AWS::Route53Resolver::FirewallRuleGroupAssociation - Amazon CloudFormation


An association between a firewall rule group and a VPC, which enables DNS filtering for the VPC.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::Route53Resolver::FirewallRuleGroupAssociation",
  "Properties" : {
      "FirewallRuleGroupId" : String,
      "MutationProtection" : String,
      "Name" : String,
      "Priority" : Integer,
      "Tags" : [ Tag, ... ],
      "VpcId" : String
    }
}


YAML

Type: AWS::Route53Resolver::FirewallRuleGroupAssociation
Properties:
  FirewallRuleGroupId: String
  MutationProtection: String
  Name: String
  Priority: Integer
  Tags:
    - Tag
  VpcId: String



FirewallRuleGroupId

The unique identifier of the firewall rule group.

Required: Yes

Type: String

Minimum: 1

Maximum: 64

Update requires: Replacement


MutationProtection

If enabled, this setting disallows modification or removal of the association, to help prevent accidentally altering DNS firewall protections.

Required: No

Type: String

Allowed values: ENABLED | DISABLED

Update requires: No interruption


Name

The name of the association.

Required: No

Type: String

Pattern: (?!^[0-9]+$)([a-zA-Z0-9\-_' ']+)

Minimum: 0

Maximum: 64

Update requires: No interruption


Priority

The setting that determines the processing order of the rule group among the rule groups that are associated with a single VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting.

You must specify a unique priority for each rule group that you associate with a single VPC. To make it easier to insert rule groups later, leave space between the numbers, for example, use 101, 200, and so on. You can change the priority setting for a rule group association after you create it.

The allowed values for Priority are between 100 and 9900 (excluding 100 and 9900).

Required: Yes

Type: Integer

Update requires: No interruption


Tags

A list of the tag keys and values that you want to associate with the rule group.

Required: No

Type: Array of Tag

Maximum: 200

Update requires: No interruption


VpcId

The unique identifier of the VPC that is associated with the rule group.

Required: Yes

Type: String

Minimum: 1

Maximum: 64

Update requires: Replacement
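
The property constraints above can be checked before deployment. The following is an added example, not part of the AWS documentation: a static check over a parsed template that flags Priority values outside the allowed range, duplicate priorities on one VPC, Name values that violate the pattern, and associations without mutation protection. The function name, the sample template and its IDs are constructed, and treating anything other than ENABLED as a finding is a policy assumption of this example.

```python
import json
import re
from collections import defaultdict

ASSOC_TYPE = "AWS::Route53Resolver::FirewallRuleGroupAssociation"
# Name pattern copied from the property reference above.
NAME_RE = re.compile(r"(?!^[0-9]+$)([a-zA-Z0-9\-_' ']+)")

def check_associations(template):
    """Return sorted (logical_id, message) findings for a parsed template dict."""
    findings = []
    seen = defaultdict(dict)  # VpcId (serialised) -> {priority: logical_id}
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") != ASSOC_TYPE:
            continue
        props = res.get("Properties", {})
        for req in ("FirewallRuleGroupId", "Priority", "VpcId"):
            if req not in props:
                findings.append((lid, f"missing required property {req}"))
        prio = props.get("Priority")
        # Intrinsics such as {"Ref": ...} cannot be resolved statically; skip them.
        if isinstance(prio, int) and not isinstance(prio, bool):
            if not 100 < prio < 9900:  # both bounds are excluded
                findings.append((lid, f"Priority {prio} outside 101..9899"))
            vpc = json.dumps(props.get("VpcId"), sort_keys=True)
            first = seen[vpc].setdefault(prio, lid)
            if first != lid:
                findings.append((lid, f"Priority {prio} already used by {first}"))
        # Policy assumption of this example: protection must be switched on.
        if props.get("MutationProtection") != "ENABLED":
            findings.append((lid, "MutationProtection is not ENABLED"))
        name = props.get("Name")
        if isinstance(name, str) and (len(name) > 64 or not NAME_RE.fullmatch(name)):
            findings.append((lid, f"Name {name!r} violates pattern or length"))
    return sorted(findings)

# Constructed sample template; all IDs are placeholders.
SAMPLE = {"Resources": {
    "AssocA": {"Type": ASSOC_TYPE, "Properties": {
        "FirewallRuleGroupId": "rslvr-frg-EXAMPLE1", "VpcId": {"Ref": "AppVpc"},
        "Priority": 101, "MutationProtection": "ENABLED", "Name": "baseline-blocklist"}},
    "AssocB": {"Type": ASSOC_TYPE, "Properties": {
        "FirewallRuleGroupId": "rslvr-frg-EXAMPLE2", "VpcId": {"Ref": "AppVpc"},
        "Priority": 101, "Name": "12345"}},
    "AssocC": {"Type": ASSOC_TYPE, "Properties": {
        "FirewallRuleGroupId": "rslvr-frg-EXAMPLE3", "VpcId": {"Ref": "AppVpc"},
        "Priority": 100, "MutationProtection": "DISABLED"}},
}}

if __name__ == "__main__":
    for logical_id, message in check_associations(SAMPLE):
        print(f"{logical_id}: {message}")
```

A Priority given as an intrinsic function is not evaluated, so the range and uniqueness checks apply only to literal integers.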

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the FirewallRuleGroupAssociation ID.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The Amazon Resource Name (ARN) of the firewall rule group association.


The date and time that the association was created, in Unix time format and Coordinated Universal Time (UTC).


A unique string defined by you to identify the request. This allows you to retry failed requests without the risk of running the operation twice. This can be any unique string, for example, a timestamp.


The identifier for the association.


The owner of the association, used only for associations that are not managed by you. If you use Amazon Firewall Manager to manage your firewalls from DNS Firewall, then this reports Firewall Manager as the managed owner.


The date and time that the association was last modified, in Unix time format and Coordinated Universal Time (UTC).


The current status of the association.


Additional information about the status of the response, if available.