": 200, "type": "array", "items": { "$ref": "#/definitions/Tag" } } }, "required": ["RuleName", "RuleListType", "Priority"], "additionalProperties": false }, "RuleSource": { "title": "RuleSource", "type": "object", "properties": { "Cidrs": { "title": "Cidrs", "type": "array", "items": { "type": "string", "maxLength": 24 } }, "PrefixLists": { "title": "Prefixlists", "type": "array", "items": { "type": "string", "maxLength": 63 } }, "Countries": { "title": "Countries", "description": "Country code", "type": "array", "items": { "type": "string", "maxLength": 2 } }, "Feeds": { "title": "Feeds", "type": "array", "items": { "type": "string", "maxLength": 63 } } }, "additionalProperties": false }, "RuleDestination": { "title": "RuleDestination", "type": "object", "properties": { "Cidrs": { "title": "Cidrs", "type": "array", "items": { "type": "string", "maxLength": 24 } }, "FqdnLists": { "title": "Fqdnlists", "type": "array", "items": { "type": "string", "maxLength": 63 } }, "PrefixLists": { "title": "Prefixlists", "type": "array", "items": { "type": "string", "maxLength": 63 } }, "Countries": { "title": "Countries", "description": "Country code", "type": "array", "items": { "type": "string", "maxLength": 2 } }, "Feeds": { "title": "Feeds", "type": "array", "items": { "type": "string", "maxLength": 63 } } }, "additionalProperties": false }, "UrlCategory": { "title": "UrlCategory", "type": "object", "properties": { "URLCategoryNames": { "title": "Urlcategorynames", "type": "array", "items": { "type": "string", "maxLength": 128 } }, "Feeds": { "title": "Feeds", "type": "array", "items": { "type": "string", "maxLength": 63 } } }, "additionalProperties": false }, "CustomSecurityProfiles":{ "description": "Custom Security Profiles object", "type": "object", "properties": { "FileBlocking": { "$ref": "#/definitions/FileBlocking" } }, "additionalProperties": false }, "FileBlocking":{ "title": "FileBlocking", "type": "object", "properties": { "Direction": { "title": "Direction", "default": "both", "enum": ["upload", "download", "both"], "type": "string" }, "FileType": { "title": "FileType", "type": "string" }, "Description": { "title": "Description", "minLength": 1, "maxLength": 255, "type": "string" }, "Action": { "title": "Action", "default": "alert", "enum": ["alert", "block", "continue"], "type": "string" }, "AuditComment": { "title": "Auditcomment", "type": "string" } }, "required": ["FileType"], "additionalProperties": false }, "SecurityObjects": { "description": "Security objects", "type": "object", "properties": { "PrefixLists": { "type": "array", "uniqueItems": false, "items": { "$ref": "#/definitions/PrefixList" } }, "FqdnLists": { "type": "array", "uniqueItems": false, "items": { "$ref": "#/definitions/FqdnList" } }, "CustomUrlCategories": { "type": "array", "uniqueItems": false, "items": { "$ref": "#/definitions/CustomUrlCategory" } }, "IntelligentFeeds": { "type": "array", "uniqueItems": false, "items": { "$ref": "#/definitions/IntelligentFeed" } }, "CertificateObjects":{ "type": "array", "uniqueItems": false, "items": { "$ref": "#/definitions/CertObject" } } }, "additionalProperties": false }, "PrefixList": { "title": "PrefixList", "description": "SecurityObjects PrefixList", "type": "object", "properties": { "Name": { "title": "Name", "minLength": 1, "maxLength": 58, "pattern": "^[a-zA-Z0-9-]+$", "type": "string" }, "PrefixList": { "title": "Prefixlist", "type": "array", "items": { "type": "string" } }, "AuditComment": { "title": "Auditcomment", "maxLength": 512, "type": "string" }, "Description": { "title": "Description", "maxLength": 