policies
Creates, updates, deletes or gets a policy resource or lists policies in a region
Overview
| Name | policies |
|---|---|
| Type | Resource |
| Description | Creates an AWS Firewall Manager policy. |
| Id | awscc.fms.policies |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
| exclude_map | object | An FMS includeMap or excludeMap. |
| exclude_resource_tags | boolean | |
| id | string | |
| policy_name | string | |
| policy_description | string | |
| remediation_enabled | boolean | |
| resource_tags | array | |
| resource_tag_logical_operator | string | |
| resource_type | string | An AWS resource type. |
| resource_type_list | array | |
| resource_set_ids | array | |
| security_service_policy_data | object | Firewall security service policy data. |
| arn | string | A resource ARN. |
| delete_all_policy_resources | boolean | |
| resources_clean_up | boolean | |
| tags | array | |
| region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
| id | string | |
| region | string | AWS region. |
For more information, see AWS::FMS::Policy.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
| create_resource | policies | INSERT | ExcludeResourceTags, PolicyName, RemediationEnabled, SecurityServicePolicyData, region |
| delete_resource | policies | DELETE | Identifier, region |
| update_resource | policies | UPDATE | Identifier, PatchDocument, region |
| list_resources | policies_list_only | SELECT | region |
| get_resource | policies | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual policy.
-- Reads every property of a single Firewall Manager policy (get_resource).
-- Identifier and region are the two required parameters (see Methods); the
-- Identifier value is presumably the policy's id, the same column the list
-- query further down returns.
-- NOTE(review): include_map is selected here (and accepted by the INSERT and
-- UPDATE examples) but does not appear in the Fields table above.
-- '{{ id }}' is expanded by the template engine before StackQL parses the
-- statement; it is a literal substitution, not a bound parameter, so the value
-- must come from trusted configuration rather than untrusted input.
SELECT
    region,
    exclude_map,
    exclude_resource_tags,
    include_map,
    id,
    policy_name,
    policy_description,
    remediation_enabled,
    resource_tags,
    resource_tag_logical_operator,
    resource_type,
    resource_type_list,
    resource_set_ids,
    security_service_policy_data,
    arn,
    delete_all_policy_resources,
    resources_clean_up,
    tags
FROM awscc.fms.policies
WHERE
    region = 'us-east-1' AND
    Identifier = '{{ id }}';
Lists all policies in a region.
-- Lists the identifiers of every policy in one region (list_resources; region
-- is its only required parameter, see Methods). The returned id is what the
-- get, update and delete statements expect as Identifier.
-- Only id and region come back from the *_list_only view; use the get query
-- above for the remaining properties.
SELECT
    region,
    id
FROM awscc.fms.policies_list_only
WHERE
    region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new policy resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
-- Creates a policy with only the properties create_resource requires
-- (ExcludeResourceTags, PolicyName, RemediationEnabled,
-- SecurityServicePolicyData, region; see Methods).
-- Column names are the PascalCase CloudFormation property names, while the
-- SELECT examples and the Fields table use snake_case for the same data.
-- Each '{{ ... }}' value is substituted as a quoted literal before parsing;
-- security_service_policy_data is an object (see Fields), so its template is
-- presumably expected to render a complete JSON document — confirm.
-- The calling principal needs the Create permission set listed under
-- Permissions, which includes s3:PutBucketPolicy; scope that grant to the
-- buckets FMS actually has to touch rather than granting it account-wide.
/*+ create */
INSERT INTO awscc.fms.policies (
    ExcludeResourceTags,
    PolicyName,
    RemediationEnabled,
    SecurityServicePolicyData,
    region
)
SELECT
    '{{ exclude_resource_tags }}',
    '{{ policy_name }}',
    '{{ remediation_enabled }}',
    '{{ security_service_policy_data }}',
    '{{ region }}';
-- Creates a policy supplying every writable property; compare the
-- required-properties INSERT, which passes only the four mandatory ones.
-- The column list and the SELECT list are positional — keep them in the same
-- order when adding or removing a property.
