---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# aws_network_firewall_tls_configuration{% #aws_network_firewall_tls_configuration %}

## `account_id`{% #account_id %}

**Type**: `STRING`

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `tls_inspection_configuration`{% #tls_inspection_configuration %}

**Type**: `STRUCT`**Provider name**: `TLSInspectionConfiguration`**Description**: The object that defines a TLS inspection configuration. This, along with TLSInspectionConfigurationResponse, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling DescribeTLSInspectionConfiguration. Network Firewall uses a TLS inspection configuration to decrypt traffic. Network Firewall re-encrypts the traffic before sending it to its destination. To use a TLS inspection configuration, you add it to a new Network Firewall firewall policy, then you apply the firewall policy to a firewall. Network Firewall acts as a proxy service to decrypt and inspect the traffic traveling through your firewalls. You can reference a TLS inspection configuration from more than one firewall policy, and you can use a firewall policy in more than one firewall. For more information about using TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection.html) in the Network Firewall Developer Guide.

- `server_certificate_configurations`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `ServerCertificateConfigurations`**Description**: Lists the server certificate configurations that are associated with the TLS configuration.
  - `certificate_authority_arn`**Type**: `STRING`**Provider name**: `CertificateAuthorityArn`**Description**: The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within Certificate Manager (ACM) to use for outbound SSL/TLS inspection. The following limitations apply:
    - You can use CA certificates that you imported into ACM, but you can't generate CA certificates with ACM.
    - You can't use certificates issued by Private Certificate Authority.
For more information about configuring certificates for outbound inspection, see [Using SSL/TLS certificates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the Network Firewall Developer Guide. For information about working with certificates in ACM, see [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the Certificate Manager User Guide.
  - `check_certificate_revocation_status`**Type**: `STRUCT`**Provider name**: `CheckCertificateRevocationStatus`**Description**: When enabled, Network Firewall checks whether the server certificate presented by the server in the SSL/TLS connection has a revoked or unknown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in ServerCertificateConfiguration.
    - `revoked_status_action`**Type**: `STRING`**Provider name**: `RevokedStatusAction`**Description**: Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has a revoked status.
      - PASS - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection.
      - DROP - Network Firewall closes the connection and drops subsequent packets for that connection.
      - REJECT - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. `REJECT` is available only for TCP traffic.
    - `unknown_status_action`**Type**: `STRING`**Provider name**: `UnknownStatusAction`**Description**: Configures how Network Firewall processes traffic when it determines that the certificate presented by the server in the SSL/TLS connection has an unknown status, or a status that cannot be determined for any other reason, including when the service is unable to connect to the OCSP and CRL endpoints for the certificate.
      - PASS - Allow the connection to continue, and pass subsequent packets to the stateful engine for inspection.
      - DROP - Network Firewall closes the connection and drops subsequent packets for that connection.
      - REJECT - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. `REJECT` is available only for TCP traffic.
  - `scopes`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Scopes`**Description**: A list of scopes.
    - `destination_ports`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `DestinationPorts`**Description**: The destination ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any destination port. You can specify individual ports, for example `1994`, and you can specify port ranges, such as `1990:1994`.
      - `from_port`**Type**: `INT32`**Provider name**: `FromPort`**Description**: The lower limit of the port range. This must be less than or equal to the `ToPort` specification.
      - `to_port`**Type**: `INT32`**Provider name**: `ToPort`**Description**: The upper limit of the port range. This must be greater than or equal to the `FromPort` specification.
    - `destinations`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Destinations`**Description**: The destination IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this matches with any destination address.
      - `address_definition`**Type**: `STRING`**Provider name**: `AddressDefinition`**Description**: Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. Examples:
        - To configure Network Firewall to inspect for the IP address 192.0.2.44, specify `192.0.2.44/32`.
        - To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24`.
        - To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128`.
        - To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64`.
For more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).
    - `protocols`**Type**: `UNORDERED_LIST_INT32`**Provider name**: `Protocols`**Description**: The protocols to inspect for, specified using the assigned internet protocol number (IANA) for each protocol. If not specified, this matches with any protocol. Network Firewall currently supports only TCP.
    - `source_ports`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `SourcePorts`**Description**: The source ports to decrypt for inspection, in Transmission Control Protocol (TCP) format. If not specified, this matches with any source port. You can specify individual ports, for example `1994`, and you can specify port ranges, such as `1990:1994`.
      - `from_port`**Type**: `INT32`**Provider name**: `FromPort`**Description**: The lower limit of the port range. This must be less than or equal to the `ToPort` specification.
      - `to_port`**Type**: `INT32`**Provider name**: `ToPort`**Description**: The upper limit of the port range. This must be greater than or equal to the `FromPort` specification.
    - `sources`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Sources`**Description**: The source IP addresses and address ranges to decrypt for inspection, in CIDR notation. If not specified, this matches with any source address.
      - `address_definition`**Type**: `STRING`**Provider name**: `AddressDefinition`**Description**: Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. Examples:
        - To configure Network Firewall to inspect for the IP address 192.0.2.44, specify `192.0.2.44/32`.
        - To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify `192.0.2.0/24`.
        - To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify `1111:0000:0000:0000:0000:0000:0000:0111/128`.
        - To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify `1111:0000:0000:0000:0000:0000:0000:0000/64`.
For more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).
  - `server_certificates`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `ServerCertificates`**Description**: The list of server certificates to use for inbound SSL/TLS inspection.
    - `resource_arn`**Type**: `STRING`**Provider name**: `ResourceArn`**Description**: The Amazon Resource Name (ARN) of the Certificate Manager SSL/TLS server certificate that's used for inbound SSL/TLS inspection.
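The following Python audit is added here as an example; it is not Datadog's or AWS's code. It walks a `TLSInspectionConfiguration` object in the shape described above (the `Provider name` keys) and reports the settings a reviewer would flag: a `PASS` action for revoked or unknown certificate status, which fails open; `CheckCertificateRevocationStatus` set without a `CertificateAuthorityArn`; a configuration with neither an outbound CA nor inbound server certificates; non-TCP protocol numbers; inverted port ranges; and CIDR entries with host bits set. The two sample configurations and their ARNs are constructed placeholders.

```python
"""Audit an AWS Network Firewall TLSInspectionConfiguration for fail-open and
invalid settings. Added example, not Datadog or AWS code; sample data below is
constructed and the ARNs are placeholders."""
from __future__ import annotations

import ipaddress

TCP = 6  # IANA protocol number; TLS inspection scopes support only TCP
ACTIONS = {"PASS", "DROP", "REJECT"}


def audit_tls_inspection_configuration(config: dict) -> list[str]:
    """Return a list of findings; an empty list means the configuration passed."""
    findings: list[str] = []
    for i, scc in enumerate(config.get("ServerCertificateConfigurations", [])):
        where = f"ServerCertificateConfigurations[{i}]"
        ca_arn = scc.get("CertificateAuthorityArn")
        revocation = scc.get("CheckCertificateRevocationStatus")
        if ca_arn and revocation is None:
            findings.append(f"{where}: outbound inspection without CheckCertificateRevocationStatus")
        if revocation is not None:
            if not ca_arn:
                findings.append(f"{where}: CheckCertificateRevocationStatus requires CertificateAuthorityArn")
            for key in ("RevokedStatusAction", "UnknownStatusAction"):
                action = revocation.get(key)
                if action not in ACTIONS:
                    findings.append(f"{where}: {key} must be one of {sorted(ACTIONS)}, got {action!r}")
                elif action == "PASS":
                    # PASS lets revoked or unverifiable certificates through to the stateful engine
                    findings.append(f"{where}: {key}=PASS fails open")
        if not ca_arn and not scc.get("ServerCertificates"):
            findings.append(f"{where}: neither CertificateAuthorityArn (outbound) nor ServerCertificates (inbound) set")
        for j, scope in enumerate(scc.get("Scopes", [])):
            findings.extend(_audit_scope(scope, f"{where}.Scopes[{j}]"))
    return findings


def _audit_scope(scope: dict, where: str) -> list[str]:
    """Check protocol numbers, port ranges and CIDR blocks inside one scope."""
    findings: list[str] = []
    for proto in scope.get("Protocols", []):
        if proto != TCP:
            findings.append(f"{where}: Protocols contains {proto}; only TCP (6) is supported")
    for key in ("SourcePorts", "DestinationPorts"):
        for pr in scope.get(key, []):
            lo, hi = pr.get("FromPort"), pr.get("ToPort")
            if not (isinstance(lo, int) and isinstance(hi, int) and 0 <= lo <= hi <= 65535):
                findings.append(f"{where}: {key} range {lo}:{hi} is invalid (FromPort must be <= ToPort)")
    for key in ("Sources", "Destinations"):
        for addr in scope.get(key, []):
            cidr = addr.get("AddressDefinition", "")
            try:
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                try:
                    net = ipaddress.ip_network(cidr, strict=False)
                    findings.append(f"{where}: {key} entry {cidr!r} has host bits set (did you mean {net} or a /{net.max_prefixlen}?)")
                except ValueError:
                    findings.append(f"{where}: {key} entry {cidr!r} is not valid CIDR")
    return findings


# Constructed sample: outbound inspection that fails open on revoked/unknown status
# and carries a non-canonical destination CIDR.
WEAK_CONFIG = {
    "ServerCertificateConfigurations": [{
        "CertificateAuthorityArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CA",
        "CheckCertificateRevocationStatus": {"RevokedStatusAction": "PASS", "UnknownStatusAction": "PASS"},
        "Scopes": [{
            "Protocols": [TCP],
            "Sources": [{"AddressDefinition": "10.0.0.0/8"}],
            "Destinations": [{"AddressDefinition": "192.0.2.44/24"}],
            "SourcePorts": [{"FromPort": 0, "ToPort": 65535}],
            "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
        }],
    }]
}

# Constructed sample: same scope, but revoked certificates are rejected and
# unverifiable ones dropped, so an OCSP/CRL outage cannot become a bypass.
HARDENED_CONFIG = {
    "ServerCertificateConfigurations": [{
        "CertificateAuthorityArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CA",
        "CheckCertificateRevocationStatus": {"RevokedStatusAction": "REJECT", "UnknownStatusAction": "DROP"},
        "Scopes": [{
            "Protocols": [TCP],
            "Sources": [{"AddressDefinition": "10.0.0.0/8"}],
            "Destinations": [{"AddressDefinition": "192.0.2.0/24"}],
            "SourcePorts": [{"FromPort": 0, "ToPort": 65535}],
            "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
        }],
    }]
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls_inspection_configuration(cfg) or "OK")
```

The choice between `DROP` and `REJECT` for the unknown-status case is a policy decision: `REJECT` gives the client an immediate TCP reset, `DROP` leaves the connection to time out; both fail closed, whereas `PASS` silently admits traffic whenever the firewall cannot reach the OCSP or CRL endpoints.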

## `tls_inspection_configuration_response`{% #tls_inspection_configuration_response %}

**Type**: `STRUCT`**Provider name**: `TLSInspectionConfigurationResponse`**Description**: The high-level properties of a TLS inspection configuration. This, along with the TLSInspectionConfiguration, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling DescribeTLSInspectionConfiguration.

- `certificate_authority`**Type**: `STRUCT`**Provider name**: `CertificateAuthority`
  - `certificate_arn`**Type**: `STRING`**Provider name**: `CertificateArn`**Description**: The Amazon Resource Name (ARN) of the certificate.
  - `certificate_serial`**Type**: `STRING`**Provider name**: `CertificateSerial`**Description**: The serial number of the certificate.
  - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: The status of the certificate.
  - `status_message`**Type**: `STRING`**Provider name**: `StatusMessage`**Description**: Contains details about the certificate status, including information about certificate errors.
- `certificates`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Certificates`**Description**: A list of the certificates associated with the TLS inspection configuration.
  - `certificate_arn`**Type**: `STRING`**Provider name**: `CertificateArn`**Description**: The Amazon Resource Name (ARN) of the certificate.
  - `certificate_serial`**Type**: `STRING`**Provider name**: `CertificateSerial`**Description**: The serial number of the certificate.
  - `status`**Type**: `STRING`**Provider name**: `Status`**Description**: The status of the certificate.
  - `status_message`**Type**: `STRING`**Provider name**: `StatusMessage`**Description**: Contains details about the certificate status, including information about certificate errors.
- `description`**Type**: `STRING`**Provider name**: `Description`**Description**: A description of the TLS inspection configuration.
- `encryption_configuration`**Type**: `STRUCT`**Provider name**: `EncryptionConfiguration`**Description**: A complex type that contains the Amazon Web Services KMS encryption configuration settings for your TLS inspection configuration.
  - `key_id`**Type**: `STRING`**Provider name**: `KeyId`**Description**: The ID of the Amazon Web Services Key Management Service (KMS) customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN. For more information, see [Key ID](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the Amazon Web Services KMS Developer Guide.
  - `type`**Type**: `STRING`**Provider name**: `Type`**Description**: The type of Amazon Web Services KMS key to use for encryption of your Network Firewall resources.
- `last_modified_time`**Type**: `TIMESTAMP`**Provider name**: `LastModifiedTime`**Description**: The last time that the TLS inspection configuration was changed.
- `number_of_associations`**Type**: `INT32`**Provider name**: `NumberOfAssociations`**Description**: The number of firewall policies that use this TLS inspection configuration.
- `tls_inspection_configuration_arn`**Type**: `STRING`**Provider name**: `TLSInspectionConfigurationArn`**Description**: The Amazon Resource Name (ARN) of the TLS inspection configuration.
- `tls_inspection_configuration_id`**Type**: `STRING`**Provider name**: `TLSInspectionConfigurationId`**Description**: A unique identifier for the TLS inspection configuration. This ID is returned in the responses to create and list commands. You provide it to operations such as update and delete.
- `tls_inspection_configuration_name`**Type**: `STRING`**Provider name**: `TLSInspectionConfigurationName`**Description**: The descriptive name of the TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.
- `tls_inspection_configuration_status`**Type**: `STRING`**Provider name**: `TLSInspectionConfigurationStatus`**Description**: Detailed information about the current status of a TLSInspectionConfiguration. You can retrieve this for a TLS inspection configuration by calling DescribeTLSInspectionConfiguration and providing the TLS inspection configuration name and ARN.

## `update_token`{% #update_token %}

**Type**: `STRING`**Provider name**: `UpdateToken`**Description**: A token used for optimistic locking. Network Firewall returns a token to your requests that access the TLS inspection configuration. The token marks the state of the TLS inspection configuration resource at the time of the request. To make changes to the TLS inspection configuration, you provide the token in your request. Network Firewall uses the token to ensure that the TLS inspection configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an `InvalidTokenException`. If this happens, retrieve the TLS inspection configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token.
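The read-modify-write loop that this token contract implies, added here as an example and not Datadog's or AWS's code. To run offline it uses an in-memory stand-in for the service whose method and parameter names follow the Describe and Update TLS inspection configuration calls referenced on this page; the configuration and ARN are constructed placeholders. In the demo a rival writer commits between the first describe and update, so the first attempt fails with `InvalidTokenException`, the loop re-reads the resource with its current token and reapplies the change on top of the rival's edit, and neither change is lost.

```python
"""Optimistic-locking update of a TLS inspection configuration using UpdateToken.
Added example, not Datadog or AWS code. FakeNetworkFirewall is a constructed
stand-in for the service; INITIAL_CONFIG and its ARN are placeholders."""
import copy
import uuid

NAME = "example-tls-config"

INITIAL_CONFIG = {  # constructed sample
    "ServerCertificateConfigurations": [{
        "CertificateAuthorityArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CA",
        "CheckCertificateRevocationStatus": {"RevokedStatusAction": "PASS", "UnknownStatusAction": "PASS"},
        "Scopes": [{"Protocols": [6], "DestinationPorts": [{"FromPort": 443, "ToPort": 443}]}],
    }]
}


class InvalidTokenException(Exception):
    """Raised when the supplied UpdateToken no longer matches the resource state."""


class FakeNetworkFirewall:
    """Minimal stand-in for the service's token semantics: every successful
    update replaces the token, and an update with a stale token is refused."""

    def __init__(self, name: str, config: dict):
        self._name, self._config, self._token = name, copy.deepcopy(config), str(uuid.uuid4())

    def describe_tls_inspection_configuration(self, TLSInspectionConfigurationName: str) -> dict:
        assert TLSInspectionConfigurationName == self._name
        return {"UpdateToken": self._token, "TLSInspectionConfiguration": copy.deepcopy(self._config)}

    def update_tls_inspection_configuration(self, TLSInspectionConfigurationName: str,
                                            TLSInspectionConfiguration: dict, UpdateToken: str) -> dict:
        assert TLSInspectionConfigurationName == self._name
        if UpdateToken != self._token:
            raise InvalidTokenException("configuration changed since it was last retrieved")
        self._config, self._token = copy.deepcopy(TLSInspectionConfiguration), str(uuid.uuid4())
        return {"UpdateToken": self._token}


def update_with_retry(client, name: str, mutate, max_attempts: int = 3) -> dict:
    """Read the current copy and token, apply mutate() to the copy, and write it
    back with that token; on InvalidTokenException start over from a fresh read."""
    for attempt in range(max_attempts):
        current = client.describe_tls_inspection_configuration(TLSInspectionConfigurationName=name)
        desired = mutate(copy.deepcopy(current["TLSInspectionConfiguration"]))
        try:
            return client.update_tls_inspection_configuration(
                TLSInspectionConfigurationName=name,
                TLSInspectionConfiguration=desired,
                UpdateToken=current["UpdateToken"])
        except InvalidTokenException:
            if attempt == max_attempts - 1:
                raise
    raise RuntimeError("unreachable")


def harden_revocation(config: dict) -> dict:
    """The change we want to make: fail closed on revoked or unknown status."""
    for scc in config.get("ServerCertificateConfigurations", []):
        if scc.get("CertificateAuthorityArn"):
            scc["CheckCertificateRevocationStatus"] = {"RevokedStatusAction": "REJECT", "UnknownStatusAction": "DROP"}
    return config


def demo_concurrent_update() -> dict:
    """A rival writer adds a destination port between our first describe and update.
    Returns how many attempts were needed and the final configuration."""
    client = FakeNetworkFirewall(NAME, INITIAL_CONFIG)
    attempts = {"n": 0}

    def mutate(config: dict) -> dict:
        attempts["n"] += 1
        if attempts["n"] == 1:  # simulate the race on the first attempt only
            rival = client.describe_tls_inspection_configuration(TLSInspectionConfigurationName=NAME)
            rival_cfg = rival["TLSInspectionConfiguration"]
            rival_cfg["ServerCertificateConfigurations"][0]["Scopes"][0]["DestinationPorts"].append(
                {"FromPort": 8443, "ToPort": 8443})
            client.update_tls_inspection_configuration(
                TLSInspectionConfigurationName=NAME, TLSInspectionConfiguration=rival_cfg,
                UpdateToken=rival["UpdateToken"])  # commits first; our token is now stale
        return harden_revocation(config)

    update_with_retry(client, NAME, mutate)
    final = client.describe_tls_inspection_configuration(TLSInspectionConfigurationName=NAME)
    return {"attempts": attempts["n"], "config": final["TLSInspectionConfiguration"]}


if __name__ == "__main__":
    print(demo_concurrent_update())
```

Against the real service the stand-in would be replaced by a `boto3` `network-firewall` client, the exception caught would be the client's own `InvalidTokenException`, and the update request would carry the ARN or name plus any other fields the real API requires; the retry structure is the same. The point of the loop is that `mutate` is re-run on the freshly retrieved copy, not on the stale one, so the rival's edit is preserved rather than overwritten.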
