AWS Cloud Control v1.26.0, Mar 12 25

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.26.0 published on Wednesday, Mar 12, 2025 by Pulumi

pulumi/pulumi-aws-native

aws-native.networkfirewall.FirewallPolicy

Explore with Pulumi AI

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.26.0 published on Wednesday, Mar 12, 2025 by Pulumi

pulumi/pulumi-aws-native

Create FirewallPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new FirewallPolicy(name: string, args: FirewallPolicyArgs, opts?: CustomResourceOptions);

@overload
def FirewallPolicy(resource_name: str,
                   args: FirewallPolicyInitArgs,
                   opts: Optional[ResourceOptions] = None)

@overload
def FirewallPolicy(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   firewall_policy: Optional[FirewallPolicyArgs] = None,
                   description: Optional[str] = None,
                   firewall_policy_name: Optional[str] = None,
                   tags: Optional[Sequence[_root_inputs.TagArgs]] = None)

func NewFirewallPolicy(ctx *Context, name string, args FirewallPolicyArgs, opts ...ResourceOption) (*FirewallPolicy, error)

public FirewallPolicy(string name, FirewallPolicyArgs args, CustomResourceOptions? opts = null)

public FirewallPolicy(String name, FirewallPolicyArgs args)
public FirewallPolicy(String name, FirewallPolicyArgs args, CustomResourceOptions options)

type: aws-native:networkfirewall:FirewallPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args FirewallPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args FirewallPolicyInitArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args FirewallPolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args FirewallPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args FirewallPolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

FirewallPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The FirewallPolicy resource accepts the following input properties:

FirewallPolicyValue Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicy

The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.

Description string

A description of the firewall policy.

FirewallPolicyName string

The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.

Tags List<Pulumi.AwsNative.Inputs.Tag>

An array of key-value pairs to apply to this resource.

For more information, see Tag .

FirewallPolicy FirewallPolicyTypeArgs

The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.

Description string

A description of the firewall policy.

FirewallPolicyName string

The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.

Tags TagArgs

An array of key-value pairs to apply to this resource.

For more information, see Tag .

firewallPolicy FirewallPolicy

The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.

description String

A description of the firewall policy.

firewallPolicyName String

The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.

tags List<Tag>

An array of key-value pairs to apply to this resource.

For more information, see Tag .

firewallPolicy FirewallPolicy

The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.

description string

A description of the firewall policy.

firewallPolicyName string

The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.

tags Tag[]

An array of key-value pairs to apply to this resource.

For more information, see Tag .

firewall_policy FirewallPolicyArgs

The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.

description str

A description of the firewall policy.

firewall_policy_name str

The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.

tags Sequence[TagArgs]

An array of key-value pairs to apply to this resource.

For more information, see Tag .

firewallPolicy Property Map

The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.

description String

A description of the firewall policy.

firewallPolicyName String

The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.

tags List<Property Map>

An array of key-value pairs to apply to this resource.

For more information, see Tag .

Outputs

All input properties are implicitly available as output properties. Additionally, the FirewallPolicy resource produces the following output properties:

FirewallPolicyArn string: The Amazon Resource Name (ARN) of the FirewallPolicy .
FirewallPolicyId string: The unique ID of the FirewallPolicy resource.
Id string: The provider-assigned unique ID for this managed resource.

FirewallPolicyArn string: The Amazon Resource Name (ARN) of the FirewallPolicy .
FirewallPolicyId string: The unique ID of the FirewallPolicy resource.
Id string: The provider-assigned unique ID for this managed resource.

firewallPolicyArn String: The Amazon Resource Name (ARN) of the FirewallPolicy .
firewallPolicyId String: The unique ID of the FirewallPolicy resource.
id String: The provider-assigned unique ID for this managed resource.

firewallPolicyArn string: The Amazon Resource Name (ARN) of the FirewallPolicy .
firewallPolicyId string: The unique ID of the FirewallPolicy resource.
id string: The provider-assigned unique ID for this managed resource.

firewall_policy_arn str: The Amazon Resource Name (ARN) of the FirewallPolicy .
firewall_policy_id str: The unique ID of the FirewallPolicy resource.
id str: The provider-assigned unique ID for this managed resource.

firewallPolicyArn String: The Amazon Resource Name (ARN) of the FirewallPolicy .
firewallPolicyId String: The unique ID of the FirewallPolicy resource.
id String: The provider-assigned unique ID for this managed resource.

