feat(client-network-firewall): Network Firewall now introduces Reject and Alert action support for stateful domain list rule groups, providing customers with more granular control over their network traffic.

awstools · awstools · commit 75348db95ef8 · 2025-09-25T18:14:11.000Z
diff --git a/clients/client-network-firewall/src/commands/CreateRuleGroupCommand.ts b/clients/client-network-firewall/src/commands/CreateRuleGroupCommand.ts
@@ -75,7 +75,7 @@ export interface CreateRuleGroupCommandOutput extends CreateRuleGroupResponse, _
  *         TargetTypes: [ // TargetTypes // required
  *           "TLS_SNI" || "HTTP_HOST",
  *         ],
- *         GeneratedRulesType: "ALLOWLIST" || "DENYLIST", // required
+ *         GeneratedRulesType: "ALLOWLIST" || "DENYLIST" || "REJECTLIST" || "ALERTLIST", // required
  *       },
  *       StatefulRules: [ // StatefulRules
  *         { // StatefulRule
diff --git a/clients/client-network-firewall/src/commands/DescribeRuleGroupCommand.ts b/clients/client-network-firewall/src/commands/DescribeRuleGroupCommand.ts
@@ -80,7 +80,7 @@ export interface DescribeRuleGroupCommandOutput extends DescribeRuleGroupRespons
  * //         TargetTypes: [ // TargetTypes // required
  * //           "TLS_SNI" || "HTTP_HOST",
  * //         ],
- * //         GeneratedRulesType: "ALLOWLIST" || "DENYLIST", // required
+ * //         GeneratedRulesType: "ALLOWLIST" || "DENYLIST" || "REJECTLIST" || "ALERTLIST", // required
  * //       },
  * //       StatefulRules: [ // StatefulRules
  * //         { // StatefulRule
diff --git a/clients/client-network-firewall/src/commands/UpdateRuleGroupCommand.ts b/clients/client-network-firewall/src/commands/UpdateRuleGroupCommand.ts
@@ -79,7 +79,7 @@ export interface UpdateRuleGroupCommandOutput extends UpdateRuleGroupResponse, _
  *         TargetTypes: [ // TargetTypes // required
  *           "TLS_SNI" || "HTTP_HOST",
  *         ],
- *         GeneratedRulesType: "ALLOWLIST" || "DENYLIST", // required
+ *         GeneratedRulesType: "ALLOWLIST" || "DENYLIST" || "REJECTLIST" || "ALERTLIST", // required
  *       },
  *       StatefulRules: [ // StatefulRules
  *         { // StatefulRule
diff --git a/clients/client-network-firewall/src/models/models_0.ts b/clients/client-network-firewall/src/models/models_0.ts
@@ -2137,8 +2137,10 @@ export interface ReferenceSets {
  * @enum
  */
 export const GeneratedRulesType = {
+  ALERTLIST: "ALERTLIST",
   ALLOWLIST: "ALLOWLIST",
   DENYLIST: "DENYLIST",
+  REJECTLIST: "REJECTLIST",
 } as const;
 
 /**
@@ -2189,7 +2191,11 @@ export interface RulesSourceList {
   TargetTypes: TargetType[] | undefined;
 
   /**
-   * <p>Whether you want to allow or deny access to the domains in your target list.</p>
+   * <p>Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list.</p>
+   *          <note>
+   *             <p>When logging is enabled and you choose Alert, traffic that matches the domain specifications
+   *             generates an alert in the firewall's logs. Then, traffic either passes, is rejected, or drops based on other rules in the firewall policy.</p>
+   *          </note>
    * @public
    */
   GeneratedRulesType: GeneratedRulesType | undefined;
diff --git a/codegen/sdk-codegen/aws-models/network-firewall.json b/codegen/sdk-codegen/aws-models/network-firewall.json
@@ -3782,6 +3782,18 @@
           "traits": {
             "smithy.api#enumValue": "DENYLIST"
           }
+        },
+        "REJECTLIST": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "REJECTLIST"
+          }
+        },
+        "ALERTLIST": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "ALERTLIST"
+          }
         }
       }
     },
@@ -7187,7 +7199,7 @@
         "GeneratedRulesType": {
           "target": "com.amazonaws.networkfirewall#GeneratedRulesType",
           "traits": {
-            "smithy.api#documentation": "<p>Whether you want to allow or deny access to the domains in your target list.</p>",
+            "smithy.api#documentation": "<p>Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list.</p>\n         <note>\n            <p>When logging is enabled and you choose Alert, traffic that matches the domain specifications \n            generates an alert in the firewall's logs. Then, traffic either passes, is rejected, or drops based on other rules in the firewall policy.</p>\n         </note>",
             "smithy.api#required": {}
           }
         }

Original file line number	Diff line number	Diff line change
`@@ -3782,6 +3782,18 @@`
`3782`	`3782`	`"traits": {`
`3783`	`3783`	`"smithy.api#enumValue": "DENYLIST"`
`3784`	`3784`	`}`
	`3785`	`+ },`
	`3786`	`+ "REJECTLIST": {`
	`3787`	`+ "target": "smithy.api#Unit",`
	`3788`	`+ "traits": {`
	`3789`	`+ "smithy.api#enumValue": "REJECTLIST"`
	`3790`	`+ }`
	`3791`	`+ },`
	`3792`	`+ "ALERTLIST": {`
	`3793`	`+ "target": "smithy.api#Unit",`
	`3794`	`+ "traits": {`
	`3795`	`+ "smithy.api#enumValue": "ALERTLIST"`
	`3796`	`+ }`
`3785`	`3797`	`}`
`3786`	`3798`	`}`
`3787`	`3799`	`},`
`@@ -7187,7 +7199,7 @@`
`7187`	`7199`	`"GeneratedRulesType": {`
`7188`	`7200`	`"target": "com.amazonaws.networkfirewall#GeneratedRulesType",`
`7189`	`7201`	`"traits": {`
`7190`		`- "smithy.api#documentation": "<p>Whether you want to allow or deny access to the domains in your target list.</p>",`
	`7202`	`+ "smithy.api#documentation": "<p>Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list.</p>\n <note>\n <p>When logging is enabled and you choose Alert, traffic that matches the domain specifications \n generates an alert in the firewall's logs. Then, traffic either passes, is rejected, or drops based on other rules in the firewall policy.</p>\n </note>",`
`7191`	`7203`	`"smithy.api#required": {}`
`7192`	`7204`	`}`
`7193`	`7205`	`}`