
aws_network_firewall_tls_configuration

account_id

Type: STRING

tags

Type: UNORDERED_LIST_STRING

tls_inspection_configuration

Type: STRUCT
Provider name: TLSInspectionConfiguration
Description: The object that defines a TLS inspection configuration. This, along with TLSInspectionConfigurationResponse, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling DescribeTLSInspectionConfiguration. Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination. To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see Inspecting SSL/TLS traffic with TLS inspection configurations in the Network Firewall Developer Guide.

  • server_certificate_configurations
    Type: UNORDERED_LIST_STRUCT
    Provider name: ServerCertificateConfigurations
    Description: Lists the server certificate configurations that are associated with the TLS configuration.
    • certificate_authority_arn
      Type: STRING
      Provider name: CertificateAuthorityArn
      Description: The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within Certificate Manager (ACM) to use for outbound SSL/TLS inspection. The following limitations apply:
      • You can use CA certificates that you imported into ACM, but you can’t generate CA certificates with ACM.
      • You can’t use certificates issued by Private Certificate Authority.
      For more information about configuring certificates for outbound inspection, see Using SSL/TLS certificates with TLS inspection configurations in the Network Firewall Developer Guide. For information about working with certificates in ACM, see Importing certificates in the Certificate Manager User Guide.
    • check_certificate_revocation_status
      Type: STRUCT
      Provider name: CheckCertificateRevocationStatus
      Description: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unknown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a CertificateAuthorityArn in ServerCertificateConfiguration.
      • revoked_status_action
        Type: STRING
        Provider name: RevokedStatusAction
        Description: Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has a revoked status.
        • PASS - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection.
        • DROP - Network Firewall closes the connection and drops subsequent packets for that connection.
        • REJECT - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. REJECT is available only for TCP traffic.
      • unknown_status_action
        Type: STRING
        Provider name: UnknownStatusAction
        Description: Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has an unknown status, or a status that cannot be determined for any other reason, including when the service is unable to connect to the OCSP and CRL endpoints for the certificate.
        • PASS - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection.
        • DROP - Network Firewall closes the connection and drops subsequent packets for that connection.
        • REJECT - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. REJECT is available only for TCP traffic.
    • scopes
      Type: UNORDERED_LIST_STRUCT
      Provider name: Scopes
      Description: A list of scopes.
      • destination_ports
        Type: UNORDERED_LIST_STRUCT
        Provider name: DestinationPorts
        Description: The destination ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any destination port. You can specify individual ports, for example 1994, and you can specify port ranges, such as 1990:1994.
        • from_port
          Type: INT32
          Provider name: FromPort
          Description: The lower limit of the port range. This must be less than or equal to the ToPort specification.
        • to_port
          Type: INT32
          Provider name: ToPort
          Description: The upper limit of the port range. This must be greater than or equal to the FromPort specification.
      • destinations
        Type: UNORDERED_LIST_STRUCT
        Provider name: Destinations
        Description: The destination IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this matches with any destination address.
        • address_definition
          Type: STRING
          Provider name: AddressDefinition
          Description: Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. Examples:
          • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
          • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
          • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.
          • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.
          For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
      • protocols
        Type: UNORDERED_LIST_INT32
        Provider name: Protocols
        Description: The protocols to inspect for, specified using the assigned internet protocol number (IANA) for each protocol. If not specified, this matches with any protocol. Network Firewall currently supports only TCP.
      • source_ports
        Type: UNORDERED_LIST_STRUCT
        Provider name: SourcePorts
        Description: The source ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any source port. You can specify individual ports, for example 1994, and you can specify port ranges, such as 1990:1994.
        • from_port
          Type: INT32
          Provider name: FromPort
          Description: The lower limit of the port range. This must be less than or equal to the ToPort specification.
        • to_port
          Type: INT32
          Provider name: ToPort
          Description: The upper limit of the port range. This must be greater than or equal to the FromPort specification.
      • sources
        Type: UNORDERED_LIST_STRUCT
        Provider name: Sources
        Description: The source IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this matches with any source address.
        • address_definition
          Type: STRING
          Provider name: AddressDefinition
          Description: Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. Examples:
          • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
          • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
          • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.
          • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.
          For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
    • server_certificates
      Type: UNORDERED_LIST_STRUCT
      Provider name: ServerCertificates
      Description: The list of server certificates to use for inbound SSL/TLS inspection.
      • resource_arn
        Type: STRING
        Provider name: ResourceArn
        Description: The Amazon Resource Name (ARN) of the Certificate Manager SSL/TLS server certificate that’s used for inbound SSL/TLS inspection.
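As an added example (not code from Datadog or AWS), the check below audits one collected resource in the field layout listed above and flags the settings a reviewer would want to look at: outbound inspection with no revocation check, a revocation check whose revoked or unknown status action is PASS, a scope with no destinations (which matches any address), and an inverted port range. The sample document, its account ID and its ARN are constructed placeholders.

```python
# Added example (not Datadog's or AWS's code): audit one collected
# aws_network_firewall_tls_configuration resource for weak settings.
# Field names follow the schema above; the sample document is constructed.
SAFE_ACTIONS = {"DROP", "REJECT"}  # PASS lets the connection continue

def audit_tls_configuration(resource: dict) -> list:
    """Return a list of human-readable findings for one resource document."""
    findings = []
    cfg = resource.get("tls_inspection_configuration", {})
    for i, scc in enumerate(cfg.get("server_certificate_configurations", [])):
        where = f"server_certificate_configurations[{i}]"
        outbound = bool(scc.get("certificate_authority_arn"))
        revocation = scc.get("check_certificate_revocation_status")
        if outbound and revocation is None:
            findings.append(f"{where}: outbound inspection without revocation checking")
        if revocation is not None:
            if not outbound:  # the schema says a CA ARN is required for this check
                findings.append(f"{where}: revocation check needs certificate_authority_arn")
            for field in ("revoked_status_action", "unknown_status_action"):
                action = revocation.get(field)
                if action not in SAFE_ACTIONS:
                    findings.append(f"{where}: {field}={action!r} lets the connection through")
        for j, scope in enumerate(scc.get("scopes", [])):
            sw = f"{where}.scopes[{j}]"
            if not scope.get("destinations"):  # unset means any destination address
                findings.append(f"{sw}: no destinations, so every destination is decrypted")
            for side in ("destination_ports", "source_ports"):
                for pr in scope.get(side, []):
                    if pr.get("from_port", 0) > pr.get("to_port", 0):
                        findings.append(f"{sw}: {side} range has from_port > to_port")
    return findings

SAMPLE_RESOURCE = {  # constructed sample; account ID and ARN are placeholders
    "account_id": "123456789012",
    "tls_inspection_configuration": {"server_certificate_configurations": [{
        "certificate_authority_arn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
        "check_certificate_revocation_status": {
            "revoked_status_action": "DROP", "unknown_status_action": "PASS"},
        "scopes": [{"protocols": [6],
                    "destination_ports": [{"from_port": 443, "to_port": 443}],
                    "destinations": [{"address_definition": "10.0.0.0/16"}]}],
    }]},
}

if __name__ == "__main__":
    for finding in audit_tls_configuration(SAMPLE_RESOURCE):
        print(finding)
```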

tls_inspection_configuration_response

Type: STRUCT
Provider name: TLSInspectionConfigurationResponse
Description: The high-level properties of a TLS inspection configuration. This, along with the TLSInspectionConfiguration, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling DescribeTLSInspectionConfiguration.

  • certificate_authority
    Type: STRUCT
    Provider name: CertificateAuthority
    • certificate_arn
      Type: STRING
      Provider name: CertificateArn
      Description: The Amazon Resource Name (ARN) of the certificate.
    • certificate_serial
      Type: STRING
      Provider name: CertificateSerial
      Description: The serial number of the certificate.
    • status
      Type: STRING
      Provider name: Status
      Description: The status of the certificate.
    • status_message
      Type: STRING
      Provider name: StatusMessage
      Description: Contains details about the certificate status, including information about certificate errors.
  • certificates
    Type: UNORDERED_LIST_STRUCT
    Provider name: Certificates
    Description: A list of the certificates associated with the TLS inspection configuration.
    • certificate_arn
      Type: STRING
      Provider name: CertificateArn
      Description: The Amazon Resource Name (ARN) of the certificate.
    • certificate_serial
      Type: STRING
      Provider name: CertificateSerial
      Description: The serial number of the certificate.
    • status
      Type: STRING
      Provider name: Status
      Description: The status of the certificate.
    • status_message
      Type: STRING
      Provider name: StatusMessage
      Description: Contains details about the certificate status, including information about certificate errors.
  • description
    Type: STRING
    Provider name: Description
    Description: A description of the TLS inspection configuration.
  • encryption_configuration
    Type: STRUCT
    Provider name: EncryptionConfiguration
    Description: A complex type that contains the Amazon Web Services KMS encryption configuration settings for your TLS inspection configuration.
    • key_id
      Type: STRING
      Provider name: KeyId
      Description: The ID of the Amazon Web Services Key Management Service (KMS) customer managed key. You can use any of the key identifiers that KMS supports, unless you’re using a key that’s managed by another account. If you’re using a key managed by another account, then specify the key ARN. For more information, see Key ID in the Amazon Web Services KMS Developer Guide.
    • type
      Type: STRING
      Provider name: Type
      Description: The type of Amazon Web Services KMS key to use for encryption of your Network Firewall resources.
  • last_modified_time
    Type: TIMESTAMP
    Provider name: LastModifiedTime
    Description: The last time that the TLS inspection configuration was changed.
  • number_of_associations
    Type: INT32
    Provider name: NumberOfAssociations
    Description: The number of firewall policies that use this TLS inspection configuration.
  • tls_inspection_configuration_arn
    Type: STRING
    Provider name: TLSInspectionConfigurationArn
    Description: The Amazon Resource Name (ARN) of the TLS inspection configuration.
  • tls_inspection_configuration_id
    Type: STRING
    Provider name: TLSInspectionConfigurationId
    Description: A unique identifier for the TLS inspection configuration. This ID is returned in the responses to create and list commands. You provide it to operations such as update and delete.
  • tls_inspection_configuration_name
    Type: STRING
    Provider name: TLSInspectionConfigurationName
    Description: The descriptive name of the TLS inspection configuration. You can’t change the name of a TLS inspection configuration after you create it.
  • tls_inspection_configuration_status
    Type: STRING
    Provider name: TLSInspectionConfigurationStatus
    Description: Detailed information about the current status of a TLSInspectionConfiguration. You can retrieve this for a TLS inspection configuration by calling DescribeTLSInspectionConfiguration and providing the TLS inspection configuration name and ARN.

update_token

Type: STRING
Provider name: UpdateToken
Description: A token used for optimistic locking. Network Firewall returns a token to your requests that access the TLS inspection configuration. The token marks the state of the TLS inspection configuration resource at the time of the request. To make changes to the TLS inspection configuration, you provide the token in your request. Network Firewall uses the token to ensure that the TLS inspection configuration hasn’t changed since you last retrieved it. If it has changed, the operation fails with an InvalidTokenException. If this happens, retrieve the TLS inspection configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token.