Supporting Types

FirewallPolicy, FirewallPolicyArgs

StatelessDefaultActions List<string>

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

StatelessFragmentDefaultActions List<string>

The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

PolicyVariables Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyPolicyVariablesProperties

Contains variables that you can use to override default Suricata settings in your firewall policy.

StatefulDefaultActions List<string>

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

aws:drop_strict
aws:drop_established
aws:alert_strict
aws:alert_established

For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

StatefulEngineOptions Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulEngineOptions

Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.

StatefulRuleGroupReferences List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulRuleGroupReference>

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

StatelessCustomActions List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyCustomAction>

The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.

StatelessRuleGroupReferences List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatelessRuleGroupReference>

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

TlsInspectionConfigurationArn string

The Amazon Resource Name (ARN) of the TLS inspection configuration.

StatelessDefaultActions []string

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

StatelessFragmentDefaultActions []string

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

PolicyVariables FirewallPolicyPolicyVariablesProperties

Contains variables that you can use to override default Suricata settings in your firewall policy.

StatefulDefaultActions []string

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

aws:drop_strict
aws:drop_established
aws:alert_strict
aws:alert_established

For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

StatefulEngineOptions FirewallPolicyStatefulEngineOptions

StatefulRuleGroupReferences []FirewallPolicyStatefulRuleGroupReference

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

StatelessCustomActions []FirewallPolicyCustomAction

StatelessRuleGroupReferences []FirewallPolicyStatelessRuleGroupReference

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

TlsInspectionConfigurationArn string

The Amazon Resource Name (ARN) of the TLS inspection configuration.

statelessDefaultActions List<String>

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

statelessFragmentDefaultActions List<String>

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

policyVariables FirewallPolicyPolicyVariablesProperties

Contains variables that you can use to override default Suricata settings in your firewall policy.

statefulDefaultActions List<String>

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

aws:drop_strict
aws:drop_established
aws:alert_strict
aws:alert_established

For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

statefulEngineOptions FirewallPolicyStatefulEngineOptions

statefulRuleGroupReferences List<FirewallPolicyStatefulRuleGroupReference>

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

statelessCustomActions List<FirewallPolicyCustomAction>

statelessRuleGroupReferences List<FirewallPolicyStatelessRuleGroupReference>

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

tlsInspectionConfigurationArn String

The Amazon Resource Name (ARN) of the TLS inspection configuration.

statelessDefaultActions string[]

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

statelessFragmentDefaultActions string[]

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

policyVariables FirewallPolicyPolicyVariablesProperties

Contains variables that you can use to override default Suricata settings in your firewall policy.

statefulDefaultActions string[]

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

aws:drop_strict
aws:drop_established
aws:alert_strict
aws:alert_established

For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

statefulEngineOptions FirewallPolicyStatefulEngineOptions

statefulRuleGroupReferences FirewallPolicyStatefulRuleGroupReference[]

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

statelessCustomActions FirewallPolicyCustomAction[]

statelessRuleGroupReferences FirewallPolicyStatelessRuleGroupReference[]

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

tlsInspectionConfigurationArn string

The Amazon Resource Name (ARN) of the TLS inspection configuration.

stateless_default_actions Sequence[str]

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

stateless_fragment_default_actions Sequence[str]

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

policy_variables FirewallPolicyPolicyVariablesProperties

Contains variables that you can use to override default Suricata settings in your firewall policy.

stateful_default_actions Sequence[str]

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

aws:drop_strict
aws:drop_established
aws:alert_strict
aws:alert_established

For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

stateful_engine_options FirewallPolicyStatefulEngineOptions

stateful_rule_group_references Sequence[FirewallPolicyStatefulRuleGroupReference]

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

stateless_custom_actions Sequence[FirewallPolicyCustomAction]

stateless_rule_group_references Sequence[FirewallPolicyStatelessRuleGroupReference]

