AWS::NetworkFirewall::RuleGroup RulesSourceList
Stateful inspection criteria for a domain list rule group.
For HTTPS traffic, domain filtering is SNI-based. It uses the server name indicator extension of the TLS handshake.
By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, you set the HOME_NET
rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges. For more information, see AWS::NetworkFirewall::RuleGroup RuleVariables in this guide and Stateful domain list rule groups in Amazon Network Firewall in the
Network Firewall Developer Guide
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "GeneratedRulesType" :
String
, "Targets" :[ String, ... ]
, "TargetTypes" :[ String, ... ]
}
YAML
GeneratedRulesType:
String
Targets:- String
TargetTypes:- String
Properties
GeneratedRulesType
-
Whether you want to allow or deny access to the domains in your target list.
Required: Yes
Type: String
Allowed values:
ALLOWLIST | DENYLIST
Update requires: No interruption
Targets
-
The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:
-
Explicit names. For example,
abc.example.com
matches only the domainabc.example.com
. -
Names that use a domain wildcard, which you indicate with an initial '
.
'. For example,.example.com
matchesexample.com
and matches all subdomains ofexample.com
, such asabc.example.com
andwww.example.com
.
Required: Yes
Type: Array of String
Update requires: No interruption
-
TargetTypes
-
The types of targets to inspect for. Valid values are
TLS_SNI
andHTTP_HOST
.Required: Yes
Type: Array of String
Update requires: No interruption