Struct aws_sdk_fms::types::Policy

#[non_exhaustive]
pub struct Policy {
    pub policy_id: Option<String>,
    pub policy_name: String,
    pub policy_update_token: Option<String>,
    pub security_service_policy_data: Option<SecurityServicePolicyData>,
    pub resource_type: String,
    pub resource_type_list: Option<Vec<String>>,
    pub resource_tags: Option<Vec<ResourceTag>>,
    pub exclude_resource_tags: bool,
    pub remediation_enabled: bool,
    pub delete_unused_fm_managed_resources: bool,
    pub include_map: Option<HashMap<CustomerPolicyScopeIdType, Vec<String>>>,
    pub exclude_map: Option<HashMap<CustomerPolicyScopeIdType, Vec<String>>>,
    pub resource_set_ids: Option<Vec<String>>,
    pub policy_description: Option<String>,
    pub policy_status: Option<CustomerPolicyStatus>,
}

A Firewall Manager policy.

Fields (Non-exhaustive)§

This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
§policy_id: Option<String>

The ID of the Firewall Manager policy.

§policy_name: String

The name of the Firewall Manager policy.

§policy_update_token: Option<String>

A unique identifier for each update to the policy. When issuing a PutPolicy request, the PolicyUpdateToken in the request must match the PolicyUpdateToken of the current policy version. To get the PolicyUpdateToken of the current policy version, use a GetPolicy request.

§security_service_policy_data: Option<SecurityServicePolicyData>

Details about the security service that is being used to protect the resources.

§resource_type: String

The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList and then specify the resource types in a ResourceTypeList.

The following are valid resource types for each Firewall Manager policy type:

  • Amazon Web Services WAF Classic - AWS::ApiGateway::Stage, AWS::CloudFront::Distribution, and AWS::ElasticLoadBalancingV2::LoadBalancer.

  • WAF - AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, and AWS::CloudFront::Distribution.

  • Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::ElasticLoadBalancing::LoadBalancer, AWS::EC2::EIP, and AWS::CloudFront::Distribution.

  • Network ACL - AWS::EC2::Subnet.

  • Security group usage audit - AWS::EC2::SecurityGroup.

  • Security group content audit - AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and AWS::EC2::Instance.

  • DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC.

§resource_type_list: Option<Vec<String>>

An array of ResourceType objects. Use this only to specify multiple resource types. To specify a single resource type, use ResourceType.

§resource_tags: Option<Vec<ResourceTag>>

An array of ResourceTag objects.

§exclude_resource_tags: bool

If set to True, resources with the tags that are specified in the ResourceTag array are not in scope of the policy. If set to False, and the ResourceTag array is not null, only resources with the specified tags are in scope of the policy.

§remediation_enabled: bool

Indicates if the policy should be automatically applied to new resources.

§delete_unused_fm_managed_resources: bool

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

This option is not available for Shield Advanced or WAF Classic policies.

§include_map: Option<HashMap<CustomerPolicyScopeIdType, Vec<String>>>

Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an IncludeMap, Firewall Manager applies the policy to all accounts specified by the IncludeMap, and does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager applies the policy to all accounts except for those specified by the ExcludeMap.

You can specify account IDs, OUs, or a combination:

  • Specify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"]}.

  • Specify OUs by setting the key to ORG_UNIT. For example, the following is a valid map: {"ORG_UNIT" : ["ouid111", "ouid112"]}.

  • Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"], "ORG_UNIT" : ["ouid111", "ouid112"]}.

§exclude_map: Option<HashMap<CustomerPolicyScopeIdType, Vec<String>>>

Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an IncludeMap, Firewall Manager applies the policy to all accounts specified by the IncludeMap, and does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager applies the policy to all accounts except for those specified by the ExcludeMap.

You can specify account IDs, OUs, or a combination:

  • Specify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"]}.

  • Specify OUs by setting the key to ORG_UNIT. For example, the following is a valid map: {"ORG_UNIT" : ["ouid111", "ouid112"]}.

  • Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"], "ORG_UNIT" : ["ouid111", "ouid112"]}.
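
The include/exclude precedence described for include_map and exclude_map, as an added example that is not part of the SDK or of this page: it resolves whether an account is in policy scope and flags a policy whose exclusions are silently ignored. The string-keyed maps, the OrgTree parent lookup, the helper names and the IDs are assumptions constructed for illustration.

```rust
use std::collections::HashMap;

// Local stand-ins (assumptions): the SDK keys these maps by CustomerPolicyScopeIdType;
// here the keys are the strings "ACCOUNT" and "ORG_UNIT" from the field docs.
type ScopeMap = HashMap<String, Vec<String>>;
// Hypothetical organization view: child id (account or OU) -> parent OU id.
type OrgTree = HashMap<String, String>;

/// True if `account` is listed under ACCOUNT or sits under a listed OU (child OUs included).
fn matches(map: &ScopeMap, tree: &OrgTree, account: &str) -> bool {
    if map.get("ACCOUNT").map_or(false, |ids| ids.iter().any(|id| id.as_str() == account)) {
        return true;
    }
    let ous = map.get("ORG_UNIT").map(Vec::as_slice).unwrap_or(&[]);
    let mut node = account;
    // Walk up the ancestors; the step bound guards against a cyclic tree.
    for _ in 0..tree.len() {
        match tree.get(node) {
            Some(parent) if ous.contains(parent) => return true,
            Some(parent) => node = parent.as_str(),
            None => break,
        }
    }
    false
}

/// Rule from the field docs: an IncludeMap wins and the ExcludeMap is not evaluated.
/// Assumption: a map that is present counts as specified, even if it is empty.
fn in_scope(inc: Option<&ScopeMap>, exc: Option<&ScopeMap>, tree: &OrgTree, account: &str) -> bool {
    match (inc, exc) {
        (Some(inc), _) => matches(inc, tree, account),
        (None, Some(exc)) => !matches(exc, tree, account),
        (None, None) => true,
    }
}

/// Audit finding: an IncludeMap is set while the ExcludeMap still lists entries.
fn exclusions_ignored(inc: Option<&ScopeMap>, exc: Option<&ScopeMap>) -> bool {
    inc.is_some() && exc.map_or(false, |m| m.values().any(|ids| !ids.is_empty()))
}

// Constructed sample data: one account nested two OUs deep, one in an unrelated OU.
fn scope_map(key: &str, ids: &[&str]) -> ScopeMap {
    HashMap::from([(key.to_string(), ids.iter().map(|s| s.to_string()).collect())])
}
fn sample_tree() -> OrgTree {
    [("111111111111", "ou-child"), ("ou-child", "ou-parent"), ("222222222222", "ou-other")]
        .iter().map(|(c, p)| (c.to_string(), p.to_string())).collect()
}

fn main() {
    let (tree, exc) = (sample_tree(), scope_map("ACCOUNT", &["111111111111"]));
    println!("exclude only, in scope: {}", in_scope(None, Some(&exc), &tree, "111111111111"));
}
```

A policy for which exclusions_ignored returns true protects accounts its author meant to carve out, which is worth surfacing in a configuration review.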

§resource_set_ids: Option<Vec<String>>

The unique identifiers of the resource sets used by the policy.

§policy_description: Option<String>

The definition of the Network Firewall firewall policy.

§policy_status: Option<CustomerPolicyStatus>

Indicates whether the policy is in or out of an admin's policy or Region scope.

  • ACTIVE - The administrator can manage and delete the policy.

  • OUT_OF_ADMIN_SCOPE - The administrator can view the policy, but they can't edit or delete the policy. Existing policy protections stay in place. Any new resources that come into scope of the policy won't be protected.

Implementations§

impl Policy

pub fn policy_id(&self) -> Option<&str>

The ID of the Firewall Manager policy.

pub fn policy_name(&self) -> &str

The name of the Firewall Manager policy.

pub fn policy_update_token(&self) -> Option<&str>

A unique identifier for each update to the policy. When issuing a PutPolicy request, the PolicyUpdateToken in the request must match the PolicyUpdateToken of the current policy version. To get the PolicyUpdateToken of the current policy version, use a GetPolicy request.

pub fn security_service_policy_data(&self) -> Option<&SecurityServicePolicyData>

Details about the security service that is being used to protect the resources.

pub fn resource_type(&self) -> &str

The type of resource protected by or in scope of the policy. This is in the format shown in the Amazon Web Services Resource Types Reference. To apply this policy to multiple resource types, specify a resource type of ResourceTypeList and then specify the resource types in a ResourceTypeList.

The following are valid resource types for each Firewall Manager policy type:

  • Amazon Web Services WAF Classic - AWS::ApiGateway::Stage, AWS::CloudFront::Distribution, and AWS::ElasticLoadBalancingV2::LoadBalancer.

  • WAF - AWS::ApiGateway::Stage, AWS::ElasticLoadBalancingV2::LoadBalancer, and AWS::CloudFront::Distribution.

  • Shield Advanced - AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::ElasticLoadBalancing::LoadBalancer, AWS::EC2::EIP, and AWS::CloudFront::Distribution.

  • Network ACL - AWS::EC2::Subnet.

  • Security group usage audit - AWS::EC2::SecurityGroup.

  • Security group content audit - AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and AWS::EC2::Instance.

  • DNS Firewall, Network Firewall, and third-party firewall - AWS::EC2::VPC.

pub fn resource_type_list(&self) -> &[String]

An array of ResourceType objects. Use this only to specify multiple resource types. To specify a single resource type, use ResourceType.

If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .resource_type_list.is_none().

pub fn resource_tags(&self) -> &[ResourceTag]

An array of ResourceTag objects.

If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .resource_tags.is_none().

pub fn exclude_resource_tags(&self) -> bool

If set to True, resources with the tags that are specified in the ResourceTag array are not in scope of the policy. If set to False, and the ResourceTag array is not null, only resources with the specified tags are in scope of the policy.

pub fn remediation_enabled(&self) -> bool

Indicates if the policy should be automatically applied to new resources.

pub fn delete_unused_fm_managed_resources(&self) -> bool

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

This option is not available for Shield Advanced or WAF Classic policies.

pub fn include_map(&self) -> Option<&HashMap<CustomerPolicyScopeIdType, Vec<String>>>

Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an IncludeMap, Firewall Manager applies the policy to all accounts specified by the IncludeMap, and does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager applies the policy to all accounts except for those specified by the ExcludeMap.

You can specify account IDs, OUs, or a combination:

  • Specify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"]}.

  • Specify OUs by setting the key to ORG_UNIT. For example, the following is a valid map: {"ORG_UNIT" : ["ouid111", "ouid112"]}.

  • Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"], "ORG_UNIT" : ["ouid111", "ouid112"]}.

pub fn exclude_map(&self) -> Option<&HashMap<CustomerPolicyScopeIdType, Vec<String>>>

Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an IncludeMap, Firewall Manager applies the policy to all accounts specified by the IncludeMap, and does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager applies the policy to all accounts except for those specified by the ExcludeMap.

You can specify account IDs, OUs, or a combination:

  • Specify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"]}.

  • Specify OUs by setting the key to ORG_UNIT. For example, the following is a valid map: {"ORG_UNIT" : ["ouid111", "ouid112"]}.

  • Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: {"ACCOUNT" : ["accountID1", "accountID2"], "ORG_UNIT" : ["ouid111", "ouid112"]}.

pub fn resource_set_ids(&self) -> &[String]

The unique identifiers of the resource sets used by the policy.

If no value was sent for this field, a default will be set. If you want to determine if no value was sent, use .resource_set_ids.is_none().

pub fn policy_description(&self) -> Option<&str>

The definition of the Network Firewall firewall policy.

pub fn policy_status(&self) -> Option<&CustomerPolicyStatus>

Indicates whether the policy is in or out of an admin's policy or Region scope.

  • ACTIVE - The administrator can manage and delete the policy.

  • OUT_OF_ADMIN_SCOPE - The administrator can view the policy, but they can't edit or delete the policy. Existing policy protections stay in place. Any new resources that come into scope of the policy won't be protected.

impl Policy

pub fn builder() -> PolicyBuilder

Creates a new builder-style object to manufacture Policy.

Trait Implementations§

impl Clone for Policy

fn clone(&self) -> Policy

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Policy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for Policy

fn eq(&self, other: &Policy) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for Policy

Auto Trait Implementations§

impl Freeze for Policy

impl RefUnwindSafe for Policy

impl Send for Policy

impl Sync for Policy

impl Unpin for Policy

impl UnwindSafe for Policy

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.

impl<Unshared, Shared> IntoShared<Shared> for Unshared
where Shared: FromUnshared<Unshared>,

fn into_shared(self) -> Shared

Creates a shared type from an unshared type.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.