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

tls_inspection_configuration_arn str

The Amazon Resource Name (ARN) of the TLS inspection configuration.

statelessDefaultActions List<String>

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

statelessFragmentDefaultActions List<String>

You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

policyVariables Property Map

Contains variables that you can use to override default Suricata settings in your firewall policy.

statefulDefaultActions List<String>

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

aws:drop_strict
aws:drop_established
aws:alert_strict
aws:alert_established

For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

statefulEngineOptions Property Map

statefulRuleGroupReferences List<Property Map>

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

statelessCustomActions List<Property Map>

statelessRuleGroupReferences List<Property Map>

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

tlsInspectionConfigurationArn String

The Amazon Resource Name (ARN) of the TLS inspection configuration.

FirewallPolicyActionDefinition, FirewallPolicyActionDefinitionArgs

PublishMetricAction Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyPublishMetricAction

Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.

PublishMetricAction FirewallPolicyPublishMetricAction

Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

publishMetricAction FirewallPolicyPublishMetricAction

Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

publishMetricAction FirewallPolicyPublishMetricAction

Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

publish_metric_action FirewallPolicyPublishMetricAction

Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

publishMetricAction Property Map

Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

FirewallPolicyCustomAction, FirewallPolicyCustomActionArgs

ActionDefinition Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyActionDefinition: The custom action associated with the action name.
ActionName string: The descriptive name of the custom action. You can't change the name of a custom action after you create it.

ActionDefinition FirewallPolicyActionDefinition: The custom action associated with the action name.
ActionName string: The descriptive name of the custom action. You can't change the name of a custom action after you create it.

actionDefinition FirewallPolicyActionDefinition: The custom action associated with the action name.
actionName String: The descriptive name of the custom action. You can't change the name of a custom action after you create it.

actionDefinition FirewallPolicyActionDefinition: The custom action associated with the action name.
actionName string: The descriptive name of the custom action. You can't change the name of a custom action after you create it.

action_definition FirewallPolicyActionDefinition: The custom action associated with the action name.
action_name str: The descriptive name of the custom action. You can't change the name of a custom action after you create it.

actionDefinition Property Map: The custom action associated with the action name.
actionName String: The descriptive name of the custom action. You can't change the name of a custom action after you create it.

FirewallPolicyDimension, FirewallPolicyDimensionArgs

Value string: The value to use in the custom metric dimension.

Value string: The value to use in the custom metric dimension.

value String: The value to use in the custom metric dimension.

value string: The value to use in the custom metric dimension.

value str: The value to use in the custom metric dimension.

value String: The value to use in the custom metric dimension.

FirewallPolicyIpSet, FirewallPolicyIpSetArgs

Definition List<string>: The list of IP addresses and address ranges, in CIDR notation.

Definition []string: The list of IP addresses and address ranges, in CIDR notation.

definition List<String>: The list of IP addresses and address ranges, in CIDR notation.

definition string[]: The list of IP addresses and address ranges, in CIDR notation.

definition Sequence[str]: The list of IP addresses and address ranges, in CIDR notation.

definition List<String>: The list of IP addresses and address ranges, in CIDR notation.

FirewallPolicyOverrideAction, FirewallPolicyOverrideActionArgs

DropToAlert: DROP_TO_ALERT

FirewallPolicyOverrideActionDropToAlert: DROP_TO_ALERT

DropToAlert: DROP_TO_ALERT

DropToAlert: DROP_TO_ALERT

DROP_TO_ALERT: DROP_TO_ALERT

"DROP_TO_ALERT": DROP_TO_ALERT

FirewallPolicyPolicyVariablesProperties, FirewallPolicyPolicyVariablesPropertiesArgs

RuleVariables Dictionary<string, Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyIpSet>