512, "type": "string" } }, "required": ["Name", "PrefixList"], "additionalProperties": false }, "FqdnList":{ "title": "FqdnList", "type": "object", "properties": { "Name": { "title": "Name", "minLength": 1, "maxLength": 58, "pattern": "^[a-zA-Z0-9-]+$", "type": "string" }, "Description": { "title": "Description", "maxLength": 512, "type": "string" }, "FqdnList": { "title": "Fqdnlist", "type": "array", "items": { "type": "string", "minLength": 1, "maxLength": 255, "pattern": "^[a-zA-Z0-9._-]+$" } }, "AuditComment": { "title": "Auditcomment", "maxLength": 512, "type": "string" } }, "required": ["Name", "FqdnList"], "additionalProperties": false }, "CustomUrlCategory":{ "title": "CustomURLCategory", "type": "object", "properties": { "URLTargets": { "title": "Urltargets", "type": "array", "items": { "type": "string", "minLength": 1, "maxLength": 255 } }, "Name": { "title": "Name", "minLength": 1, "maxLength": 58, "pattern": "^[a-zA-Z0-9-]+$", "type": "string" }, "Description": { "title": "Description", "minLength": 1, "maxLength": 255, "type": "string" }, "Action": { "title": "Action", "type": "string", "default": "none", "enum": ["none", "allow", "alert", "block"] }, "AuditComment": { "title": "Auditcomment", "type": "string" } }, "required": ["URLTargets"], "additionalProperties": false }, "IntelligentFeed":{ "title": "IntelligentFeed", "type": "object", "properties": { "Name": { "title": "Name", "minLength": 1, "maxLength": 63, "pattern": "^[a-zA-Z0-9-]+$", "type": "string" }, "Description": { "title": "Description", "maxLength": 512, "type": "string" }, "Certificate": { "title": "Certificate", "type": "string" }, "FeedURL": { "title": "Feedurl", "minLength": 1, "maxLength": 255, "pattern": "^(http|https)://.+$", "type": "string" }, "Type": { "title": "Type", "enum": ["IP_LIST", "URL_LIST"], "type": "string" }, "Frequency": { "title": "Frequency", "enum": ["HOURLY", "DAILY"], "type": "string" }, "Time": { "title": "Time", "default": 3, "minimum": 0, "maximum": 23, "type": "integer" }, "AuditComment": { "title": "Auditcomment", "maxLength": 512, "type": "string" } }, "required": ["Name", "FeedURL", "Type", "Frequency"], "additionalProperties": false }, "CertObject":{ "title": "Certificate Object", "type": "object", "properties": { "Name": { "title": "Name", "minLength": 1, "maxLength": 63, "pattern": "^[a-zA-Z0-9-]+$", "type": "string" }, "Description": { "title": "Description", "maxLength": 512, "type": "string" }, "CertificateSignerArn": { "title": "Certificatesignerarn", "type": "string" }, "CertificateSelfSigned": { "title": "Certificateselfsigned", "default": false, "type": "boolean" }, "AuditComment": { "title": "Auditcomment", "maxLength": 512, "type": "string" } }, "required": ["Name"], "additionalProperties": false } }, "properties": { "RuleStackName": { "description": "Rule stack name", "minLength": 1, "maxLength": 128, "pattern": "^[a-zA-Z0-9-]+$", "type": "string" }, "RuleStack": { "$ref": "#/definitions/RuleStack" }, "RuleList": { "description": "list of rules", "type": "array", "uniqueItems": false, "items": { "$ref": "#/definitions/Rule" } }, "SecurityObjects": { "$ref": "#/definitions/SecurityObjects" }, "CustomSecurityProfiles": { "$ref": "#/definitions/CustomSecurityProfiles" } }, "additionalProperties": false, "required": [ "RuleStackName" ], "createOnlyProperties": [ "/properties/RuleStackName" ], "primaryIdentifier": [ "/properties/RuleStackName" ], "handlers": { "create": { "permissions": [ "execute-api:Invoke" ] }, "read": { "permissions": [ "execute-api:Invoke" ] }, "update": { "permissions": [ "execute-api:Invoke" ] }, "delete": { "permissions": [ "execute-api:Invoke" ] } } }