-- NOTE(review): IncludeMap is accepted here but include_map is missing from
-- the Fields table above.
-- DeleteAllPolicyResources and ResourcesCleanUp are booleans (see Fields);
-- they presumably control what happens to policy-managed resources on
-- deletion, so set them deliberately rather than leaving the template blank —
-- confirm against AWS::FMS::Policy.
-- Template values are literal substitutions, not bound parameters.
/*+ create */
INSERT INTO awscc.fms.policies (
    ExcludeMap,
    ExcludeResourceTags,
    IncludeMap,
    PolicyName,
    PolicyDescription,
    RemediationEnabled,
    ResourceTags,
    ResourceTagLogicalOperator,
    ResourceType,
    ResourceTypeList,
    ResourceSetIds,
    SecurityServicePolicyData,
    DeleteAllPolicyResources,
    ResourcesCleanUp,
    Tags,
    region
)
SELECT
    '{{ exclude_map }}',
    '{{ exclude_resource_tags }}',
    '{{ include_map }}',
    '{{ policy_name }}',
    '{{ policy_description }}',
    '{{ remediation_enabled }}',
    '{{ resource_tags }}',
    '{{ resource_tag_logical_operator }}',
    '{{ resource_type }}',
    '{{ resource_type_list }}',
    '{{ resource_set_ids }}',
    '{{ security_service_policy_data }}',
    '{{ delete_all_policy_resources }}',
    '{{ resources_clean_up }}',
    '{{ tags }}',
    '{{ region }}';
# stack-deploy manifest that provisions the same policy as the all-properties
# INSERT above. Every '{{ ... }}' value is a template resolved at deploy time;
# the original listing had its indentation stripped, so the nesting below is
# reconstructed from the key names — verify against the provider schema.
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  # Region is read from the AWS_REGION deployment variable and shared by all resources.
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: policy
    props:
      - name: exclude_map
        # presumably the account / organizational-unit lists of an FMS exclude
        # map (see the exclude_map field above) — confirm the key spelling
        value:
          a_cc_ou_nt:
            - '{{ a_cc_ou_nt[0] }}'
          o_rg_un_it:
            - '{{ o_rg_un_it[0] }}'
      - name: exclude_resource_tags
        value: '{{ exclude_resource_tags }}'
      - name: include_map
        value: null
      - name: policy_name
        value: '{{ policy_name }}'
      - name: policy_description
        value: '{{ policy_description }}'
      - name: remediation_enabled
        value: '{{ remediation_enabled }}'
      - name: resource_tags
        # NOTE(review): the key / value template names are reused by tags at
        # the bottom of this manifest; give them distinct names if the two lists differ
        value:
          - key: '{{ key }}'
            value: '{{ value }}'
      - name: resource_tag_logical_operator
        value: '{{ resource_tag_logical_operator }}'
      - name: resource_type
        value: '{{ resource_type }}'
      - name: resource_type_list
        value:
          - null
      - name: resource_set_ids
        value:
          - '{{ resource_set_ids[0] }}'
      - name: security_service_policy_data
        # Only one policy_option branch is expected to apply for a given type;
        # the others are left as placeholders/null here.
        value:
          managed_service_data: '{{ managed_service_data }}'
          type: '{{ type }}'
          policy_option:
            network_firewall_policy:
              firewall_deployment_model: '{{ firewall_deployment_model }}'
            third_party_firewall_policy:
              firewall_deployment_model: null
            network_acl_common_policy:
              network_acl_entry_set:
                # These entries become network ACL rules; review the rendered
                # cidr_block / rule_action / port_range values before deploying.
                first_entries:
                  - cidr_block: '{{ cidr_block }}'
                    egress: '{{ egress }}'
                    icmp_type_code:
                      code: '{{ code }}'
                      # NOTE(review): '{{ type }}' is also the template used for the
                      # service type above — presumably a placeholder collision; confirm
                      type: '{{ type }}'
                    ipv6_cidr_block: '{{ ipv6_cidr_block }}'
                    port_range:
                      from: '{{ from }}'
                      to: '{{ to }}'
                    protocol: '{{ protocol }}'
                    rule_action: '{{ rule_action }}'
                force_remediate_for_first_entries: '{{ force_remediate_for_first_entries }}'
                last_entries: null
                force_remediate_for_last_entries: '{{ force_remediate_for_last_entries }}'
      - name: delete_all_policy_resources
        value: '{{ delete_all_policy_resources }}'
      - name: resources_clean_up
        value: '{{ resources_clean_up }}'
      - name: tags
        value:
          - key: '{{ key }}'
            value: '{{ value }}'
UPDATE example
Use the following StackQL query and manifest file to update a policy resource, using stack-deploy.
-- Updates an existing policy (update_resource). The template renders the
-- listed snake_case values into a patch document via generate_patch_document
-- and passes it as the PatchDocument parameter; Identifier and region are the
-- other two required parameters (see Methods).
-- Do not place SQL comments inside the string('...') literal: everything
-- between the quotes is template/JSON text, not SQL.
/*+ update */
UPDATE awscc.fms.policies
SET PatchDocument = string('{{ {
"ExcludeMap": exclude_map,
"ExcludeResourceTags": exclude_resource_tags,
"IncludeMap": include_map,
"PolicyName": policy_name,
"PolicyDescription": policy_description,
"RemediationEnabled": remediation_enabled,
"ResourceTags": resource_tags,
"ResourceTagLogicalOperator": resource_tag_logical_operator,
"ResourceType": resource_type,
"ResourceTypeList": resource_type_list,
"ResourceSetIds": resource_set_ids,
"SecurityServicePolicyData": security_service_policy_data,
"DeleteAllPolicyResources": delete_all_policy_resources,
"ResourcesCleanUp": resources_clean_up,
"Tags": tags
} | generate_patch_document }}')
-- Unlike the SELECT/DELETE examples, region is templated here rather than
-- hard-coded; both values are literal substitutions, so source them from
-- trusted configuration.
WHERE
    region = '{{ region }}' AND
    Identifier = '{{ id }}';
DELETE example
-- Deletes the policy selected by Identifier and region (delete_resource;
-- fms:DeletePolicy per the Permissions section).
-- NOTE(review): whether resources the policy created are removed as well
-- presumably depends on the delete_all_policy_resources / resources_clean_up
-- properties listed under Fields — confirm against AWS::FMS::Policy before
-- running this against a shared account.
-- region is hard-coded to us-east-1 here; the UPDATE example templates it.
/*+ delete */
DELETE FROM awscc.fms.policies
WHERE
    Identifier = '{{ id }}' AND
    region = 'us-east-1';
Permissions
To operate on the policies resource, the following permissions are required:
- Create
- Update
- Read
- Delete
- List
Create:
fms:PutPolicy,
fms:TagResource,
waf-regional:ListRuleGroups,
wafv2:CheckCapacity,
wafv2:ListRuleGroups,
wafv2:ListAvailableManagedRuleGroups,
wafv2:ListAvailableManagedRuleGroupVersions,
network-firewall:DescribeRuleGroup,
network-firewall:DescribeRuleGroupMetadata,
route53resolver:ListFirewallRuleGroups,
ec2:DescribeAvailabilityZones,
s3:PutBucketPolicy,
s3:GetBucketPolicy
Update:
fms:PutPolicy,
fms:GetPolicy,
fms:TagResource,
fms:UntagResource,
fms:ListTagsForResource,
waf-regional:ListRuleGroups,
wafv2:CheckCapacity,
wafv2:ListRuleGroups,
wafv2:ListAvailableManagedRuleGroups,
wafv2:ListAvailableManagedRuleGroupVersions,
network-firewall:DescribeRuleGroup,
network-firewall:DescribeRuleGroupMetadata,
route53resolver:ListFirewallRuleGroups,
ec2:DescribeAvailabilityZones,
s3:PutBucketPolicy,
s3:GetBucketPolicy
Read:
fms:GetPolicy,
fms:ListTagsForResource
Delete:
fms:DeletePolicy
List:
fms:ListPolicies,
fms:ListTagsForResource