RuleVariables map[string]FirewallPolicyIpSet

ruleVariables Map<String,FirewallPolicyIpSet>

ruleVariables {[key: string]: FirewallPolicyIpSet}

rule_variables Mapping[str, FirewallPolicyIpSet]

ruleVariables Map<Property Map>

FirewallPolicyPublishMetricAction, FirewallPolicyPublishMetricActionArgs

Dimensions List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyDimension>

Dimensions []FirewallPolicyDimension

dimensions List<FirewallPolicyDimension>

dimensions FirewallPolicyDimension[]

dimensions Sequence[FirewallPolicyDimension]

dimensions List<Property Map>

FirewallPolicyRuleOrder, FirewallPolicyRuleOrderArgs

DefaultActionOrder: DEFAULT_ACTION_ORDER
StrictOrder: STRICT_ORDER

FirewallPolicyRuleOrderDefaultActionOrder: DEFAULT_ACTION_ORDER
FirewallPolicyRuleOrderStrictOrder: STRICT_ORDER

DefaultActionOrder: DEFAULT_ACTION_ORDER
StrictOrder: STRICT_ORDER

DefaultActionOrder: DEFAULT_ACTION_ORDER
StrictOrder: STRICT_ORDER

DEFAULT_ACTION_ORDER: DEFAULT_ACTION_ORDER
STRICT_ORDER: STRICT_ORDER

"DEFAULT_ACTION_ORDER": DEFAULT_ACTION_ORDER
"STRICT_ORDER": STRICT_ORDER

FirewallPolicyStatefulEngineOptions, FirewallPolicyStatefulEngineOptionsArgs

FlowTimeouts Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties

Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.

RuleOrder Pulumi.AwsNative.NetworkFirewall.FirewallPolicyRuleOrder

Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide .

StreamExceptionPolicy Pulumi.AwsNative.NetworkFirewall.FirewallPolicyStreamExceptionPolicy

Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

FlowTimeouts FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties

Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.

RuleOrder FirewallPolicyRuleOrder

StreamExceptionPolicy FirewallPolicyStreamExceptionPolicy

Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

flowTimeouts FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties

Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.

ruleOrder FirewallPolicyRuleOrder

streamExceptionPolicy FirewallPolicyStreamExceptionPolicy

Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

flowTimeouts FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties

Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.

ruleOrder FirewallPolicyRuleOrder

streamExceptionPolicy FirewallPolicyStreamExceptionPolicy

Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

flow_timeouts FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties

Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.

rule_order FirewallPolicyRuleOrder

stream_exception_policy FirewallPolicyStreamExceptionPolicy

Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

flowTimeouts Property Map

Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.

ruleOrder "DEFAULT_ACTION_ORDER" | "STRICT_ORDER"

streamExceptionPolicy "DROP" | "CONTINUE" | "REJECT"

Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties, FirewallPolicyStatefulEngineOptionsFlowTimeoutsPropertiesArgs

TcpIdleTimeoutSeconds int

TcpIdleTimeoutSeconds int

tcpIdleTimeoutSeconds Integer

tcpIdleTimeoutSeconds number

tcp_idle_timeout_seconds int

tcpIdleTimeoutSeconds Number

FirewallPolicyStatefulRuleGroupOverride, FirewallPolicyStatefulRuleGroupOverrideArgs

Action Pulumi.AwsNative.NetworkFirewall.FirewallPolicyOverrideAction: The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.

Action FirewallPolicyOverrideAction: The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.

action FirewallPolicyOverrideAction: The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.

action FirewallPolicyOverrideAction: The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.

action FirewallPolicyOverrideAction: The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.

action "DROP_TO_ALERT": The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.

FirewallPolicyStatefulRuleGroupReference, FirewallPolicyStatefulRuleGroupReferenceArgs

ResourceArn string

The Amazon Resource Name (ARN) of the stateful rule group.

Override Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulRuleGroupOverride

The action that allows the policy owner to override the behavior of the rule group within a policy.

Priority int

An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy . This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.

Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.

You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.

ResourceArn string

The Amazon Resource Name (ARN) of the stateful rule group.

Override FirewallPolicyStatefulRuleGroupOverride

The action that allows the policy owner to override the behavior of the rule group within a policy.

