AWS::Route53Resolver::FirewallRuleGroup - AWS CloudFormation

AWS::Route53Resolver::FirewallRuleGroup

High-level information for a firewall rule group. A firewall rule group is a collection of rules that DNS Firewall uses to filter DNS network traffic for a VPC. To retrieve the rules for the rule group, call ListFirewallRules.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Route53Resolver::FirewallRuleGroup",
  "Properties" : {
    "FirewallRules" : [ FirewallRule, ... ],
    "Name" : String,
    "Tags" : [ Tag, ... ]
  }
}

YAML

Type: AWS::Route53Resolver::FirewallRuleGroup
Properties:
  FirewallRules:
    - FirewallRule
  Name: String
  Tags:
    - Tag

Properties

FirewallRules

A list of the rules that you have defined.

Required: No

Type: Array of FirewallRule

Update requires: No interruption

Name

The name of the rule group.

Required: No

Type: String

Pattern: (?!^[0-9]+$)([a-zA-Z0-9\-_' ']+)

Minimum: 1

Maximum: 64

Update requires: Replacement

Tags

A list of the tag keys and values that you want to associate with the rule group.

Required: No

Type: Array of Tag

Maximum: 200

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the FirewallRuleGroupId.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The ARN (Amazon Resource Name) of the rule group.

CreationTime

The date and time that the rule group was created, in Unix time format and Coordinated Universal Time (UTC).

CreatorRequestId

A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of running the operation twice. This can be any unique string, for example, a timestamp.

Id

The ID of the rule group.

ModificationTime

The date and time that the rule group was last modified, in Unix time format and Coordinated Universal Time (UTC).

OwnerId

The AWS account ID for the account that created the rule group. When a rule group is shared with your account, this is the account that has shared the rule group with you.

RuleCount

The number of rules in the rule group.

ShareStatus

Whether the rule group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM).

Status

The status of the domain list.

StatusMessage

Additional information about the status of the rule group, if available.

Examples

Create Firewall rule group

The following example creates a DNS Firewall rule group with associated rules for ALLOW, ALERT, and BLOCK.

JSON

{
  "Type": "AWS::Route53Resolver::FirewallRuleGroup",
  "Properties": {
    "FirewallRules": [
      {
        "Action": "ALERT",
        "FirewallDomainListId": "rslvr-fdl-sampleID1",
        "Priority": 1
      },
      {
        "Action": "BLOCK",
        "BlockResponse": "NODATA",
        "FirewallDomainListId": "rslvr-fdl-sampleID2",
        "Priority": 2
      },
      {
        "Action": "BLOCK",
        "BlockResponse": "NXDOMAIN",
        "FirewallDomainListId": "rslvr-fdl-sampleID3",
        "Priority": 3
      },
      {
        "Action": "BLOCK",
        "BlockResponse": "OVERRIDE",
        "BlockOverrideDnsType": "CNAME",
        "BlockOverrideDomain": "www.example.com",
        "BlockOverrideTtl": 300,
        "FirewallDomainListId": "rslvr-fdl-sampleID4",
        "Priority": 4
      },
      {
        "Action": "ALLOW",
        "FirewallDomainListId": "rslvr-fdl-sampleID5",
        "Priority": 5
      }
    ],
    "Name": "SampleFirewallRuleGroup",
    "Tags": [
      {
        "Key": "LineOfBusiness",
        "Value": "Engineering"
      }
    ]
  }
}

YAML

Type: AWS::Route53Resolver::FirewallRuleGroup
Properties:
  FirewallRules:
    - Action: ALERT
      FirewallDomainListId: rslvr-fdl-sampleID1
      Priority: 1
    - Action: BLOCK
      BlockResponse: NODATA
      FirewallDomainListId: rslvr-fdl-sampleID2
      Priority: 2
    - Action: BLOCK
      BlockResponse: NXDOMAIN
      FirewallDomainListId: rslvr-fdl-sampleID3
      Priority: 3
    - Action: BLOCK
      BlockResponse: OVERRIDE
      BlockOverrideDnsType: CNAME
      BlockOverrideDomain: "www.example.com"
      BlockOverrideTtl: 300
      FirewallDomainListId: rslvr-fdl-sampleID4
      Priority: 4
    - Action: ALLOW
      FirewallDomainListId: rslvr-fdl-sampleID5
      Priority: 5
  Name: SampleFirewallRuleGroup
  Tags:
    - Key: LineOfBusiness
      Value: Engineering
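As an added pre-deployment check (not part of the AWS documentation or of CloudFormation itself), the following Python function applies the constraints this page documents to one FirewallRuleGroup resource before it is submitted: the Name pattern and length limits, the Tags maximum, the three rule actions, and the per-rule properties shown above. It assumes that a BLOCK rule with BlockResponse OVERRIDE must carry all three BlockOverride* properties (inferred from the example above, not stated as a rule on this page), and the domain list IDs in the sample resources are constructed placeholders.

```python
import re

# Constraints documented on this page for AWS::Route53Resolver::FirewallRuleGroup.
NAME_PATTERN = re.compile(r"(?!^[0-9]+$)([a-zA-Z0-9\-_' ']+)")
NAME_MIN, NAME_MAX, TAGS_MAX = 1, 64, 200
VALID_ACTIONS = {"ALLOW", "ALERT", "BLOCK"}
# Assumption (inferred from the page's example, not stated as a rule on this page):
# a BLOCK rule whose BlockResponse is OVERRIDE needs all three override properties.
OVERRIDE_KEYS = ("BlockOverrideDnsType", "BlockOverrideDomain", "BlockOverrideTtl")


def validate_rule_group(resource: dict) -> list:
    """Return the list of problems found in one rule group resource (empty if clean)."""
    problems = []
    if resource.get("Type") != "AWS::Route53Resolver::FirewallRuleGroup":
        return ["Type is not AWS::Route53Resolver::FirewallRuleGroup"]
    props = resource.get("Properties", {})
    name = props.get("Name")
    if name is not None:
        if not NAME_MIN <= len(name) <= NAME_MAX:
            problems.append(f"Name length {len(name)} outside {NAME_MIN}..{NAME_MAX}")
        if not NAME_PATTERN.fullmatch(name):  # rejects all-digit names, odd characters
            problems.append(f"Name {name!r} does not match the documented pattern")
    if len(props.get("Tags", [])) > TAGS_MAX:
        problems.append(f"more than {TAGS_MAX} tags")
    for i, rule in enumerate(props.get("FirewallRules", [])):
        action = rule.get("Action")
        if action not in VALID_ACTIONS:
            problems.append(f"rule {i}: unknown Action {action!r}")
        for key in ("FirewallDomainListId", "Priority"):
            if key not in rule:
                problems.append(f"rule {i}: missing {key}")
        if action == "BLOCK" and rule.get("BlockResponse") == "OVERRIDE":
            missing = [k for k in OVERRIDE_KEYS if k not in rule]
            if missing:
                problems.append(f"rule {i}: OVERRIDE without {', '.join(missing)}")
    return problems


# Constructed sample resources; the domain list IDs are placeholders, not real IDs.
GOOD_RESOURCE = {"Type": "AWS::Route53Resolver::FirewallRuleGroup", "Properties": {
    "Name": "SampleFirewallRuleGroup", "Tags": [{"Key": "LineOfBusiness", "Value": "Engineering"}],
    "FirewallRules": [
        {"Action": "ALERT", "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER1", "Priority": 1},
        {"Action": "BLOCK", "BlockResponse": "OVERRIDE", "BlockOverrideDnsType": "CNAME",
         "BlockOverrideDomain": "www.example.com", "BlockOverrideTtl": 300,
         "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER2", "Priority": 2}]}}
BAD_RESOURCE = {"Type": "AWS::Route53Resolver::FirewallRuleGroup", "Properties": {
    "Name": "12345", "FirewallRules": [
        {"Action": "BLOCK", "BlockResponse": "OVERRIDE", "BlockOverrideDnsType": "CNAME",
         "BlockOverrideDomain": "www.example.com", "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER3",
         "Priority": 1},
        {"Action": "DROP", "FirewallDomainListId": "rslvr-fdl-PLACEHOLDER4", "Priority": 2}]}}
```

Running `validate_rule_group(BAD_RESOURCE)` reports the all-digit name, the OVERRIDE rule lacking BlockOverrideTtl, and the unknown DROP action, while the good resource returns an empty list.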