Priority int

resourceArn String

The Amazon Resource Name (ARN) of the stateful rule group.

override FirewallPolicyStatefulRuleGroupOverride

The action that allows the policy owner to override the behavior of the rule group within a policy.

priority Integer

resourceArn string

The Amazon Resource Name (ARN) of the stateful rule group.

override FirewallPolicyStatefulRuleGroupOverride

The action that allows the policy owner to override the behavior of the rule group within a policy.

priority number

resource_arn str

The Amazon Resource Name (ARN) of the stateful rule group.

override FirewallPolicyStatefulRuleGroupOverride

The action that allows the policy owner to override the behavior of the rule group within a policy.

priority int

resourceArn String

The Amazon Resource Name (ARN) of the stateful rule group.

override Property Map

The action that allows the policy owner to override the behavior of the rule group within a policy.

priority Number

FirewallPolicyStatelessRuleGroupReference, FirewallPolicyStatelessRuleGroupReferenceArgs

Priority int: An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
ResourceArn string: The Amazon Resource Name (ARN) of the stateless rule group.

Priority int: An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
ResourceArn string: The Amazon Resource Name (ARN) of the stateless rule group.

priority Integer: An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
resourceArn String: The Amazon Resource Name (ARN) of the stateless rule group.

priority number: An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
resourceArn string: The Amazon Resource Name (ARN) of the stateless rule group.

priority int: An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
resource_arn str: The Amazon Resource Name (ARN) of the stateless rule group.

priority Number: An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
resourceArn String: The Amazon Resource Name (ARN) of the stateless rule group.

FirewallPolicyStreamExceptionPolicy, FirewallPolicyStreamExceptionPolicyArgs

Drop: DROP
Continue: CONTINUE
Reject: REJECT

FirewallPolicyStreamExceptionPolicyDrop: DROP
FirewallPolicyStreamExceptionPolicyContinue: CONTINUE
FirewallPolicyStreamExceptionPolicyReject: REJECT

Drop: DROP
Continue: CONTINUE
Reject: REJECT

Drop: DROP
Continue: CONTINUE
Reject: REJECT

DROP: DROP
CONTINUE_: CONTINUE
REJECT: REJECT

"DROP": DROP
"CONTINUE": CONTINUE
"REJECT": REJECT

Tag, TagArgs

Key string: The key name of the tag
Value string: The value of the tag

Key string: The key name of the tag
Value string: The value of the tag

key String: The key name of the tag
value String: The value of the tag

key string: The key name of the tag
value string: The value of the tag

key str: The key name of the tag
value str: The value of the tag

key String: The key name of the tag
value String: The value of the tag

Package Details

Repository: AWS Native pulumi/pulumi-aws-native
License: Apache-2.0

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.26.0 published on Wednesday, Mar 12, 2025 by Pulumi

pulumi/pulumi-aws-native

aws-native.networkfirewall.FirewallPolicy

On this page

On this page

Create FirewallPolicy Resource

Constructor syntax

Parameters

FirewallPolicy Resource Properties

Inputs

Outputs

Supporting Types

FirewallPolicy, FirewallPolicyArgs

FirewallPolicyActionDefinition, FirewallPolicyActionDefinitionArgs

FirewallPolicyCustomAction, FirewallPolicyCustomActionArgs

FirewallPolicyDimension, FirewallPolicyDimensionArgs

FirewallPolicyIpSet, FirewallPolicyIpSetArgs

FirewallPolicyOverrideAction, FirewallPolicyOverrideActionArgs

FirewallPolicyPolicyVariablesProperties, FirewallPolicyPolicyVariablesPropertiesArgs

FirewallPolicyPublishMetricAction, FirewallPolicyPublishMetricActionArgs

FirewallPolicyRuleOrder, FirewallPolicyRuleOrderArgs

FirewallPolicyStatefulEngineOptions, FirewallPolicyStatefulEngineOptionsArgs

FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties, FirewallPolicyStatefulEngineOptionsFlowTimeoutsPropertiesArgs

FirewallPolicyStatefulRuleGroupOverride, FirewallPolicyStatefulRuleGroupOverrideArgs

FirewallPolicyStatefulRuleGroupReference, FirewallPolicyStatefulRuleGroupReferenceArgs

FirewallPolicyStatelessRuleGroupReference, FirewallPolicyStatelessRuleGroupReferenceArgs

FirewallPolicyStreamExceptionPolicy, FirewallPolicyStreamExceptionPolicyArgs

Tag, TagArgs

Package Details

On this page

On this page